How to prevent exposing truecrypt arguments?


I have a script that mounts a truecrypt volume, and the password is given as an argument. Any user on the system may issue the command ps -aux | grep truecrypt, which will reveal the password to the encrypted volume. Moreover, by traversing the proc directory, the password can again be revealed. I have root access to my machine, but I am sure that changing the permissions of the ps command and the proc directory will break functionality in other parts of the system. On one hand, I want to mount the volumes automatically without requiring user interaction; on the other hand, compromising the password of the truecrypt volume is out of the question. I might be able to find some acceptable solution using expect, but before doing so I wanted to ask if anybody has a better idea.


Solution

  • I used pexpect to solve my problem in a Python script; equivalent shell scripts should look similar conceptually.

    Instead of

    import os

    # The password is part of the command line, so ps and /proc/<pid>/cmdline show it.
    mntMyDir = '/mnt/' + myDir
    os.system('truecrypt ' + mntMyDir + '.tc ' + mntMyDir + ' --password=' + myPassword + ' --keyfiles= --protect-hidden=no')
    os.chdir(mntMyDir + '/tree')
    

    I used

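    import os
    import pexpect

    mntMyDir = '/mnt/' + myDir
    # No --password option: truecrypt prompts for it on the pseudo-terminal instead.
    truecryptCmd = 'truecrypt ' + mntMyDir + '.tc ' + mntMyDir + ' --keyfiles= --protect-hidden=no'
    child = pexpect.spawn(truecryptCmd)
    # expect_exact matches the prompt literally; expect() would treat the path as a regex.
    child.expect_exact('Enter password for ' + mntMyDir + '.tc: ')
    child.sendline(myPassword)
    child.wait()
    os.chdir(mntMyDir + '/tree')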
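
The difference between the two snippets above can be checked directly; the following is an added example, not part of the original answer. It starts a harmless child process once with a secret in its arguments and once with the secret written to its standard input, then reads the child's argument list from /proc the way ps does. Assumptions: a Linux system with /proc mounted, a Python one-liner standing in for truecrypt, a constructed passphrase, and a plain pipe in place of the pseudo-terminal that pexpect uses.

```python
import subprocess
import sys

SECRET = "constructed-demo-passphrase"  # constructed sample value, not a real secret
CHILD = "import sys; sys.stdin.read()"  # hypothetical stand-in for truecrypt: waits on stdin


def cmdline_of(pid):
    """Return the argument list of a process as ps reads it from /proc."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        # Arguments are stored NUL-separated.
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


def run_child(secret_in_argv):
    """Start the stand-in child, hand it the secret, return its visible argv."""
    argv = [sys.executable, "-c", CHILD]
    if secret_in_argv:
        argv.append("--password=" + SECRET)  # the pattern from the question
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if not secret_in_argv:
            # Delivered over a file descriptor, so it never becomes part of argv.
            proc.stdin.write(SECRET.encode() + b"\n")
            proc.stdin.flush()
        return cmdline_of(proc.pid)
    finally:
        proc.communicate()  # closes stdin so the child exits, then reaps it


def exposed(argv):
    """True if the secret appears in any visible argument."""
    return any(SECRET in arg for arg in argv)


if __name__ == "__main__":
    print("secret visible when passed as argument:", exposed(run_child(True)))
    print("secret visible when sent on stdin:     ", exposed(run_child(False)))
```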