Saturday, February 16, 2013

Mounting and Unmounting Truecrypt file containers straight from Explorer context-menu

I don't have Windows BitLocker on my laptop, so I have to use either EFS or Truecrypt. Truecrypt is the more secure choice.

My laptop has only a small SSD disk. I don't want to create separate partitions for Truecrypt. Using sparse file containers is much easier.

But how do you make mounting and unmounting them as easy as possible? Why not have a simple folder that contains your Truecrypt-encrypted files, and mount and unmount that directory right where it belongs, among your other work files?

With the NTFS file system you can mount disks as directories. But Truecrypt does not support that: when you mount a Truecrypt disk it always gets a drive letter, as a volume, and you can't get around that. So in order to get the disk mounted as a directory, you have to mount it as a volume as well.

This script is tested on 64-bit Windows 7. It uses Powershell as the scripting language. For mounting and unmounting disks, Windows 7 has the built-in command mountvol.exe.

MountVol.exe needs UAC-elevated access to be able to mount and unmount. Unfortunately there's no simple way to get elevated privileges in Powershell scripts, but there is a workaround for that:
New Elevation PowerToys for Windows Vista
Download the file Elevation2008_06.exe, start the program and extract the files to C:\Temp. It creates the directory C:\Temp\Elevation. Move the directory "Elevation" to "C:\Program Files (x86)".

If you haven't used Powershell before, you have to set the Execution Policy. The default is Restricted; it has to be at least RemoteSigned. The ExecutionPolicy can only be changed with elevated privileges, so this is a good chance to test that the elevation script works as planned.
Run the command:
"C:\Program Files (x86)\Elevation\elevate.cmd" %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
A UAC prompt should appear.

Enter the command: Get-ExecutionPolicy
If the result is Restricted, enter the command: Set-ExecutionPolicy RemoteSigned
Then enter the command: exit

Now go to the Truecrypt directory. If you have the 32-bit version, the directory is "C:\Program Files (x86)\TrueCrypt";
the directory for the 64-bit version is "C:\Program Files\TrueCrypt".

Create a file named "Mount.ps1" with Notepad and copy this text into it:
param (
    [string]$file
)

# Split the file name: <directory>.<letter>.tc or <directory>#<letter>.tc
$pathname = Split-Path $file -Parent
$filename = Split-Path $file -Leaf
$filesplitted = [regex]::Split($filename, '\.|#')

$mountdir = $filesplitted[0]
$mountdisk = $filesplitted[1]

# Run Truecrypt: mount the container quietly as drive letter $mountdisk
& "C:\Program Files\TrueCrypt\truecrypt.exe" "/l$mountdisk" /v $file /q | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Truecrypt exit code: $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Get the volume mount point (the \\?\Volume{GUID}\ name of the new drive)
$volumemountpoint = mountvol.exe "${mountdisk}:\" /L
if ($LASTEXITCODE -ne 0) {
    Write-Output $volumemountpoint
    Write-Output "mountvol exit code: $LASTEXITCODE"
    exit $LASTEXITCODE
}
$volumename = ($volumemountpoint | Out-String).Trim()

# Create the mount directory next to the container if it is not found
$mountpath = Join-Path $pathname $mountdir
if (!(Test-Path $mountpath -PathType Container)) {
    New-Item -ItemType Directory -Path $mountpath | Out-Null
}

# Mount the same volume as a directory as well
mountvol.exe $mountpath $volumename
exit

If your Truecrypt is the 32-bit version, change the Truecrypt directory in the script.

Then create a file named "Unmount.ps1" and copy this text:
param (
    [string]$file
)

# Split the file name (same format as in Mount.ps1)
$pathname = Split-Path $file -Parent
$filename = Split-Path $file -Leaf
$filesplitted = [regex]::Split($filename, '\.|#')

$mountdir = $filesplitted[0]
$mountdisk = $filesplitted[1]

# Run Truecrypt: force-dismount drive letter $mountdisk quietly
& "C:\Program Files\TrueCrypt\truecrypt.exe" /q /d $mountdisk /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Truecrypt exit code: $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Remove the directory mount point (the now-empty directory itself stays)
$mountpath = Join-Path $pathname $mountdir
mountvol.exe $mountpath /D
exit

And remember to check that the script has the right Truecrypt directory.

Then open Wordpad and copy this text:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume]
@="TrueCrypt Volume"
"AppUserModelID"="TrueCryptFoundation.TrueCrypt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\DefaultIcon]
@="C:\\Program Files\\TrueCrypt\\TrueCrypt.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\Shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\Shell\mount]
@="Mount Volume"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\Shell\mount\command]
@="\"C:\\Program Files (x86)\\Elevation\\elevate.cmd\" \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -file \"C:\\Program Files\\TrueCrypt\\Mount.ps1\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\Shell\unmount]
@="Unmount Volume"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrueCryptVolume\Shell\unmount\command]
@="\"C:\\Program Files (x86)\\Elevation\\elevate.cmd\" \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -file \"C:\\Program Files\\TrueCrypt\\Unmount.ps1\" \"%1\""
Check that the paths to Mount.ps1 and Unmount.ps1 are right. Then save the file in "Unicode Text Document" format in the Truecrypt directory with the name "TruecryptMount.reg". Now double-click that file and let it write the new settings to the registry.

Ok. Now we need something to mount. You should already have the Truecrypt file container created and ready. You have to rename the file so that it contains the directory name and the drive letter the container will be mounted as. The file name can have either of two formats:

TopSecret.P.tc
or
TopSecret#P.tc

Now when you mount this file container, Truecrypt first mounts it as drive P. Then the script creates the directory TopSecret and mounts the container there as well. When you unmount, the directory stays but it is empty.
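The file-name convention above is all the scripts go on, so it is worth checking before Truecrypt or mountvol touch anything: that the name really has the <directory>.<letter>.tc shape, that the drive letter is free, and that the mount directory is absent or empty (mountvol onto a non-empty directory hides whatever is already in it). The helper below is an added example, not code from the original post or from Truecrypt; the function name Get-ContainerMountInfo and the returned property names are this example's own choice.

```powershell
# Added example, not from the original post: validate a container name such as
# TopSecret.P.tc or TopSecret#P.tc before anything is mounted.
function Get-ContainerMountInfo {
    param([Parameter(Mandatory = $true)][string]$File)

    if (-not (Test-Path $File -PathType Leaf)) {
        throw "Container '$File' does not exist"
    }
    $full = (Resolve-Path $File).Path
    $leaf = Split-Path $full -Leaf
    # Same split the scripts use: '.' or '#' separates directory, letter, extension
    $parts = [regex]::Split($leaf, '\.|#')
    if ($parts.Count -ne 3) {
        throw "Expected <directory>.<letter>.tc or <directory>#<letter>.tc, got '$leaf'"
    }
    $dir    = $parts[0]
    $letter = $parts[1].ToUpper()

    if ($dir -eq '') {
        throw "Mount directory name is empty in '$leaf'"
    }
    # Truecrypt /l needs exactly one drive letter; anything else would be passed blindly
    if ($letter -notmatch '^[A-Z]$') {
        throw "'$($parts[1])' is not a single drive letter"
    }
    if (Test-Path "${letter}:\") {
        throw "Drive ${letter}: is already in use; pick a free letter in the file name"
    }
    # mountvol onto a non-empty directory hides its existing contents, so only an
    # absent or empty directory next to the container is acceptable
    $mountDir = Join-Path (Split-Path $full -Parent) $dir
    if (Test-Path $mountDir -PathType Container) {
        $count = (Get-ChildItem $mountDir -Force | Measure-Object).Count
        if ($count -gt 0) { throw "Mount directory '$mountDir' is not empty" }
    } elseif (Test-Path $mountDir) {
        throw "'$mountDir' exists but is not a directory"
    }
    New-Object PSObject -Property @{
        Container = $full; Letter = $letter; MountDir = $mountDir
    }
}

# Usage from Mount.ps1 would be: $info = Get-ContainerMountInfo $file
# then pass $info.Letter to truecrypt /l and $info.MountDir to mountvol.
```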

Now try it. Open the context menu of the file and you'll see two new commands, Mount Volume and Unmount Volume.

Do not try to use the Truecrypt GUI to unmount these volumes. There's some kind of bug in the latest version: drive letters are not released properly when you unmount from the GUI, and you cannot mount the drive again.

Edit: The Truecrypt GUI cannot mount properly if it was not started with administrator privileges. If you want Truecrypt started automatically, you have to do it with Task Scheduler. First, in Explorer, set Truecrypt.exe to be run as administrator. Then, in Task Scheduler, create a task that starts when the user logs in and set launching Truecrypt as its action.
