Truecrypt on Netgear ReadyNAS 100 series (Debian) with auto mount on attached keyfile thumb drive dongle

By Christopher, December 30, 2013

Since I own a Netgear ReadyNAS 102 I was wondering how I could use encryption for certain content in a convenient way. Because the Netgear firmware does not provide an encryption feature inside its ReadyNAS OS wrapper on top of the underlying Debian Linux, I decided to have a closer look at Truecrypt, which I already use on my other desktop and mobile computers.

Because Truecrypt binaries are not available for the ARM architecture used in the NAS, the first required step was building Truecrypt from source. During my research I came across a post which explains the build process step by step.

http://www.readynas.com/forum/viewtopic.php?f=11&t=63214

If you really want to build it on your own, be aware of my comment inside the forum thread above. If you just want to go ahead, I have simplified the procedure for you with a prebuilt binary available on my personal Debian Dropbox repository:

1) Install the dependency for HTTPS repository access

apt-get install apt-transport-https

2) Add my repo to your /etc/apt/sources.list

deb https://dl.dropboxusercontent.com/u/8916436/deb-packages ./

3) Install truecrypt

apt-get update
apt-get install truecrypt

Now you are able to use truecrypt. Some usage examples:

# basic mounting, e.g. a container with an EXT4 filesystem; you will need to adjust
# the access rights after mounting with chown/chmod
truecrypt -t -k "KEYFILE(S)" -p "PASSWORD" --mount-options=nokernelcrypto --protect-hidden=no --mount CONTAINER.tc /MOUNTPOINT/
# mounting with more useful access rights:
# owner will be user guest (ID=99) and the files will be accessible by all users due to umask=000
truecrypt -t -k "" -p "" --fs-options=rw,uid=99,gid=99,umask=000 --mount-options=nokernelcrypto --protect-hidden=no --mount testContainer.tc crypt/

You can find the user and group ID with the commands

id -u USERNAME
id -g GROUPNAME

Now we are able to use truecrypt on the ReadyNAS, but we would need to use SSH every time we want to mount a volume. Of course this is not convenient, so my idea was to encrypt the container(s) with key file(s) instead of a password (you can also use a password and a key file together) and mount the volume as soon as my key file thumb drive is plugged into the NAS.

1) Create udev rules that run a script once the key file thumb drive is attached to or removed from the USB port

2) Create the new rules file:

touch /etc/udev/rules.d/99-truecrypt-auto.rules

3) with the content below (replace 13371337 with the serial number of your own thumb drive):

ACTION=="add",KERNEL=="sd?[0-9]",ATTRS{serial}=="13371337",SYMLINK+="truecryptkeys",RUN+="/data/Documents/automount.sh add"

ACTION=="remove",KERNEL=="sd?[0-9]",ENV{ID_SERIAL_SHORT}=="13371337",RUN+="/data/Documents/automount.sh remove"

A udev rule is executed once all of its match keys are satisfied by a device event. I figured out the attribute values for the newly attached device with the following command after I had attached the thumb drive.

# In my case sdg was my USB thumb drive. You can find the device node of your attached device with dmesg
udevadm info --name=/dev/sdg --attribute-walk

To find the right environment variable for the remove rule I used the following command before I unplugged my thumb drive.

udevadm monitor --environment --udev

As you may have already noticed, the udev rule executes another script, which takes care of mounting and unmounting the truecrypt container. Here comes the script, which I have stored at /data/Documents/automount.sh. Take a closer look at the variables defined at the beginning; they specify the container, mount point, password (if you have one configured) and so on. The script uses all files on the thumb drive as key files for decrypting the container. If you only want to use specific files, you will need to change the script accordingly. I just use “/media/USB_FLASH_1/” to access the thumb drive, because I usually do not have other devices attached. You may have to change this if you have a more sophisticated environment.

#!/bin/bash

LOGFILE="/data/Documents/automount.log"
CONTAINER="PATHTOMYCONTAINER.tc"
MOUNTPOINT="MY_FORMER_CREATED/MOUNT_DIRECTORY/ON/DATA_XYZ"
DEVICESYMBOL="/dev/truecryptkeys"            # SYMLINK+= created by the udev rule
DATUM=$(date +"%d.%m.%y %H:%M:%S")
PASSWORD=""                                  # leave empty if the container uses key files only

# Redirect outputs: append STDOUT to $LOGFILE and send STDERR to STDOUT
exec 1>>"$LOGFILE"
exec 2>&1

# check parameters
if [ $# -eq 0 ]; then
    echo "$DATUM Missing parameters - Use 'add' or 'remove'"
    exit 1
fi

# plug in key dongle
if [ "$1" = "add" ]; then
    # the symlink only exists while udev sees the key device; nothing to do without it
    if [ ! -L "$DEVICESYMBOL" ]; then
        echo "$DATUM Key device symbolic link $DEVICESYMBOL is not available"
        exit 0
    fi

    echo "$DATUM Truecrypt automount key add"
    truecrypt -t -k "/media/USB_FLASH_1/" -p "$PASSWORD" --mount-options=nokernelcrypto --fs-options=locale=de_DE.utf8,umask=000 --protect-hidden=no --mount "$CONTAINER" "$MOUNTPOINT"
fi

# unplug key dongle (udev has already removed the symlink at this point, so it is not checked here)
if [ "$1" = "remove" ]; then
    echo "$DATUM Truecrypt automount key removed"

    # dismount this container
    truecrypt -d "$MOUNTPOINT"
    # or dismount all containers:
    #truecrypt -d
fi

In my case the container is formatted with NTFS (therefore the mount options “--fs-options=locale=de_DE.utf8,umask=000”); this way the container can be mounted directly on Windows and Linux computers while still being able to store files larger than 4 GB. I initialized and created my truecrypt container remotely from my PC. Another important thing to note: I recommend disabling continuous protection on the share where you store the truecrypt container if you have a large container of several GB.

You can check that the script is working properly by running it manually with the commands below

# mounting
/data/Documents/automount.sh add
# unmounting
/data/Documents/automount.sh remove

All output is written to “/data/Documents/automount.log”
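A reworked automount script, added here as an example and not the post's own automount.sh: it resolves the key device through the udev symlink instead of the fixed /media/USB_FLASH_1/ path, mounts the dongle read-only on a private directory only while truecrypt reads the key files, and takes a lock so that the udev rule and the boot-time init script cannot mount the same container twice. The container, mount point, log and lock paths are assumptions.

```shell
#!/bin/bash
# Added example, not the post's automount.sh: same add/remove contract for the udev
# rule and the init script. Paths below are assumptions, override via environment.
CONTAINER="${CONTAINER:-/data/Documents/container.tc}"
MOUNTPOINT="${MOUNTPOINT:-/data/crypt}"
DEVICESYMBOL="${DEVICESYMBOL:-/dev/truecryptkeys}"   # SYMLINK+= from the udev rule
KEYDIR="${KEYDIR:-/run/truecryptkeys}"                # private mount point for the dongle
LOGFILE="${LOGFILE:-/data/Documents/automount.log}"
LOCKFILE="${LOCKFILE:-/run/truecrypt-automount.lock}"
PASSWORD="${PASSWORD:-}"                              # empty: container is key-file only

log() { printf '%s %s\n' "$(date '+%d.%m.%y %H:%M:%S')" "$*"; }

# Accept only the two actions the udev rule passes; returns 1 for anything else.
valid_action() { case "$1" in add|remove) return 0 ;; *) return 1 ;; esac; }

# Print the block device behind the udev symlink; fails when the dongle is absent.
key_device() { [ -L "$1" ] && readlink -f "$1"; }

do_add() {
  local dev rc
  dev=$(key_device "$DEVICESYMBOL") || { log "key device $DEVICESYMBOL not present"; return 1; }
  mkdir -p "$KEYDIR"
  # Key files only need to be readable; nothing on the dongle should run or be a device.
  mount -o ro,nodev,nosuid,noexec "$dev" "$KEYDIR" || { log "cannot mount $dev"; return 1; }
  log "mounting $CONTAINER with key files from $dev"
  truecrypt -t -k "$KEYDIR" -p "$PASSWORD" --mount-options=nokernelcrypto \
    --fs-options=locale=de_DE.utf8,umask=000 --protect-hidden=no \
    --mount "$CONTAINER" "$MOUNTPOINT"
  rc=$?
  umount "$KEYDIR"        # the key files are no longer needed once the volume is open
  return "$rc"
}

do_remove() { log "dismounting $MOUNTPOINT"; truecrypt -d "$MOUNTPOINT"; }

main() {
  exec >>"$LOGFILE" 2>&1
  valid_action "${1:-}" || { log "usage: $0 add|remove"; return 1; }
  exec 9>"$LOCKFILE"
  # udev and the init script may both fire at boot: only one may touch the container.
  flock -n 9 || { log "another automount run is active, skipping $1"; return 0; }
  "do_$1"
}

# Without an argument only the functions are defined (e.g. when sourced for a test).
[ $# -eq 0 ] || main "$@"
```

The udev rule and the init script call it exactly as before (`automount.sh add` / `automount.sh remove`); a second concurrent run is logged and skipped instead of racing the first one.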

One last thing is missing: the udev rules do not seem to be executed properly during boot, so the container is not mounted at boot even when the key file thumb drive is attached. To solve this issue I used an rc script.

1) Create a new executable script

touch /etc/init.d/truecryptmount
chmod +x /etc/init.d/truecryptmount

2) Here comes the script content:

#! /bin/sh

### BEGIN INIT INFO
# Provides:          truecryptmount
# Required-Start:    udev
# Required-Stop:
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: mount available truecrypt containers by key file
# Description:       mount available truecrypt containers by key file if usb device is available
### END INIT INFO

set -e

# /etc/init.d/truecryptmount: tries to mount available truecrypt containers by key file

case "$1" in
  start|reload|restart)
    /data/Documents/automount.sh add
    #udevadm trigger --verbose --action=add --property-match serial=44380c78721298
    ;;
  stop)
    ;;
  *)
    echo "Usage: /etc/init.d/truecryptmount {start|stop|restart|reload}"
    exit 1
    ;;
esac

exit 0

3) Register the script with

update-rc.d truecryptmount defaults 19

Happy Crypting!