realcrypt

Language: en

Version: March 2007 (mandriva - 01/05/08)

Section: 1 (User commands)

NAME

realcrypt - manage RealCrypt volumes

SYNOPSIS

realcrypt [OPTIONS] VOLUME_PATH [MOUNT_DIRECTORY]
realcrypt [OPTIONS] -i
realcrypt [OPTIONS] -c | --create | -C | --change [VOLUME_PATH]
realcrypt [OPTIONS] -d | --dismount | -l | --list [MAPPED_VOLUME]
realcrypt [OPTIONS] --backup-headers | --restore-header FILE [VOLUME]
realcrypt [OPTIONS] --properties [VOLUME_PATH]
realcrypt [OPTIONS] --keyfile-create FILE
realcrypt -h | --help | --test | -V | --version

DESCRIPTION

Manages encrypted RealCrypt volumes, which can be mapped as virtual block devices and used as any other standard block device. All data being read from a mapped RealCrypt volume is transparently decrypted and all data being written to it is transparently encrypted.

OPTIONS

VOLUME_PATH [MOUNT_DIRECTORY]

Open the RealCrypt volume specified by VOLUME_PATH and map it as the block device /dev/mapper/realcryptN, where N is the first available device number unless otherwise specified with -N. The filesystem of the mapped volume is mounted at MOUNT_DIRECTORY if one is given. To open a hidden volume, specify its password and/or keyfiles (the outer volume cannot be mapped at the same time). See also EXAMPLES and options --display-password, --filesystem, -k, -M, -p, -P, --password-tries, -r, -u, --update-time. Note that passing some of the options may affect security (see options -i and -p for more information).

--backup-headers BACKUP_FILE [VOLUME_PATH]

Backup headers of a volume specified by VOLUME_PATH to a file BACKUP_FILE. Volume path is requested from user if not specified on command line. Both normal/outer and hidden volume headers are stored in the backup file even if there is no hidden volume within the volume (to preserve plausible deniability). When restoring the volume header, it is possible to select which header is to be restored. Note that this command drops effective user ID. See also --restore-header.

-c, --create [VOLUME_PATH]

Create a new volume. Most options are requested from the user if not specified on the command line. A hidden volume can be created only in an existing file or device. The size of the hidden volume should not exceed the free space of the filesystem on the outer volume. Hidden volume protection (see option -P) should be used to update the outer volume contents after the hidden volume is created. WARNING: To prevent data corruption, you should follow the instructions in the EXAMPLES section on how to create a hidden volume. Note that this command drops effective user ID. See also options --cluster, --disable-progress, --display-keys, --encryption, -k, --filesystem, --hash, -p, --random-source, --quick, --size, --type. Note that passing some of the options may affect security (see option -p for more information).

-C, --change [VOLUME_PATH]

Change a password and/or keyfile(s) of a volume. Volume path and passwords are requested from user if not specified on command line. PKCS-5 PRF HMAC hash algorithm can be changed with option --hash. See also options -k, --keyfile-add, -p, --random-source, -v.

-d, --dismount [MAPPED_VOLUME]

Dismount and unmap mapped volumes. If MAPPED_VOLUME is not specified, all volumes are dismounted and unmapped. See below for a description of MAPPED_VOLUME.

-h, --help

Display help information.

-i, --interactive

Map and mount a volume interactively. Options which may affect security are requested from the user. See option -p for more information.

-l, --list [MAPPED_VOLUME]

Display a list of mapped volumes. If MAPPED_VOLUME is not specified, all volumes are listed. By default, the list contains only volume path and mapped device name pairs. A more detailed list can be enabled by verbose output option (-v). See below for a description of MAPPED_VOLUME.

--keyfile-create FILE

Create a new keyfile using the random number generator. FILE argument specifies the output file. Note that this command drops effective user ID.

--properties [VOLUME_PATH]

Display properties of a volume specified by VOLUME_PATH.

--restore-header BACKUP_FILE [VOLUME_PATH]

Restore header of a volume specified by VOLUME_PATH from a file BACKUP_FILE. Volume path is requested from user if not specified on command line. Type of the restored volume header (normal/hidden) is requested from user if not specified with --type. Note that this command drops effective user ID. See also --backup-headers.

--test

Test all internal algorithms used in the process of encryption and decryption.

-V, --version

Display program version and legal notices.

MAPPED_VOLUME:

Specifies a mapped or mounted volume. One of the following forms can be used:
1) Path to the encrypted RealCrypt volume.
2) Mount directory of the volume's filesystem (if mounted).
3) Device number of the mapped volume.
4) Device name of the mapped volume.

--cluster SIZE

Use specified cluster size when creating a new volume. SIZE defines the number of sectors per cluster.

--disable-progress

Disable display of progress information during creation of a new volume.

--display-keys

Display encryption keys generated during creation of a new volume.

--display-password

Display password characters while typing.

--encryption ENCRYPTION_ALGORITHM

Use specified encryption algorithm when creating a new volume.

--filesystem TYPE

Filesystem type to mount. The TYPE argument is passed to mount(8) command with option -t. Default type is 'auto'. When creating a new volume, this option specifies the filesystem to be created on the new volume.

--hash HASH

Use specified hash algorithm when creating a new volume or changing password and/or keyfiles.

-k, --keyfile FILE | DIRECTORY

Use specified keyfile to open a volume to be mapped (or when changing password and/or keyfiles). When a directory is specified, all files inside it will be used (non-recursively). Additional keyfiles can be specified with multiple -k options. Empty keyfile (-k '') disables interactive requests for keyfiles (e.g., when creating a new volume). See also option -K.

-K, --keyfile-protected FILE | DIRECTORY

Use specified keyfile to open a hidden volume to be protected. This option may be used only when mounting an outer volume with hidden volume protected. See also options -k and -P.

--keyfile-add FILE | DIRECTORY

Add the specified keyfile to a volume when changing its password and/or keyfiles. This option must also be used to keep all previous keyfiles assigned to a volume. See EXAMPLES for more information.

-M, --mount-options OPTIONS

Filesystem mount options. The OPTIONS argument is passed to mount(8) command with option -o. This option can be specified only by an administrator. See also options -r and -u.

-N, --device-number N

Use device number N when mapping a volume as a block device /dev/mapper/realcryptN. Default is the first available device.

--overwrite

Overwrite files without prompting the user for confirmation.

-p, --password PASSWORD

Use specified password to open a volume. Additional passwords can be specified with multiple -p options. An empty password can also be specified ('' in most shells). Note that passing a password on the command line is potentially insecure as the password may be visible in the process list (see ps(1)) and/or stored in a command history file.

--password-tries NUMBER

Prompt up to NUMBER times for a password until the correct password is entered. The default is to prompt three times.

-P, --protect-hidden

Write-protect a hidden volume when mapping an outer volume. Before mapping the outer volume, the user will be prompted for a password to open the hidden volume. The size and position of the hidden volume are then determined and the outer volume is mapped with all sectors belonging to the hidden volume protected against write operations. When a write to the protected area is prevented, the whole volume is switched to read-only mode. The verbose list command (-vl) can be used to query the state of the hidden volume protection. A warning message is displayed when a volume that has been switched to read-only is dismounted. See also options -r and -i.

--quick

Use quick format when creating a new volume. This option can be used only when creating a device-hosted volume. Quick format is always used when creating a hidden volume.

--random-source FILE

Use FILE as a source of random numbers. Standard input is used if '-' is specified.

-r, --read-only

Map and mount a volume as read-only. Write operations to the volume may not fail immediately due to the write buffering performed by the system, but the physical write will still be prevented.

--size SIZE

Use specified size when creating a new volume. SIZE is defined as number of bytes or, when a size suffix K/M/G is used, Kilobytes/Megabytes/Gigabytes. Note that size must be a multiple of 512 bytes.

--type TYPE

Use specified volume type when creating a new volume or restoring a volume header. TYPE can be 'normal' or 'hidden'.

-u, --user-mount

Set default user and group ID of the filesystem being mounted to the user and group ID of the process which executed RealCrypt. Some filesystems (e.g., FAT) do not support Unix-style access control and, therefore, it is necessary to supply a default user and group ID to the operating system when mounting them. Note that Unix-style filesystems (e.g., ext2) do not support this option.

--update-time

Do not preserve access and modification timestamps of volume containers and access timestamps of keyfiles. By default, timestamps are restored after a volume is unmapped or after a keyfile is closed.

-v, --verbose

Enable verbose output. Multiple -v options can be specified to increase the level of verbosity.

EXAMPLES

realcrypt /root/volume.tc /mnt/tc

Map a volume /root/volume.tc and mount its filesystem at directory /mnt/tc.

realcrypt -u /dev/hda2 /mnt/tc

Map a volume /dev/hda2 (first ATA disk, primary partition 2) and mount its filesystem at /mnt/tc. Default user-id is set, which is useful when mounting a filesystem such as FAT under a non-admin user account.

realcrypt -i

Map and mount a volume. Options are requested interactively.

realcrypt -d

Dismount and unmap all mapped volumes.

realcrypt -d /root/volume.tc

Dismount and unmap a volume /root/volume.tc.

realcrypt -d /mnt/tc

Dismount and unmap a volume mounted at /mnt/tc.

realcrypt -vl

Display a detailed list of all mapped volumes.

realcrypt -N 1 /dev/hdc1 && mkfs /dev/mapper/realcrypt1

Map a volume /dev/hdc1 and create a new filesystem on it.

realcrypt -P /dev/hdc1 /mnt/tc

Map and mount outer volume /dev/hdc1 and protect hidden volume within it.

realcrypt -p '' -p '' -k key1 -k key2 -K key_hidden -P volume.tc

Map outer volume ./volume.tc and protect hidden volume within it. The outer volume is opened with keyfiles ./key1 and ./key2 and the hidden volume with ./key_hidden. Passwords for both volumes are empty.

realcrypt -c

Create a new volume. Options are requested interactively.

realcrypt -c /dev/hda2

Create a new volume hosted at the second primary partition of the first ATA disk.

realcrypt -k keyfile --size 10M --encryption AES --hash SHA-1 -c vol.tc

Create a new volume. Options which are not specified on command line are requested from the user.

realcrypt --keyfile-add keyfile -C volume.tc

Change password and add a new keyfile to volume.

realcrypt -k keyfile -C volume.tc

Change password and remove a keyfile from volume.

realcrypt -k keyfile --keyfile-add keyfile -C volume.tc

Change password and keep previous keyfile.

Creating a hidden volume without risking data corruption:

1) Create an outer volume:
realcrypt --type normal --size 100M -c volume.tc
2) Create a hidden volume:
realcrypt --type hidden --size 50M -c volume.tc
3) Mount the outer volume with the hidden volume protected:
realcrypt -P volume.tc /mnt/tc
4) Copy files to the outer volume:
cp outer_volume_file.txt /mnt/tc
5) Dismount the outer volume:
realcrypt -d volume.tc
6) If a warning message has been displayed in 5), start again from 1). Either a larger outer volume should be created in 1), or less data should be copied to the outer volume in 4).
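The six-step procedure above as a shell script, added here as an example and not part of the realcrypt man page. It assumes realcrypt is on PATH, and that the step-5 warning contains the word "warning" (the man page does not give its exact text); the size checks follow the --size and hidden-volume rules stated under OPTIONS.

```shell
#!/bin/sh
# Added example, not part of the realcrypt man page: scripts the six-step
# hidden-volume procedure from EXAMPLES with the checks the page implies.
# Assumptions: realcrypt is on PATH, and the warning printed when dismounting
# a volume that switched to read-only contains the word "warning" (the man
# page does not give its exact text, so the match is case-insensitive).
set -e

# Convert a --size argument (plain bytes, or a K/M/G suffix) to bytes.
rc_size_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# Sizes must be multiples of 512 bytes, and the hidden volume must be
# smaller than the outer volume it lives in.
rc_check_sizes() {
    o_bytes=$(rc_size_bytes "$1")
    h_bytes=$(rc_size_bytes "$2")
    [ $(( o_bytes % 512 )) -eq 0 ] && [ $(( h_bytes % 512 )) -eq 0 ] &&
        [ "$h_bytes" -lt "$o_bytes" ]
}

# Step 5: dismount. Fails when realcrypt warns that the volume was switched
# to read-only, i.e. a write hit the protected hidden area (step 6 applies).
rc_dismount_clean() {
    out=$(realcrypt -d "$1" 2>&1) || return 1
    ! printf '%s\n' "$out" | grep -qi warning
}

# Steps 1-5; returns 1 if step 6 says to start again with a larger outer
# volume or less data.  Usage: rc_make_hidden VOLUME OUTER HIDDEN MOUNT_DIR FILE...
rc_make_hidden() {
    vol=$1; outer=$2; hidden=$3; mnt=$4; shift 4
    rc_check_sizes "$outer" "$hidden" || { echo "bad sizes" >&2; return 1; }
    realcrypt --type normal --size "$outer" -c "$vol"    # 1) outer volume
    realcrypt --type hidden --size "$hidden" -c "$vol"   # 2) hidden volume
    realcrypt -P "$vol" "$mnt"                           # 3) mount, hidden protected
    cp "$@" "$mnt"                                       # 4) copy files in
    rc_dismount_clean "$vol"                             # 5) and 6)
}

if [ "$#" -ge 5 ]; then rc_make_hidden "$@"; fi
```

Run as `sh script.sh volume.tc 100M 50M /mnt/tc outer_volume_file.txt`; a non-zero exit means the outer volume was switched to read-only and the procedure must be repeated from step 1.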

DIAGNOSTICS

Exit status 0 is returned if all requested actions completed successfully, otherwise 1 is returned. The kernel module reports errors via the system log with facility kern. See syslogd(8) for more information.

REPORTING BUGS

Report bugs at <http://qa.mandriva.com/>.

Released under the TrueCrypt Collective License 1.1

Based on TrueCrypt, freely available at http://www.truecrypt.org/
Copyright © 2003-2007 TrueCrypt Foundation. All Rights Reserved.
Copyright © 1998-2000 Paul Le Roux. All Rights Reserved.
Copyright © 1999-2006 Dr. Brian Gladman. All Rights Reserved.
Copyright © 1995-1997 Eric Young. All Rights Reserved.
Copyright © 2001 Markus Friedl. All Rights Reserved.

SEE ALSO

http://wiki.mandriva.com/en/RealCrypt
mount(8), umount(8), losetup(8), fuser(1), mkfs(8), fsck(8), dmsetup(8)