Yesterday I bought myself a new 250GB USB bus-powered external hard-disk for my NSLU2. It replaces my bigger one, which lives in a case and requires a separate AC adapter. I hope to save some energy with this and get rid of the noise the bigger one made during the night.
Because the main purpose of the disk is to keep my backups and my digital audio library on it, I went on to encrypt the disk using truecrypt, just like I did for the one before. I've never used truecrypt for anything other than mounting my old HD on my NSLU2, on which I run a self-compiled 4.1 version of the software (at the time I encrypted my old disk there was no truecrypt package for the Debian arm port), so I never experienced the changes they'd made in the 5.1 version.
What should I say, IMHO the new version is a nightmare in terms of usability. It has a new Tcl/Tk GUI which should ease the management of encrypted devices. That might be the case for the Windows port but on Linux it results in just the opposite, especially on a headless machine.
If you want to use the text mode interface you have to explicitly force it on the command line by adding the -t option. Creating new encrypted devices also requires -t; if you omit it you'll get an error :-S. C'mon, that really sounds like bad programming to me. The former CLI of truecrypt was perfect IMO. I really don't know what has caused them to change it so dramatically. OK, there's a trick: put an alias into your $shellrc to save you from future surprises and the ugly help window.
alias truecrypt='truecrypt -t'
Anyway, assuming that every user wants to use the crappy GUI by default is just plain wrong. Another example: in the old version you could mount the encrypted device without mounting its filesystem, for example if you wanted to format it with a different filesystem than FAT32, by omitting the destination mount point.
% truecrypt /dev/sdb1
Enter passwort:
% ls -1 /dev/mapper/
/dev/mapper/truecrypt0
% mkfs.ext3 /dev/mapper/truecrypt0
The new version isn't as clever. You have to omit the destination mount point and tell truecrypt not to mount it, or in other words tell it not to ask for a destination mount point because you didn't give one. Did they think: OK, most users are not that smart, if they forget to provide a destination mount point we just keep asking them until we get one. Oh, and those who know what they do - well - let's add another CLI switch so they can tell us that they really don't want to really mount the volume? The question about the missing destination mount point is not the only one. You're also asked for an optional key file and whether or not you'd like to protect the hidden volume.
To get the same effect as the above example you now have to use this easy to remember combination:
% truecrypt -t --keyfiles="" --protect-hidden=no --filesystem=none /dev/sdb1
As a side note: since truecrypt uses FUSE now, the devices don't appear in /dev/mapper anymore. You can use the following to list them.
% truecrypt -t -l
1: /dev/sdb1 /dev/loop0 -
% mkfs.ext3 /dev/loop0
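As an added example (not part of the original post, and not TrueCrypt's own code), the two steps above can be wrapped for a headless box: map the volume with the flags shown, then parse the listing for the virtual device so that mkfs is run on it and never on the raw partition. The function names are hypothetical, and the listing is assumed to have exactly the one-line-per-volume layout shown above.

```shell
#!/bin/sh
# Added example: helpers around the TrueCrypt 5.x text-mode commands from the
# post. Function names are hypothetical; only flags shown in the post are used.

# Read `truecrypt -t -l` output on stdin and print the virtual device of the
# given volume. Assumed line layout (taken from the sample in the post):
#   <slot>: <volume> <virtual device> <mount point or "-">
# Exit status is 1 when the volume is not listed.
tc_virtual_device() {
    awk -v vol="$1" '
        $2 == vol { print $3; found = 1; exit }
        END       { exit !found }
    '
}

# Map a volume without mounting any filesystem and print its virtual device.
tc_map_raw() {
    vol="$1"
    [ -e "$vol" ] || { echo "no such volume: $vol" >&2; return 2; }

    # Prompts are sent to stderr so they stay visible when the caller
    # captures stdout with $(...).
    truecrypt -t --keyfiles="" --protect-hidden=no --filesystem=none \
        "$vol" >&2 || return 1

    # Look the device up instead of guessing /dev/loop0: another loop
    # device may already be in use on the machine.
    dev=$(truecrypt -t -l | tc_virtual_device "$vol") || {
        echo "$vol is not listed as mapped" >&2
        return 1
    }
    printf '%s\n' "$dev"
}

# Usage (formats the decrypted view, leaving the raw partition untouched):
#   dev=$(tc_map_raw /dev/sdb1) && mkfs.ext3 "$dev"
```

Running mkfs on /dev/sdb1 itself would overwrite the encrypted volume with a plaintext filesystem, which is why the script only ever hands back the virtual device.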
But the story doesn't end here, truecrypt now ships with another nifty gimmick.
I also wanted to create a hidden volume on the new hard-disk; the possibility to have hidden containers is what IMHO makes truecrypt a good choice for encryption. I know there are some controversial opinions on this matter, but anyway, check this out:
% truecrypt -t -c /dev/sdb1
Volume type:
 1) Normal
 2) Hidden
Select [1]: 2
Error: The selected feature is currently not supported on your platform.
Erm what? I mean WHAT!? Are they kidding me? This worked versions ago. Although I bet this has something to do with the switch to FUSE, it seems that they decided to get the new fancy GUI version out in time (along with the added support for bootable encrypted devices on Windows) but also decided to ship the yet obviously unfinished rewrite of the Linux version.
I am sorry, but this just sucks!
I had similar thoughts when I first updated Truecrypt to 5.x. But I must say that my life actually got easier - because of both the WxGTK (?) GUI that asks for the password and the fact that it doesn't need an external kernel module anymore. The latter is imo very important, and will help many people to get Truecrypt running at all. I didn't know about the unavailability of Hidden Volumes under Linux though, that's a major showstopper for those that want to use this feature.