TrueCrypt Automation using Shell Scripts on Mac OS X

This is probably a fairly unique situation, but I thought I’d post it here just to see how many people might have the same need. I use TrueCrypt almost exclusively as my encryption solution because it’s both cross-platform and open source, and because it’s highly secure and “just works”. Really, I don’t know why anyone wouldn’t use it; it really is the ideal encryption solution.

That said, I often find myself having to create new volumes, and I find that process to be relatively cumbersome. I prefer to have many smaller volumes than one or two large volumes, primarily because they sync up via Dropbox (actually just recently I switched to Google Drive), and online sync services do much better with smaller files than, say, a 50GB file.

The non-automated way to create and mount a volume seems to take ages; you run through the wizard, wait for the volume to be created, go hunt for the file, mount it, and then you’re finally good to go. It requires entering your password not once but three times, and just gets irritating after having to do it even once a day. To solve this, I looked into TrueCrypt’s command line options, and created a couple of shell scripts to make things much easier. Read on after the break to dive into the scripts.

These shell scripts were specifically built to be used on Mac OS X Lion (my current version is 10.7.3). I would imagine that they most likely work on any recent and forthcoming OS X version, but I have not tested them on anything other than 10.7.3. Most likely these also work (or can be easily adapted to work) on Linux, but again, I have not tested them there.

Let’s jump right into the code for the scripts. The first script I wrote I named “tc-create.sh” with the purpose of creating a new volume, immediately mounting it, and then dismounting it when the user is finished. Here comes the code…

DIR=$(cd "$(dirname "$0")"; pwd)
cd "$DIR"
clear
read -p "Please enter the name of the file to create: " ENCFILE
read -p "Please enter the name of an existing file to use as the random seed: " ENCSEED
read -p "Please enter the password to use for the encrypted file: " ENCPASSWORD
clear
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t -c "$ENCFILE" --random-source="$ENCSEED" --password="$ENCPASSWORD" --filesystem=FAT --volume-type=normal --encryption=AES --hash=ripemd-160 -k ""
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t --mount "$ENCFILE" "/Volumes/tc1" --password="$ENCPASSWORD" -k "" --protect-hidden=no
read -p "Copy files and then press Enter to dismount... "
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t -d
clear

You’ll want to copy and paste this into your favorite text editor and save the file with a “.sh” file extension. After saving the file, there are a couple of things you need to do in order to make the file executable and easy to open. The first is to change the permissions on the file to allow it to be executed. Open up Terminal and type the following:

chmod +x "/path/to/tc-create.sh"

Obviously you’ll need to change the path above to the correct path on your machine. In case you’re unaware of this feature, a path starting with “/path/to” begins at the root of your hard disk, while one starting with “~/path/to” begins in your user folder. If you’re unsure, use the tilde; “~/” refers to your user folder.

After the file is executable, you’ll need to change the file to open up in Terminal when you double-click it. This one’s a bit easier; right-click on the file in Finder and choose “Get Info”. Under “Open With”, either select Terminal from the list if it’s already there or select “Other…” and browse to find it (it should be in the Utilities folder inside your Applications folder). Once you’ve done this, you should be able to double-click on the file to run it in a Terminal window. Easy as pie, right? ;) (Sure wish Apple could have made that process a bit easier…)

Alright, so now that you know how to set the file up, let’s take a look at that code to see if there’s anything you might want to change. The first two lines simply get the directory of the script file, and change to that directory. This is so the script always defaults to creating and opening files in the same directory that the script is run from, so you don’t have to type long paths; ideally you’d just put the script file in the folder that contains your encrypted files. This way, when creating a new volume, you can just type “new-volume-file-name” instead of “/ridiculously/long/path/to/new-volume-file-name”.

Lines 4, 5, and 6 prompt you for the encrypted file name to create, an existing file to use as a random seed, and the password to use for the file. As stated earlier, for the files you can just type the file name without a path and it will be assumed to be in the same folder as the script file itself. You can remove line 5’s random seed request if you wish (you’ll also have to remove the --random-source="$ENCSEED" parameter on line 8), but this will make TrueCrypt prompt you to type 320 random characters, which gets annoying really fast, as it’s more characters than you would think (this is in place of the random mouse movements that the GUI asks you to perform). I find that picking a random file is usually faster than typing the characters. Keep in mind that you can drag any existing file over to the Terminal window to populate the file name; you don’t have to type it (in fact, I’d recommend this approach).

You’ll notice that when you type the password out with the current script, it displays on the screen in cleartext. This was done so that you only have to type the password once, to keep things fast. However, if you would rather not display the password on screen, you can add a -s switch to line 6 in order to hide your password.

Onto line 8; this is the line that actually calls TrueCrypt to create the new volume. Feel free to modify the filesystem, volume-type, encryption, and hash parameters to use whichever settings you’d like. I’ve defaulted them to the default settings in the GUI (which work great for most users). The -k "" parameter specifies that no keyfile will be used; if removed, TrueCrypt will prompt you for a keyfile.

Line 9 mounts the newly created volume. The only things you might want to change on this line would be to remove the -k "" in order to specify a keyfile, or change the "/Volumes/tc1" to use a different mount point for the volume, but you’re not likely going to need to change either of them.

Line 10 simply waits until you hit Enter before dismounting the file. The idea is to let you create and mount the file, move whatever files you need to the volume, and then go back to the Terminal to dismount the file. Line 11 dismounts all open volumes in TrueCrypt, and that’s about it. Whew.

We’re not quite done yet, though; I also created a script called “tc-mount.sh” that simply mounts an existing volume and dismounts it when done. Of course you can use the GUI for this fairly quickly and easily, but I still find this script to be ever-so-slightly faster:

DIR=$(cd "$(dirname "$0")"; pwd)
cd "$DIR"
clear
read -p "Please enter the name of the file to mount: " FILETOMOUNT
clear
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t --mount "$FILETOMOUNT" "/Volumes/tc1" -k "" --protect-hidden=no --display-password
clear
read -p "Press Enter to dismount... "
clear
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t -d

This script is much the same as the previous one, just without the volume creation; the password entry has also been moved to TrueCrypt itself instead of an external prompt (because TrueCrypt only requires it once for this operation anyway). It is also configured to display the password as you type; to hide it, simply remove the --display-password parameter from line 6. Everything else should be fairly straightforward, as it resembles what I’ve described above for the previous script. That said, don’t forget to change the permissions on the file and set it to open in Terminal as in the previous script.
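As an added example (not the post’s own scripts), here is one POSIX sh wrapper that covers both the tc-create.sh and tc-mount.sh flows with the checks a practitioner would want: it accepts only a bare file name, refuses to overwrite an existing volume, checks the random-source file, lets TrueCrypt prompt for the password instead of passing it on the command line (where `ps` and shell history can expose it), and dismounts only the volume it mounted, even on Ctrl-C. TC_BIN, MOUNT_POINT and MOUNTED_VOL are names of my own; the TrueCrypt options are the ones the post uses plus `-d VOLUME` from `truecrypt --help`.

```shell
#!/bin/sh
# Added example (not the post's scripts): one wrapper covering the tc-create.sh and
# tc-mount.sh flows. TC_BIN, MOUNT_POINT and MOUNTED_VOL are this example's own names.
set -u
TC_BIN="${TC_BIN:-/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt}"
MOUNT_POINT="${MOUNT_POINT:-/Volumes/tc1}"
MOUNTED_VOL=""

# Accept only a bare file name: no path components, nothing that looks like an option.
valid_volume_name() { case "$1" in ""|*/*|-*|.|..) return 1 ;; esac; }

# Preflight for creation: never overwrite an existing volume, and the random-source
# file must be a readable regular file. Prints the reason on failure.
check_create_args() {
  valid_volume_name "$1" || { echo "invalid volume name: $1"; return 1; }
  [ -e "$1" ] && { echo "refusing to overwrite existing file: $1"; return 1; }
  [ -f "$2" ] && [ -r "$2" ] || { echo "seed is not a readable file: $2"; return 1; }
  return 0
}

# Dismount only the volume this script mounted: a bare -d would dismount every
# TrueCrypt volume, including ones opened from the GUI. Safe to call twice.
dismount_volume() {
  [ -n "$MOUNTED_VOL" ] && "$TC_BIN" -t -d "$MOUNTED_VOL"
  MOUNTED_VOL=""
}

mount_volume() {
  valid_volume_name "$1" && [ -f "$1" ] || { echo "no such volume: $1"; return 1; }
  # No --password on the command line: TrueCrypt prompts with echo off, so the
  # password never lands in shell history or in `ps` output visible to other users.
  "$TC_BIN" -t --mount "$1" "$MOUNT_POINT" -k "" --protect-hidden=no || return 1
  MOUNTED_VOL="$1"
  trap dismount_volume EXIT INT TERM   # dismount on Enter, Ctrl-C or any error
  printf 'Copy files, then press Enter to dismount... '; read -r dummy
}

create_and_mount() {
  printf 'Volume file to create: '; read -r vol
  printf 'Existing file to use as random seed: '; read -r seed
  check_create_args "$vol" "$seed" || return 1
  "$TC_BIN" -t -c "$vol" --random-source="$seed" --filesystem=FAT \
    --volume-type=normal --encryption=AES --hash=ripemd-160 -k "" || return 1
  mount_volume "$vol"
}

cd "$(dirname "$0")" || exit 1          # work next to the script, as the post does
case "${1:-}" in
  create) create_and_mount ;;
  mount)  printf 'Volume file to mount: '; read -r vol; mount_volume "$vol" ;;
esac
```

Run it as `tc.sh create` or `tc.sh mount` from the folder that holds your volumes; TrueCrypt still prompts for the volume size and password exactly as it does in text mode.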

If you find this useful, please leave me a comment below to let me know. If you find any issues or have anything to add, of course let me know as well. If I find that this article has a large enough response, I’m thinking I might load up Xcode and build a native app that lets you highlight a set of files, and automatically move them to a new TrueCrypt volume; seems like that would be of significant use. Any thoughts there? I may also look to build scripts for Windows and/or Linux if I see the need…

Thanks for reading and I hope you find it useful. :)

This entry was posted in Encryption, Mac OS X, Shell Scripts, Technology, TrueCrypt.