The below script can be used to mount truecrypt-encrypted disks at system startup and dismount them at system shutdown. It optionally includes a target to encrypt a disk (by running /etc/init.d/tc.sh create_encrypted_disk sdX). To use, copy the code sction into /etc/init.d/tc and create a simple configuration file /etc/tc.conf (sample provided below).
Additional references:
1. Create encrypted disk using truecrypt. See encrypting a disk using truecrypt.
2. Create encrypted file container using truecrypt. See encrypted file container using truecrypt.
3. An earlier version of the below script. See mount encrypted disk at startup.
#!/bin/bash
# Mount and unmount encrypted disks and partitions.
#
### BEGIN INIT INFO
# Provides: tc
# Required-Start: $remote_fs $syslog $time
# Required-Stop: $remote_fs $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 1
# Short-Description: Encryted volume support
# Description: tc provide support for mounting
# encrypted disks and disk volumes
### END INIT INFO
test -f /usr/bin/truecrypt || exit 0
. /lib/lsb/init-functions
CONFIG="/etc/tc.conf"
get_disk_uuid() {
local _disk=$1
local _resultvar=$2
local _result=`ls -lah /dev/disk/by-id | grep -E '^.*?scsi..*?'${_disk}'$' | cut -d' ' -f11`
eval $_resultvar="'$_result'"
}
create_truecrypt_key() {
local _disk=$1
local _resultvar=$2
local _diskid=
local _keyfile
get_disk_uuid ${_disk} _diskid
_keyfile=/etc/`hostname`-${_diskid}.key
truecrypt --create-keyfile ${_keyfile} \
--hash=Whirlpool \
--random-source=/dev/urandom
chown 600 ${_keyfile}
echo "Created truecrypt keyfile=${_keyfile}."
KEYFILE=${_keyfile}
}
create_encrypted_disk() {
local _disk=$1
local _keyfile=
local _diskid=
create_truecrypt_key ${_disk} _keyfile
_keyfile=$KEYFILE
get_disk_uuid ${_disk} _diskid
truecrypt --filesystem=none --volume-type=normal --encryption=AES-Twofish-Serpent --hash=SHA-512 --random-source=/dev/urandom --keyfiles=${_keyfile} --password='' --create /dev/disk/by-id/${_diskid}
log_daemon_msg "Finished encrypting the disk with uuid=${_diskid} (${_disk}) with the keyfile=${_keyfile}" "tc"
}
mount_truecrypt_disk() {
local _device=$1
local _slot=$2
local _diskid=
local _keyfile=
log_daemon_msg "Mounting device=${_device} to slot=${_slot}" "tc"
echo
get_disk_uuid ${_device} _diskid
_keyfile=/etc/`hostname`-${_diskid}.key
truecrypt --filesystem=none --password='' --keyfiles=${_keyfile} --slot=${_slot} --protect-hidden=no --mount /dev/disk/by-id/${_diskid}
log_end_msg $?
}
parse_config_line() {
local _in_line=$1
local _device=
local _slot=
local _mount_indicator=
local _key_files=
_device=$(echo ${_in_line} | cut -f1 -d ' ')
_slot=$(echo ${_in_line} | cut -f2 -d ' ')
_mount_indicator=$(echo ${_in_line} | cut -f3 -d ' ')
_device=$(echo ${_in_line} | cut -f1 -d ' ')
_slot=$(echo ${_in_line} | cut -f2 -d ' ')
_mount_indicator=$(echo ${_in_line} | cut -f3 -d ' ')
if [ ${_mount_indicator} == "Y" ]; then
mount_truecrypt_disk ${_device} ${_slot}
fi
}
mount_disks() {
while read line; do
[[ ${line:0:1} == "#" || ${line:0:1} == "" ]] && continue
parse_config_line "$line"
done < "$CONFIG"
}
unmount_disks() {
while read line; do
[[ ${line:0:1} == "#" || ${line:0:1} == "" ]] && continue
_device=$(echo ${line} | cut -f1 -d ' ')
_mount_indicator=$(echo ${line} | cut -f3 -d ' ')
if [ ${_mount_indicator} == "Y" ]; then
truecrypt --dismount /dev/disk/by-id/_device
fi
done < "$CONFIG"
truecrypt --dismount $TC_DEVICE_1
}
case "$1" in
create_encrypted_disk) log_daemon_msg "Creating TC-encrypted disk" "tc"
echo
create_encrypted_disk $2
;;
start) log_daemon_msg "Mounting disk volumes" "tc"
echo
mount_disks
log_end_msg $?
;;
stop) log_daemon_msg "Umounting disk volumes" "tc"
echo
unmount_disks
log_end_msg $?
;;
*) log_action_msg "Usage: /etc/init.d/tc.sh {start|stop}"
log_action_msg "To encrypt a disk, use: /etc/init.d/tc.sh create_encrypted_disk sdX"
exit 2
;;
esac
exit 0
# Truecrypt configuration file
# The format is:
# Device Slot Mount
sda 1 Y
sdb 2 Y
sdc 3 Y
sdd 4 Y
zefr 