TCPLAY(3) Library Functions Manual TCPLAY(3) NAME tc_api_init, tc_api_uninit, tc_api_has, tc_api_cipher_iterate, tc_api_prf_iterate, tc_api_task_init, tc_api_task_uninit, tc_api_task_set, tc_api_task_do, tc_api_task_info_get, tc_api_task_get_error - TrueCrypt volume management LIBRARY TrueCrypt-compatible API library (libtcplay, -ltcplay) SYNOPSIS #include typedef int (*tc_api_cipher_iterator_fn)(void *priv, const char *name, int key_length_in_bits, int ciphers_in_chain); typedef int (*tc_api_prf_iterator_fn)(void *priv, const char *name); typedef int (*tc_api_state_change_fn)(void *priv, const char *state, int enter_state); int tc_api_init(int verbose); int tc_api_uninit(void); int tc_api_has(const char *feature); int tc_api_cipher_iterate(tc_api_cipher_iterator_fn fn, void *priv); int tc_api_prf_iterate(tc_api_prf_iterator_fn fn, void *priv); tc_api_task tc_api_task_init(const char *op); int tc_api_task_uninit(tc_api_task task); int tc_api_task_set(tc_api_task task, const char *key, ...); int tc_api_task_do(tc_api_task task); int tc_api_task_info_get(tc_api_task task, const char *key, ...); const char * tc_api_task_get_error(tc_api_task task); DESCRIPTION The tcplay library provides an interface to create, query, map and manage TrueCrypt-compatible volumes. The tc_api_init() function initializes the library internals and prepares it for use via the API. This function has to be called before using any other API function. If the verbose argument is non-zero, then the library will output information such as errors via stdout and stderr. The tc_api_uninit() function clears up all internal secure memory, such as memory used for decrypted headers, passphrases, keyfiles, etc. The tc_api_has() function checks whether the loaded tcplay library has the feature specified by the feature argument. The current version of the tcplay library supports the following features: Feature Description trim Allows enabling discards/TRIM when mapping a volume The tc_api_cipher_iterate() function passes every available cipher chain to the callback provided in the fn argument. The priv argument is passed on every call of the callback function. The name of the cipher chain is passed to the callback function in the name argument. Similarly, the ciphers_in_chain argument holds the number of ciphers in the current chain, and key_length_in_bits holds the total key length for the cipher chain, in bits. The tc_api_prf_iterate() function passes every available cipher chain to the callback provided in the fn argument. The priv argument is passed on every call of the callback function. The name of the PKBDF2 PRF algorithm is passed to the callback function in the name argument. The tc_api_task_init() function initializes and returns a tc_api_task opaque pointer that can be used to run tcplay commands. Each task can be used only for a single tc_api_task_do() call, and must be deallocated using tc_api_task_uninit(). The op argument can be one of the following: create Create a new encrypted TrueCrypt volume. map Map an existing TrueCrypt volume. info Request information about an encrypted TrueCrypt volume. info_mapped Request information about a mapped TrueCrypt volume. unmap Unmap a mapped TrueCrypt volume. modify Modify the TrueCrypt volume by changing the passphrase, keyfiles, PRF algorithm, restoring from a backup header, restoring from a header file or saving to a header file. restore Modify the TrueCrypt volume as modify does, but without changing the passphrase, keyfiles or PRF algorithm. The tc_api_task_set() function allows settting a number of different options for the current task. The following table shows which keys are available on calls to tc_api_task_set() for each of the operations. The letter M indicates the setting is mandatory, whilst * indicates the setting is optional. Key create info map unmap info_mapped modify restore dev M M M * M M map_name M M M interactive * * * * * retries * * * * * timeout * * * state_change_fn * * * weak_keys_and_salt * * * secure_erase * hidden_size_bytes * prf_algo * h_prf_algo * cipher_chain * h_cipher_chain * protect_hidden * * fde * * sys * * ? ? use_backup_header * * * * header_from_file * * * * hidden_header_from_file * * * * allow_trim * save_header_to_file * passphrase * * * * * h_passphrase * * * * * keyfiles * * * * * h_keyfiles * * * * * new_passphrase * new_keyfiles * new_prf_algo * The varargs accepted by the tc_api_task_set() function depend on the key being set. dev The vararg is of type const char *. It sets the device that contains the TrueCrypt volume to operate on. map_name The vararg is of type const char *. It set the name of the mapped volume. interactive The vararg is of type int. It determines whether the user will be prompted for a passphrase or whether the settings are taken from the arguments set using tc_api_task_set(). retries The vararg is of type int. It determines the number of passphrase retries if interactive is set. weak_keys_and_salt The vararg is of type int. It determines whether to use a weak source of entropy for key material and/or the salt. secure_erase The vararg is of type int. It determines whether a secure erase is performed as part of the volume creation. hidden_size_bytes The vararg is of type int64_t. If set to 0 it implies no hidden volume will be created. A positive value implies a hidden volume of the specified size in bytes is created. prf_algo The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the outer volume. h_prf_algo The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the hidden volume. cipher_chain The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which cipher chain is used to encrypt the outer volume. h_cipher_chain The vararg is of type const char * and must be a valid tcplay cipher chain. It determines which cipher chain is used to encrypt the hidden volume. protect_hidden The vararg is of type int. It determines whether the size of the outer volume should be adjusted to protect any hidden volume. Using this mode requires both outer and hidden passphrases and keyfiles. sys The vararg is of type const char *. It determines whether the volume is a system encrypted volume, and if so, which disk is the system disk and hence contains the header. If set to NULL the volume will implicitly be treated as a non-system encrypted volume. fde The vararg is of type int. It determines whether the disk uses full disk encryption or not. If specified, the device pointed to by the dev setting should be a whole disk device, not any partition. The device will be mapped or queried as a whole. To access individual partitions, a utility such as kpartx(8) should be used, which will create additional individual mappings for each partition in the decrypted mapped volume. For more details on full disk encryption, see tcplay(8). use_backup_header The vararg is of type int. It determines whether the backup header should be used instead of the regular header to access the volume. header_from_file The vararg is of type const char *. If not NULL it forces tcplay to use the header in the specified file instead of the regular outer volume header. hidden_header_from_file The vararg is of type const char *. If not NULL it forces tcplay to use the header in the specified file instead of the regular hidden volume header. allow_trim The vararg is of type int. It specifies whether the mapped volume should allow discards (TRIM). save_header_to_file The vararg is of type const char *. If not NULL it forces tcplay to write the (modified) header to the specified file instead of replacing the volume headers. passphrase The vararg is of type const char *. It sets the passphrase that tcplay uses to access the volume. h_passphrase The vararg is of type const char *. It sets the passphrase that tcplay uses to unlock the hidden volume header. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwise tcplay will first use the regular passphrase to try to unlock the outer volume and then try to unlock the hidden volume header with the same passphrase without ever using h_passphrase. keyfiles The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all keyfiles are cleared. h_keyfiles The vararg is of type const char *. If not NULL the given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all keyfiles are cleared. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwise tcplay will first use the regular keyfiles to try to unlock the outer volume and then try to unlock the hidden volume header with the same keyfiles without ever using h_keyfiles. new_passphrase The vararg is of type const char *. It specifies the new passphrase to use when modifying the volume header. new_keyfiles The vararg is of type const char *. If not NULL the given keyfile will be added to the new keyfile pool. Multiple calls to set this option with a non- NULL argument result add additional keyfiles. If NULL all new keyfiles are cleared. When the volume header is modified, it will be reencrypted using the new keyfiles. new_prf_algo The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used when reencrypting the (modified) volume header. state_change_fn The first vararg is of type tc_api_state_change_fn and the second vararg is of type void *. It allows the consumer to provide a callback function which will be called when starting and stopping a time-intensive sub-operation such as collecting entropy or erasing a volume. The second vararg is passed as the priv argument to the callback. The enter_state argument to the callback determines whether tcplay is starting or stopping the time-intensive sub-task specified in the state argument. The tc_api_task_do() function runs the task specified in the task argument. Before running the task, tc_api_task_do() performs a simple sanity check of the arguments set previously using tc_api_task_set() before performing the actual operation. After a call to tc_api_task_do() for the info or info_mapped operations, the queried information is available to be accessed using tc_api_task_info_get(). The tc_api_task_info_get() function can be used to query the result of a info or info_mapped operation. The task argument is the task used in a previous tc_api_task_do() call. The key argument can be one of the following: Key type Description device char * Corresponding device node cipher char * Used cipher chain prf char * Used PBKDF2 PRF algorithm key_bits int * Number of key bits size int64_t * Volume size in bytes iv_offset int64_t * IV Offset of volume in bytes block_offset int64_t * Block Offset of volume in bytes The second vararg argument must be of the type specified in the above table. The first vararg argument is always the size of the storage provided in the second argument. For a char * argument, the size corresponds to the size of the buffer at the provided location and must be of type size_t. For an int * or int64_t * argument, it should be the size of the underlying type. The tc_api_task_get_error() function can be used to get a detailed error message after a failed tc_api_task_do call. The task argument is the task used in a previous tc_api_task_do() call. NOTES TrueCrypt limits passphrases to 64 characters (including the terminating null character). To be compatible with it, tcplay does the same. All passphrases (exlcuding keyfiles) are trimmed to 64 characters. Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles can be used. RETURN VALUES All functions except tc_api_task_init() and tc_api_task_get_error() return either TC_OK to indicate that the operation completed successfully, or TC_ERR_UNIMPL to indicate that the operation is not implemented , or TC_ERR to indicate that any other error occured. The tc_api_task_get_error() function always return a valid, but possibly empty (or irrelevant, if not called after an error occurred) string. The tc_api_task_init() function returns NULL if an error occurred and an opaque tc_api_task otherwise. COMPATIBILITY The tcplay library offers full compatibility with TrueCrypt volumes including hidden volumes, system encryption (map-only), keyfiles and cipher cascading. SEE ALSO tcplay(8), kpartx(8) HISTORY The tcplay library appeared in DragonFly 2.11. AUTHORS Alex Hornung Linux 6.7.9-arch1-1 January 20, 2014 Linux 6.7.9-arch1-1