table of contents
| TCPLAY(3) | Library Functions Manual | TCPLAY(3) | 
NAME¶
tc_api_init,
    tc_api_uninit, tc_api_has,
    tc_api_cipher_iterate,
    tc_api_prf_iterate,
    tc_api_task_init,
    tc_api_task_uninit,
    tc_api_task_set,
    tc_api_task_do,
    tc_api_task_info_get,
    tc_api_task_get_error —
    TrueCrypt volume management
LIBRARY¶
TrueCrypt-compatible API library (libtcplay, -ltcplay)
SYNOPSIS¶
#include
    <tcplay_api.h>
typedef int
  
  (*tc_api_cipher_iterator_fn)(void
    *priv, const char
    *name, int
    key_length_in_bits, int
    ciphers_in_chain);
typedef int
  
  (*tc_api_prf_iterator_fn)(void
    *priv, const char
    *name);
typedef int
  
  (*tc_api_state_change_fn)(void
    *priv, const char
    *state, int
    enter_state);
int
  
  tc_api_init(int
    verbose);
int
  
  tc_api_uninit(void);
int
  
  tc_api_has(const
    char *feature);
int
  
  tc_api_cipher_iterate(tc_api_cipher_iterator_fn
    fn, void
  *priv);
int
  
  tc_api_prf_iterate(tc_api_prf_iterator_fn
    fn, void
  *priv);
tc_api_task
  
  tc_api_task_init(const
    char *op);
int
  
  tc_api_task_uninit(tc_api_task
    task);
int
  
  tc_api_task_set(tc_api_task
    task, const char
    *key, ...);
int
  
  tc_api_task_do(tc_api_task
    task);
int
  
  tc_api_task_info_get(tc_api_task
    task, const char
    *key, ...);
const char *
  
  tc_api_task_get_error(tc_api_task
    task);
DESCRIPTION¶
The tcplay library provides an interface
    to create, query, map and manage TrueCrypt-compatible volumes.
The
    tc_api_init()
    function initializes the library internals and prepares it for use via the
    API. This function has to be called before using any other API function. If
    the verbose argument is non-zero, then the library
    will output information such as errors via stdout and stderr.
The
    tc_api_uninit()
    function clears up all internal secure memory, such as memory used for
    decrypted headers, passphrases, keyfiles, etc.
The
    tc_api_has()
    function checks whether the loaded tcplay library has the feature specified
    by the feature argument. The current version of the
    tcplay library supports the following features:
| Feature | Description | 
| trim | Allows enabling discards/TRIM when mapping a volume | 
The
    tc_api_cipher_iterate()
    function passes every available cipher chain to the callback provided in the
    fn argument. The priv argument
    is passed on every call of the callback function. The name of the cipher
    chain is passed to the callback function in the name
    argument. Similarly, the ciphers_in_chain argument
    holds the number of ciphers in the current chain, and
    key_length_in_bits holds the total key length for the
    cipher chain, in bits.
The
    tc_api_prf_iterate()
    function passes every available cipher chain to the callback provided in the
    fn argument. The priv argument
    is passed on every call of the callback function. The name of the PKBDF2 PRF
    algorithm is passed to the callback function in the
    name argument.
The
    tc_api_task_init()
    function initializes and returns a tc_api_task opaque
    pointer that can be used to run tcplay commands.
    Each task can be used only for a single
    tc_api_task_do() call, and must be deallocated using
    tc_api_task_uninit().
    The op argument can be one of the following:
- create
- Create a new encrypted TrueCrypt volume.
- map
- Map an existing TrueCrypt volume.
- info
- Request information about an encrypted TrueCrypt volume.
- info_mapped
- Request information about a mapped TrueCrypt volume.
- unmap
- Unmap a mapped TrueCrypt volume.
- modify
- Modify the TrueCrypt volume by changing the passphrase, keyfiles, PRF algorithm, restoring from a backup header, restoring from a header file or saving to a header file.
- restore
- Modify the TrueCrypt volume as modify does, but without changing the passphrase, keyfiles or PRF algorithm.
The
    tc_api_task_set()
    function allows setting a number of different options for the current task.
    The following table shows which keys are available on calls to
    tc_api_task_set() for each of the operations. The
    letter M
    indicates the setting is mandatory, whilst
    * indicates the
    setting is optional.
| Key | create | info | map | unmap | info_mapped | modify | restore | 
| dev | M | M | M | * | M | M | |
| map_name | M | M | M | ||||
| interactive | * | * | * | * | * | ||
| retries | * | * | * | * | * | ||
| timeout | * | * | * | ||||
| state_change_fn | * | * | * | ||||
| weak_keys_and_salt | * | * | * | ||||
| secure_erase | * | ||||||
| prf_algo | * | ||||||
| h_prf_algo | * | ||||||
| cipher_chain | * | ||||||
| h_cipher_chain | * | ||||||
| fde | * | * | |||||
| sys | * | * | ? | ? | |||
| use_backup_header | * | * | * | * | |||
| header_from_file | * | * | * | * | |||
| allow_trim | * | ||||||
| save_header_to_file | * | ||||||
| passphrase | * | * | * | * | * | ||
| h_passphrase | * | * | * | * | * | ||
| keyfiles | * | * | * | * | * | ||
| h_keyfiles | * | * | * | * | * | ||
| new_passphrase | * | ||||||
| new_keyfiles | * | ||||||
| new_prf_algo | * | 
tc_api_task_set() function
  depend on the key being set.
- dev
- The vararg is of type const char *. It sets the device that contains the TrueCrypt volume to operate on.
- map_name
- The vararg is of type const char *. It set the name of the mapped volume.
- interactive
- The vararg is of type int. It determines whether the
      user will be prompted for a passphrase or whether the settings are taken
      from the arguments set using
    tc_api_task_set().
- retries
- The vararg is of type int. It determines the number of passphrase retries if interactive is set.
- weak_keys_and_salt
- The vararg is of type int. It determines whether to use a weak source of entropy for key material and/or the salt.
- secure_erase
- The vararg is of type int. It determines whether a secure erase is performed as part of the volume creation.
- hidden_size_bytes
- The vararg is of type int64_t. If set to 0 it implies no hidden volume will be created. A positive value implies a hidden volume of the specified size in bytes is created.
- prf_algo
- The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the outer volume.
- h_prf_algo
- The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used for the hidden volume.
- cipher_chain
- The vararg is of type const char * and must be a
      valid tcplaycipher chain. It determines which cipher chain is used to encrypt the outer volume.
- h_cipher_chain
- The vararg is of type const char * and must be a
      valid tcplaycipher chain. It determines which cipher chain is used to encrypt the hidden volume.
- protect_hidden
- The vararg is of type int. It determines whether the size of the outer volume should be adjusted to protect any hidden volume. Using this mode requires both outer and hidden passphrases and keyfiles.
- sys
- The vararg is of type const char *. It determines
      whether the volume is a system encrypted volume, and if so, which disk is
      the system disk and hence contains the header. If set to
      NULLthe volume will implicitly be treated as a non-system encrypted volume.
- fde
- The vararg is of type int. It determines whether the disk uses full disk encryption or not. If specified, the device pointed to by the dev setting should be a whole disk device, not any partition. The device will be mapped or queried as a whole. To access individual partitions, a utility such as kpartx(8) should be used, which will create additional individual mappings for each partition in the decrypted mapped volume. For more details on full disk encryption, see tcplay(8).
- use_backup_header
- The vararg is of type int. It determines whether the backup header should be used instead of the regular header to access the volume.
- header_from_file
- The vararg is of type const char *. If not
      NULLit forcestcplayto use the header in the specified file instead of the regular outer volume header.
- hidden_header_from_file
- The vararg is of type const char *. If not
      NULLit forcestcplayto use the header in the specified file instead of the regular hidden volume header.
- allow_trim
- The vararg is of type int. It specifies whether the mapped volume should allow discards (TRIM).
- save_header_to_file
- The vararg is of type const char *. If not
      NULLit forcestcplayto write the (modified) header to the specified file instead of replacing the volume headers.
- passphrase
- The vararg is of type const char *. It sets the
      passphrase that tcplayuses to access the volume.
- h_passphrase
- The vararg is of type const char *. It sets the
      passphrase that tcplayuses to unlock the hidden volume header. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwisetcplaywill first use the regular passphrase to try to unlock the outer volume and then try to unlock the hidden volume header with the same passphrase without ever using h_passphrase.
- keyfiles
- The vararg is of type const char *. If not
      NULLthe given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non-NULLargument result add additional keyfiles. IfNULLall keyfiles are cleared.
- h_keyfiles
- The vararg is of type const char *. If not
      NULLthe given keyfile will be added to the keyfile pool. Multiple calls to set this option with a non-NULLargument result add additional keyfiles. IfNULLall keyfiles are cleared. This option is only used if a hidden volume is being created or the protect_hidden setting is set. Otherwisetcplaywill first use the regular keyfiles to try to unlock the outer volume and then try to unlock the hidden volume header with the same keyfiles without ever using h_keyfiles.
- new_passphrase
- The vararg is of type const char *. It specifies the new passphrase to use when modifying the volume header.
- new_keyfiles
- The vararg is of type const char *. If not
      NULLthe given keyfile will be added to the new keyfile pool. Multiple calls to set this option with a non-NULLargument result add additional keyfiles. IfNULLall new keyfiles are cleared. When the volume header is modified, it will be reencrypted using the new keyfiles.
- new_prf_algo
- The vararg is of type const char * and must be a valid PBKDF2 PRF algorithm. It determines which PBKDF2 PRF algorithm is used when reencrypting the (modified) volume header.
- state_change_fn
- The first vararg is of type tc_api_state_change_fn
      and the second vararg is of type void *. It allows
      the consumer to provide a callback function which will be called when
      starting and stopping a time-intensive sub-operation such as collecting
      entropy or erasing a volume. The second vararg is passed as the
      priv argument to the callback. The
      enter_state argument to the callback determines
      whether tcplayis starting or stopping the time-intensive sub-task specified in the state argument.
The
    tc_api_task_do()
    function runs the task specified in the task argument.
    Before running the task, tc_api_task_do() performs a
    simple sanity check of the arguments set previously using
    tc_api_task_set() before performing the actual
    operation. After a call to tc_api_task_do() for the
    info or info_mapped operations, the
    queried information is available to be accessed using
    tc_api_task_info_get().
The
    tc_api_task_info_get()
    function can be used to query the result of a info or
    info_mapped operation. The task
    argument is the task used in a previous
    tc_api_task_do() call. The key
    argument can be one of the following:
| Key | type | Description | 
| device | char * | Corresponding device node | 
| cipher | char * | Used cipher chain | 
| prf | char * | Used PBKDF2 PRF algorithm | 
| key_bits | int * | Number of key bits | 
| size | int64_t * | Volume size in bytes | 
| iv_offset | int64_t * | IV Offset of volume in bytes | 
| block_offset | int64_t * | Block Offset of volume in bytes | 
The second vararg argument must be of the type specified in the above table. The first vararg argument is always the size of the storage provided in the second argument. For a char * argument, the size corresponds to the size of the buffer at the provided location and must be of type size_t. For an int * or int64_t * argument, it should be the size of the underlying type.
The
    tc_api_task_get_error()
    function can be used to get a detailed error message after a failed
    tc_api_task_do call. The task
    argument is the task used in a previous
    tc_api_task_do() call.
NOTES¶
TrueCrypt limits passphrases to 64 characters (including the
    terminating null character). To be compatible with it,
    tcplay does the same. All passphrases (exlcuding
    keyfiles) are trimmed to 64 characters. Similarly, keyfiles are limited to a
    size of 1 MB, but up to 256 keyfiles can be used.
RETURN VALUES¶
All functions except tc_api_task_init()
    and tc_api_task_get_error() return either
    TC_OK to indicate that the operation completed
    successfully, or TC_ERR_UNIMPL to indicate that the
    operation is not implemented , or TC_ERR to indicate
    that any other error occurred.
The tc_api_task_get_error() function
    always return a valid, but possibly empty (or irrelevant, if not called
    after an error occurred) string.
The tc_api_task_init() function returns
    NULL if an error occurred and an opaque
    tc_api_task otherwise.
COMPATIBILITY¶
The tcplay library offers full
    compatibility with TrueCrypt volumes including hidden volumes, system
    encryption (map-only), keyfiles and cipher cascading.
SEE ALSO¶
HISTORY¶
The tcplay library appeared in
    DragonFly 2.11.
AUTHORS¶
Alex Hornung
| January 20, 2014 | Debian |