Provided by: tcplay_1.1-4_amd64 
NAME
tcplay — tool to manage TrueCrypt volumes
SYNOPSIS
tcplay -c -d device [-g] [-z] [-w] [-a pbkdf_hash] [-b cipher] [-f keyfile_hidden] [-k keyfile]
[-x pbkdf_hash] [-y cipher]
tcplay -i -d device [-e] [-f keyfile_hidden] [-k keyfile] [-s system_device] [--fde] [--use-backup]
tcplay -j mapping
tcplay -m mapping -d device [-e] [-f keyfile_hidden] [-k keyfile] [-s system_device] [--fde] [--use-backup]
tcplay --modify -d device [-k keyfile] [--new-keyfile new_keyfile] [--new-pbkdf-prf pbkdf_hash]
[-s system_device] [--fde] [--use-backup] [-w]
tcplay --modify -d device [-k keyfile] --restore-from-backup-hdr [-w]
tcplay -u mapping
tcplay -h | -v
DESCRIPTION
The tcplay utility provides full support for creating and opening/mapping TrueCrypt-compatible volumes. It
supports the following commands, each with a set of options detailed further below:
-c, --create
Create a new encrypted TrueCrypt volume on the device specified by --device.
-h, --help
Print help message and exit.
-i, --info
Print out information about the encrypted device specified by --device.
-j mapping, --info-mapped=mapping
Print out information about the mapped tcplay volume specified by mapping. Information such as key
CRC and the PBKDF2 PRF is not available via this command.
--modify
Modify the volume header. This mode allows changing passphrase, keyfiles, PBKDF2 PRF as well as
restoring from a backup header.
-m mapping, --map=mapping
Map the encrypted TrueCrypt volume on the device specified by --device as a dm(4) mapping called
mapping. The mapping argument should not contain any spaces or special characters.
-u mapping, --unmap=mapping
Removes (unmaps) the dm(4) mapping specified by mapping as well as any related cascade mappings.
If you mapped a volume using full disk encryption and created mapping for individual partitions
using kpartx(8), you must remove these prior to unmapping the volume.
-v, --version
Print version message and exit.
Options common to all commands are:
-d device, --device=device
Specifies the disk device on which the TrueCrypt volume resides/will reside. This option is
mandatory for all commands.
-f keyfile_hidden, --keyfile-hidden=keyfile_hidden
Specifies a keyfile to use in addition to the passphrase when either creating a hidden volume or
when protecting a hidden volume while mapping or querying the outer volume. If you only intend to
map a hidden volume, the --keyfile option has to be used. This option can appear multiple times;
if so, multiple keyfiles will be used. This option is not valid in the --modify mode.
-k keyfile, --keyfile=keyfile
Specifies a keyfile to use in addition to the passphrase. This option can appear multiple times;
if so, multiple keyfiles will be used.
Additional options for the --create command are:
-a pbkdf_hash, --pbkdf-prf=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password derivation. To see which algorithms
are supported, specify --pbkdf-prf=help.
-b cipher, --cipher=cipher
Specifies which cipher algorithm or cascade of ciphers to use to encrypt the new volume. To see
which algorithms are supported, specify --cipher=help.
-g, --hidden
Specifies that the newly created volume will contain a hidden volume. The keyfiles applied to the
passphrase for the hidden volume are those specified by --keyfile-hidden. The user will be
prompted for the size of the hidden volume interactively.
-w, --weak-keys
Use urandom(4) for key material instead of a strong entropy source. This is in general a really
bad idea and should only be used for testing.
-x pbkdf_hash, --pbkdf-prf-hidden=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password derivation for the hidden volume.
Only valid in conjunction with --hidden. If no algorithm is specified, the same as for the outer
volume will be used. To see which algorithms are supported, specify --pbkdf-prf-hidden=help.
-y cipher, --cipher-hidden=cipher
Specifies which cipher algorithm or cascade of ciphers to use to encrypt the hidden volume on the
new TrueCrypt volume. Only valid in conjunction with --hidden. If no cipher is specified, the
same as for the outer volume will be used. To see which algorithms are supported, specify
--cipher-hidden=help.
-z, --insecure-erase
Skips the secure erase of the disk. Use this option carefully as it is a security risk!
Additional options for the --info, --map and --modify commands are:
-e, --protect-hidden
Specifies that an outer volume will be queried or mapped, but its reported size will be adjusted
accordingly to the size of the hidden volume contained in it. Both the hidden volume and outer
volume passphrase and keyfiles will be required. This option only applies to the --info and --map
commands.
-s system_device, --system-encryption=system_device
This option is required if you are attempting to access a device that uses system encryption, for
example an encrypted Windows system partition. It does not apply to disks using full disk
encryption. The --device option will point at the actual encrypted partition, while the
system_device argument will point to the parent device (i.e. underlying physical disk) of the
encrypted partition.
--fde This option is intended to be used with disks using full disk encryption (FDE). When a disk has
been encrypted using TrueCrypt's FDE, the complete disk is encrypted except for the first 63
sectors. The --device option should point to the whole disk device, not to any particular
partition. The resultant mapping will cover the whole disk, and will not appear as separate
partitions. To access individual partitions after mapping, kpartx(8) can be used.
--use-backup
This option is intended to be used when the primary headers of a volume have been corrupted. This
option will force tcplay to use the backup headers, which are located at the end of the device, to
access the volume.
Additional options only for the --modify command are:
--new-pbkdf-prf=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password derivation on reencrypting the volume
header. If this option is not specified, the reencrypted header will use the current PRF. To see
which algorithms are supported, specify --pbkdf-prf=help.
--new-keyfile=keyfile
Specifies a keyfile to use in addition to the new passphrase on reencrypting the volume header.
This option can appear multiple times; if so, multiple keyfiles will be used.
--restore-from-backup-hdr
If this option is specified, neither --new-pbkdf-prf nor --new-keyfile should be specified. This
option implies --use-backup. Use this option to restore the volume headers from the backup header.
NOTES
TrueCrypt limits passphrases to 64 characters (including the terminating null character). To be compatible
with it, tcplay does the same. All passphrases (excluding keyfiles) are trimmed to 64 characters.
Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles can be used.
PLAUSIBLE DENIABILITY
tcplay offers plausible deniability. Hidden volumes are created within an outer volume. Which volume is
accessed solely depends on the passphrase and keyfile(s) used. If the passphrase and keyfiles for the
outer volume are specified, no information about the existance of the hidden volume is exposed. Without
knowledge of the passphrase and keyfile(s) of the hidden volume its existence remains unexposed. The
hidden volume can be protected when mapping the outer volume by using the --protect-hidden option and
specifying the passphrase and keyfiles for both the outer and hidden volumes.
EXAMPLES
Create a new TrueCrypt volume on /dev/vn0 using the cipher cascade of AES and Twofish and the Whirlpool
hash algorithm for PBKDF2 password derivation and two keyfiles, one.key and two.key:
tcplay --create --device=/dev/vn0 --cipher=AES-256-XTS,TWOFISH-256-XTS --pbkdf-prf=whirlpool
--keyfile=one.key --keyfile=two.key
Map the outer volume on the TrueCrypt volume on /dev/vn0 as truecrypt1, but protect the hidden volume,
using the keyfile hidden.key, from being overwritten:
tcplay --map=truecrypt1 --device=/dev/vn0 --protect-hidden --keyfile-hidden=hidden.key
Map the hidden volume on the TrueCrypt volume on /dev/vn0 as truecrypt2, using the keyfile hidden.key:
tcplay --map=truecrypt2 --device=/dev/vn0 --keyfile=hidden.key
Map and mount the volume in the file secvol on Linux:
losetup /dev/loop1 secvol
tcplay --map=secv --device=/dev/loop1
mount /dev/mapper/secv /mnt
Similarly on DragonFly:
vnconfig vn1 secvol
tcplay --map=secv --device=/dev/vn1
mount /dev/mapper/secv /mnt
Unmapping the volume truecrypt2 on both Linux and DragonFly after unmounting:
dmsetup remove truecrypt2
Or alternatively:
tcplay --unmap=truecrypt2
A hidden volume whose existance can be plausibly denied and its outer volume can for example be created
with
tcplay --create --hidden --device=/dev/loop0 --cipher=AES-256-XTS,TWOFISH-256-XTS
--pbkdf-prf=whirlpool --keyfile=one.key --cipher-hidden=AES-256-XTS --pbkdf-prf-hidden=whirlpool
--keyfile-hidden=hidden.key
tcplay will prompt the user for the passphrase for both the outer and hidden volume as well as the size of
the hidden volume inside the outer volume. The hidden volume will be created inside the area spanned by
the outer volume. The hidden volume can optionally use a different cipher and prf function as specified by
the --cipher-hidden and --pbkdf-prf-hidden options. Which volume is later accessed depends only on which
passphrase and keyfile(s) are being used, so that the existance of the hidden volume remains unknown
without knowledge of the passphrase and keyfile it is protected by since it is located within the outer
volume. To map the outer volume without potentially damaging the hidden volume, the passphrase and
keyfile(s) of the hidden volume must be known and provided alongside the --protect-hidden option.
A disk encrypted using full disk encryption can be mapped using
tcplay --map=tcplay_sdb --device=/dev/sdb --fde
To access individual partitions on the now mapped disk, the following command will generate mappings for
each individual partition on the encrypted disk:
kpartx --av /dev/mapper/tcplay_sdb
SEE ALSO
crypttab(5), cryptsetup(8), dmsetup(8), kpartx(8)
HISTORY
The tcplay utility appeared in DragonFly 2.11.
AUTHORS
Alex Hornung