VeraCrypt/TrueCrypt support in GNOME Disks

Vratislav Podzimek vpodzime at redhat.com
Tue Nov 14 15:23:27 UTC 2017 

On Tue, 2017-11-14 at 17:36 +0900, Kai Lüke wrote:
> Hello,
> 
> of course there is more than one way to do it, but this is how I quickly
> thought about this:
> 
> * use the cryptsetup support for locking/unlocking in libblockdev and
> make it work from the UDisks2.Encrypted interface
> * add the UDisks2.Encrypted interface in UDisks if the block device
> content could not be identified
Please note that a TC/VC device can easily be identified as something else
-- having the first few random bits accidentally being recognized as some
other format's signature.

> * GNOME Disks needs some changes in terms of how to present such a
> device in a different way from normal LUKS devices since for most people
> the block device is indeed empty and it would be confusing to confront
> everybody with failing decryption actions (maybe call the action
> "attempt to unlock hidden volume")
> * GNOME Disks and GIO/GVFs need to make use of the keyfiles parameter in
> UDisks (currently lacking for LUKS as well) and a way to select a
> keyfile from GNOME Shell is needed. One could also decide to explicitly
> ignore them there and only offer unlocking via GNOME Disks.
Correct me if I'm wrong, but key files in TC/VC are a little bit different
concept than key files in LUKS where they are simply files containing the
passphrase (binary) data.

> 
> This should give support for existing containers/partitions. I would
> treat containers as normal filesystem images. When opened from nautilus
> they are mounted read-only by default with gnome-disk-image-mounter →
> need to expose writeable mount there.
> 
> If desired at some point: Formatting a partition/block device with
> veracrypt needs to be added to libblockdev (maybe cryptsetup can't do it
> but 3rd party binaries like zulucrypt-cli). This has to be made
> available from UDisks2.Block.Format()
> Then, to create a new container, one would open GNOME Disks, create an
> empty disk image and format it.
> Currently the format dialog offers no encryption option for NTFS/FAT →
> add veracrypt here. The dialog page with other filesystems  could also
> expose veracrypt if that is really needed.
> 
> Please give some feedback if this rough plan fits the needs. Not all can
> be planned in advance but discussing things now raises the chances to
> consider some corner cases before code lands.
> The best is to open issues for each needed part in every involved
> project, I will review the parts for GNOME Disks and also have time to
> work on something from January/Feburary if needed.
Sounds great to me otherwise. Thanks for working and willing to work on
this, everybody!

-- 
Vratislav Podzimek
Senior Software Engineer
Kernel Storage
Red Hat Czech, Brno

More information about the devkit-devel mailing list