4

I created a 200GB container to store files on my external USB drive. Can I just copy this (empty) container file to create another container of 200GB? I want to do this since it takes about 2 hours to create a 200GB container (NTFS formatted) and I want multiple containers of the same size. Thanks!

Moab
n1kh1lp

4 Answers

5

If it's a container then it just behaves as any ordinary file, so yes, you can copy it, you can do just about anything with it.

Mircea Chirea
  • 3
    It's possible, but you SHOULD NOT do that. The encryption mode used by TC doesn't deal well with copying. See http://www.truecrypt.org/docs/?s=how-to-back-up-securely – CodesInChaos Feb 04 '11 at 18:25
  • 2
    @Code, yes it does. It's just A FILE, TrueCrypt doesn't store any absolute paths. – Mircea Chirea Feb 04 '11 at 18:59
  • 2
    By "doesn't deal well" I mean that the cryptography is weakened considerably by having several containers with the same master-key. For example they strongly discourage copying a container as backup even though that'd be just a convenient file copy. – CodesInChaos Feb 16 '11 at 15:01
  • @Code, sure, if the key is weak. Otherwise breaking a TC container is impossible - the FBI has tried it. – Mircea Chirea Feb 17 '11 at 04:24
  • 6
    Cryptographically if multiple containers exist with the same master key but different data it does make certain types of attacks possible that would not otherwise be possible. This still does not make cracking it easy though, and for many users the risk is acceptable for the convenience of being able to copy and otherwise treat the container as a normal file. – TimothyAWiseman Feb 13 '12 at 17:32
  • I know I am 3 years late in making a comment, but I am going to do it anyways. This answer, however, is not true. Mircea is almost right. I am experiencing the same problem as the user who asked the question. Although I am able to copy the file to an external USB hard drive, I can't, NOW, mount it. In fact, TrueCrypt won't even let me select the container but the whole USB hard drive. That sucks. It wants to use the whole hard drive as a container. –  Nov 20 '13 at 04:45
  • @ThayananthanNarayanan That sounds like a completely different issue. To mount a file you need to use the "Select File" button, not the "Select Volume" button in the TrueCrypt UI. – CodesInChaos Feb 05 '14 at 14:16
4

If you are talking about backing up a TrueCrypt container that has data?

http://www.truecrypt.org/docs/?s=how-to-back-up-securely

Moab
  • What about empty containers? – n1kh1lp Dec 28 '10 at 13:23
  • Note that I just want to avoid the time it takes to format the containers. – n1kh1lp Dec 28 '10 at 13:29
  • 1
    It's certainly possible to copy TrueCrypt volumes. Most of the TrueCrypt manual is written assuming you have adversaries willing and able to use any known methods of attacking your data, your computer, or your person, and therefore is often a little over the top in its recommendations. – Stephen Jennings Dec 28 '10 at 13:48
  • All I can suggest is to try it on an experimental basis, see if it works, and use it for a while to see if any problems crop up. – Moab Dec 28 '10 at 17:37
2

To create a new 200G TrueCrypt volume faster, try this:

  1. Create an uninitialized large file by seek:

    # dd of=new-200g.tc bs=1048576 count=0 seek=200000
    
  2. Clone the header only:

    # truecrypt --backup-headers old-200g.tc
    (... backup to file header.bak)
    (...)
    # truecrypt --restore-headers new-200g.tc
    (... restore from external file header.bak)
    
  3. Mount the new volume with no file system

    # truecrypt --filesystem none new-200g.tc
    
  4. Find out which mapper device is used:

    # truecrypt -l
    4: /tmp/old-200g.tc /dev/mapper/truecrypt4 /tmp/oldfs
    5: /tmp/new-200g.tc /dev/mapper/truecrypt5 - 
    

    So, the new-200g.tc is mapped by /dev/mapper/truecrypt5

  5. Format the uninitialized volume

    # mkfs.ext4 /dev/mapper/truecrypt5
    # e2label /dev/mapper/truecrypt5 "My second copy"
    
  6. Remount with the file system

    # truecrypt -d new-200g.tc
    # truecrypt new-200g.tc /tmp/newfs
    

Now, you get it.

Lenik
  • Thanks. Just copying the container file seems to work. I tried with small containers. Do you think there would be any problems with large containers? Copying the container file automatically copies the headers, right? – n1kh1lp Dec 28 '10 at 14:20
  • No problem! Just as you said, it took you 2 hours to create, so this may be a bit faster to create a very large volume. – Lenik Dec 28 '10 at 14:45
  • And `dd` could be slightly faster than file copy. – Lenik Feb 28 '12 at 08:47
2

The TrueCrypt authors explicitly recommend not doing this. When you copy a container, all copies share the same master-key. While this doesn't allow an attacker to break the encryption itself, it leaks some information.

If you follow the above steps, you will help prevent adversaries from finding out:
Which sectors of the volumes are changing (because you always follow step 1). This is particularly important, for example, if you store the backup volume on a device kept in a bank's safe deposit box (or in any other location that an adversary can repeatedly access) and the volume contains a hidden volume (for more information, see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes in the chapter Plausible Deniability).

From http://www.truecrypt.org/docs/?s=how-to-back-up-securely

And of course you can forget about plausible deniability if you use multiple containers with the same master key.

CodesInChaos
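
What a shared master key exposes, as an added example that is not from any of the posts above or from TrueCrypt itself: a toy tweakable cipher (an HMAC-based Feistel network standing in for TrueCrypt's XTS mode, which is likewise deterministic per key, sector and block) encrypts two constructed 8-sector volumes, and a keyless comparison lists the sectors that differ. All function names, keys and volume contents are assumptions made up for the illustration.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector
BLOCK = 16    # bytes per cipher block


def encrypt_block(key, tweak, block):
    """Toy 4-round Feistel keyed by (key, tweak). Stand-in for XTS, not real AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, tweak + bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def encrypt_volume(master_key, plaintext):
    """Encrypt each block under a tweak derived only from its position."""
    out = bytearray()
    for off in range(0, len(plaintext), BLOCK):
        sector, within = divmod(off, SECTOR)
        tweak = sector.to_bytes(8, "little") + bytes([within // BLOCK])
        out += encrypt_block(master_key, tweak, plaintext[off:off + BLOCK])
    return bytes(out)


def differing_sectors(image_a, image_b):
    """Sector numbers that differ between two ciphertext images (no key needed)."""
    return [n for n in range(len(image_a) // SECTOR)
            if image_a[n * SECTOR:(n + 1) * SECTOR] != image_b[n * SECTOR:(n + 1) * SECTOR]]


def demo():
    # Constructed data: two 8-sector "volumes", each with one small file written.
    vol_a, vol_b = bytearray(8 * SECTOR), bytearray(8 * SECTOR)
    vol_a[2 * SECTOR:2 * SECTOR + 5] = b"alpha"
    vol_b[5 * SECTOR:5 * SECTOR + 4] = b"beta"
    key1 = hashlib.sha256(b"constructed key 1").digest()
    key2 = hashlib.sha256(b"constructed key 2").digest()
    # Copied container: both images are encrypted under the same master key.
    copied = differing_sectors(encrypt_volume(key1, bytes(vol_a)),
                               encrypt_volume(key1, bytes(vol_b)))
    # Separately created containers: independent master keys.
    fresh = differing_sectors(encrypt_volume(key1, bytes(vol_a)),
                              encrypt_volume(key2, bytes(vol_b)))
    return copied, fresh


if __name__ == "__main__":
    print(demo())
```

With the shared key the comparison returns `[2, 5]`, exactly the sectors where the two volumes' contents differ; with independent keys every sector differs and the comparison reveals nothing about where data was written.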