< Mount Truecrypt drives with one password >

How to mount several Truecrypt drives/containers using only one password at start-up

    Problem

    One has two, three or more Truecrypt-encrypted partitions or containers that share the same, single password. To mount them one has to enter that same password once per volume.

    Solution

    Truecrypt offers an "Auto-Mount" function to identify and mount drives automatically. Alternatively one can use a batch file (Windows) or a shell script (Linux) at start-up. Handling on Mac OS X should be similar to the Linux command-line parameters.

    Environment

    This tutorial assumes a running system with a logged-in user. (If not, please refer to the chapter "Remark about the use of the login password" below.) All encrypted drives are on one hard drive. You can have your partitions or containers on several drives as well, but remember that the device names and mount points will then differ from the ones used here.
    You should have some basic knowledge of Windows or Linux and know how to create a Truecrypt volume. This tutorial explains the "next level".

    No. | Windows                                               | Linux
    ----|-------------------------------------------------------|-------------------------------------------------------------
    1   | unencrypted operating system (usually drive C:\)      | unencrypted operating system (here without a swap partition)
        | \Device\Harddisk0\Partition1                          | /dev/sda1
    x   | extended partition                                    | extended partition
    2   | encrypted drive in the extended partition (e.g. D:\)  | mounted at /media/windows_d
        | \Device\Harddisk0\Partition2                          | /dev/sda5
    3   | encrypted drive in the extended partition (e.g. E:\)  | mounted at /media/windows_e
        | \Device\Harddisk0\Partition3                          | /dev/sda6

    (In the Windows device namespace \Device\Harddisk0\Partition0 denotes the whole disk; the first partition is Partition1. Truecrypt's device list shows both.)

    [img] Partition layout

    Warning/Disclaimer

    Key loggers, Trojan horses and spyware may capture passwords on your computer, and a password handed to a program on its command line can be read from the process list by other local users while the program runs. Using only one password and/or entering the password in a script or on the console is at your own risk and responsibility!

    Linux

    Tested in Ubuntu with Truecrypt 6.x and 7.x. The procedure for Debian, Mandriva, Mint, Red Hat, Fedora, CentOS, SuSE/openSuSE and others should be similar.

    > Preparation (root privileges, mount-points, etc.)

    To mount Truecrypt volumes in Linux one needs root privileges, so Truecrypt asks for the administrator (sudo) password in addition to the volume password. With a little tweak (typically a sudoers rule that lets your user run truecrypt without a password) one can avoid that query and run truecrypt with normal user privileges. (Attention: potential security risk - any program running as that user can then mount and dismount volumes with root rights.)

    Now, one needs the mount-points to mount the drives on it. These have to be created once using root privileges. e.g.:

    	sudo mkdir /media/Data
    	sudo mkdir /media/Personal

    If you do not create your own mount points, Truecrypt mounts the volumes under its own names: /media/truecrypt1, /media/truecrypt2, ...

    > Option 1: The "Auto-Mount" function

    To use auto-mount one has two options. Either Truecrypt scans all devices (hard-drive partitions) automatically and tries to open each of them with the password you enter ...

    	# -> automount_truecrypt_devices.sh
    	truecrypt --auto-mount=devices

    ... or you load a list of favorites. The list has to be created once, in the Truecrypt main window, after mounting the volume or device: add it to the list of favorites via the menu > Favorites > Add Selected Volume. The list is saved as "Favorite Volumes.xml" in ~/.TrueCrypt/ (/home/Username/.TrueCrypt/).

    [img] Truecrypt Automount Favorites

    Later you can load this favorites list automatically using a simple shell script.

    	# -> automount_truecrypt_favorites.sh
    	truecrypt --auto-mount=favorites

    > Option 2: Shell script to mount volumes

    After the mount points are ready, one just needs to save the following shell script (mount_truecrypt_volumes.sh) and run it on start up.

    	#!/bin/bash
    	# mount_truecrypt_volumes.sh - mount all volumes that share one password
    
    	echo "1. Please enter password"
    	# -r keeps backslashes in the password, -s suppresses the echo on the terminal
    	# (no stty juggling needed, and the terminal is left intact if you press Ctrl-C)
    	read -rs password
    	echo
    
    	echo "2. Mounting volumes ..."
    
    	# -t text mode, -k "" no keyfiles, --protect-hidden=no no hidden-volume protection
    	truecrypt -t /media/windows_c/myData.tc /media/Data --password="$password" -k "" --protect-hidden=no
    	truecrypt -t /dev/sda5 /media/Personal --password="$password" -k "" --protect-hidden=no
    
    	# forget the password as soon as it is no longer needed
    	unset password

    Explanation

    -t use the text version of Truecrypt, no graphical user interface (GUI)
    /media/windows_c/myData.tc Truecrypt container on windows drive C:
    /dev/sda5 a logical drive in an extended partition (FAT/NTFS)
    /media/Data mount point
    /media/Personal mount point
    --password= use the following password (caution: while truecrypt runs, the whole command line including the password can be read from the process list, e.g. with ps, by other local users; Truecrypt's own --help text warns about this)
    -k "" do not use key-files (otherwise it will ask for them)
    --protect-hidden=no do not use protect-hidden volumes (otherwise it will ask for them)

    You can get more parameters by typing truecrypt --help on the shell.
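    The script above works, but as a start-up script it has rough edges: the password is taken from whatever stdin happens to be, every volume is a copy-and-paste line, and a failed mount is not reported. The following is an added example (not code from the original page) that puts the volumes into one table, reads the password only from a real terminal and without echo, skips volumes whose mount point is already in use, counts failures, and clears the password variable once the mounts are done. The container path, device and mount points are the ones assumed on this page; the TRUECRYPT variable can be pointed at another binary for a dry run. The password still goes to truecrypt on its command line, exactly as in the page's script, so the process-list caveat above applies.

```shell
#!/bin/bash
# Added example (not from the original page): a mount script with the hygiene
# a start-up script should have.
#   - the password is read once, without echo, and only from a real terminal
#   - every volume is listed in one table; mount points are checked first
#   - already-mounted volumes are skipped, failures are counted and reported
#   - the password variable is cleared as soon as the last mount has run
# TRUECRYPT names the binary to call; it can be overridden for a dry run.
TRUECRYPT="${TRUECRYPT:-truecrypt}"

# Volume table, one "<container or device> <mount point>" pair per line
# (paths without spaces). The paths are assumptions for this example.
VOLUMES="
/media/windows_c/myData.tc /media/Data
/dev/sda5 /media/Personal
"

# mount_one SOURCE MOUNTPOINT PASSWORD
# returns 0 when mounted, 1 on failure, 2 when the mount point is already in use
mount_one() {
    local src="$1" mnt="$2" pw="$3"
    if [ ! -d "$mnt" ]; then
        echo "error: mount point $mnt does not exist (create it as root first)" >&2
        return 1
    fi
    if mountpoint -q "$mnt" 2>/dev/null; then
        echo "skip: $mnt is already mounted" >&2
        return 2
    fi
    # -t text mode, -k "" no keyfiles, --protect-hidden=no no hidden-volume
    # protection (the same options as the page's script). The password goes on
    # the command line, which is visible in the process list while truecrypt runs.
    "$TRUECRYPT" -t "$src" "$mnt" --password="$pw" -k "" --protect-hidden=no
}

# mount_all PASSWORD: walk the volume table, print a summary line, return
# non-zero if any volume failed to mount
mount_all() {
    local pw="$1" src mnt rc mounted=0 skipped=0 failed=0
    while read -r src mnt; do
        [ -n "$src" ] || continue          # blank lines in the table
        mount_one "$src" "$mnt" "$pw" && rc=0 || rc=$?
        case "$rc" in
            0) mounted=$((mounted + 1)) ;;
            2) skipped=$((skipped + 1)) ;;
            *) failed=$((failed + 1)) ;;
        esac
    done <<EOF
$VOLUMES
EOF
    echo "mounted=$mounted skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}

main() {
    # Refuse to take the password from a pipe or file: it would end up in
    # shell history or a log. Only a terminal is accepted.
    if [ ! -t 0 ]; then
        echo "error: run this script from a terminal" >&2
        return 1
    fi
    local password rc
    read -rs -p "1. Please enter password: " password
    echo
    echo "2. Mounting volumes ..."
    mount_all "$password" && rc=0 || rc=$?
    unset password                         # do not keep the secret around
    return "$rc"
}

# Prompt only when attached to a terminal; otherwise the functions are just
# defined, so the file can be sourced by another script.
if [ -t 0 ]; then
    main
fi
```

    Save it as mount_truecrypt_volumes.sh, make it executable and run it from a terminal at start-up; when something goes wrong the summary line tells you how many volumes failed, instead of a silently half-mounted system.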

    Windows

    Tested in Windows XP with Truecrypt 6.x and Truecrypt 7.x. The procedure for Windows 2000, Windows Vista, Windows 7, Windows Server 2003, Server 2008 and others should be similar.

    Mounting a volume

    > Preparation (drive letter in explorer, etc.)

    After creating an encrypted partition (as opposed to a container), Windows still assigns a drive letter to the raw, encrypted partition, which is useless in the system. When clicking on it you get the dangerous question whether you want to format the unknown drive (which you don't).

    To clear the drive letter, use Control Panel > Computer Management > Storage > Disk Management > right-click on the drive > Change Drive Letter and Paths > Remove.

    Attention! Think twice before you delete a drive letter. Do not delete an important drive (like C:\) or drives still in use.

    [img] Windows Control Panel Change Drive Letter

    If you do not clear the drive letter, Truecrypt uses the next free letter in auto-mount mode. e.g. if your Windows resides on C:\ and your DVD drive on D:\, the Truecrypt container/drive gets E:\. If a USB drive was already plugged in at start-up, Truecrypt moves on to the next letter, F:\. The letter is therefore not stable unless you fix it with the /l parameter.

    If you want to start Truecrypt with a specific drive letter, take care to have the drive letter available or you will get the "Drive letter not available" error message.

    > Option 1: The "Auto-Mount" function

    To use auto-mount one has two options. Either Truecrypt scans all devices (hard-drive partitions) automatically and tries to open each of them with the password you enter ...

    	::: automount_truecrypt_devices.bat
    	truecrypt /auto devices

    ... or you load a list of favorites. The list has to be created once, in the Truecrypt main window, after mounting the volume or device: add it via the menu > Volumes > Save Currently Mounted Volume as Favorite. The list is saved as "Favorite Volumes.xml" in Truecrypt's configuration folder inside your user profile (%APPDATA%\TrueCrypt).

    [img] Truecrypt Automount Favorites

    Later you can load this favorites list automatically using a simple batch script.

    	::: automount_truecrypt_favorites.bat
    	@echo off
    	echo Loading favorites
    	truecrypt /q /cache y /auto favorites
    	truecrypt /q /s /wipecache
    Explanation
    /q Quits the Truecrypt window after usage.
    /cache y Caches the password so that every favorite can be mounted with the one password entered in the dialog.
    /auto favorites Auto-mounts all favorite volumes.
    /s Silent mode, no (error-)messages.
    /wipecache Wipes the cached password from memory again; keep this call directly after the mount so the password is not kept cached longer than needed.

    > Option 2: Batch file to mount volumes

    To hide the input, I'm using the "ScriptPW.Password" COM object (scriptpw.dll) that ships with the Windows Script Host (WSH) of Windows XP and Windows Server 2003. Note that scriptpw.dll is no longer included from Windows Vista onward; there you have to copy and register the DLL yourself or use another way to prompt for the password. A batch file (mount_truecrypt_volumes.bat) creates a VBS file which reads the password, deletes the VBS file afterwards and passes the password to Truecrypt. (Source, in German)

    The example mounts a container myData.tc as drive E: and an encrypted partition on the hard drive as drive D:.

    Paths to containers and partitions have to be adapted to your own system!

    	@ECHO OFF & setlocal
    
    	REM Temporary VBScript that prompts for the password without echoing it
    	SET "GetPW=%temp%\GetPW.vbs"
    	ECHO WScript.Echo CreateObject("ScriptPW.Password").GetPassword() > "%GetPW%"
    
    	ECHO 1. Please enter password
    
    	for /f "delims=" %%i in ('cscript //nologo "%GetPW%"') do set "Pass=%%i"
    	del "%GetPW%"
    
    	ECHO 2. Mounting volumes ...
    
    	REM The password is quoted so that spaces survive; it is still visible in the
    	REM process list while truecrypt runs. Drop /s while testing to see errors.
    	"C:\Program Files\TrueCrypt\truecrypt" /v C:\myData.tc /le /s /q /p "%Pass%"
    	"C:\Program Files\TrueCrypt\truecrypt" /v \Device\Harddisk0\Partition2 /ld /s /q /p "%Pass%"
    
    	REM setlocal discards Pass when the batch file ends; clear it explicitly anyway
    	SET "Pass="
    Explanation
    SET Sets the variable GetPW which contains the path to the VBS file.
    ECHO ... > ... Writes the content to the file.
    ECHO Output to the command prompt.
    for /f ... Runs the VBS file with cscript and reads the password from its output.
    del Deletes the VBS file (Windows Script Host, WSH).
    /v Name of the volume. (also via parameter "/volume")
    C:\myData.tc Truecrypt container
    \Device\Harddisk0\Partition2 Logical drive in an extended partition (FAT/NTFS).
    /ld /le Mount the drive with letter D: resp. E: (also via parameter "/letter d" and "/letter e"). The letter must be free, otherwise Truecrypt reports "Drive letter not available".
    /s Silent mode, no (error-)messages. (also via parameter "/silent") Because this also hides errors, a failed mount at start-up goes unnoticed; leave /s out while testing the batch file.
    /q Quit, do not show the Truecrypt window. (also via parameter "/quit")
    /p Use the following password. (also via parameter "/password") Enclose it in quotation marks if it may contain spaces. As on Linux, the password is part of the command line and can be read by anyone able to inspect the process list while Truecrypt runs.

    More parameters can be found in the Truecrypt documentation (Command Line Usage).

    Optional tasks

    > Move CD-ROM/DVD drive letter (diskpart, ...)

    It can happen that the CD-ROM or DVD drive gets a drive letter one intends to use for the Truecrypt volume. (e.g.: Drive is supposed to be mounted as D: via option "/ld" resp. "/letter d" but the CD-ROM/DVD drive already owns this drive letter and you get the "Drive letter not available"-error message.)

    One can use the Control Panel > Computer Management > Storage > Disk Management > ... to change the drive letter or a small script and the program "diskpart" on your Windows to manipulate the drive letters and partitions.

    	diskpart /s dp-script.txt

    dp-script.txt:

    	select volume 0
    	remove
    	assign letter=E
    	exit
    Explanation
    diskpart /s dp-script.txt Start diskpart and use the script (/s) "dp-script.txt".
    select volume 0 Select the first volume in the list of devices - the number may vary from system to system, so check on your computer first:
    start diskpart at the command prompt and type "list volume". For more information enter "help".
    remove Removes the drive letter of the selected volume.
    assign letter=E Assigns a new drive letter (E:) to the selected volume.
    exit Exits diskpart.

    > Share a directory in the local network (net share, ACL, ...)

    Because the Truecrypt volume is not yet mounted when Windows starts the Server service, a share defined on it may be lost and would have to be re-created manually every time. To avoid this, one can use a small batch file that re-creates the share after mounting.

    	::: share_folders.bat
    	@echo off
    	net share myPublic=E:\Data\Public_Folder
    	cacls E:\Data\Public_Folder /G Everyone:F /E /T
    Explanation
    net share myPublic=E:\Data\Public_Folder Starts the share option of the net program and shares the folder "E:\Data\Public_Folder" as "myPublic".
    For further options enter "net /?" or "net share /?".
    cacls E:\Data\Public_Folder Changes the "Access Control List" (ACL), i.e. the NTFS permissions, of the directory. (cacls is deprecated from Windows Vista on; icacls replaces it.)
    /G Everyone:F Grants (F) full access (read, write and delete) to the group "Everyone" - this makes the folder writable by every account on the machine and, together with the share, by everyone on the network. Attention - please change to your needs, e.g. a dedicated group instead of Everyone!
    /E Edit the ACL only, do not replace it.
    /T Change the ACL for the given folder and all sub folders.
    Note that share permissions (net share) and NTFS permissions (cacls) are checked independently; the more restrictive of the two wins.

    > Start programs/software automatic (Batch)

    After mounting the drives one probably wants to start their favourite software. Here you can use a batch-file too.

    	::: start_programs.bat
    	@echo off
    	start "myMessenger" /min "E:\Program Files\Messenger\messenger.exe"
    	start "myBrowser" "E:\Program Files\Mozilla Firefox\firefox.exe"
    Explanation
    start /min Starts the Program in minimised mode. For further options please enter "start /?".
    "myMessenger", "myBrowser" Name given by yourself.
    E:\Program Files\... Path and name of the software.

    This batch file starts your applications right after mounting the drive. If you want to have a small delay to wait, you can check on my startup script.

    Attention! Many applications leave their data on drive C:. If it isn't encrypted, someone else can easily access your data. Either you encrypt your complete system (Whole Disk Encryption/Pre-Boot Authentication), change the location of the user data in the specific software (if possible) or use a portable version of the application.

    > Start all operations automatic (Batch, Autorun)

    The whole procedure can be run at Windows start-up. The following batch file needs to be copied into your Autostart folder to do so. (Usually in > Start > Programs > Startup or in your user directory (2000, XP) C:\Documents and Settings\[Username]\Start Menu\Programs\Startup.) Using the call command, the batch files are executed one by one; without call, the first batch file would replace the running one and the remaining lines would never be executed.

    	::: autostart_truecrypt.bat
    	@echo off
    	call "C:\My Files\move_cd-dvd-drives.bat"
    	call "C:\My Files\(auto)mount_truecrypt_volumes.bat"
    	
    	call "E:\My Hidden Files\share_folders.bat"
    	call "E:\My Hidden Files\start_programs.bat"
    Explanation
    move_cd-dvd-drives.bat Batch-file to move the CD-ROM/DVD drive letter. (optional, see above)
    (auto)mount_truecrypt_volumes.bat Mount the Truecrypt-drive using automount or a batch-file. (see above)
    share_folders.bat Share a folder in the network. (optional, see above)
    start_programs.bat Start more programs. (see above)

    See also my Startup script.

    General: File System, Login, Unmount, Network

    > Choosing the file system (FAT16, FAT32, NTFS vs. ext2, ext3)

    If you use both Windows and Linux on your computer, you have to decide which file system to give your Truecrypt drive/container. Windows itself has to boot from a FAT/FAT32 or NTFS file system and Linux is most likely installed on an ext file system, but the data volumes can use either.

    Both operating systems can read each other's file systems with some additional driver support. You can use "Ext2 Installable File System For Windows" to access ext2 and ext3 drives in Windows and "ntfs-3g" to access NTFS in Linux. (ntfs-3g is already part of many Linux distributions and does not have to be installed separately, so it works right from the start. Driver support for ext4 in Windows is unknown to me at the moment, and I have not had the chance to research this topic any further.)

    To choose the best file system for your encrypted drives, think about which operating system you use the most and what for. (e.g. Linux for Internet -> ext3, Windows for gaming -> NTFS)

    If you go for a Windows file system, consider how big your drive is and whether you want to store big files on it. FAT16 supports 2GB files on a 2GB drive at most (e.g. USB drive), FAT32 supports files of just under 4GB on drives up to 8TB (e.g. copying DVD-Video files to the hard drive) and NTFS allows 16TB files on 16TB drives (e.g. saving DVD ISO images). (1TB = 1,000GB [decimal]) The Linux ext3 file system is an improved ext2 with new built-in features such as journaling, which reduces data loss after a system crash. Both ext file systems can handle files of 2TB, ext3 even more.

    Truecrypt in Windows can create FAT and NTFS file systems only, while Truecrypt in Linux can create ext2, ext3 and FAT file systems.

    > Remark about the use of the login password (Windows/Linux)

    In general you cannot "copy" your login password and have the system pass it on as the password for your TrueCrypt drive/container: the operating system does not expose the login password to other programs, and if it could easily be read out or found in memory, that would be a weakness of the operating system's own security policy.
    (This does not mean that you can't use the same password twice. However, you then also have to enter it twice, at login and for decryption, and hope that nobody cracks your login password - because it would unlock your data as well.)

    Alternatively you can use "Whole Disk Encryption" (pre-boot authentication) in Windows or Linux and skip the separate login instead. Or you can have your Linux home directory mounted at login by a Pluggable Authentication Module (PAM), e.g. pam_mount.

    > Fast unmount of devices (Windows/Linux)

    Usually you can shutdown your computer via the "Shutdown" option of your operating system like there's no encryption installed. (This means to power it down and not just switch it off!)

    If you want to, you can unmount all Truecrypt devices at once, calling Truecrypt with the option "d" resp. "dismount".

    	LINUX:
    	truecrypt --dismount
    	
    	WINDOWS:
    	truecrypt /dismount

    If there are still read/write operations running on the device, the drive cannot be dismounted immediately. If a fast dismount is still necessary, you can bypass this by adding the parameter "force".
    Attention: data that has not been written to the volume yet is lost, and the file system on it may be left inconsistent!

    	LINUX:
    	truecrypt --dismount --force
    	
    	WINDOWS:
    	truecrypt /dismount /force

    If you have to unmount a specific drive only, you can enter the name additionally.

    	LINUX:
    	truecrypt --dismount /media/Data
    	truecrypt -d /dev/sda5
    	
    	WINDOWS:
    	truecrypt /dismount Z:
    	truecrypt /d X:
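    As an added example (not from the original page), here is a shell function for a Linux shutdown script that applies the order recommended above: flush pending writes with sync, attempt a clean dismount a few times while programs release their files, and only fall back to --force when the caller explicitly allows it, since a forced dismount drops writes that have not reached the volume. The mount points, the TRUECRYPT variable and the retry settings are assumptions for this example.

```shell
#!/bin/bash
# Added example (not from the original page): dismount cleanly first, retry a
# few times while programs release their files, and only fall back to --force
# when the caller explicitly allows it (a forced dismount drops pending writes).
TRUECRYPT="${TRUECRYPT:-truecrypt}"
DISMOUNT_RETRIES="${DISMOUNT_RETRIES:-3}"   # clean attempts before giving up
DISMOUNT_DELAY="${DISMOUNT_DELAY:-2}"       # seconds between attempts

# dismount_volume [--force] [MOUNTPOINT|DEVICE]
# Without a target all TrueCrypt volumes are dismounted, as with "truecrypt -d".
# Prints "clean" or "forced" on success; returns 1 if the volume stays mounted.
dismount_volume() {
    local force=0 target="" attempt=1
    if [ "$1" = "--force" ]; then
        force=1
        shift
    fi
    target="${1:-}"
    sync                     # flush dirty pages before TrueCrypt closes the volume
    while [ "$attempt" -le "$DISMOUNT_RETRIES" ]; do
        # ${target:+"$target"} expands to nothing when no target was given,
        # so TrueCrypt never sees an empty volume path
        if "$TRUECRYPT" -t -d ${target:+"$target"}; then
            echo clean
            return 0
        fi
        attempt=$((attempt + 1))
        [ "$attempt" -le "$DISMOUNT_RETRIES" ] && sleep "$DISMOUNT_DELAY"
    done
    if [ "$force" -eq 0 ]; then
        echo "dismount of ${target:-all volumes} failed: files still in use" >&2
        return 1
    fi
    # last resort: --force discards writes that have not reached the volume
    if "$TRUECRYPT" -t -d --force ${target:+"$target"}; then
        echo forced
        return 0
    fi
    return 1
}

# Executed directly: dismount the target given on the command line, e.g.
#   ./dismount_tc.sh /media/Personal          (clean only)
#   ./dismount_tc.sh --force /media/Data      (clean, then forced)
# Without arguments only the function is defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    dismount_volume "$@"
fi
```

    The function prints which path was taken, so a shutdown script can log "forced" dismounts and you find out afterwards which application was still holding files open.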

    > Mounting a Truecrypt drive over network

    You can mount a Truecrypt volume on a network share as well. It does not matter which operating system you are using on the server or on your computer. There are two ways to mount a shared Truecrypt volume.

    1. Decrypt (mount) your container or partition on the server already and share the mounted drive on the network. The advantage is that all users can access a "common" drive to read and write on it. The disadvantage is that the data travels over the network unencrypted. Still, you can use technologies like SSL, TLS or a VPN to protect the network traffic.

    To mount the drive manually after a server restart you need direct access to the system. If you don't have physical access you can use remote control software like VNC. (One can mount the drive automatically at start-up using a batch file or a script as well, but since the password would then be stored in clear text on the server this would be a security risk.)

    2. Share the container file itself on the network and let the users mount it themselves. (This does not work with partitions!) The advantage is that what crosses the network is the encrypted container, so the connection itself is protected too; still, network encryption does no harm. The disadvantage is that only one user at a time can have the container mounted read/write; all others must mount it read-only (on Linux with "-m ro", on Windows with "/m ro"), otherwise the file system inside it gets corrupted.

    You can find further information in the Truecrypt Documentation.

    If you want to have a file server only, you might want to try out Free NAS or Crypto NAS as a simpler and easier solution. (NAS: Network-Attached Storage)

    Download

    You can download all scripts and batch files for free also.

