Technical Overview – How tCrypt2Go and vCrypt2Go work

This is an article for enthusiasts detailing the technical design of tCrypt2Go for TrueCrypt (it also applies to vCrypt2Go for VeraCrypt unless otherwise specified).

(This is a sub-article – click here to view the list of articles or the main article on tCrypt2Go and vCrypt2Go)

Topics Covered in this Article

  1. Container for Thumb Drive (Removable Media) vs Partition for External Hard Disk (Fixed Disk)
  2. Choosing a File System for the Encrypted Partition
  3. Pros and Cons of Each File System (NTFS, exFAT and FAT32)
  4. The Unlocking Flowchart
  5. Commands for Locking and Unlocking

1. Container for Thumb Drive (Removable Media) vs Partition for External Hard Disk (Fixed Disk)

At a high level, there are two modes from which a user can choose to encrypt a portable drive:
  • Encrypted Partition Mode (the entire partition is encrypted) for a Hard Drive Setup
  • Encrypted File Container Mode (a virtual encrypted disk inside a file) for a Thumb Drive Setup or a Hard Drive Setup
The comparison picture below illustrates the difference between them:



※ 1 : For hard disks only, this is the first, unencrypted partition where the tCrypt2Go utilities are stored and run from. It should be readable by as many systems as possible: exFAT would keep Windows XP from accessing this area, whereas FAT is the most widely supported and is therefore preferred. (Use NTFS instead if you consider FAT too prone to file system corruption.)

※ 2 : For both thumb drives and hard disks, this is the encrypted area, which must be formatted with the TrueCrypt Format tool. The TrueCrypt formatter does not support exFAT, however, so to get an exFAT volume you mount it and format its drive letter from the command line:

format {drive letter}: /fs:exfat /q /y (command available in Windows Vista or later)
Encrypted Partition Mode
  • This mode requires two separate partitions – a smaller unprotected partition for storing the lock-and-unlock utilities and a larger protected partition for the encrypted data
  • This mode does NOT support devices of the Removable Media type, such as thumb drives and memory cards
  • This mode supports devices of the Fixed Disk type, such as USB external hard disks
Encrypted File Container Mode
  • This mode requires a single partition for both the unprotected and the protected areas
  • This mode supports both Removable Media and Fixed Disk device types
  • It involves far fewer configuration steps and has the benefit of unlocking (mounting the virtual disk) without admin privileges on certain platforms

In Other Words…

Characteristics of a Thumb Drive Setup
  • One unencrypted partition (for storing the tCrypt2Go utilities and TrueCrypt as well as the encrypted container file)
  • TrueCrypt creates an encrypted container file that fills up the whole partition except for the space taken by the tCrypt2Go utilities and TrueCrypt
  • The tCrypt2Go utilities and TrueCrypt are stored in the same partition and are used to unlock (mount) the encrypted file
Characteristics of a Hard Disk Setup
  • Two partitions: the first partition is unencrypted and small (for storing the tCrypt2Go utilities and TrueCrypt); the second partition is encrypted and large (for storing user files)
  • TrueCrypt encrypts the second partition completely
  • The tCrypt2Go utilities and TrueCrypt are stored in the unencrypted first partition and are used to unlock (mount) the encrypted partition
Summary
  • If you only have a thumb drive (not an external hard drive), the container mode must be used
  • If you have both types of devices
    • If you are technical (or not afraid of a challenge), choose a different mode per device type – partition mode for USB hard disks and container mode for thumb drives
    • If you are non-technical (or have no time for learning), choose container mode for everything
Files Stored in the Unprotected Partition

The files below are extracted from "tCrypt2Go and vCrypt2Go.zip" [Download] and copied to the root of the UNPROTECTED drive.
  • .DO_NOT_DELETE (hidden from Windows with the hidden attribute)
    • TrueCrypt/VeraCrypt for Mac
      • README.txt
      • TrueCrypt.dmg/VeraCrypt.dmg (optional: store the original Mac installer here)
    • TrueCrypt/VeraCrypt for Windows
      • README.txt
      • TrueCrypt Setup.exe/VeraCrypt Setup.exe (optional: store the original Windows installer here)
    • Lock_Mac.command
    • Unlock_Mac.command
    • tc.exe/vc.exe
    • TrueCrypt.sys/VeraCrypt.sys
    • TrueCrypt-x64.sys/VeraCrypt-x64.sys
    • tc-container.tc/vc-container.vc (the encrypted container file built with ‘TrueCrypt Format.exe’ or ‘VeraCrypt Format.exe’; present for the Removable Media device type only)
  • AUTORUN.INF (a placeholder that stops older Windows versions from executing malware through the Autorun mechanism; hidden from Windows with the hidden attribute)
  • .Unlock.exe (unlock utility for Windows; hidden from Mac by the leading dot)
  • .Lock.exe (lock utility for Windows; hidden from Mac by the leading dot)
  • Lock.app (lock utility for Mac; hidden from Windows with the hidden attribute)
  • Unlock.app (unlock utility for Mac; hidden from Windows with the hidden attribute)
  • ._Lock.app (specifies an icon for Mac; hidden from Windows with the hidden attribute)
  • ._Unlock.app (specifies an icon for Mac; hidden from Windows with the hidden attribute)
Files with a Hidden Attribute Versus Those with a Leading Dot

Selected files above have the hidden attribute (+h) set so that they are hidden in Windows and in newer versions of Mac OS X.
  1. Hidden attribute vs dot (.)
    • Some folders and files, such as .Unlock.exe and .Lock.exe (the Windows applications), are named with a leading dot so that they are hidden in older versions of Mac OS X. (The Finder in newer versions of OS X can hide files and folders that have the hidden attribute set, but older OS X versions only hide files whose names start with a dot.)
    • The hidden attribute is not set on Unlock.app and Lock.app (the Mac applications), because doing so would make them invisible in newer versions of Mac OS X. As a result they are always visible in Windows. If Mac OS X support is not required, you may remove them to avoid confusing users.
    • ._Unlock.app and ._Lock.app are for Mac OS X. They contain the application icon and metadata (generated by Finder); on Windows, the icons are embedded in the executables instead.
  2. AUTORUN.INF (with the read-only and hidden attributes) is there to protect the drive from being infected by XP-era autorun viruses: an autorun worm cannot drop its own AUTORUN.INF while a read-only one already occupies the name.

          2. Choosing a File System for the Encrypted Partition

The flowchart below helps you decide which file system to use (FAT32, exFAT or NTFS).



※ 1 : exFAT is supported from Windows Vista SP1 and Mac OS X 10.6.5 (Snow Leopard) onward. For Windows XP to support exFAT, install this update (KB955704): http://support.microsoft.com/kb/955704

※ 2 : On a USB thumb drive larger than 4GB that is formatted as FAT32, the TrueCrypt container still cannot exceed 4GB, because FAT32 limits the size of a single file. The rest of the storage space is left outside the container: usable, but unencrypted and insecure.

Decide in Another Way – Answering the Question: On Which Operating System Do You Plan to Use the Portable Drive?

Windows-only
  • Suggested file system: NTFS
  • For standard users, TrueCrypt must be preinstalled, because loading the TrueCrypt driver in portable mode requires administrator rights. If TrueCrypt is not detected, users will be prompted to install it. Corporate users will need their IT administrators to approve the installation and enter admin credentials.
  • For users with administrator rights, TrueCrypt is executed automatically in portable mode. No TrueCrypt installation is needed.
Windows and Mac OS X (Mac OS X 10.6.5 and later/Windows Vista SP1 and later)
  • Suggested file system: exFAT
  • For standard users, TrueCrypt must be preinstalled. If TrueCrypt is not detected, users will be prompted to install it. Corporate users need their IT administrators to approve the installation and enter admin credentials.
  • For users with administrator rights, preinstalling TrueCrypt is still suggested to minimize nuisance. (If TrueCrypt is not detected, users will be prompted to install it on first use. No IT approval is needed, since their accounts have enough rights to install software.)
  • A one-time visudo setting is required for standard users to mount partitions.
  • Administrators do not need this, since their accounts can already run applications as root via the sudo command.
Linux
  • Unsupported by the tCrypt2Go lock-and-unlock utilities, although TrueCrypt itself supports Linux. Linux users should have the skills to mount TrueCrypt volumes/partitions without the help of the tCrypt2Go utilities. :)

          3. Pros and Cons of Each File System (NTFS, exFAT and FAT32)

NTFS
  • Compatibility: Windows only
    • Read-only (no write support by default) on Mac OS X. NTFS-3G on top of OSXFUSE is required for writing to NTFS, and performance can be poor. Use exFAT instead if Mac support is required.
  • Max volume size: 16TB minus 4KB (with a 4KB cluster size)
  • Max per-file size: 2^64 bytes (16 EiB) minus 1KB
exFAT
  • Compatibility: Cross-platform (Windows and Mac)
  • Supported OS versions:
    • Mac OS X 10.6.5 or later
    • Windows Server 2008/Vista SP1 or later
    • Windows XP and Server 2003 with an update: http://support.microsoft.com/kb/955704
  • The TrueCrypt Format tool cannot format volumes as exFAT. Either mount the volume and run format {drive letter}: /fs:exfat /q /y on it, or use the VeraCrypt Format tool
  • Max volume size: 128PB
  • Max per-file size: 16EB
FAT32
  • Compatibility: Cross-platform (Windows and Mac)
  • Supported OS versions: all
  • Max volume size: 32GB when formatted with the built-in Windows tools (the file system itself allows larger volumes; limits vary among formatting tools and operating systems)
  • Max per-file size: 4GB minus 2 bytes
          Summary
          • Use exFAT if you need NATIVE cross-platform (Windows and Mac) support and do not need support of Windows XP or Server 2003 or earlier and Mac OS X versions earlier than 10.6.5
          • Use NTFS if you do not need Mac OS X support or do not mind installing a few packages to get write-support on Mac OS X
          • Use FAT32 if your drive has a small capacity which is equal to or under the supported maximum size of FAT32
          For users who have chosen partition mode (not container mode): the above are considerations only for the PROTECTED partition containing the encrypted data. For the very small UNPROTECTED partition containing the tCrypt2Go/vCrypt2Go lock-and-unlock utilities (used for unlocking the PROTECTED partition), always use FAT32.

          After you have made a choice of file system, continue with the Installation Guide (step-by-step instructions) to set up your portable drive for use with tCrypt2Go and vCrypt2Go.

          4. The Unlocking Flowchart

The flowchart below illustrates how the tCrypt2Go unlocker decides how TrueCrypt is run to unlock the protected drive.



※ 1 : The user is shown a screen with the TrueCrypt setup file and a README.
※ 2 : For the TrueCrypt device driver to load in portable mode, User Account Control (UAC) has to be disabled; if you want to keep UAC on, install TrueCrypt instead.
※ 3 : When unlocking (mounting) a TrueCrypt-encrypted partition under Mac OS X, TrueCrypt calls sudo and prompts for an admin password. That is fine for admin users, but standard users cannot answer the sudo prompt because they lack admin rights. Additional settings (the visudo entry mentioned above) are required before standard users can unlock an encrypted partition.

Note: on Mac OS X, mounting TrueCrypt-encrypted containers does not require admin rights, but mounting encrypted partitions does.

          5. Commands for Locking and Unlocking

If all you want is to write your own scripts, the commands below may be all you need.

          Windows - Lock
          • TrueCrypt: TrueCrypt.exe /d /f /q
          • VeraCrypt: VeraCrypt.exe /d /f /q
          Windows - Unlock - Removable Media
          • TrueCrypt: TrueCrypt.exe /w /c n /v container.tc
          • VeraCrypt: VeraCrypt.exe /w /c n /v container.vc
          Windows - Unlock - Fixed Disk
          • TrueCrypt: TrueCrypt.exe /w /c n /a devices /q /e
          • VeraCrypt: VeraCrypt.exe /w /c n /a devices /q /e
Mac OS X - Lock
  • TrueCrypt: /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -d --force
  • VeraCrypt: /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt -d --force
Mac OS X - Unlock - Removable Media
  • TrueCrypt: /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt container.tc /Volumes/TrueCrypt --force
  • VeraCrypt: /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt container.vc /Volumes/VeraCrypt --force
Mac OS X - Unlock - Fixed Disk
  • TrueCrypt: /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --auto-mount=devices --force
  • VeraCrypt: /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt --auto-mount=devices --force
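Putting the Mac OS X half of the unlocking flowchart (section 4) and the commands above (section 5) together, the script below is an added example of the kind of wrapper you could write yourself; it is not tCrypt2Go's own Unlock_Mac.command or Lock_Mac.command. Beyond what the page states it assumes that the script sits at the root of the unprotected area (so the directory it lives in contains .DO_NOT_DELETE), that the application is only looked for under /Applications, and it adds a DRY_RUN variable that prints the command instead of executing it so the decision logic can be checked without a drive attached. The Windows side is left out because it is a batch/PowerShell matter rather than a shell one.

```shell
#!/bin/sh
# Added example (not tCrypt2Go's own Unlock_Mac.command/Lock_Mac.command):
# Mac OS X wrapper following the unlocking flowchart and the command list.
# Assumptions not from the page: script lives at the root of the unprotected
# area; binaries are looked up under /Applications only; DRY_RUN=1 prints the
# command (one argument per line) instead of running it.

DRY_RUN=${DRY_RUN:-}

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Locate the installed binary (VeraCrypt first, then TrueCrypt).
# Flowchart note 1: when neither is found, point the user at the installer
# and README kept in the hidden helper folder, then fail.
find_crypt_bin() {
    for app in VeraCrypt TrueCrypt; do
        bin=/Applications/$app.app/Contents/MacOS/$app
        if [ -x "$bin" ]; then echo "$bin"; return 0; fi
    done
    echo "Neither VeraCrypt nor TrueCrypt is installed." >&2
    echo "See '.DO_NOT_DELETE/VeraCrypt for Mac/README.txt' (or the TrueCrypt folder)." >&2
    return 1
}

# Print the container path when the drive is a container-mode (removable
# media) setup; return 1 for a partition-mode (fixed disk) setup.
container_path() {
    for c in vc-container.vc tc-container.tc; do
        if [ -f "$1/.DO_NOT_DELETE/$c" ]; then
            echo "$1/.DO_NOT_DELETE/$c"; return 0
        fi
    done
    return 1
}

# Unlock: mount the container at /Volumes/<App>, or auto-mount the encrypted
# partition. Flowchart note 3: partition mode makes TrueCrypt/VeraCrypt ask
# for an admin password, which a standard user cannot supply without the
# one-time visudo setup; containers need no admin rights.
do_unlock() { # $1 = binary, $2 = root of the unprotected area
    if container=$(container_path "$2"); then
        run "$1" "$container" "/Volumes/$(basename "$1")" --force
    else
        if [ "$(id -u)" != 0 ] && ! id -Gn | grep -qw admin; then
            echo "note: partition mode needs admin rights (or the visudo setup for standard users)" >&2
        fi
        run "$1" --auto-mount=devices --force
    fi
}

# Lock: dismount every mounted volume, forcing it even if files are open.
do_lock() { # $1 = binary
    run "$1" -d --force
}

main() {
    root=$(cd "$(dirname "$0")" && pwd)
    bin=$(find_crypt_bin) || exit 1
    case $1 in
        unlock) do_unlock "$bin" "$root" ;;
        lock)   do_lock "$bin" ;;
        *)      echo "usage: $0 unlock|lock" >&2; exit 2 ;;
    esac
}

# Only act when invoked with a verb, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Save it next to the utilities, `chmod +x` it, and run `./unlock.sh unlock` or `./unlock.sh lock`; with `DRY_RUN=1 ./unlock.sh unlock` you can confirm which of the two command forms the drive layout selects before trusting the script with a real volume.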

You are welcome to support this project by buying me a cup of coffee ☕ if this tool is useful to you. Thanks!

          Comments

1. McAfee corporate A/V has flagged .Lock.exe & .Unlock.exe as malware and deleted them from my device. Can you please advise?

  Action: Infected file deleted.
  Threat Type: Trojan
  Threat Name: Artemis!5E0AC04B4F48

  Replies
  1. Hi,

    Thanks for reporting this issue to me. I have stated the cause here. In short, this is a false positive. It happens because of the language and/or nature of such a utility, which requires us to submit a request in order for it not to be falsely identified (which I had not done until now).

    I just checked VirusTotal, where I do see my app being falsely identified by McAfee and a few other companies.

    What I will do now is submit a false-positive report to McAfee and others to hopefully get the apps whitelisted. It will likely take a few days, sometimes weeks.

    I will keep you updated. Please stay tuned.

    Once again, I appreciate your report. Feel free to supplement more info if you think it would help.

  2. So far (a week after my last reply), the number of detections on VirusTotal has dropped from 12 to 4.

    Currently, I see McAfee not being listed in the above VirusTotal URL, which indicates it no longer blocks the exe files.

    Could you please retry?