Provided by: tcplay_1.1-4_amd64 bug

NAME

     tcplay — tool to manage TrueCrypt volumes

SYNOPSIS

     tcplay -c -d device [-g] [-z] [-w] [-a pbkdf_hash] [-b cipher] [-f keyfile_hidden]
            [-k keyfile] [-x pbkdf_hash] [-y cipher]
     tcplay -i -d device [-e] [-f keyfile_hidden] [-k keyfile] [-s system_device] [--fde]
            [--use-backup]
     tcplay -j mapping
     tcplay -m mapping -d device [-e] [-f keyfile_hidden] [-k keyfile] [-s system_device] [--fde]
            [--use-backup]
     tcplay --modify -d device [-k keyfile] [--new-keyfile new_keyfile]
            [--new-pbkdf-prf pbkdf_hash] [-s system_device] [--fde] [--use-backup] [-w]
     tcplay --modify -d device [-k keyfile] --restore-from-backup-hdr [-w]
     tcplay -u mapping
     tcplay -h | -v

DESCRIPTION

     The tcplay utility provides full support for creating and opening/mapping TrueCrypt-
     compatible volumes.  It supports the following commands, each with a set of options detailed
     further below:

     -c, --create
             Create a new encrypted TrueCrypt volume on the device specified by --device.

     -h, --help
             Print help message and exit.

     -i, --info
             Print out information about the encrypted device specified by --device.

     -j mapping, --info-mapped=mapping
             Print out information about the mapped tcplay volume specified by mapping.
             Information such as key CRC and the PBKDF2 PRF is not available via this command.

     --modify
             Modify the volume header.  This mode allows changing passphrase, keyfiles, PBKDF2
             PRF as well as restoring from a backup header.

     -m mapping, --map=mapping
             Map the encrypted TrueCrypt volume on the device specified by --device as a dm(4)
             mapping called mapping.  The mapping argument should not contain any spaces or
             special characters.

     -u mapping, --unmap=mapping
             Removes (unmaps) the dm(4) mapping specified by mapping as well as any related
             cascade mappings.  If you mapped a volume using full disk encryption and created
             mapping for individual partitions using kpartx(8), you must remove these prior to
             unmapping the volume.

     -v, --version
             Print version message and exit.

     Options common to all commands are:

     -d device, --device=device
             Specifies the disk device on which the TrueCrypt volume resides/will reside.  This
             option is mandatory for all commands.

     -f keyfile_hidden, --keyfile-hidden=keyfile_hidden
             Specifies a keyfile to use in addition to the passphrase when either creating a
             hidden volume or when protecting a hidden volume while mapping or querying the outer
             volume.  If you only intend to map a hidden volume, the --keyfile option has to be
             used.  This option can appear multiple times; if so, multiple keyfiles will be used.
             This option is not valid in the --modify mode.

     -k keyfile, --keyfile=keyfile
             Specifies a keyfile to use in addition to the passphrase.  This option can appear
             multiple times; if so, multiple keyfiles will be used.

     Additional options for the --create command are:

     -a pbkdf_hash, --pbkdf-prf=pbkdf_hash
             Specifies which hash algorithm to use for the PBKDF2 password derivation.  To see
             which algorithms are supported, specify --pbkdf-prf=help.

     -b cipher, --cipher=cipher
             Specifies which cipher algorithm or cascade of ciphers to use to encrypt the new
             volume.  To see which algorithms are supported, specify --cipher=help.

     -g, --hidden
             Specifies that the newly created volume will contain a hidden volume.  The keyfiles
             applied to the passphrase for the hidden volume are those specified by
             --keyfile-hidden.  The user will be prompted for the size of the hidden volume
             interactively.

     -w, --weak-keys
             Use urandom(4) for key material instead of a strong entropy source.  This is in
             general a really bad idea and should only be used for testing.

     -x pbkdf_hash, --pbkdf-prf-hidden=pbkdf_hash
             Specifies which hash algorithm to use for the PBKDF2 password derivation for the
             hidden volume.  Only valid in conjunction with --hidden.  If no algorithm is
             specified, the same as for the outer volume will be used.  To see which algorithms
             are supported, specify --pbkdf-prf-hidden=help.

     -y cipher, --cipher-hidden=cipher
             Specifies which cipher algorithm or cascade of ciphers to use to encrypt the hidden
             volume on the new TrueCrypt volume.  Only valid in conjunction with --hidden.  If no
             cipher is specified, the same as for the outer volume will be used.  To see which
             algorithms are supported, specify --cipher-hidden=help.

     -z, --insecure-erase
             Skips the secure erase of the disk.  Use this option carefully as it is a security
             risk!

     Additional options for the --info, --map and --modify commands are:

     -e, --protect-hidden
             Specifies that an outer volume will be queried or mapped, but its reported size will
             be adjusted accordingly to the size of the hidden volume contained in it.  Both the
             hidden volume and outer volume passphrase and keyfiles will be required.  This
             option only applies to the --info and --map commands.

     -s system_device, --system-encryption=system_device
             This option is required if you are attempting to access a device that uses system
             encryption, for example an encrypted Windows system partition.  It does not apply to
             disks using full disk encryption.  The --device option will point at the actual
             encrypted partition, while the system_device argument will point to the parent
             device (i.e. underlying physical disk) of the encrypted partition.

     --fde   This option is intended to be used with disks using full disk encryption (FDE).
             When a disk has been encrypted using TrueCrypt's FDE, the complete disk is encrypted
             except for the first 63 sectors.  The --device option should point to the whole disk
             device, not to any particular partition.  The resultant mapping will cover the whole
             disk, and will not appear as separate partitions.  To access individual partitions
             after mapping, kpartx(8) can be used.

     --use-backup
             This option is intended to be used when the primary headers of a volume have been
             corrupted.  This option will force tcplay to use the backup headers, which are
             located at the end of the device, to access the volume.

     Additional options only for the --modify command are:

     --new-pbkdf-prf=pbkdf_hash
             Specifies which hash algorithm to use for the PBKDF2 password derivation on
             reencrypting the volume header.  If this option is not specified, the reencrypted
             header will use the current PRF.  To see which algorithms are supported, specify
             --pbkdf-prf=help.

     --new-keyfile=keyfile
             Specifies a keyfile to use in addition to the new passphrase on reencrypting the
             volume header.  This option can appear multiple times; if so, multiple keyfiles will
             be used.

     --restore-from-backup-hdr
             If this option is specified, neither --new-pbkdf-prf nor --new-keyfile should be
             specified.  This option implies --use-backup.  Use this option to restore the volume
             headers from the backup header.

NOTES

     TrueCrypt limits passphrases to 64 characters (including the terminating null character).
     To be compatible with it, tcplay does the same.  All passphrases (excluding keyfiles) are
     trimmed to 64 characters.  Similarly, keyfiles are limited to a size of 1 MB, but up to 256
     keyfiles can be used.

PLAUSIBLE DENIABILITY

     tcplay offers plausible deniability. Hidden volumes are created within an outer volume.
     Which volume is accessed solely depends on the passphrase and keyfile(s) used.  If the
     passphrase and keyfiles for the outer volume are specified, no information about the
     existance of the hidden volume is exposed.  Without knowledge of the passphrase and
     keyfile(s) of the hidden volume its existence remains unexposed.  The hidden volume can be
     protected when mapping the outer volume by using the --protect-hidden option and specifying
     the passphrase and keyfiles for both the outer and hidden volumes.

EXAMPLES

     Create a new TrueCrypt volume on /dev/vn0 using the cipher cascade of AES and Twofish and
     the Whirlpool hash algorithm for PBKDF2 password derivation and two keyfiles, one.key and
     two.key:

           tcplay --create --device=/dev/vn0 --cipher=AES-256-XTS,TWOFISH-256-XTS
           --pbkdf-prf=whirlpool --keyfile=one.key --keyfile=two.key

     Map the outer volume on the TrueCrypt volume on /dev/vn0 as truecrypt1, but protect the
     hidden volume, using the keyfile hidden.key, from being overwritten:

           tcplay --map=truecrypt1 --device=/dev/vn0 --protect-hidden --keyfile-hidden=hidden.key

     Map the hidden volume on the TrueCrypt volume on /dev/vn0 as truecrypt2, using the keyfile
     hidden.key:

           tcplay --map=truecrypt2 --device=/dev/vn0 --keyfile=hidden.key

     Map and mount the volume in the file secvol on Linux:

           losetup /dev/loop1 secvol

           tcplay --map=secv --device=/dev/loop1

           mount /dev/mapper/secv /mnt

     Similarly on DragonFly:

           vnconfig vn1 secvol

           tcplay --map=secv --device=/dev/vn1

           mount /dev/mapper/secv /mnt

     Unmapping the volume truecrypt2 on both Linux and DragonFly after unmounting:

           dmsetup remove truecrypt2

     Or alternatively:

           tcplay --unmap=truecrypt2

     A hidden volume whose existance can be plausibly denied and its outer volume can for example
     be created with

           tcplay --create --hidden --device=/dev/loop0 --cipher=AES-256-XTS,TWOFISH-256-XTS
           --pbkdf-prf=whirlpool --keyfile=one.key --cipher-hidden=AES-256-XTS
           --pbkdf-prf-hidden=whirlpool --keyfile-hidden=hidden.key

     tcplay will prompt the user for the passphrase for both the outer and hidden volume as well
     as the size of the hidden volume inside the outer volume.  The hidden volume will be created
     inside the area spanned by the outer volume.  The hidden volume can optionally use a
     different cipher and prf function as specified by the --cipher-hidden and --pbkdf-prf-hidden
     options.  Which volume is later accessed depends only on which passphrase and keyfile(s) are
     being used, so that the existance of the hidden volume remains unknown without knowledge of
     the passphrase and keyfile it is protected by since it is located within the outer volume.
     To map the outer volume without potentially damaging the hidden volume, the passphrase and
     keyfile(s) of the hidden volume must be known and provided alongside the --protect-hidden
     option.

     A disk encrypted using full disk encryption can be mapped using

           tcplay --map=tcplay_sdb --device=/dev/sdb --fde

     To access individual partitions on the now mapped disk, the following command will generate
     mappings for each individual partition on the encrypted disk:

           kpartx --av /dev/mapper/tcplay_sdb

SEE ALSO

     crypttab(5), cryptsetup(8), dmsetup(8), kpartx(8)

HISTORY

     The tcplay utility appeared in DragonFly 2.11.

AUTHORS

     Alex Hornung