{"id":809,"date":"2013-12-30T01:47:53","date_gmt":"2013-12-29T17:47:53","guid":{"rendered":"http:\/\/www.ceh-photo.de\/blog\/?p=809"},"modified":"2013-12-30T01:52:02","modified_gmt":"2013-12-29T17:52:02","slug":"truecrypt-on-netgear-readynas-100-series-debian-with-auto-mount-on-attached-keyfile-thumb-drive-dongle","status":"publish","type":"post","link":"https:\/\/www.ceh-photo.de\/blog\/?p=809","title":{"rendered":"Truecrypt on Netgear ReadyNAS 100 series (Debian) with auto mount on attached keyfile thumb drive dongle"},"content":{"rendered":"<p>Since I own a Netgear ReadyNAS 102 I was wondering how I could use encryption for special content in a convenient way. Because the Netgear firmware does not provide an encryption feature inside its ReadyNAS OS wrapper on top of the underlying Debian Linux, I decided to have a closer look at Truecrypt, which I already use on my other desktop and mobile computers.<\/p>\n<p>Because Truecrypt binaries are not available for the ARM architecture used, the first required step was building Truecrypt from source. During my research I came across a posting which explained the build process step by step.<\/p>\n<p><a href=\"http:\/\/www.readynas.com\/forum\/viewtopic.php?f=11&amp;t=63214\" target=\"_blank\" shape=\"rect\">http:\/\/www.readynas.com\/forum\/viewtopic.php?f=11&amp;t=63214<\/a><\/p>\n<p>If you really want to build it on your own, be aware of my comment inside the forum thread above. 
If you just want to go ahead, I have simplified the procedure for you with a prebuilt binary available on my personal Debian Dropbox repository:<\/p>\n<p>1) Install some dependencies for https access<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"kw2\">apt-get install<\/span> apt-transport-https<\/div><\/div>\n<p>2) Add my repo to your \/etc\/apt\/sources.list<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\">deb https:<span class=\"sy0\">\/\/<\/span>dl.dropboxusercontent.com<span class=\"sy0\">\/<\/span>u<span class=\"sy0\">\/<\/span><span class=\"nu0\">8916436<\/span><span class=\"sy0\">\/<\/span>deb-packages .<span class=\"sy0\">\/<\/span><\/div><\/div>\n<p>3) Install truecrypt<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"kw2\">apt-get update<\/span><br \/>\n<span class=\"kw2\">apt-get install<\/span> truecrypt<\/div><\/div>\n<p>Now you are able to use truecrypt. Some usage examples:<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"co0\">#basic mounting e.g. 
container with EXT4 filesystem, you will need to adjust the access permissions after mounting with chown\/chmod<\/span><br \/>\ntruecrypt -t <span class=\"re5\">-k<\/span> <span class=\"st0\">&quot;KEYFILE(S)&quot;<\/span> <span class=\"re5\">-p<\/span> <span class=\"st0\">&quot;PASSWORD&quot;<\/span> <span class=\"re5\">--mount-options<\/span>=nokernelcrypto <span class=\"re5\">--protect-hidden<\/span>=no <span class=\"re5\">--mount<\/span> CONTAINER.tc <span class=\"sy0\">\/<\/span>MOUNTPOINT<span class=\"sy0\">\/<\/span><br \/>\n<span class=\"co0\">#mounting with more useful access permissions<\/span><br \/>\n<span class=\"co0\">#owner will be user guest (ID=99) and the files will be accessible by all users due to umask=000<\/span><br \/>\ntruecrypt -t <span class=\"re5\">-k<\/span> <span class=\"st0\">&quot;&quot;<\/span> <span class=\"re5\">-p<\/span> <span class=\"st0\">&quot;&quot;<\/span> <span class=\"re5\">--fs-options<\/span>=rw,<span class=\"re2\">uid<\/span>=<span class=\"nu0\">99<\/span>,<span class=\"re2\">gid<\/span>=<span class=\"nu0\">99<\/span>,<span class=\"re2\">umask<\/span>=000 <span class=\"re5\">--mount-options<\/span>=nokernelcrypto <span class=\"re5\">--protect-hidden<\/span>=no <span class=\"re5\">--mount<\/span> testContrainer.tc crypt<span class=\"sy0\">\/<\/span><\/div><\/div>\n<p>You can find a user's id and primary group id with the commands<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"kw2\">id<\/span> <span class=\"re5\">-u<\/span> USERNAME<br \/>\n<span class=\"kw2\">id<\/span> <span class=\"re5\">-g<\/span> USERNAME<\/div><\/div>\n<p>Now we are able to use truecrypt on the ReadyNAS, but we will need to use SSH every time we want to mount a volume. 
Of course this is not convenient, so my idea was to encrypt the container(s) with keyfile(s) instead of a password (you can also use a password and a keyfile) and mount the volume once my keyfile thumb drive is plugged into the NAS.<\/p>\n<p>1) Create udev rules for automatic script execution once the keyfile thumb drive is attached to or removed from the USB port<\/p>\n<p>2) New udev rule:<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"kw2\">touch<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>udev<span class=\"sy0\">\/<\/span>rules.d<span class=\"sy0\">\/<\/span><span class=\"nu0\">99<\/span>-truecrypt-auto.rules<\/div><\/div>\n<p>3) With content below:<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"re2\">ACTION<\/span>==<span class=\"st0\">&quot;add&quot;<\/span>,<span class=\"re2\">KERNEL<\/span>==<span class=\"st0\">&quot;sd?[0-9]&quot;<\/span>,ATTRS<span class=\"br0\">&#123;<\/span>serial<span class=\"br0\">&#125;<\/span>==<span class=\"st0\">&quot;13371337&quot;<\/span>,SYMLINK+=<span class=\"st0\">&quot;truecryptkeys&quot;<\/span>,RUN+=<span class=\"st0\">&quot;\/data\/Documents\/automount.sh add&quot;<\/span><br \/>\n<br \/>\n<span class=\"re2\">ACTION<\/span>==<span class=\"st0\">&quot;remove&quot;<\/span>,<span class=\"re2\">KERNEL<\/span>==<span class=\"st0\">&quot;sd?[0-9]&quot;<\/span>,ENV<span class=\"br0\">&#123;<\/span>ID_SERIAL_SHORT<span class=\"br0\">&#125;<\/span>==<span class=\"st0\">&quot;13371337&quot;<\/span>,RUN+=<span class=\"st0\">&quot;\/data\/Documents\/automount.sh remove&quot;<\/span><\/div><\/div>\n<p>A udev rule fires once a device matches all of the keys specified in it. 
I figured out the attribute values for the newly attached device with the following command after I had attached the thumb drive.<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"co0\"># In my case sdg was my usb thumb drive. You can check the device node for your attached device with dmesg<\/span><br \/>\nudevadm info <span class=\"re5\">--name<\/span>=<span class=\"sy0\">\/<\/span>dev<span class=\"sy0\">\/<\/span>sdg <span class=\"re5\">--attribute-walk<\/span><\/div><\/div>\n<p>To find the right environment variable to use, I ran the following command before unplugging my thumb drive.<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\">udevadm monitor <span class=\"re5\">--environment<\/span> <span class=\"re5\">--udev<\/span><\/div><\/div>\n<p>As you may have already noticed, the udev rule executes another script, which takes care of mounting and unmounting the truecrypt container. Here comes the script, which I have stored at \/data\/Documents\/automount.sh. Take a closer look at the variables defined at the beginning: they specify the container, mountpoint, password (if you have one configured) and so on. The script uses all files on the thumb drive as key files for decrypting the container. If you only want to use specific files, you will need to change the script accordingly. I just use &#8220;\/media\/USB_FLASH_1\/&#8221; to access the thumb drive, because I usually do not have other devices attached. 
You may have to change this, if you have a more sophisticated environment.<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;height:400px;\"><div class=\"bash codecolorer\"><span class=\"co0\">#!\/bin\/bash<\/span><br \/>\n<br \/>\n<span class=\"re2\">LOGFILE<\/span>=<span class=\"st0\">&quot;\/data\/Documents\/automount.log&quot;<\/span><br \/>\n<br \/>\n<span class=\"re2\">CONTAINER<\/span>=<span class=\"st0\">&quot;PATHTOMYCONTAINER.tc&quot;<\/span><br \/>\n<br \/>\n<span class=\"re2\">MOUNTPOINT<\/span>=<span class=\"st0\">&quot;MY_FORMER_CREATED\/MOUNT_DIRECTORY\/ON\/DATA_XYZ&quot;<\/span><br \/>\n<br \/>\n<span class=\"re2\">DEVICESYMBOL<\/span>=<span class=\"st0\">&quot;\/dev\/truecryptkeys&quot;<\/span><br \/>\n<br \/>\n<span class=\"re2\">DATUM<\/span>=<span class=\"sy0\">`<\/span><span class=\"kw2\">date<\/span> +<span class=\"st0\">&quot;%d.%m.%y %H:%M:%S&quot;<\/span><span class=\"sy0\">`<\/span><br \/>\n<br \/>\n<span class=\"re2\">PASSWORD<\/span>=<span class=\"st0\">&quot;&quot;<\/span><br \/>\n<br \/>\n<span class=\"co0\">#Redirect outputs<\/span><br \/>\n<span class=\"co0\"># Append STDOUT to $LOGFILE<\/span><br \/>\n<span class=\"kw3\">exec<\/span> <span class=\"nu0\">1<\/span><span class=\"sy0\">&gt;&gt;<\/span><span class=\"re1\">$LOGFILE<\/span><br \/>\n<span class=\"co0\"># Redirect STDERR to STDOUT<\/span><br \/>\n<span class=\"kw3\">exec<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">1<\/span><br \/>\n<br \/>\n<span class=\"co0\">#check parameters<\/span><br \/>\n<span class=\"kw1\">if<\/span> <span class=\"br0\">&#91;<\/span> <span class=\"re4\">$#<\/span> = <span class=\"nu0\">0<\/span> <span class=\"br0\">&#93;<\/span>; <span class=\"kw1\">then<\/span><br \/>\n<span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$DATUM<\/span> Missing parameters - Use 'add' or 'remove'&quot;<\/span><br \/>\n<span class=\"kw3\">exit<\/span><br \/>\n<span class=\"kw1\">fi<\/span><br \/>\n<br \/>\n<span class=\"co0\">#check that the key device symlink created by the udev rule exists<\/span><br \/>\n<span class=\"kw1\">if<\/span> <span class=\"br0\">&#91;<\/span> <span class=\"sy0\">!<\/span> <span class=\"re5\">-L<\/span> <span class=\"re1\">$DEVICESYMBOL<\/span> <span class=\"br0\">&#93;<\/span>; <span class=\"kw1\">then<\/span><br \/>\n<span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$DATUM<\/span> Key device symbolic link <span class=\"es2\">$DEVICESYMBOL<\/span> is not available&quot;<\/span><br \/>\n<span class=\"kw3\">exit<\/span><br \/>\n<span class=\"kw1\">fi<\/span><br \/>\n<br \/>\n<span class=\"co0\">#plug in key dongle<\/span><br \/>\n<span class=\"kw1\">if<\/span> <span class=\"br0\">&#91;<\/span> <span class=\"re4\">$1<\/span> = <span class=\"st0\">&quot;add&quot;<\/span> <span class=\"br0\">&#93;<\/span>; <span class=\"kw1\">then<\/span><br \/>\n<br \/>\n<span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$DATUM<\/span> Truecrypt automount key add&quot;<\/span><br \/>\n<br \/>\ntruecrypt <span class=\"re5\">-t<\/span> <span class=\"re5\">-k<\/span> <span class=\"st0\">&quot;\/media\/USB_FLASH_1\/&quot;<\/span> <span class=\"re5\">-p<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$PASSWORD<\/span>&quot;<\/span> <span class=\"re5\">--mount-options<\/span>=nokernelcrypto <span class=\"re5\">--fs-options<\/span>=<span class=\"re2\">locale<\/span>=de_DE.utf8,<span class=\"re2\">umask<\/span>=000 <span class=\"re5\">--protect-hidden<\/span>=no <span class=\"re5\">--mount<\/span> <span class=\"re1\">$CONTAINER<\/span> <span class=\"re1\">$MOUNTPOINT<\/span><br \/>\n<br \/>\n<span class=\"kw1\">fi<\/span><br \/>\n<br \/>\n<span class=\"co0\">#unplug key dongle<\/span><br \/>\n<span class=\"kw1\">if<\/span> <span class=\"br0\">&#91;<\/span> <span class=\"re4\">$1<\/span> = <span class=\"st0\">&quot;remove&quot;<\/span> <span class=\"br0\">&#93;<\/span>; <span class=\"kw1\">then<\/span><br \/>\n<br \/>\n<span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$DATUM<\/span> Truecrypt automount key removed&quot;<\/span><br \/>\n<br \/>\n<span class=\"co0\">#dismount container<\/span><br \/>\ntruecrypt <span class=\"re5\">-d<\/span> <span class=\"re1\">$MOUNTPOINT<\/span><br \/>\n<span class=\"co0\">#dismount all containers<\/span><br \/>\n<span class=\"co0\">#truecrypt -d<\/span><br \/>\n<br \/>\n<span class=\"kw1\">fi<\/span><\/div><\/div>\n<p>In my case the container is formatted with NTFS (therefore the mount options &#8220;--fs-options=locale=de_DE.utf8,umask=000&#8221;); this allows direct mounting on Windows and Linux computers while being able to store files larger than 4GB. I have initialized and created my truecrypt container remotely from my PC. Another important thing to note: I recommend disabling continuous protection on the share where you store the truecrypt container if you have a huge container of several GB.<\/p>\n<p>You can check if the script is working properly by manual execution with the commands below<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"co0\"># mounting<\/span><br \/>\n<span class=\"sy0\">\/<\/span>data<span class=\"sy0\">\/<\/span>Documents<span class=\"sy0\">\/<\/span>automount.sh add<br \/>\n<span class=\"co0\">#unmounting<\/span><br \/>\n<span class=\"sy0\">\/<\/span>data<span class=\"sy0\">\/<\/span>Documents<span class=\"sy0\">\/<\/span>automount.sh remove<\/div><\/div>\n<p>All outputs will be written to &#8220;\/data\/Documents\/automount.log&#8221;<\/p>\n<p>A last thing is missing: the udev rules do not seem to be executed properly during boot, so the container is not mounted on boot while the key file thumb drive is attached. To solve this issue I have used 
an rc-script.<\/p>\n<p>1) Create a new executable script<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\"><span class=\"kw2\">touch<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>init.d<span class=\"sy0\">\/<\/span>truecryptmount<br \/>\n<span class=\"kw2\">chmod<\/span> +x <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>init.d<span class=\"sy0\">\/<\/span>truecryptmount<\/div><\/div>\n<p>2) Here comes the script content:<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;height:400px;\"><div class=\"bash codecolorer\"><span class=\"co0\">#! \/bin\/sh<\/span><br \/>\n<br \/>\n<span class=\"co0\">### BEGIN INIT INFO<\/span><br \/>\n<span class=\"co0\"># Provides: truecryptmount<\/span><br \/>\n<span class=\"co0\"># Required-Start: udev<\/span><br \/>\n<span class=\"co0\"># Required-Stop:<\/span><br \/>\n<span class=\"co0\"># Should-Start: $named<\/span><br \/>\n<span class=\"co0\"># Default-Start: 2 3 4 5<\/span><br \/>\n<span class=\"co0\"># Default-Stop:<\/span><br \/>\n<span class=\"co0\"># Short-Description: mount available truecrypt containers by key file<\/span><br \/>\n<span class=\"co0\"># Description: mount available truecrypt containers by key file if usb device is available<\/span><br \/>\n<span class=\"co0\">### END INIT INFO<\/span><br \/>\n<br \/>\n<span class=\"kw1\">set<\/span> <span class=\"re5\">-e<\/span><br \/>\n<br \/>\n<span class=\"co0\"># \/etc\/init.d\/truecryptmount: tries to mount available truecrypt containers by key file<\/span><br \/>\n<br \/>\n<span class=\"kw1\">case<\/span> <span class=\"st0\">&quot;$1&quot;<\/span> <span class=\"kw1\">in<\/span><br \/>\nstart<span class=\"sy0\">|<\/span>reload<span class=\"sy0\">|<\/span>restart<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"sy0\">\/<\/span>data<span 
class=\"sy0\">\/<\/span>Documents<span class=\"sy0\">\/<\/span>automount.sh add<br \/>\n<span class=\"co0\">#udevadm trigger --verbose --action=add --property-match serial=44380c78721298<\/span><br \/>\n<span class=\"sy0\">;;<\/span><br \/>\nstop<span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"sy0\">;;<\/span><br \/>\n<span class=\"sy0\">*<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;Usage: \/etc\/init.d\/truecryptmount {start|stop|restart|reload}&quot;<\/span><br \/>\n<span class=\"kw3\">exit<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">esac<\/span><br \/>\n<br \/>\n<span class=\"kw3\">exit<\/span> <span class=\"nu0\">0<\/span><\/div><\/div>\n<p>3) Register the script with<\/p>\n<div class=\"codecolorer-container bash default\" style=\"overflow:auto;white-space:nowrap;width:70%;\"><div class=\"bash codecolorer\">update-rc.d truecryptmount defaults <span class=\"nu0\">19<\/span><\/div><\/div>\n<p>Happy Crypting!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since I own a Netgear ReadyNAS 102 I was wondering how I could use encryption for special content in a convenient way. 
Because the Netgear firmware does not provide an encryption feature inside its ReadyNAS OS wrapper on top of the underlying Debian Linux I decided to have a closer look at Truecrypt, which I [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46],"tags":[115,40,116,117,118],"class_list":["post-809","post","type-post","status-publish","format-standard","hentry","category-linux-it-2","tag-debian","tag-linux","tag-netgear","tag-readynas","tag-truecrypt"],"_links":{"self":[{"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/posts\/809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=809"}],"version-history":[{"count":1,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions"}],"predecessor-version":[{"id":810,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions\/810"}],"wp:attachment":[{"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ceh-photo.de\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}