Re: cryptsetup: encrypted filesystem on your N900
 

When I formated my microSDHC as ext3 I started to get those annoying messages, too. i only got rid of them when I've changed the "mmc-mount" and "osso-mmc-mount.sh" scripts.

It seems that "osso-mmc-mount.sh" verifies for each file system if it is in a supported list (which only have a few allowed IDs). When I included id "83" there, and changed mmc-mount it stopped complaining. The n900 also started to mount the microSDHC automatically.

It might be the same script in your case. It might be going through all available partitions and feeding them to this script or similar...

Re: cryptsetup: encrypted filesystem on your N900
 

Has any futher progress been made with this?

I'm in need of encrypting my eMMC (pictures, videos, texts etc); I only have a small SD card atm which I'm using to dualboot so I can't really use that.

Re: cryptsetup: encrypted filesystem on your N900
 

How to make Jebba's kernel modules stay active?

I followed the instructions given in

http://wiki.maemo.org/User:Jebba/Ker..._custom_kernel

to the line
Enjoy :)

after having done that, I put in the n900 my SD-card (partitioned in vfat and Luks-ext3 part), vfat mounted automatically and then I used the cryptsetup luksOpen command, gave password and mounted ext3. All worked nicely.
Then I rebooted the device and although the cryptsetup command was there, the needed modules were no longer available.
So I used again the 2 x dpkg commands given by Jebba and rebooted.All worked again as it should. Reboot again made the needed modules disappear again.

BTW: I also changed /etc/fstab and the reboot put the original /etc/fstab in its place again.

What happened, why do the modules disppear and why is /etc/fstab restored?

Re: cryptsetup: encrypted filesystem on your N900
 

Dual boot your N900?? How and with what?

Re: cryptsetup: encrypted filesystem on your N900
 

By chance I found a mention in Internet that booting with the keyboard uncovered or covered makes a difference. So I tried booting with the keyboard open and was pleased to see that now the cryptsetup modules are available.
Conclusion: keeping the keyboard closed will also keep the extra modules inaccessible.

However, /etc/fstab remains the original one, not the one with my changes, so that one is not influenced by having the keyboard open or closed.

Re: cryptsetup: encrypted filesystem on your N900
 

Hello,
I have managed to somehow set up encrypted /home/user using truecrypt, using the internal flash partition /dev/mmcblk0p1, which is normally mounted as /home/user/MyDocs.

First step is to back up /home/user/MyDocs contents, as they will be overwritten!

Second step was to unmount the partition, and encrypting it using truecrypt, with ext3 filesystem. After that, mount it some place as /mnt, set the correct ownership and permisions (owner user.users), and copy the contents of /home/user (including the hidden folders) to the new truecrypt encrypted partition.

Now, a tricky part comes in. Somehow, the N900 will not be able to browse the /home/user/MyDocs folder, unless it is mounted directly. The only workaround i could find, is to create an image under the new /home/user folder (which will be encrypted) , and mount it separate under /home/user/MyDocs , as a loop device. It does not matter which type of filesystem you use , as the N900 can accept both fat32 and ext3 fs under MyDocs folder.

The interesting part is that you get somehow plausible deniability, as when you first start the phone, it will not show the contacts, pictures, user accounts, documents, until you use the following script to mount the encrypted partition:
(after encryption, at start-up you will get a message stating "unsupported filesystem" and the /dev/mmcblk0p1 will not be mounted)

#!/bin/bash
truecrypt --filesystem=none /dev/mmcblk0p1
mount /dev/loop0 /home/user
#if i don't mount it like this, it takes too long to mount
losetup /dev/loop5 /home/user/docs.img
mount /dev/loop5 /home/user/MyDocs
#workaround to be able to "see" the MyDocs folder using the #filemanager.
truecrypt -l
sleep 2
killall signond
#restart the daemon that manages IM user accounts (and maybe #e-mail accounts?)
sleep 2
killall mission-control rtcom-messaging-ui rtcom-call-ui rtcom-accounts-ui
#restart the messaging services, to re-read messaging accounts
sleep 2
killall hildon-desktop hildon-home hildon-status-menu
#restart the better part of hildon, to re-read desktop, calendar, #shortcuts, etc from the new /home/user encrypted partition.

Script has to run as root.

This actually works, by replacing /home/user folder with an encrypted one, and the /home/user/MyDocs with a loop image (you can choose the size). There is no significant performance decrease, and does not affect the battery. Also, you do not need to modify the kernel.
Works perfect on the N900 with last version of firmware and kernel,
and last version of tryuecrypt ported on N900 Maemo 5.

Now, there is also a method of encrypting the swap partition, using truecrypt with one-time key files. Here is the script:
(has to be ran after mounting the encrypted /home/user partition)

#!/bin/bash
swapoff -a
#disable swap
cd /home/user
dd if=/dev/urandom of=key1.txt bs=1024K count=1
dd if=/dev/urandom of=key2.txt bs=1024K count=1
dd if=/dev/urandom of=key3.txt bs=1024K count=1
dd if=/dev/urandom of=key4.txt bs=1024K count=1
dd if=/dev/urandom of=key5.txt bs=1024K count=1
#create 5 one time use key-files under the encrypted /home/user
truecrypt -t -c --random-source=/dev/urandom --quick --encryption=AES --hash=SHA-512 --volume-type=normal --filesystem=none -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt -p="" /dev/mmcblk0p3
truecrypt -t -p="" -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt --protect-hidden=no --filesystem=none /dev/mmcblk0p3
rm -f key*.txt
#create a truecrypt partition on the /dev/mmcblk0p3 and remove #the temporary key files
mkswap /dev/loop1
swapon /dev/loop1
#format and activate the swap

However, this has not been tested.

Once again, this method works by replacing the entire /home/user folder, along with all its contents, including calendar entries, email and IM accounts, emails and conversations. If you decide to try it, make sure you back up the important stuff first.

I could not find a reliable way to encrypt the swap, the /tmp and the /var/tmp folders, yet. Maybe someone else will.

Cheers,
J

Re: cryptsetup: encrypted filesystem on your N900
 

Did anyone try this? would be great if you could share your experiences in this thread.

A LUKS how-to guide for the SD card
 

After puzzling through the various options for securing the N900, I decided to go with cryptsetup/dmcrypt/LUKS for the SD card 'mmc1' and to skip trying to encrypt /home and /MyDocs for the time being (1, it's a PITA and 2, simply locking your phone will deter thieves from getting at your data on the internal RAM (yes, the bug that exposed it to the USB port when powered down has been fixed in PR 1.2)

But the SD card, anyone can pull it out of the phone. So why not use Linux-native LUKS filesystem encryption to secure it?

I've seen bits and pieces of how to use cryptsetup to secure your SD card on this and other forums but never a full 'cut and paste' guide n00bs like me could use. So here goes.

(It's worth mentioning first that I'm using the Kernel Power kernel replacement http://wiki.maemo.org/Kernel_Power
This may or may not be necessary.
For root shell access, I've got sudser and rootsh and bash3 from the applications manager. For more see here http://wiki.maemo.org/Root_access)
Substitute your fave editor for nano, which I think I also installed seperately, in the steps below.

1. Install cryptsetup
2. Backup your SD-card contents
- I put the SD card in my Linux desktop's media reader and simply copied the directory to a safe place

3(a). Format your SD-card for LUKs - OPTION1 use Linux desktop
- I actually just used Ubuntu's Nautilus file manager to view the computer's drives, then right-clicked on the SD card, picked Format, and chose 'Encrypted, Compatible with Linux (FAT)' It then asks you to enter your passphrase.

After putting the card back in the N900 I did the following just to make sure the filesystem is ext3 (why not use a journalled file system)

3(b). Format your SD-card for LUKs - OPTION 2 use N900 console
- You could instead use the N900's console with the SD card in the phone (see here)

4. Make a script to help automate the process
- I didn't find anything conclusive to automount the SD card on startup in these forums, but was able to modify a script I found here to make it pretty painless.

Paste the following in

CTRL-O and CTRL-X to save and exit nano

finally,

5. (Optional) Edit the system mount script to remove annoying 'filesystem not supported' error message that happens when SD card crypt is first opened in script above. You can just ignore it though if you want.

Look for the line that reads
b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
and change it to
b | c | e | 4 | 6 | 14 | 16 | 83 | 1b | 1c | 1e)
and press CTRL-O, CTRL-X to save and exit.

6. To open the SD card, you can now type (from the shell)
To close the SD card, type
Huzzah! Hope that helps someone out.

Re: cryptsetup: encrypted filesystem on your N900
 

Quick question.. does this mount the encrypted partition on a pc when you plug in in usb mode? (with the partition decrypted and mounted, of course)

Re: cryptsetup: encrypted filesystem on your N900
 

If you mean encrypting the SD card as above, then any recent Linux installation on your desktop should ask you for the password before mounting the SD card. That's what happens in Ubuntu 11.04 at least.