Provided by: libtcplay-dev_3.3-1_amd64 
NAME
tc_api_init, tc_api_uninit, tc_api_has, tc_api_cipher_iterate, tc_api_prf_iterate, tc_api_task_init,
tc_api_task_uninit, tc_api_task_set, tc_api_task_do, tc_api_task_info_get, tc_api_task_get_error —
TrueCrypt volume management
LIBRARY
TrueCrypt volume management (libtcplay, -ltcplay)
SYNOPSIS
#include <tcplay_api.h>
typedef int
(*tc_api_cipher_iterator_fn)(void *priv, const char *name, int key_length_in_bits, int ciphers_in_chain);
typedef int
(*tc_api_prf_iterator_fn)(void *priv, const char *name);
typedef int
(*tc_api_state_change_fn)(void *priv, const char *state, int enter_state);
int
tc_api_init(int verbose);
int
tc_api_uninit(void);
int
tc_api_has(const char *feature);
int
tc_api_cipher_iterate(tc_api_cipher_iterator_fn fn, void *priv);
int
tc_api_prf_iterate(tc_api_prf_iterator_fn fn, void *priv);
tc_api_task
tc_api_task_init(const char *op);
int
tc_api_task_uninit(tc_api_task task);
int
tc_api_task_set(tc_api_task task, const char *key, ...);
int
tc_api_task_do(tc_api_task task);
int
tc_api_task_info_get(tc_api_task task, const char *key, ...);
const char *
tc_api_task_get_error(tc_api_task task);
DESCRIPTION
The tcplay library provides an interface to create, query, map and manage TrueCrypt-compatible volumes.
The tc_api_init() function initializes the library internals and prepares it for use via the API. This
function has to be called before using any other API function. If the verbose argument is non-zero, then
the library will output information such as errors via stdout and stderr.
The tc_api_uninit() function clears up all internal secure memory, such as memory used for decrypted
headers, passphrases, keyfiles, etc.
The tc_api_has() function checks whether the loaded tcplay library has the feature specified by the feature
argument. The current version of the tcplay library supports the following features:
Feature Description
trim Allows enabling discards/TRIM when mapping a volume
The tc_api_cipher_iterate() function passes every available cipher chain to the callback provided in the fn
argument. The priv argument is passed on every call of the callback function. The name of the cipher
chain is passed to the callback function in the name argument. Similarly, the ciphers_in_chain argument
holds the number of ciphers in the current chain, and key_length_in_bits holds the total key length for the
cipher chain, in bits.
The tc_api_prf_iterate() function passes every available cipher chain to the callback provided in the fn
argument. The priv argument is passed on every call of the callback function. The name of the PKBDF2 PRF
algorithm is passed to the callback function in the name argument.
The tc_api_task_init() function initializes and returns a tc_api_task opaque pointer that can be used to
run tcplay commands. Each task can be used only for a single tc_api_task_do() call, and must be
deallocated using tc_api_task_uninit(). The op argument can be one of the following:
create Create a new encrypted TrueCrypt volume.
map Map an existing TrueCrypt volume.
info Request information about an encrypted TrueCrypt volume.
info_mapped
Request information about a mapped TrueCrypt volume.
unmap Unmap a mapped TrueCrypt volume.
modify Modify the TrueCrypt volume by changing the passphrase, keyfiles, PRF algorithm, restoring from a
backup header, restoring from a header file or saving to a header file.
restore
Modify the TrueCrypt volume as modify does, but without changing the passphrase, keyfiles or PRF
algorithm.
The tc_api_task_set() function allows setting a number of different options for the current task. The
following table shows which keys are available on calls to tc_api_task_set() for each of the operations.
The letter M indicates the setting is mandatory, whilst * indicates the setting is optional.
Key create info map unmap info_mapped modify restore
dev M M M * M M
map_name M M M
interactive * * * * *
retries * * * * *
timeout * * *
state_change_fn * * *
weak_keys_and_salt * * *
secure_erase *
hidden_size_bytes *
prf_algo *
h_prf_algo *
cipher_chain *
h_cipher_chain *
protect_hidden * *
fde * *
sys * * ? ?
use_backup_header * * * *
header_from_file * * * *
hidden_header_from_file * * * *
allow_trim *
save_header_to_file *
passphrase * * * * *
h_passphrase * * * * *
keyfiles * * * * *
h_keyfiles * * * * *
new_passphrase *
new_keyfiles *
new_prf_algo *
The varargs accepted by the tc_api_task_set() function depend on the key being set.
dev The vararg is of type const char *. It sets the device that contains the TrueCrypt volume to
operate on.
map_name
The vararg is of type const char *. It set the name of the mapped volume.
interactive
The vararg is of type int. It determines whether the user will be prompted for a passphrase or
whether the settings are taken from the arguments set using tc_api_task_set().
retries
The vararg is of type int. It determines the number of passphrase retries if interactive is set.
weak_keys_and_salt
The vararg is of type int. It determines whether to use a weak source of entropy for key material
and/or the salt.
secure_erase
The vararg is of type int. It determines whether a secure erase is performed as part of the volume
creation.
hidden_size_bytes
The vararg is of type int64_t. If set to 0 it implies no hidden volume will be created. A
positive value implies a hidden volume of the specified size in bytes is created.
prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which
PBKDF2 PRF algorithm is used for the outer volume.
h_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which
PBKDF2 PRF algorithm is used for the hidden volume.
cipher_chain
The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which
cipher chain is used to encrypt the outer volume.
h_cipher_chain
The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which
cipher chain is used to encrypt the hidden volume.
protect_hidden
The vararg is of type int. It determines whether the size of the outer volume should be adjusted
to protect any hidden volume. Using this mode requires both outer and hidden passphrases and
keyfiles.
sys The vararg is of type const char *. It determines whether the volume is a system encrypted volume,
and if so, which disk is the system disk and hence contains the header. If set to NULL the volume
will implicitly be treated as a non-system encrypted volume.
fde The vararg is of type int. It determines whether the disk uses full disk encryption or not. If
specified, the device pointed to by the dev setting should be a whole disk device, not any
partition. The device will be mapped or queried as a whole. To access individual partitions, a
utility such as kpartx(8) should be used, which will create additional individual mappings for each
partition in the decrypted mapped volume. For more details on full disk encryption, see tcplay(8).
use_backup_header
The vararg is of type int. It determines whether the backup header should be used instead of the
regular header to access the volume.
header_from_file
The vararg is of type const char *. If not NULL it forces tcplay to use the header in the
specified file instead of the regular outer volume header.
hidden_header_from_file
The vararg is of type const char *. If not NULL it forces tcplay to use the header in the
specified file instead of the regular hidden volume header.
allow_trim
The vararg is of type int. It specifies whether the mapped volume should allow discards (TRIM).
save_header_to_file
The vararg is of type const char *. If not NULL it forces tcplay to write the (modified) header to
the specified file instead of replacing the volume headers.
passphrase
The vararg is of type const char *. It sets the passphrase that tcplay uses to access the volume.
h_passphrase
The vararg is of type const char *. It sets the passphrase that tcplay uses to unlock the hidden
volume header. This option is only used if a hidden volume is being created or the protect_hidden
setting is set. Otherwise tcplay will first use the regular passphrase to try to unlock the outer
volume and then try to unlock the hidden volume header with the same passphrase without ever using
h_passphrase.
keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile
pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles.
If NULL all keyfiles are cleared.
h_keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile
pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles.
If NULL all keyfiles are cleared. This option is only used if a hidden volume is being created or
the protect_hidden setting is set. Otherwise tcplay will first use the regular keyfiles to try to
unlock the outer volume and then try to unlock the hidden volume header with the same keyfiles
without ever using h_keyfiles.
new_passphrase
The vararg is of type const char *. It specifies the new passphrase to use when modifying the
volume header.
new_keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the new keyfile
pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles.
If NULL all new keyfiles are cleared. When the volume header is modified, it will be reencrypted
using the new keyfiles.
new_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which
PBKDF2 PRF algorithm is used when reencrypting the (modified) volume header.
state_change_fn
The first vararg is of type tc_api_state_change_fn and the second vararg is of type void *. It
allows the consumer to provide a callback function which will be called when starting and stopping
a time-intensive sub-operation such as collecting entropy or erasing a volume. The second vararg
is passed as the priv argument to the callback. The enter_state argument to the callback
determines whether tcplay is starting or stopping the time-intensive sub-task specified in the
state argument.
The tc_api_task_do() function runs the task specified in the task argument. Before running the task,
tc_api_task_do() performs a simple sanity check of the arguments set previously using tc_api_task_set()
before performing the actual operation. After a call to tc_api_task_do() for the info or info_mapped
operations, the queried information is available to be accessed using tc_api_task_info_get().
The tc_api_task_info_get() function can be used to query the result of a info or info_mapped operation.
The task argument is the task used in a previous tc_api_task_do() call. The key argument can be one of the
following:
Key type Description
device char * Corresponding device node
cipher char * Used cipher chain
prf char * Used PBKDF2 PRF algorithm
key_bits int * Number of key bits
size int64_t * Volume size in bytes
iv_offset int64_t * IV Offset of volume in bytes
block_offset int64_t * Block Offset of volume in bytes
The second vararg argument must be of the type specified in the above table. The first vararg argument is
always the size of the storage provided in the second argument. For a char * argument, the size
corresponds to the size of the buffer at the provided location and must be of type size_t. For an int * or
int64_t * argument, it should be the size of the underlying type.
The tc_api_task_get_error() function can be used to get a detailed error message after a failed
tc_api_task_do call. The task argument is the task used in a previous tc_api_task_do() call.
NOTES
TrueCrypt limits passphrases to 64 characters (including the terminating null character). To be compatible
with it, tcplay does the same. All passphrases (exlcuding keyfiles) are trimmed to 64 characters.
Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles can be used.
RETURN VALUES
All functions except tc_api_task_init() and tc_api_task_get_error() return either TC_OK to indicate that
the operation completed successfully, or TC_ERR_UNIMPL to indicate that the operation is not implemented ,
or TC_ERR to indicate that any other error occurred.
The tc_api_task_get_error() function always return a valid, but possibly empty (or irrelevant, if not
called after an error occurred) string.
The tc_api_task_init() function returns NULL if an error occurred and an opaque tc_api_task otherwise.
COMPATIBILITY
The tcplay library offers full compatibility with TrueCrypt volumes including hidden volumes, system
encryption (map-only), keyfiles and cipher cascading.
SEE ALSO
tcplay(8), kpartx(8)
HISTORY
The tcplay library appeared in DragonFly 2.11.
AUTHORS
Alex Hornung