EDIT: Warning, looks like there's a bit of a mistake in these instructions and wxWidgets is still required in part for the command line version - turns out I had some remnants of wxWidgets source on my ReadyNAS which is why this worked ... it may still be necessary to grab the wxWidgets source even if compiling GUI only. http://ubuntuforums.org/showthread.php?t=812350 has some more details.
I've figured out how to get Truecrypt 7.1a running locally on my NV+ v2 - not being an x86 and without precompiled ARM binaries, compiling from source is the only option.
Note that this howto assumes you're familiar with Linux, at least vaguely familiar with compiling under Linux, and can work your way around the command line version of Truecrypt (no GUI here!).
Of course the onboard Marvell ARM processor isn't the fastest thing in the world and usually the encrypted containers would be decrypted by the client, but I wanted to also be able to decrypt them on the NAS in the event that I couldn't mount the volume remotely (e.g. I'm accessing through my cellphone - which has an SSH client but no truecrypt).
I'm pretty certain I'm not the first to get Truecrypt running on an NV+ v2 but looking around the forum it seems I might be the first to post how it's done. It isn't actually that hard to do, it's a straightforward compile from source.
Note that I followed several dead-ends and the steps I list here have been pruned of those so while they *should* work they're not exactly what I followed. It'll be good if someone does follow this to report if there are any oddities I didn't pick up.
- Get SSH root to the box
- Install the development libraries using apt-get. Note that the following are probably not all necessary.
    apt-get install libc6-dev gcc g++ gdb libtag1-dev uuid-dev pkg-config make libfuse-dev
- Get the source .tar.gz from http://www.truecrypt.org/downloads2 - this is tested on Truecrypt 7.1a.
- Decompress the source and change to its directory
    tar -xzvf TrueCrypt\ 7.1a\ Source.tar.gz
- Get the header files (all the ".h" files) for RSA's Cryptoki 2.2 from ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20. Put them somewhere sensible (I put them in /c/NasDev/RSACryptoki)
- Export the location of the cryptoki files
- Compile Truecrypt!
At this point the truecrypt executable should be in the Main directory. Copy it to somewhere sensible (I picked /usr/bin)
    cp Main/truecrypt /usr/bin/
- To get help:
    truecrypt -h | less
A couple of gotchas that cost me some time.
- I first tried to use opencryptoki (which you can grab via apt-get) but they didn't play nice. Not sure why.
- The readme for Truecrypt is a little bit odd ... it says that to make a console-only build you use "NOGUI=1" and then you don't need wxWidgets - but then all of its examples either use "WXSTATIC=1" or "WX_ROOT=...", which of course doesn't work if you don't have wxWidgets (and I couldn't get wxWidgets installed in such a way that it all worked). Turns out all you need is NOGUI=1 and it all seems to work.
- The ReadyNAS doesn't have the right kernel crypto installed so you need to tell Truecrypt not to use it. For instance, to mount a volume: "truecrypt -m=nokernelcrypto <path to your truecrypt container> <location where you want to mount it>"
Now to actually access the mounted Truecrypt volume there are a few issues, mainly around permissions, that I still haven't solved to my complete satisfaction (among other things, it relies on giving any user who needs to mount a truecrypt volume root access to the whole box). I suspect this is largely because I'm still not familiar with manipulating permissions in odd ways under Linux. Here's the way I've made it work for now. It's definitely not ideal, not least from a security perspective so any suggestions here are welcome.
- Give the user who will be accessing the share login rights by editing "/etc/passwd" and changing their shell from "/bin/false" to "/bin/bash"
- Give that user sudo access (edit the sudoers file using "visudo" and add the line "<username> ALL=(ALL) ALL"). Note that I should figure out how to specifically allow just Truecrypt elevated rights rather than adding the user to sudoers (I tried a couple of things and it didn't like it, I haven't dug too much more yet).
- Log in as the user, create the mount point (e.g. /c/Decrypted/mount)
- Mount the volume as the user. Note that you'll be asked for the passphrase (the command line version calls it a password) and, later, the user password because it needs root access.
    truecrypt -m=nokernelcrypto <path to container file> <path to mount point>
- You should now be able to browse to the volume through the standard channels (Windows sharing, web interface, etc.).
- Once you're done, log in as the user and dismount - again you'll need your user password for root access.
(this dismounts all volumes, use "truecrypt -d <container file>" to dismount a single volume)
I hope that helps save someone a little bit of time! Of course this setup isn't perfect, it just happens to be working for me (although I've also only had this working for about an hour so it's definitely not stress tested). Any suggestions for improvements welcome!
Edit: Fixed spelling
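
The build steps in the post list exporting the Cryptoki location and compiling without showing the commands; as an added example (not part of the original post), this script checks that the three PKCS #11 headers are present, exports PKCS11_INC (the variable TrueCrypt's Readme names for that directory) and runs the console-only build. SRC_DIR is an assumed directory name, and per the edit note at the top of the post a wxWidgets source tree may still be required.

```shell
#!/bin/sh
# Added example (not from the original post): the build steps as one script.
# PKCS11_INC is the variable TrueCrypt's Readme names for the Cryptoki headers.
# SRC_DIR is an assumption: set it to the directory the tarball unpacked to.
PKCS11_INC=${PKCS11_INC:-/c/NasDev/RSACryptoki}   # the post's example location
SRC_DIR=${SRC_DIR:-./truecrypt-7.1a-source}       # assumed directory name

# Succeed only if the three Cryptoki headers are present in directory $1;
# otherwise name the missing ones instead of failing deep inside the compile.
check_pkcs11_headers() {
    missing=
    for h in pkcs11.h pkcs11f.h pkcs11t.h; do
        [ -f "$1/$h" ] || missing="$missing $h"
    done
    [ -z "$missing" ] && return 0
    echo "missing from $1:$missing" >&2
    return 1
}

# Console-only build (NOGUI=1, as in the post). Confirms that the binary the
# post copies to /usr/bin was actually produced.
build_truecrypt() {
    check_pkcs11_headers "$PKCS11_INC" || return 1
    export PKCS11_INC
    ( cd "$SRC_DIR" && make NOGUI=1 ) || return 1
    [ -x "$SRC_DIR/Main/truecrypt" ] || { echo "no Main/truecrypt built" >&2; return 1; }
}

# Usage: sh build-truecrypt.sh build
if [ "${1:-}" = "build" ]; then
    build_truecrypt && echo "built: $SRC_DIR/Main/truecrypt"
fi
```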
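
For the open question in the post about granting only Truecrypt elevated rights rather than "<username> ALL=(ALL) ALL", here is one way to generate and syntax-check a narrower sudoers rule (added example, not from the original post). The drop-in path /etc/sudoers.d/truecrypt is hypothetical and assumes the system's sudoers file includes that directory; the rule has not been tested on a ReadyNAS.

```shell
#!/bin/sh
# Added example (not from the original post): a sudoers rule that lets one
# user run only the truecrypt binary as root, instead of "ALL=(ALL) ALL".

# Print the rule for user $1 and binary $2 (default: /usr/bin/truecrypt,
# the install location used in the post).
truecrypt_sudoers_rule() {
    user=$1
    bin=${2:-/usr/bin/truecrypt}
    # Accept plain account names only: ',', '%', '#', '!' and blanks have
    # special meaning in sudoers and must never reach the file.
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    # Require an absolute path without wildcards, commas or whitespace, so
    # the rule names exactly one executable.
    case $bin in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    case $bin in
        *[!A-Za-z0-9/._-]*) echo "unsafe character in path: $bin" >&2; return 1 ;;
    esac
    printf '# %s may run only %s as root (any arguments).\n' "$user" "$bin"
    printf '%s ALL=(root) %s\n' "$user" "$bin"
}

# Write the rule to file $2 after a syntax check, so that a typo cannot
# break sudo for every account on the box. $3 optionally overrides the binary.
install_truecrypt_sudoers() {
    tmp=$(mktemp) || return 1
    truecrypt_sudoers_rule "$1" "${3:-}" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$2"
}

# Run as root: sh truecrypt-sudoers.sh --install <username> /etc/sudoers.d/truecrypt
if [ "${1:-}" = "--install" ]; then
    install_truecrypt_sudoers "$2" "$3"
fi
```

The rule still lets the named user run truecrypt as root with any arguments, so it narrows the grant rather than removing it. On a system without an included drop-in directory, the printed rule can be pasted in through visudo in place of the broad line.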