Linux - Kali Setup

2 Linux - Kali Setup

[TOC]

2.1 准备内核头文件

内核头文件是Linux内核的源代码。 有时候，用户需要编译内核头文件代码，为以后使用内核头文件做准备，本节将介绍编译内核头文件的详细步骤。

准备内核头文件的具体操作步骤如下所示。

(1)更新软件包列表。

执行命令如下所示：

root@Kali:~# apt-get update

or

root@Kali:~# apt-get update
root@Kali:~# apt-get upgrade
root@Kali:~# apt-get dist-upgrade
root@Kali:~# reboot

or

root@Kali:~# apt update && apt full-upgrade

输出的信息是在更新软件源中指定的软件下载链接。 此过程中需要等待一段时间，如果网速好的话，更新的速度会快一点。

(2)安装内核头文件。

执行命令如下所示：

root@Kali:~# apt-get install linux-headers- `uname -r`

正在读取软件包列表… 完成
正在分析软件包的依赖关系树
正在读取状态信息… 完成
Package 'linux-headers' is not installed, so not removed
注意，根据正则表达式 3.12-kali1-686-pae 选中了 nvidia-kernel-3.12-kali1- 686-pae
注意，根据正则表达式 3.12-kali1-686-pae 选中了 linux-image-3.12-kali1-686-pae
注意，根据正则表达式 3.12-kali1-686-pae 选中了 linux-image-3.12-kali1-686- pae-dbg
注意，根据正则表达式 3.12-kali1-686-pae 选中了 linux-modules-3.12-kali1- 686-pae
注意，根据正则表达式 3.12-kali1-686-pae 选中了 linux-latest-modules-3.12- kali1-686-pae
注意，根据正则表达式 3.12-kali1-686-pae 选中了 linux-headers-3.12-kali1- 686-pae
注意，选取 linux-image-3.12-kali1-686-pae 而非 linux-modules-3.12-kali1- 686-pae
注意，选取 linux-image-686-pae 而非 linux-latest-modules-3.12-kali1-686-pae
linux-image-3.12-kali1-686-pae 已经是最新的版本了。
linux-image-3.12-kali1-686-pae 被设置为手动安装。
linux-image-686-pae 已经是最新的版本了。
下列软件包是自动安装的并且现在不需要了：
  libmozjs22d libnfc3 libruby libwireshark2 libwiretap2 libwsutil2 python-apsw
  ruby-crack ruby-diff-lcs ruby-rspec ruby-rspec-core ruby-rspec-
  expectations
  ruby-rspec-mocks ruby-simplecov ruby-simplecov-html xulrunner-22.0
Use 'apt-get autoremove' to remove them.
将会安装下列额外的软件包：
  glx-alternative-mesa glx-alternative-nvidia glx-diversions
  linux-headers-3.12-kali1-common linux-kbuild-3.12 nvidia-alternative
  nvidia-installer-cleanup nvidia-kernel-common
建议安装的软件包：
  nvidia-driver
下列【新】软件包将被安装：
  glx-alternative-mesa glx-alternative-nvidia glx-diversions
  linux-headers-3.12-kali1-686-pae linux-headers-3.12-kali1-common
  linux-image-3.12-kali1-686-pae-dbg linux-kbuild-3.12 nvidia-alternative
  nvidia-installer-cleanup nvidia-kernel-3.12-kali1-686-pae
  nvidia-kernel-common
升级了 0 个软件包，新安装了 11 个软件包，要卸载 0 个软件包，有 5 个软件包未被升级。
需要下载 361 MB 的软件包。
解压缩后会消耗掉 1,812 MB 的额外空间。
您希望继续执行吗？[Y/n]y

输出的信息显示了linux-headers相关软件包的一个信息。 提示将会安装哪些软件包及软件包的大小等信息。 此时输入y，继续安装。安装完后，将退出程序。

(3)检车内核头文件是否安装

root@Kali:~# dpkg-query -s linux-headers-$(uname -r)

(4)复制generated下的所有内容。

执行命令如下所示：

root@Kali:~# cd /usr/src/linux-headers-5.2.0-kali2-amd64/
root@Kali:/usr/src/linux-headers-5.2.0-kali2-amd64# cp -rf include/generated/* include/linux/
(不行🙅)

(5)编译内核头文件代码。

---

2.2 安装并配置NVIDIA显卡驱动

显卡驱动程序就是用来驱动显卡的程序，它是硬件所对应的软件。 驱动程序即添加到操作系统中的一小块代码，其中包含有关硬件设备的信息。 有了此信息，计算机就可以与设备进行通信。

驱动程序是硬件厂商根据操作系统编写的配置文件，可以说没有驱动程序，计算机中的硬件就无法工作。 操作系统不同，硬件的驱动程序也不同。

安装NVIDIA显卡驱动的具体操作步骤如下所示。

1. 安装nvidia驱动 执行命令后重启会进入不了图形界面，需要进入命令行界面Ctrl+Alt+f3

apt install -y ocl-icd-libopencl1 nvidia-driver nvidia-cuda-toolkit

1. 验证nvidia驱动 # nvidia-smi

2. 安装hashcat

   # aptitude search hashcat
   # aptitude install hashcat
   # hashcat --help
   

（1）将开源的NVIDIA驱动nouveau加入黑名单 在blacklist.conf文件中添加了blacklist nouveau一行内容:

root@kali:~# vi /etc/modprobe.d/blacklist.conf
blacklist nouveau

（2）查看当前的系统信息

root@kali:~# uname -a
Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux

从输出的信息中可以看到当前系统安装的是Kali，其内核版本为5.2.0，系统架构是x86_64位。

（3）安装Linux头文件

root@kali:~# aptitude -r install linux-headers-$(uname -r)

bash: aptitude: command not found(不行🙅)

下列“新”软件包将被安装。
  linux-headers-3.12-kali1-686-pae linux-headers-3.12-kali1-common{a}
  linux-kbuild-3.12{a}
下列软件包将被“删除”：
  firmware-mod-kit{u} libadns1{u} libcrypto++9{u} liblzma-dev{u}
  libsmi2-common{u} libwebkit-dev{u} msgpack-python{u} p7zip{u}
  python-adns{u} python-bs4{u} python-easygui{u} python-ipy{u}
  python-levenshtein{u} python-mechanize{u} python-metaconfig{u}
  python-paramiko{u} python-pycryptopp{u} python-pysnmp4{u}
  python-pysnmp4-apps{u} python-pysnmp4-mibs{u} sqlmap{u} unrar-free{u}
0 个软件包被升级，新安装 3 个，22 个将被删除， 同时 206 个将不升级。
需要获取 4,848 kB 的存档。解包后将释放 55.4 MB。
您要继续吗？[Y/n] y

以上输出信息显示了当前要安装的软件包数、将被删除的软件包和升级的软件包等。此时输入y，继续安装。

（4）安装NVIDIA内核。执行命令如下所示： root@kali:~# apt-get install nvidia-kernel-5.2.0-kali2-amd64 执行以上命令后，将显示安装nvidia-kernel包的安装过程。此时不需要手动设置任何信息，将自动安装完成。

（5）安装NVIDIA驱动nvidia-kernel-dkms包。执行命令如下所示： root@kali:~# aptitude install nvidia-kernel-dkms

下列“新”软件包将被安装。
  dkms{a} glx-alternative-mesa{a} glx-alternative-nvidia{a}
  glx-diversions{a} libgl1-nvidia-glx{a} libvdpau1{a}
  linux-headers-3.12-kali1-686-pae{a} linux-headers-3.12-kali1-common{a}
  linux-headers-686-pae{a} linux-kbuild-3.12{a} nvidia-alternative{a}
  nvidia-driver{a} nvidia-installer-cleanup{a} nvidia-kernel-common{a}
  nvidia-kernel-dkms nvidia-vdpau-driver{a} xserver-xorg-video-nvidia{a}
0 个软件包被升级，新安装 17 个，0 个将被删除， 同时 207 个将不升级。
需要获取 29.4 MB 的存档。解包后将要使用 108 MB。
您要继续吗？[Y/n] y

以上输出信息显示了将安装的软件包及软件包的大小。此时输入y，继续安装。在安装过程中，会出现如图2.1所示的界面。 047-01

图2.1 配置xserver-xorg 该界面提示需要配置xserver-xorg-video-nvidia。在该界面单击OK按钮，后面手动进行配置。

（6）安装NVIDIA显卡驱动应用程序nvidia-xconfig包。执行命令如下所示： root@kali:~# aptitude install nvidia-xconfig （7）生成Xorg服务配置文件。执行命令如下所示： root@kali:~# nvidia-xconfig 执行以上命令后，将输出如下所示的信息。 WARNING: Unable to locate/open X configuration file. New X configuration file written to ‘/etc/X11/xorg.conf’ 输出的信息，表示重新生成了xorg.conf文件。然后，重新启动系统。 （8）检查NVIDIA显卡驱动是否成功安装。首先检查GLX模块，执行命令如下所示： root@kali:~# glxinfo | grep -i “direct rendering” direct rendering: Yes 检查NVIDIA驱动模块。执行命令如下所示： root@kali:~# lsmod | grep nvidia nvidia 9442880 29 i2c_core 24129 2 i2c_i801,nvidia root@kali:~# lsmod | grep nouveau 通过查看以下文件的内容，确定开源的NVIDIA驱动nouveau是否被加入黑名单，如下所示：

root@kali:~# cat /etc/modprobe.d/nvidia.conf
alias nvidia nvidia-current
remove nvidia-current rmmod nvidia
root@kali:~# cat /etc/modprobe.d/nvidia-blacklists-nouveau.conf
# You need to run "update-initramfs -u" after editing this file.
# see #580894
blacklist nouveau
root@kali:~# cat /etc/modprobe.d/nvidia-kernel-common.conf
alias char-major-195* nvidia

options nvidia NVreg_DeviceFileUID=0 NVreg_DeviceFileGID=44 NVreg_Device FileMode=0660
# To enable FastWrites and Sidebus addressing, uncomment these lines
# options nvidia NVreg_EnableAGPSBA=1
# options nvidia NVreg_EnableAGPFW=1

看到以上输出信息，就表示nouveau已被加入黑名单。 为了加快用户破解一些大数据文件，需要安装CUDA（Compute Unified Device Architecture）。CUDA是一种由NVIDIA推出的通用并行计算架构，该架构使GPU能够解决复杂的计算问题。 安装NVIDIA CUDA工具集和NVIDIA openCL。执行命令如下所示： root@kali:~# aptitude install nvidia-cuda-toolkit nvidia-opencl-icd 执行以上命令后，如果输出过程中没有出错的话，表示该软件包安装成功。以后就可以使用CUDA破解加密的大数据文件。

---

2.3 应用更新和配置额外安全工具

Kali软件包不断地更新和发布之间，用户很快发现一套新的工具比最初在DVD ROM上下载的软件包更有用。 本节将通过更新安装的方法，获取Nessus的一个激活码。最后安装Squid。

应用更新和配置额外安全工具的具体操作步骤如下所示。

1. 更新本地软件包列表库。执行命令如下所示： root@Kali:~# apt-get update

2. 升级已存在的包。执行命令如下所示： root@Kali:~# apt-get upgrade

3. 升级到最新版本。执行命令如下所示： root@Kali:~# apt-get dist-upgrade

---

install nessus

1. 获取一个激活码 官网: https://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code Your activation code for Nessus Essentials is:8403-1D7E-394F-EFB0-957D

2. download deb. ``` root@kali:~# cd Downloads root@kali:~/Downloads# dpkg -i Nessus-8.6.0-debian6_amd64.deb Selecting previously unselected package nessus. (Reading database … 359321 files and directories currently installed.) Preparing to unpack Nessus-8.6.0-debian6_amd64.deb … Unpacking nessus (8.6.0) … Setting up nessus (8.6.0) … Unpacking Nessus Scanner Core Components…

• You can start Nessus Scanner by typing /etc/init.d/nessusd start
• Then go to https://kali:8834/ to configure your scanner

Processing triggers for systemd (242-5) …

* start Nessus Scanner by typing /etc/init.d/nessusd start
* Then go to https://kali:8834/ to configure your scanner

3. 输入命令启动Nessus服务：
``root@kali:~/Downloads# /etc/init.d/nessusd start``

4. 打开浏览器
* 访问：https://kali:8834/
* 第一次访问会出现如下提示
* 点击Advanced => Add Exception => Confirm Security Exception
* user info > activation code >



（5）为Nessus网络接口创建一个用户账户。执行命令如下所示：
root@Kali:~# /opt/nessus/sbin/nessus-adduser
Login :admin                                 #输入用户名为admin
Login password :                              #输入用户密码
Login password (again) :                     #输入确认密码
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules                                   #用户规则
----------
nessusd has a rules system which allows you to restrict the hosts
that admin has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)     #按下空格键提交输入
Login            : admin
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules            :
Is that ok ? (y/n) [y] y
User added                                  #用户被添加
从输出的信息中可以看到admin用户被添加成功了。

（6）激活Nessus。
``root@Kali:~# /opt/nessus/bin/nessus-fetch --register  XXXX-XXXX-XXXX- XXXX-XXXX(激活码)``

Your Activation Code has been registered properly - thank you. Now fetching the newest plugin set from plugins.nessus.org #等待一段时间 Could not verify the signature of all-2.0.tar.gz #不能证实all-2.0.tar.gz的签名

（7）启动Nessus服务。
``root@Kali:~# /etc/init.d/nessusd start``


在第（6）步骤中激活Nessus时，输出和以上相同的信息，表示没有激活Nessus。这个问题在RHEL上不会出现的。不过，这里有方法来解决这个问题。具体操作步骤如下 所示。
（1）删除文件nessus-fetch.rc。执行命令如下所示：
root@Kali:~# rm /opt/nessus/etc/nessus/nessus-fetch.rc
（2）使用nessus-fetch --challenge获取挑战码。执行命令如下所示：
root@Kali:~# /opt/nessus/bin/nessus-fetch --challenge

Challenge code: xxxxxxxxxxxxxxxxxxxxxxxx

You can copy the challenge code above and paste it alongside your
Activation Code at:
https://plugins.nessus.org/offline.php
其中，xxxxxxxxxxxxxxxxxxxxxxxx是输出的挑战码。
（3）重新登录https://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation- code网站获取激活码。
（4）登录https://plugins.nessus.org/offline.php网站，在该界面输入生成的挑战码和激活码，如图2.4所示的界面。
051-01

图2.4 获取插件
此时单击Submit按钮，将显示如图2.5所示的界面。
051-02

图2.5 下载插件
从该界面下载nessus-fetch.rc和all-2.0.tar.gz，将其下载到本地。
（5）将下载到的nessus-fetch.rc文件复制到/opt/nessus/etc/nessus/目录下。执行命令如下所示：
root@Kali:~# cp /root/nessus-fetch.rc /opt/nessus/etc/nessus
执行以上命令后，没有任何输出信息。
（6）使用nessus-update-plugins命令将Nessus的插件all-2.0.tar.gz加载。执行命令如下所示：
root@Kali:~# /opt/nessus/sbin/nessus-update-plugins /root/all/all-2.0.tar.gz
Expanding /root/all/all-2.0.tar.gz…
Done. The Nessus server will start processing these plugins within a minute
（7）重新启动Nessus服务。执行命令如下所示：
root@Kali:~# /etc/init.d/nessusd restart
$Shutting down Nessus : .
$Starting Nessus : .
以上步骤操作完成后，Nessus就被激活了。如果不激活Nessus，它是不能使用的。


---

## 安装Squid服务
``root@Kali:~# apt-get install squid3``

设置Squid服务开机不自动启动。执行命令如下所示：
``root@Kali:~# update-rc.d -f squid3 remove``


---


## 2.4 设置ProxyChains
ProxyChains是Linux和其他Unices下的代理工具。
它可以使任何程序通过代理上网，允许TCP和DNS通过代理隧道，支持HTTP、SOCKS4和SOCKS5类型的代理服务器，并且可配置多个代理。
ProxyChains通过一个用户定义的代理列表强制连接指定的应用程序，直接断开接收方和发送方的连接。

### 1. 打开ProxyChains配置文件
``root@Kali:~# vi /etc/proxychains.conf``
执行以上命令后，打开文件的内容如下所示：

proxychains.conf VER 3.1

#

HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.

#

The option below identifies how the ProxyList is treated.

only one option should be uncommented at time,

otherwise the last appearing option will be accepted

# #dynamic_chain #

Dynamic - Each connection will be done via chained proxies

all proxies chained in the order as they appear in the list

at least one proxy must be online to play in chain

(dead proxies are skipped)

otherwise EINTR is returned to the app

# strict_chain #

Strict - Each connection will be done via chained proxies

all proxies chained in the order as they appear in the list

all proxies must be online to play in chain

otherwise EINTR is returned to the app

# #random_chain #

Random - Each connection will be done via random proxy

(or proxy chain, see chain_len) from the list.

this option is good to test your IDS :)

http 192.168.39.93 8080

# #

proxy types: http, socks4, socks5

( auth types supported: “basic”-http “user/pass”-socks )

# [ProxyList]

add proxy here …

meanwile

defaults set to “tor”

socks4 127.0.0.1 9050

~ ~ ~ ~ ~ ~ – VISUAL – 65 65,0-1 Bot

### 2.
将proxychains.conf文件中的dynamic_chain前面的注释符取消。要修改的配置项，是上面加粗的部分，如下所示：
``dynamic_chain``


### 3.
添加一些代理服务器到列表（proxychains.conf文件末尾），如下所示：

ProxyList format

type host port [user pass]

(values separated by ‘tab’ or ‘blank’)

# #

Examples:

#

socks5 192.168.67.78 1080 lamer secret

http 192.168.89.3 8080 justu hidden

socks4 192.168.1.49 1080

http 192.168.39.93 8080

# #

proxy types: http, socks4, socks5

( auth types supported: “basic”-http “user/pass”-socks )

# [ProxyList]

add proxy here …

meanwile

defaults set to “tor”

socks4 127.0.0.1 9050 socks5 98.206.2.3 1893 (添加的代理服务器) socks5 76.22.86.170 1658 (添加的代理服务器) – 插入 –

### 4. 通过用户的连接代理解析目标主机

``root@kali:~# proxyresolv www.target.com``

* 默认情况下，执行proxyresolv命令，可能看到该命令没找到错误信息。
* 因为proxyresolv保存在/usr/lib/proxychains3/目录中，而不能被执行。

proxyresolv会被proxychains调用，所以将这两个文件放在一个目录中，如/usr/bin。执行命令如下所示：
``root@kali:~# cp /usr/lib/proxychains3/proxyresolv /usr/bin/``
执行完以上命令后，proxyresolv命令就可以执行了。


### 5. 通过用户想要使用的应用程序运行ProxyChains
例如，启动msfconsole。执行命令如下所示：

``root@kali:~# proxychains msfconsole ``

ProxyChains-3.1 (https://proxychains.sf.net) |DNS-request| 0.0.0.0 |S-chain|-<>-127.0.0.1:9050-<–timeout |DNS-response|: 0.0.0.0 is not exist , , /
((—,,,—)) () O O ()___ \ _ / |
o_o \ M S F |
\ ___ | * ||| WW ||| ||| |||

Tired of typing ‘set RHOSTS’? Click & pwn with Metasploit Pro – type ‘go_pro’ to launch it now.

   =[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0] + -- --=[ 1161 exploits - 641 auxiliary - 180 post + -- --=[ 310 payloads - 30 encoders - 8 nops

msf >

ProxyChains-3.1 (https://proxychains.sf.net) [-] **rTing the Metasploit Framework console…| [-] * WARNING: No database support: No database YAML file [-] **

_ _ / \ /\ __ _ __ // __ | |\ / | ___ \ \ ___ __ | | / \ _ \
| | \/| | | \ |- -| /\ / __\ | -__/ | || | || | |- -| || | | | |__ | | / -\ __\ \ | | | | _/| | | | |/ |/ _\/ /\ \/ \/ _| |_\ _\

   =[ metasploit v5.0.46-dev                          ] + -- --=[ 1921 exploits - 1075 auxiliary - 330 post       ] + -- --=[ 556 payloads - 45 encoders - 10 nops            ] + -- --=[ 4 evasion                                       ]

msf5 > ```

msf> 表示msfconsole启动成功了。表示ProxyChains设置成功。

---

2.5 目录加密

开源的绿色加密卷加密软件，不需要生成任何文件即可在硬盘上建立虚拟磁盘。 用户可以按照盘符进行访问，所以虚拟磁盘上的文件都被自动加密，访问时需要使用密码解密。

TrueCrypt提供多种加密算法，包括AES、Serpent、Twofish、AES-Twofish和AES-Twofish-Serpent等。

安装 truecrypt

1. 启动TrueCrypt工具。

root@kali:~# truecrypt

2. Create Volume

1. choose Slot 1
2. 单击Create Volume按钮，

3.

在该界面选择创建卷容器，这里选择默认的Create an encrypted file container选项，单击Next按钮

4. 该界面选择卷类型

这里选择默认的Standard TrueCrypt volume，单击Next按钮 （5）在该界面单击Select File…按钮 （6）在该界面为新卷指定一个名称和位置，这里创建的卷名称为CryptVolume，保存在/root目录下。然后单击“保存”按钮 （7）在该界面可以看到前面创建的卷的名称和位置。然后单击Next按钮， （8）在该界面选择加密算法，这里选择默认的加密算法AES，然后单击Next按钮， （9）在该界面指定卷的大小为10GB，然后单击Next按钮， （10）在该界面输入一个卷的密码，然后单击Next按钮， （11）该界面提示设置的密码太短，建议大小20个字符。如果确认要使用该密码的话，单击“是”按钮 （12）在该界面选择存储到卷文件的大小，这里选择I will not store files larger than 4GB on the volume。然后单击Next按钮 （13）在该界面选择文件系统类型，默认是FAT。该工具还支持Linux Ext2、Linux EXt3和Linux Ext4文件类型。这里选择Linux Ext4，单击Next按钮 （14）该界面选择挂载该卷的一个平台，这里选择第二种方式I will mount the volume only on Linux，单击Next按钮， （15）现在要格式化前面创建的卷，此时单击Format按钮 （16）该界面显示了格式化的进度、速度和时间等信息。该过程运行完后，将显示如图2.21所示的界面。 （17）看到上面的窗口，表示TrueCrypt卷创建成功了。此时，单击“确定”按钮 （18）此时TrueCrypt卷就创建完成了。如果还想要创建另一个TrueCrypt卷的话，单击Next按钮。否则单击Exit按钮。单击Exit按钮后，将返回到图2.6所示的界面。

2.5.2 文件夹解密

在上一小节中成功创建了加密目录。如果要查看加密的内容，需要将该卷解密后才可访问。为了解密卷，需要从图2.6的列表中选择一个槽。然后单击Select File…按钮，打开刚才创建的CryptVolume卷。这时单击Mount按钮， 在该界面输入创建CryptVolume时设置的密码，单击“确定”按钮 从该界面可以看到CryptVolume卷的挂载信息、大小和卷的位置等。此时，用户可以通过双击在槽中的卷或者挂载点来访问这个卷。当对该文件操作完成后，可以单击Dismount All按钮卸载该卷。

uninstall Truecrypt

using root access truecrypt-uninstall.sh

Downloading and Installing Version We’ll be installing the “console-only” version of TrueCrypt for Linux. There are 32 and 64 bit versions available, so choose the correct one depending on your system. If you are unsure run:

file /sbin/init And the beginning of the output will be (for 64-bit) something like:

/sbin/init: ELF 64-bit LSB shared object or for 32-bit:

/sbin/init: ELF 32-bit LSB shared object The official website does not provide links for specific installations, seeming to force you to choose your version through a .php post form, but you can in fact download the tar directly with a wget command. At the time of writing, to download the 64-bit console only version, run:

sudo wget https://truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz Check that 7.1a is still the current version before you download (see https://truecrypt.org/downloads where the heading currently reads: Latest Stable Version - 7.1a), and substitute the version number in the command if there is a later one. Simply change the x64 to x32 in the command to download the 32-bit version.

Extract To extract the setup file, run

tar xfvz truecrypt-7.1a-linux-console-x64.tar.gz Again substituting the version number and architecture type if necessary. Don’t worry about where to extract it to: anywhere is fine as the installer will handle the installation path automatically.

Install Again substituting the version and architecture (last time, I promise), run:

./truecrypt-7.1a-linux-console-x64.tar.gz And you’ll be guided through the installation. At first, you should see:

TrueCrypt 7.1a Setup ________

Installation options:

1) Install truecrypt_7.1a_console_amd64.tar.gz

2) Extract package file truecrypt_7.1a_console_amd64.tar.gz and place it to /tmp

To select, enter 1 or 2: Enter 1, and then press Enter to read the terms and conditions. Hold down your Space key for a while, if, like most people, you are not actually intent on reading them. (Enter will also work, but Space goes page by page instead of line by line).

Type y to accept the terms, and then press Enter. You’ll be told about the prerequisites.

Requirements for Running TrueCrypt: FUSE library and tools device mapper tools Press Enter to continue.

Which should already be installed on Ubuntu and Debian systems.

Now you’ll see a message about how to uninstall TrueCrypt (The words “Uninstalling TrueCrypt” may be a bit misleading – but don’t worry, they’re just instructions for how to uninstall should you want to do so). Press Enter to exit the installer. TrueCrypt is now installed on your system.

Usage create a volume To interactively create a new encrypted volume, use the command:

truecrypt -c /path/to/volume/directory/volumename For example, to create a new volume called “mysecrets” in your home directory, run

truecrypt -c /home/mysecrets Note that the “mysecrets” will be created – it should not be an existing file. You can use any file extension that you want or omit it. Note that TrueCrypt will not create the subpath, so make sure the full subpath exists (in this example, /home/) and that the file does not (in this example, mysecrets)

You’ll be asked whether you want to create a “Normal” volume or a “Hidden” one. In this example, we’ll be creating a “Normal” one. A Hidden volume is in essence two TrueCrypt volumes inside each other. These are very useful if someone uses physical force or blackmail to make you open a TrueCrypt volume or give them your password. With a hidden volume, you can pretend to comply, while in reality only giving them access to the outer volume. This is unlikely to be an issue for the average user.

Enter 1 to create a normal volume, and choose a size. e.g., enter:

100M To create a volume of 100 Megabytes. Use, for example, 5G to create a 5 Gigabyte volume, or 100K to create a 100 Kilabyte volume. Think of this volume as a separate storage device, such as a flash drive: whatever size you assign in this step will be its fixed capacity. The larger it is, the longer it will take to create, as it needs to encrypt the entire volume before use, though this isn’t a huge factor as, on my system, creating a volume of 1GB only took a couple of seconds. If you just want to store a few text files (for example, I store all my passwords in a text file inside a TrueCrypt volume) then a few MB will be more than adequate. You cannot create a volume bigger than your storage capacity.

Pick an encryption method. We’ll go with entering 1 again, to have our volume encrypted by AES, and 1 for the next input as well to choose RIPEMD-160 as our hashing algorithm. Any of the three encryption methods and hashing methods is sufficient. For the slightly paranoid, there are options such as Serpent-Twofish-AES which encrypts the volume using AES, encrypts the output of this (with a different key) with Twofish, and the output of this with Serpent. This means that if any of the three encryption methods is “broken” (that is, a way is found to easily decrypt without the key), then your volume is still safe (unless all three are “broken”). Each of the three encryption methods has an article on Wikipedia, so have a look at these to see the latest attack attempts against each. All seem secure for the time being.

You can then pick from a number of file systems. Pick FAT (2) for the best compatibility, if you intend on accessing the volume from other systems. Now pick a password – remember that brute-forcing the password is the only vaguely feasible way for other people to access your files, so pick a long password (recommended more than 20 characters) for security. For this demo we’ll go with 1234 as a password. Don’t try this at home.

Enter 1234, confirm with another Enter that you’re happy with the password of fewer than 20 characters, and re-enter it for confirmation. You’ll now be prompted for a keyfile path. In this example we will not be using a keyfile, which means that we can access our volume in the future using just the password. Keyfiles are more secure than passwords. You can pick an image, a text file, or any other file you want, and you’ll have to use this file every time you want to access your volume. While this is much more secure than a regular password, it does mean that if you ever lose you keyfile or if it becomes corrupted, you will no longer be able to access your TrueCrypt volume (see here for more about keyfiles and how to use them).

Now for the fun bit. Mash your keyboard as randomly as possible, entering at least 320 characters. TrueCrypt will use this to create Entropy. Humans are generally terrible at doing anything random – remember to include as many different keys as possible. You can read about the random number generator method used here.

Press Enter and your volume will have been created.

mounting a volume To mount it, use the command:

truecrypt –mount /home/secret Press Enter to accept the default mount directory (on Ubuntu /media/truecrypt1/), enter your password, and press Enter twice more for the other defaults (no key file, no protect hidden volume).

Your encrypted volume is now mounted. Just like a mounted flash drive, you can copy files to and from it while it is mounted, but after dismount they are inaccessible. Move files to your volume with commands such as:

mv secrettextfile.txt /media/truecrypt1/ dismounting a volume To dismount the volume use:

truecrypt -d Which will dismount all mounted volumes. If you get the error

Error: umount: /media/truecrypt1: device is busy. (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1)) Then it is very likely that it is simply your terminal that is keeping the device busy. If you have your terminal open in the location of your volume, change out with

cd .. And run truecrypt -d again.

Further Information The documentation and tutorials on the official site are exceptionally well-written, clear, and extensive, and they should give you step by step instructions as to all of TrueCrypt’s more advanced uses, should you need them.