How to make TrueCrypt work for normal users and with LTSPFS mounted local devices (e.g. USB drives)

Googling the subject and reading the TrueCrypt user manual, you get the feeling that TrueCrypt is only usable with root privileges, so normal users are left out in the cold. However, this is only partly true. The system administrator can set things up so that normal users are able to mount TrueCrypt volumes too, without opening up serious security holes.

The problem is this: TrueCrypt (referred to as TC later on) uses various commands to set up the mount of the encrypted filesystem, and many of these require root privileges (e.g. losetup, dmsetup and mount). The developers solved this by checking the current user's privileges: if the effective user ID is not that of the root user, TC asks for the user's or the administrator's password. Behind the scenes, the already running TC instance tries to start a new TC instance via sudo. First it tries this with the following command:
    echo "dummy" | sudo -S -p "" truecrypt --core-service
(Note: it does not actually execute an "echo", but pipes the "dummy" string into the new TC instance's standard input.)
The point of this is to check whether the user can execute TC via sudo without entering a password. If this fails, the already running TC instance asks you for a password and tries to launch a new TC instance by piping the password into sudo's standard input.

Knowing this, we can edit /etc/sudoers (by executing visudo) and add the following line:
    %users ALL = NOPASSWD: /usr/bin/truecrypt --core-service

This will allow members of the users group to use TC transparently (i.e. without entering their passwords in TC) to mount encrypted volumes. The only small security hole is that users can now (manually) specify any path for the volume that is to be mounted, and TC will have access to it (since the commands needed for the mount will run as root). However, since TC does not modify the specified file (or device) before the user enters the correct decryption password, this is not much of a threat. I.e. users will not have access to any file/data that they're not supposed to.

In the case of LTSP and USB drives there's one more obstacle. LTSP mounts USB drives (that are attached to the thin client) using LTSPFS, a FUSE-based filesystem. Thus by default only the current user can see the contents of the mounted filesystem. To put a TC volume on an LTSPFS mounted filesystem and mount the encrypted volume, we need the USB drive's LTSPFS to be accessible to the root user too (since TC mounts the volume container file as root). To achieve this we have to edit the /usr/sbin/ltspfsmounter script on the terminal server. In the definition of the add_ltspfsmount() function change the following line:
    ltspfs_mount = ['ltspfs', conn+':'+path, root+'/'+dev]
Into this:
    ltspfs_mount = ['ltspfs', conn+':'+path, root+'/'+dev, '-o', 'allow_root']

(Unfortunately the ltspfsmounter script does not allow customization through a config file, so you have to edit the hard-coded values in the script.)

And add the following option to /etc/fuse.conf:
    user_allow_other
(On Ubuntu this option is already there; you just have to remove the comment sign in front of it.)

The implication of this change is that processes with root's privileges will be able to access (read+write) the contents of any user's USB drives. In our case this means that e.g. users can try to use TC to mount volume container files on other users' mounted USB drives. It's up to you to decide whether you can live with that. (If a user knows the password to a TC container, she/he is already entitled to access it.)
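
A way to verify that the three settings above are in place and no broader than described. This is an added example, not part of the original post: the function names and the --audit switch are made up for illustration, and the default paths are the ones named in the text.

```shell
#!/bin/sh
# Added example: audit the sudoers rule, fuse.conf and ltspfsmounter edits.
# Each check takes the file path as an argument so it can be run on a copy.
# Only the given file is read; files included from sudoers are not followed.

# /etc/fuse.conf must contain an uncommented user_allow_other line.
check_fuse_conf() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "${1:-/etc/fuse.conf}"
}

# The ltspfs_mount list must still pass allow_root (an upgrade that replaces
# the script silently drops the hand edit).
check_ltspfsmounter() {
    grep -E '^[[:space:]]*ltspfs_mount[[:space:]]*=' "${1:-/usr/sbin/ltspfsmounter}" |
        grep -q "'allow_root'"
}

# A NOPASSWD rule for truecrypt must exist, and every truecrypt entry in it
# must be pinned to exactly "--core-service": sudoers lets a command listed
# without arguments run with any arguments.
check_sudoers_rule() {
    rules=$(grep -v '^[[:space:]]*#' "${1:-/etc/sudoers}" |
        grep 'NOPASSWD:.*/usr/bin/truecrypt') || return 1
    # Strip every correctly pinned entry; anything left over is too broad.
    rest=$(printf '%s\n' "$rules" | sed -E \
        -e 's/$/,/' \
        -e 's#/usr/bin/truecrypt[[:space:]]+--core-service[[:space:]]*,##g')
    case $rest in
        *'/usr/bin/truecrypt'*) return 1 ;;
    esac
    return 0
}

report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; rc=1; fi; }

# Run all checks against the live paths (needs root to read /etc/sudoers).
audit_tc_setup() {
    rc=0
    report check_sudoers_rule
    report check_fuse_conf
    report check_ltspfsmounter
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_tc_setup; fi
```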

That's all. Now users can use TrueCrypt without much hassle, including the option to store encrypted volume container files on LTSPFS mounted USB drives.

P.S.: the above instructions were tested with TrueCrypt 6.3a and Ubuntu Karmic (9.10). On 19th July TrueCrypt 7.0 was announced and reading through the "what's new" description it seems that nothing was changed that would break the instructions in this post (but I've not tested it yet).

Comments

Works for truecrypt 7.0a

Tested on truecrypt-7.0a-linux-x64.tar.gz
Works.

Re: Works for truecrypt 7.0a

Thanks for the feedback! I just recently upgraded our servers (at the office) to Maverick and I was told that something broke regarding the use of TrueCrypt volumes on LTSPFS mounted USB drives. I'll post my findings here once I get to fix the problem.

TrueCrypt on Ubuntu Maverick

The problem was that during the Ubuntu Karmic -> Maverick upgrade the /usr/sbin/ltspfsmounter Python script was replaced with a newer version, thus it has lost my customizations. Re-applying the same changes to the new version of that script fixed the problem, so the same method works with Maverick too.