I have a script that mounts a TrueCrypt volume and the password is given as an argument. Any user on the system may issue the command ps -aux | grep truecrypt, which will reveal the password to the encrypted volume. Moreover, by traversing the proc directory, again the password can be revealed. I have root access to my machine, but I am sure that changing the permissions of the ps command and the proc directory will break functionality in other parts of the system. On one hand I want to mount the volumes automatically without requiring user interaction; on the other hand, compromising the password of the TrueCrypt volume is out of the question. I might be able to find some acceptable solution using expect, but before doing so I wanted to ask if anybody has a better idea?

e271p314

  • What's the problem with using "expect"? – Martin Rosenau Sep 03 '13 at 15:06
  • Why can you not save the passphrase to a file with restricted access and supply the file to the command instead of the passphrase with the -p argument? Like this: [link](https://wiki.archlinux.org/index.php/TrueCrypt#Automatic_mount_on_login) ... they are talking about startup scripts, but you could do that in any other script as well. – 0range Sep 03 '13 at 15:56
  • I guess eventually I will go with expect, since my main concern is that some user will be able to obtain root access. In that case files with root permissions will not be sufficient and I must be sure that it will not be easy to find the TrueCrypt passwords (e.g. ps command). The expect script will solve my problem; its main problem is that it doesn't exist yet, so I am looking for more suggestions. – e271p314 Sep 03 '13 at 19:49

1 Answer

I used pexpect to solve my problem in a Python script; equivalent shell scripts should look similar conceptually.

Instead of

import os

# myDir and myPassword are set earlier in the script (not shown).
# This is the insecure form: the password ends up in the child's argv,
# where ps and /proc/<pid>/cmdline expose it to every local user.
mntMyDir = '/mnt/' + myDir
os.system('truecrypt ' + mntMyDir + '.tc ' + mntMyDir + ' --password=' + myPassword + ' --keyfiles= --protect-hidden=no')
os.chdir(mntMyDir + '/tree')

I used

import os
import pexpect

# myDir and myPassword are set earlier in the script (not shown).
# The password is no longer on the command line; it is typed into the
# pseudo-terminal when truecrypt prompts for it, so argv stays clean.
mntMyDir = '/mnt/' + myDir
truecryptCmd = 'truecrypt ' + mntMyDir + '.tc ' + mntMyDir + ' --keyfiles= --protect-hidden=no'
child = pexpect.spawn(truecryptCmd)
child.expect('Enter password for ' + mntMyDir + '.tc: ')
child.sendline(myPassword)
child.wait()
os.chdir(mntMyDir + '/tree')
e271p314
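The two patterns above, as an added example that is not part of the original answer: it reproduces the exposure the question describes by reading /proc/<pid>/cmdline (the same source `ps` uses) for a child that carries a secret in argv, then shows that handing the secret over stdin keeps argv clean, which is what the pexpect version achieves through a pty. A sleeping Python interpreter stands in for truecrypt, the SECRET value is constructed, and the function names are this example's own. It needs a Linux /proc to run the live part.

```python
"""Added example: why a secret in argv is readable by any local user, and how
feeding it over stdin avoids that.  SECRET and all helper names are constructed
for this demonstration; a python child stands in for the truecrypt binary."""
import os
import subprocess
import sys

SECRET = "correct-horse-battery"  # constructed sample value, not a real password


def parse_proc_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline holds argv as NUL-separated strings with a trailing NUL."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def argv_leaks_secret(argv, secret: str) -> bool:
    """True if any argument contains the secret, e.g. '--password=<secret>'."""
    return any(secret in arg for arg in argv)


def read_cmdline(pid: int) -> list:
    """Read another process's argv the way ps does: from /proc/<pid>/cmdline.
    That file is world-readable by default, which is the whole problem."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return parse_proc_cmdline(f.read())


def proc_available() -> bool:
    return os.path.exists("/proc/self/cmdline")


def demo_argv_leak(secret: str) -> bool:
    """Insecure pattern from the question: the secret is an argv element.
    Popen returns only after exec succeeded, so cmdline already shows the new argv."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", "--password=" + secret],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    try:
        return argv_leaks_secret(read_cmdline(child.pid), secret)
    finally:
        child.kill()
        child.wait()


def demo_stdin_no_leak(secret: str) -> bool:
    """Safer pattern: the child reads the secret from stdin, so argv stays clean.
    pexpect does the same through a pty for tools that insist on a terminal prompt."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.readline()"],
        stdin=subprocess.PIPE, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        text=True,
    )
    try:
        leaked = argv_leaks_secret(read_cmdline(child.pid), secret)
        child.communicate(secret + "\n", timeout=10)  # deliver the secret, then let it exit
        return leaked
    finally:
        if child.poll() is None:
            child.kill()
            child.wait()


def processes_exposing(secret: str) -> list:
    """Detection-style sweep: PIDs of live processes carrying the secret in argv.
    Runs without privileges; PermissionError appears only with hidepid mounts."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            if argv_leaks_secret(read_cmdline(int(name)), secret):
                hits.append(int(name))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited between listdir and open, or is hidden
    return hits


if __name__ == "__main__":
    if not proc_available():
        sys.exit("this demonstration needs a Linux /proc")
    print("secret passed in argv, visible via /proc:", demo_argv_leak(SECRET))
    print("secret passed on stdin, visible via /proc:", demo_stdin_no_leak(SECRET))
    print("processes currently exposing the sample secret:", processes_exposing(SECRET))
```

The stdin route only helps when the tool reads its password from stdin or a terminal rather than argv; for a binary that accepts the secret only as an option, the keyfile or password-file approach from the comments (a file readable solely by the mounting user) is the alternative, since file permissions are enforced while argv is not.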