
Truecrypt hackery

I don't really like TrueCrypt. But it's the quasi-standard for encrypting (external) storage that is to be attached to different operating systems. Yes, its license is kinda fishy; OSI approval has been withdrawn too. But after all, TrueCrypt is available for Windows, Mac OS X and GNU/Linux (x86). And lacking the skillz to write my own halfway-portable encryption wrapper myself, I'm stuck with it. That being said, there's still the quest for the optimal filesystem: I'd need a POSIX-like filesystem, providing symlinks, honoring ownership and permissions and perhaps with journaling on top. And I need read and write support.

Let's see:

  • FAT - not a chance
  • NTFS - crappy symlink implementation, no (stable) Mac OS X driver
  • UFS - it's dead, Jim. Also: no stable write support in the Linux kernel.
  • ZFS - almost! It's even included in Mac OS X 10.5, but only as a read-only version. There's a ZFS project on macosforge.org, but it lists Mac OS X 10.5 as a requirement and I'm still on 10.4 on my PowerBook :-\
  • HFS+ - well, that's it I guess. Comes with all the features required, write support under Linux is pretty stable, not sure about journaling support under Linux though. (Caveat for the Linux side: the kernel's hfsplus driver does not replay the HFS+ journal, so it mounts a journaled volume read-only unless forced with "-o force", which risks corrupting it.)
Anyway, the real question was: how do I convince TrueCrypt to format my new volume as HFS+, but with journal, case-sensitivity and enabled ownership?

Here it is:

  • Create a new volume in TrueCrypt and choose "none" when it asks which filesystem to format it with. Actually, it does not matter, as we're going to reformat anyway.
  • Use TrueCrypt to "mount" the volume, but before doing so click "Options" in the mount dialog and check "Do not mount" - the wording is kinda sucky, yes.
  • Now TrueCrypt should have activated your volume but not mounted it: the decrypted container shows up as a plain block device (here /dev/disk6; use "diskutil list" to find which number it got). We'll now partition and format that activated device:
  • $ diskutil list disk6
    /dev/disk6
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:                            disk6                  *931.2 Gi   disk6
    
    $ diskutil partitionDisk disk6 1 GPTFormat "Case-sensitive Journaled HFS+" disk6 100%
    Started partitioning on disk disk6 disk6
    Creating partition map
    Formatting disk6s2 as Mac OS Extended (Case-sensitive, Journaled) with name disk6
    [ + 0%..10%..20%..30%..40%..50%..60%..70%..80%..90%..100% ] 
    Finished partitioning on disk disk6
    /dev/disk6
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *931.2 Gi   disk6
       1:                        EFI                         200.0 Mi   disk6s1
       2:                  Apple_HFS disk6                   930.9 Gi   disk6s2
    $ diskutil rename /dev/disk6s2 disk6s2
    $ diskutil list disk6
    /dev/disk6
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *931.2 Gi   disk6
       1:                        EFI                         200.0 Mi   disk6s1
       2:                  Apple_HFS disk6s2                 930.9 Gi   disk6s2
    
    We can now deactivate the device with TrueCrypt ("unmount") and mount it again - this time for real. We still have to enable the ownership model though: without it Mac OS X ignores the owner and permission bits stored on the volume and presents every file as owned by the mounting user. Note that vsdbutil records this setting per volume (keyed by its UUID) in /var/db/volinfo.database on the Mac you run it on, so it has to be repeated on every other Mac that mounts the volume; "vsdbutil -c" tells you the current state:
    $ vsdbutil -c /Volumes/disk6s2 
    No entry found for '/Volumes/disk6s2'.
    $ vsdbutil -a /Volumes/disk6s2
    $ vsdbutil -c /Volumes/disk6s2
    Permissions on '/Volumes/disk6s2' are enabled.
    
    $ diskutil info disk6s2
    [...]
       Device Identifier:        disk6s2
       Device Node:              /dev/disk6s2
       Mount Point:              /Volumes/disk6s2
       File System:              Case-sensitive Journaled HFS+
                                 Journal size 81920 KB at offset 0x1d19000
       Owners:                   Enabled
       Partition Type:           Apple_HFS
    
    Now we can really start using it. I still wonder why TrueCrypt (or Mac OS X) defaults to case-insensitivity and does not enable the ownership model by itself. (For the record: case-insensitive is simply the default HFS+ personality, and Mac OS X ignores ownership on every non-boot volume by default, no matter which tool formatted it.)
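    Since the ownership setting is per-host, it is worth re-checking the three properties (case-sensitive, journaled, owners enabled) every time the container is mounted on a Mac you have not set it up on. The following is an added example, not part of the original post: a small sh script that parses the "diskutil info" output shown above and fails if any of the properties is missing. The device name and the sample output embedded in it are constructed for the demonstration; the "verify_tc_volume" helper that runs the real "diskutil info" is only usable on Mac OS X and is not exercised by the sample run.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mounted TrueCrypt
# volume really is Case-sensitive Journaled HFS+ with ownership enabled.
# Ownership is enabled per host (vsdbutil writes /var/db/volinfo.database on
# the Mac where you ran it), so run this on every Mac that mounts the volume.

# check_volume_info reads `diskutil info` output on stdin and returns 0 only
# if the filesystem is case-sensitive, journaled and has owners enabled.
# Otherwise it lists what is missing on stderr and returns 1.
check_volume_info() {
    info=$(cat)
    missing=""
    # "File System:" (10.4/10.5) or "File System Personality:" (later releases)
    fs=$(printf '%s\n' "$info" | awk -F': *' \
        '/^ *File System( Personality)?:/ {gsub(/[ \t]+$/, "", $2); print $2; exit}')
    owners=$(printf '%s\n' "$info" | awk -F': *' \
        '/^ *Owners:/ {gsub(/[ \t]+$/, "", $2); print $2; exit}')
    case "$fs" in
        *Case-sensitive*) ;;
        *) missing="$missing case-sensitivity" ;;
    esac
    case "$fs" in
        *Journaled*) ;;
        *) missing="$missing journaling" ;;
    esac
    [ "$owners" = "Enabled" ] || missing="$missing ownership"
    if [ -n "$missing" ]; then
        printf 'volume check failed, missing:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# verify_tc_volume runs the real check for a device identifier such as
# disk6s2. Needs Mac OS X's diskutil; not run in the sample below.
verify_tc_volume() {
    diskutil info "$1" | check_volume_info
}

# Constructed sample output, modelled on the `diskutil info` listing above.
sample_good='   Device Identifier:        disk6s2
   Mount Point:              /Volumes/disk6s2
   File System:              Case-sensitive Journaled HFS+
                             Journal size 81920 KB at offset 0x1d19000
   Owners:                   Enabled'

# Same volume as it would look on a Mac where vsdbutil -a was never run
# and the volume had been formatted with the default HFS+ personality.
sample_bad='   Device Identifier:        disk6s2
   Mount Point:              /Volumes/disk6s2
   File System:              Journaled HFS+
   Owners:                   Disabled'

printf '%s\n' "$sample_good" | check_volume_info && echo "sample_good: ok"
printf '%s\n' "$sample_bad" | check_volume_info || echo "sample_bad: rejected as expected"
```

    On a real Mac, replace the sample run with "verify_tc_volume disk6s2" after TrueCrypt has mounted the volume; a non-zero exit means either "vsdbutil -a" still has to be run on this host or the volume was not formatted the way this post describes.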