TCPLAY(3) Library Functions Manual TCPLAY(3)

tc_api_init, tc_api_uninit, tc_api_has, tc_api_cipher_iterate, tc_api_prf_iterate, tc_api_task_init, tc_api_task_uninit, tc_api_task_set, tc_api_task_do, tc_api_task_info_get, tc_api_task_get_errorTrueCrypt volume management

TrueCrypt-compatible API library (libtcplay, -ltcplay)

#include <tcplay_api.h>

typedef int
(*tc_api_cipher_iterator_fn)(void *priv, const char *name, int key_length_in_bits, int ciphers_in_chain);

typedef int
(*tc_api_prf_iterator_fn)(void *priv, const char *name);

typedef int
(*tc_api_state_change_fn)(void *priv, const char *state, int enter_state);

int
tc_api_init(int verbose);

int
tc_api_uninit(void);

int
tc_api_has(const char *feature);

int
tc_api_cipher_iterate(tc_api_cipher_iterator_fn fn, void *priv);

int
tc_api_prf_iterate(tc_api_prf_iterator_fn fn, void *priv);

tc_api_task
tc_api_task_init(const char *op);

int
tc_api_task_uninit(tc_api_task task);

int
tc_api_task_set(tc_api_task task, const char *key, ...);

int
tc_api_task_do(tc_api_task task);

int
tc_api_task_info_get(tc_api_task task, const char *key, ...);

const char *
tc_api_task_get_error(tc_api_task task);

The tcplay library provides an interface to create, query, map and manage TrueCrypt-compatible volumes.

The () function initializes the library internals and prepares it for use via the API. This function has to be called before using any other API function. If the verbose argument is non-zero, then the library will output information such as errors via stdout and stderr.

The () function clears up all internal secure memory, such as memory used for decrypted headers, passphrases, keyfiles, etc.

The () function checks whether the loaded tcplay library has the feature specified by the feature argument. The current version of the tcplay library supports the following features:

Allows enabling discards/TRIM when mapping a volume

The () function passes every available cipher chain to the callback provided in the fn argument. The priv argument is passed on every call of the callback function. The name of the cipher chain is passed to the callback function in the name argument. Similarly, the ciphers_in_chain argument holds the number of ciphers in the current chain, and key_length_in_bits holds the total key length for the cipher chain, in bits.

The () function passes every available cipher chain to the callback provided in the fn argument. The priv argument is passed on every call of the callback function. The name of the PKBDF2 PRF algorithm is passed to the callback function in the name argument.

The () function initializes and returns a tc_api_task opaque pointer that can be used to run tcplay commands. Each task can be used only for a single tc_api_task_do() call, and must be deallocated using (). The op argument can be one of the following:

Create a new encrypted TrueCrypt volume.
Map an existing TrueCrypt volume.
Request information about an encrypted TrueCrypt volume.
Request information about a mapped TrueCrypt volume.
Unmap a mapped TrueCrypt volume.
Modify the TrueCrypt volume by changing the passphrase, keyfiles, PRF algorithm, restoring from a backup header, restoring from a header file or saving to a header file.
Modify the TrueCrypt volume as modify does, but without changing the passphrase, keyfiles or PRF algorithm.

The () function allows settting a number of different options for the current task. The following table shows which keys are available on calls to tc_api_task_set() for each of the operations. The letter indicates the setting is mandatory, whilst indicates the setting is optional.

M M M * M M
M M M
* * * * *
* * * * *
* * *
* * *
* * *
*
*
*
*
*
*
* *
* *
* * ? ?
* * * *
* * * *
* * * *
*
*
* * * * *
* * * * *
* * * * *
* * * * *
*
*
*
The varargs accepted by the tc_api_task_set() function depend on the key being set.
dev
The vararg is of type const char *. It sets the device that contains the TrueCrypt volume to operate on.
map_name
The vararg is of type const char *. It set the name of the mapped volume.
interactive
The vararg is of type int. It determines whether the user will be prompted for a passphrase or whether the settings are taken from the arguments set using tc_api_task_set().
retries
The vararg is of type int. It determines the number of passphrase retries if interactive is set.
weak_keys_and_salt
The vararg is of type int. It determines whether to use a weak source of entropy for key material and/or the salt.
secure_erase
The vararg is of type int. It determines whether a secure erase is performed as part of the volume creation.
hidden_size_bytes
The vararg is of type int64_t. If set to 0 it implies no hidden volume will be created. A positive value implies a hidden volume of the specified size in bytes is created.
prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the outer volume.
h_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the hidden volume.
cipher_chain
The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which cipher chain is used to encrypt the outer volume.
h_cipher_chain
The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which cipher chain is used to encrypt the hidden volume.
protect_hidden
The vararg is of type int. It determines whether the size of the outer volume should be adjusted to protect any hidden volume. Using this mode requires both outer and hidden passphrases and keyfiles.
sys
The vararg is of type const char *. It determines whether the volume is a system encrypted volume, and if so, which disk is the system disk and hence contains the header. If set to NULL the volume will implicitly be treated as a non-system encrypted volume.
fde
The vararg is of type int. It determines whether the disk uses full disk encryption or not. If specified, the device pointed to by the dev setting should be a whole disk device, not any partition. The device will be mapped or queried as a whole. To access individual partitions, a utility such as kpartx(8) should be used, which will create additional individual mappings for each partition in the decrypted mapped volume. For more details on full disk encryption, see tcplay(8).
use_backup_header
The vararg is of type int. It determines whether the backup header should be used instead of the regular header to access the volume.
header_from_file
The vararg is of type const char *. If not NULL it forces tcplay to use the header in the specified file instead of the regular outer volume header.
hidden_header_from_file
The vararg is of type const char *. If not NULL it forces tcplay to use the header in the specified file instead of the regular hidden volume header.
allow_trim
The vararg is of type int. It specifies whether the mapped volume should allow discards (TRIM).
save_header_to_file
The vararg is of type const char *. If not NULL it forces tcplay to write the (modified) header to the specified file instead of replacing the volume headers.
passphrase
The vararg is of type const char *. It sets the passphrase that tcplay uses to access the volume.
h_passphrase
The vararg is of type const char *. It sets the passphrase that tcplay uses to unlock the hidden volume header. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwise tcplay will first use the regular passphrase to try to unlock the outer volume and then try to unlock the hidden volume header with the same passphrase without ever using h_passphrase.
keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all keyfiles are cleared.
h_keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all keyfiles are cleared. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwise tcplay will first use the regular keyfiles to try to unlock the outer volume and then try to unlock the hidden volume header with the same keyfiles without ever using h_keyfiles.
new_passphrase
The vararg is of type const char *. It specifies the new passphrase to use when modifying the volume header.
new_keyfiles
The vararg is of type const char *. If not NULL the given keyfile will be added to the new keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all new keyfiles are cleared. When the volume header is modified, it will be reencrypted using the new keyfiles.
new_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used when reencrypting the (modified) volume header.
state_change_fn
The first vararg is of type tc_api_state_change_fn and the second vararg is of type void *. It allows the consumer to provide a callback function which will be called when starting and stopping a time-intensive sub-operation such as collecting entropy or erasing a volume. The second vararg is passed as the priv argument to the callback. The enter_state argument to the callback determines whether tcplay is starting or stopping the time-intensive sub-task specified in the state argument.

The () function runs the task specified in the task argument. Before running the task, tc_api_task_do() performs a simple sanity check of the arguments set previously using tc_api_task_set() before performing the actual operation. After a call to tc_api_task_do() for the info or info_mapped operations, the queried information is available to be accessed using tc_api_task_info_get().

The () function can be used to query the result of a info or info_mapped operation. The task argument is the task used in a previous tc_api_task_do() call. The key argument can be one of the following:

char * Corresponding device node
char * Used cipher chain
char * Used PBKDF2 PRF algorithm
int * Number of key bits
int64_t * Volume size in bytes
int64_t * IV Offset of volume in bytes
int64_t * Block Offset of volume in bytes

The second vararg argument must be of the type specified in the above table. The first vararg argument is always the size of the storage provided in the second argument. For a char * argument, the size corresponds to the size of the buffer at the provided location and must be of type size_t. For an int * or int64_t * argument, it should be the size of the underlying type.

The () function can be used to get a detailed error message after a failed tc_api_task_do call. The task argument is the task used in a previous tc_api_task_do() call.

TrueCrypt limits passphrases to 64 characters (including the terminating null character). To be compatible with it, tcplay does the same. All passphrases (exlcuding keyfiles) are trimmed to 64 characters. Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles can be used.

All functions except tc_api_task_init() and tc_api_task_get_error() return either TC_OK to indicate that the operation completed successfully, or TC_ERR_UNIMPL to indicate that the operation is not implemented , or TC_ERR to indicate that any other error occured.

The tc_api_task_get_error() function always return a valid, but possibly empty (or irrelevant, if not called after an error occurred) string.

The tc_api_task_init() function returns NULL if an error occurred and an opaque tc_api_task otherwise.

The tcplay library offers full compatibility with TrueCrypt volumes including hidden volumes, system encryption (map-only), keyfiles and cipher cascading.

tcplay(8), kpartx(8)

The tcplay library appeared in DragonFly 2.11.

Alex Hornung

January 20, 2014 Linux 6.7.9-arch1-1