5

Trying to use cryptsetup to mount a drive encrypted with truecrypt.

Doing this:

sudo cryptsetup open --type tcrypt --readonly /dev/sdc1 encrypted_drive 

and then typing the passphrase gives me:

Activation is not supported for 4096 sector size.

What does this error mean, and how can I mount my truecrypt volume?

Useful information:

  • The drive was encrypted with truecrypt 7.1a
  • The machine trying to do this is booted into a live USB version of ubuntu, specifically ubuntu 14.04.01, i386 desktop version.
  • cryptsetup --version yields cryptsetup 1.6.1
  • removing the --readonly option produces no change
stochastic

3 Answers

6

cryptsetup expects the sector size to be 512, but in your case it seems to be 4096, since that is what truecrypt does for devices with physical/logical sector size of 4096. This information is stored in the TrueCrypt header, you can also see it with cryptsetup tcryptDump.

The Linux version of truecrypt mounts such containers fine like so:

truecrypt /dev/sdc1 /mnt/somewhere

According to dmsetup it still uses regular encryption regardless of sector size, so this is a limitation of cryptsetup itself. You could open an issue for it on the cryptsetup issue tracker: https://code.google.com/p/cryptsetup/issues/list

frostschutz
  • I filed https://gitlab.com/cryptsetup/cryptsetup/-/issues/580. A patch is attached on the issue; you can clone the GitLab repo, patch in the patch, install the dependencies mentioned in the issue, then build with `./autogen.sh && ./configure && make` – Jan Schejbal Jul 22 '20 at 02:19
0

If it is not possible to use cryptsetup with 4096-byte sector devices then it may be a work-around to create a dummy device and use cryptsetup with that one:

sectors=$(blockdev --getsz /dev/sdc1)
echo "0 $((sectors-1)) linear /dev/sdc1 0" | dmsetup create dummy512bytes-sdc1
cryptsetup open --type tcrypt --readonly /dev/mapper/dummy512bytes-sdc1 encrypted_drive
Hauke Laging
  • 2
    The problem is not the device itself, but the Truecrypt metadata. The sector size is specified in the header, and set to `4096` at the time of creation. Your workaround may convince Truecrypt to create a new container with 512 instead of 4096 so cryptsetup will be able to open it; but won't help for existing containers... – frostschutz Jan 19 '15 at 00:04
  • @frostschutz Strange piece of software... But it would work if the 4096 was overwritten with 512 in the header? – Hauke Laging Jan 19 '15 at 00:28
  • 2
    The header is encrypted; just patch `cryptsetup` (set sector size to 512 at the end of `read_phdr()`). That happens to work for me, but may be coincidence. The data offset calculation is wrong. – frostschutz Jan 19 '15 at 02:35
0

None of the answers here worked for me. Trying to mount the volume with truecrypt as @frostschutz suggested produced the unhelpful error:

ParameterIncorrect at TrueCrypt::CoreUnix::MountVolume:443

and Veracrypt said:

ParameterIncorrect at VeraCrypt::CoreUnix::MountVolume:477

so here is what I did instead: I dumped the Truecrypt master key with the command:

cryptsetup tcryptDump /dev/...

Which gave me a poorly formatted file with the master key block. After removing all the line breaks and spaces to get a 128-character hexadecimal key, I loaded it into dmsetup with the command:

echo "0 5860532912 crypt aes-xts-plain64 <128-character-master-key> 256 /dev/sdh 256" | dmsetup create test

This table is in the format:

<start sector> <sector count> crypt <cipher> <key> <iv_offset> <device path> <offset> [<#opt_params> <opt_params>]

Source: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

Edit the <sector count> by taking the total number of sectors on the device from fdisk -lu and subtract the offset. Update the rest of the fields to match tcryptDump. Echo the resulting table into dmsetup and hope it works!

If the key is correct, running mount /dev/mapper/test /mnt/... will work.

SurpriseDog
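
The table-building steps from the last answer (strip the dumped key block down to 128 hex characters, subtract the offset from the device's sector count) as an added shell example that is not part of the original post. The function names are hypothetical, and using the data offset for `<iv_offset>` as well is an assumption taken from the answer's table, which has 256 in both fields.

```shell
#!/bin/sh
# Added example (not from the original answer): assemble the dm-crypt table
# line from its parts. It only prints text; nothing touches a block device.

# is_uint N: succeed only for a decimal integer without leading zeros.
is_uint() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
}

# normalize_key: read the dumped key block on stdin, strip all whitespace,
# lower-case it, and require exactly 128 hex characters (as in the answer).
normalize_key() (
    key=$(tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $key in
        *[!0-9a-f]*) echo "key contains non-hex characters" >&2; exit 1 ;;
    esac
    if [ "${#key}" -ne 128 ]; then
        echo "key has ${#key} hex characters, expected 128" >&2
        exit 1
    fi
    printf '%s\n' "$key"
)

# build_table TOTAL OFFSET DEVICE [CIPHER]   (key block is read from stdin)
#   TOTAL  = 512-byte sectors on the device, as reported by fdisk -lu
#   OFFSET = data offset in 512-byte sectors; assumption: it is also used
#            as <iv_offset>, matching the answer's table (256 in both fields)
# Reading the key from stdin keeps it out of this command's argument list.
build_table() (
    total=$1 offset=$2 dev=$3 cipher=${4:-aes-xts-plain64}
    if ! is_uint "$total" || ! is_uint "$offset"; then
        echo "sector values must be plain decimal integers" >&2; exit 1
    fi
    if [ "$offset" -ge "$total" ]; then
        echo "offset must be smaller than the device size" >&2; exit 1
    fi
    key=$(normalize_key) || exit 1
    printf '0 %s crypt %s %s %s %s %s\n' \
        "$((total - offset))" "$cipher" "$key" "$offset" "$dev" "$offset"
)
```

Feed it the saved key block on stdin and pipe the printed line into `dmsetup create test` as in the answer. Keep the file holding the key readable by root only, since it decrypts the volume without the passphrase.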