OS: Mint 12, 64 bit (Linux kernel: 3.5.0-17)
truecrypt version: 7.1a

I'm using truecrypt in an automation script, and I want to create a volume with an Ext4 file system. But it seems that the --filesystem option can't do that.

When I pass --filesystem=ext4 at creation time, I can't mount the volume. It says "you must specify the file system", and when I pass --filesystem to the mount command, I get an error. In syslog it said:

EXT4-fs (dm-2): VFS: Can't find ext4 filesystem

But when I don't pass the --filesystem option at creation time, it asks me for the file system, I can choose Linux Ext4, and everything goes fine.

I know that I can pass --filesystem=none and then format the volume later, but that's not what I want. (The script doesn't know which device it should format; there may be other truecrypt volumes mounted.)

1 Answer

After several nights working on this I've finally found a reliable sequence of commands to create and destroy ext4-formatted Truecrypt volumes.

I arrived at this point after several attempts to use both Tomb and Truecrypt proper before finally switching over to the forked version of Truecrypt called tc-play.

Why did I bail on those other two utilities? Tomb, I had reliability issues with. Periodically after a tomb resize operation the tool refused to accept the passphrase I had associated with my tomb keys. I could have fixed it eventually but who wants to debug ksh scripts all day? :) I really like the Tomb project and hope it continues to be successful in the future.

Truecrypt proper? I didn't like having to trust the provided binaries, especially since there were many reports online of people unable to reproduce the same binaries with the same source. I'm glad there is a publicly funded audit of that code in progress. I also wasn't willing to trust my own custom compile from source. I am building a backup system here and didn't want to run the risk that 5 years from now I'd need to do a recompile for some reason and burn up a whole weekend just getting it to build with the updated compilers of the day.

For what it's worth, tc-play is included in the apt repo on Ubuntu 13 (and presumably most other distros/versions). This code assumes the commands are being run as a normal user account with select commands having been whitelisted via sudoers.

Final note: I wanted all this to be scriptable despite the fact that tc-play wants interactive keyboard input for collecting passphrases. I know embedding passwords in scripts is bad form generally but my whole system hinges on having my backup server locked down anyway. If anyone can get to the password in the script, I have bigger problems to worry about.

So with all that preamble out of the way here are my commands. Feel free to copy/paste and season to taste. Feedback welcome and appreciated, if you spot any issues or have any suggestions:

export ARCHIVE=foo.tc
export SIZE_M=20
export PASSWORDBASE=superdupertopsecret
export CLOUD_DIR=/mnt/cloud/r3cgm/

# create archive
dd if=/dev/zero of=$CLOUD_DIR$ARCHIVE bs=1 count=0 seek=${SIZE_M}M

# find free loopback device
LOOPBACK_DEV=$(sudo losetup -f)

# associate loopback device with archive
sudo losetup $LOOPBACK_DEV $CLOUD_DIR$ARCHIVE

# to enable Expect debugging, add this:
# exp_internal 1

# encrypt loopback device
expect -c "spawn sudo tcplay -c -d $LOOPBACK_DEV -a whirlpool -b AES-256-XTS
set timeout 2
expect Passphrase
send $PASSWORDBASE$ARCHIVE\r
expect Repeat
send $PASSWORDBASE$ARCHIVE\r
expect proceed
send y\r
interact
"

# map loopback device with file container
# DEBUG: sometimes this needs to be run twice / fails the first time, why?
expect -c "spawn sudo tcplay -m $ARCHIVE -d $LOOPBACK_DEV
set timeout 1
expect Passphrase
send $PASSWORDBASE$ARCHIVE\r
expect eof
"

# format archive with ext4
sudo mkfs.ext4 /dev/mapper/$ARCHIVE

[[ -d "/mnt/$ARCHIVE" ]] || sudo mkdir /mnt/$ARCHIVE

# mount archive
sudo mount /dev/mapper/$ARCHIVE /mnt/$ARCHIVE


# UNDO


# unmount archive
sudo umount /mnt/$ARCHIVE

# remove volume
sudo dmsetup remove $ARCHIVE

# delete loopback device
sudo losetup -d $LOOPBACK_DEV

# remove the archive
# rm $CLOUD_DIR$ARCHIVE
  • Just a quick followup thought... neither Truecrypt nor tc-play support the notion of resizing encrypted containers, so it is not fair to directly compare these against Tomb. My hat is off to the Tomb developers for having this feature available. It is so much easier to resize a container than to have to destroy and recreate it (especially when these containers are being used for cloud backups).
    – r3cgm
    Commented Jan 14, 2014 at 7:01
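The create half of the sequence above, rewritten as an added example (not the answer's own script) with two checks the original lacks: the archive name is validated before it is used to build /dev/mapper and /mnt paths, and the loop device is read back from `losetup -j` for this container instead of trusting the earlier `losetup -f` result, which another process can claim in between. It assumes, like the answer, that the commands are whitelisted in sudoers, and that the passphrase is exported in an environment variable PASSPHRASE (my name, not tc-play's).

```shell
#!/bin/sh
# Added example, not the answer's script. Assumed: sudoers whitelisting as in the
# answer, and the passphrase exported as PASSPHRASE (a name chosen here, not tc-play's).
set -eu

# Mapper and mount paths are built from the name, so refuse anything that could leave
# /dev/mapper or /mnt: empty, ".", "..", or any character outside [A-Za-z0-9._-].
valid_archive_name() {
  case $1 in
    ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Parse `losetup -j CONTAINER` output (util-linux format, e.g.
# "/dev/loop3: [2049]:1234 (/mnt/cloud/r3cgm/foo.tc)") and print the one loop device
# backing exactly that path; print nothing when there is none or more than one.
loop_for_container() {
  printf '%s\n' "$2" | awk -v want="($1)" \
    'index($0, want) { sub(/:.*/, ""); dev = $0; n++ } END { if (n == 1) print dev }'
}

# create_volume NAME SIZE_MB DIR: sparse container -> loop -> tcplay -> mapper -> ext4 -> mount
create_volume() {
  name=$1; size_m=$2; container="$3/$1"
  valid_archive_name "$name" || { echo "bad archive name: $name" >&2; return 1; }
  dd if=/dev/zero of="$container" bs=1 count=0 seek="${size_m}M"
  sudo losetup "$(sudo losetup -f)" "$container"
  loopdev=$(loop_for_container "$container" "$(sudo losetup -j "$container")")
  [ -n "$loopdev" ] || { echo "no unique loop device for $container" >&2; return 1; }
  # The passphrase is read from expect's environment, so it never appears in argv.
  expect -c "spawn sudo tcplay -c -d $loopdev -a whirlpool -b AES-256-XTS
    set timeout 30
    expect Passphrase; send -- \$env(PASSPHRASE)\r
    expect Repeat;     send -- \$env(PASSPHRASE)\r
    expect proceed;    send y\r
    expect eof"
  expect -c "spawn sudo tcplay -m $name -d $loopdev
    set timeout 30
    expect Passphrase; send -- \$env(PASSPHRASE)\r
    expect eof"
  # Format only the node tcplay just created under this name, never a guessed device.
  [ -b "/dev/mapper/$name" ] || { echo "/dev/mapper/$name missing" >&2; return 1; }
  sudo mkfs.ext4 "/dev/mapper/$name"
  sudo mkdir -p "/mnt/$name"
  sudo mount "/dev/mapper/$name" "/mnt/$name"
}
```

Call it as `PASSPHRASE=... create_volume foo.tc 20 /mnt/cloud/r3cgm`; the undo steps from the answer (umount, dmsetup remove, losetup -d) apply unchanged.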
