![]() |
cryptsetup: encrypted filesystem on your N900
I have built a kernel package and the userspace tool for using encrypted filesystems on the N900.
See: http://wiki.maemo.org/User:Jebba/Cryptsetup Have fun. |
Re: cryptsetup: encrypted filesystem on your N900
Nice. How is the file system performance when using this (relative to no encryption)?
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
but really I think he intends it to be used to store the naked pictures your girlfriend MMS's you or the photos you've been saving of that girl you've been stalking on facebook. you know, stuff you don't use all the time. |
Re: cryptsetup: encrypted filesystem on your N900
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE why not /dev/random instead? Isn't that more secure? |
Re: cryptsetup: encrypted filesystem on your N900
Thanks. The n900 really could use some encryption software. I hope eventually there will be some easy-to-use application for the end user to at least create password-protected vaults.
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Encrypted root filesystem (e.g. the *entire* system is encrypted), would be cool, but likely quite difficult with Maemo. |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
random is generally used for cert generation and one off stuff like that |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
On the N900, producing even 1 kilobyte of random data with /dev/random takes ages (it just sits there waiting for environment "noise") /dev/urandom takes less a second to fill 1 MB of random data Unless you are exchanging above top secret government documents, /dev/urandom is good enough. |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Anyhow, I've been testing Jebba's packages and kernel, and they work really well for cryptsetup encryption. Basically, I use it to encrypt the whole SD card, therefore protecting everything that's on it. That's where your data is to be stored, that's the best protection you can have and it's OTF, you just mount it and then use it as normal. You can do the same for the free space on the internal drive. BTW, anyone tried mounting encrypted partitions via fstab/crypttab on boottime on the N900 with this? I'm thinking of trying, but had to reflash a couple of times this past day, due to setting this up, and am not sure I wanna reflash again, in case it coughs up some prob when booting. Though it shouldn't and should probably boot... Any thoughts on this? Or rather anyone tried yet? |
Re: cryptsetup: encrypted filesystem on your N900
Hi,
cryptsetup seems to work fine, but with your kernel cameras are not working. (mplayer show only green screen, build-in camera tool report "failed to start") n. |
Re: cryptsetup: encrypted filesystem on your N900
please have a look at this brainstorm http://talk.maemo.org/showthread.php?t=34563
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Overwriting the file with urandom is unnecessary and not really helpful. The underlying device uses wear leveling, so your data remains on the physical device. What yoou gain is that the data is not accessible by simply reading blocks of the mmc. But you gain this, no matter what you write, even all zeros. It is actually best to write all ones, as that requires no write to flash (only erase), so causes the least wear for the device. If the mmc controller is smart, it might even improve the chance that it will erase the actual nand sectors that contain the data you want to wipe.
In short - write /dev/zero or all ones, but don't use /dev/urandom, it is a waste of good entropy. |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Or have I completely misunderstood what one does when mounting and supplying the passphrase/key? |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Second, by analyzing the exact size it is possible to help to infer what kind of information is there. Third, it is a lot easier to perform cryptanalysis when the exact size is known. |
Re: cryptsetup: encrypted filesystem on your N900
@jebba
Did you try to store N900 personal data in the encrypted file? In other words, did you try to encrypt the partition that N900 stores personal information? My idea is simple. I want my personal info (contacts, alarms, emails, pins, etc) to be unavailable if my device is stolen or lost. Since there is nothing big deal (I just don't want my pictures, PINs and contacts being posted to the Internet or to credit card scammers), i could use a really fast but not so state of the art encryption... |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
I understand the need in that situation, but it's not related to actually finding out what's stored on the device. Quote:
I'd say that it's very hard to find "the exact size" without actually reading the file system which requires decryption. Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
On my SD card, I have a tiny vfat partition for when I need to reflash (because of other reasons than encryption). The rest of the 16Gb I have in a separate encrypted partition... I'm using it all the time, no probs whatsoever. All the pics etc. taken with the phone go there etc. and of course all data... In my opinion this is a must, if you lose your phone or it gets stolen, it's painful, but at least your data is gonna be safe and unuseable. |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
1) So you've only encrypted the SD card. The eMMC disk is still unencrypted? 2) When and how do you enter the password for the encrypted partition? |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Example: Attacker looking for photos taken by N900. Situation A Attacker finds a folder with a few encrypted files, each ranging from 800KB to 1.2MB Situation B Attacker finds only a file with a 1GB encrypted content. Further studies of this file shows that the data written there looks a lot like ramdom garbage. Isn't it clear what situation is safer? See above.[/QUOTE] |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
I'm only talking about encrypted file systems and not files encrypted one by one. Situation A has, as far as I know, never been mentioned by me (apart form a suggestion for encryption of separate files before venturing into FS land). |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
The DCIM folder etc. I also store on the encrypted SD and just created eMMC symlinks to it. Quote:
If you'd want to encrypt the eMMC and preserve home on it etc. you'd have to mess with creating an initrd that would ask for password on boot etc. There's all kinds of potential problems where your device (well, at least mine) would hang and you'd have to reflash before you'd get it right, that I decided - to hell with it, not worth the trouble, but I think it could be done. Jebba's kernel had a framebuffer enabled, so you'd be able to see prompts for the pass and enter it. Now however I'm using Titan's overclocking kernel, and would have to mess with recompiling and the initrd... No go for me. If you do it, let us know here... |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Quote:
When I have some spare time I take another look. Thanks anyway. |
Re: cryptsetup: encrypted filesystem on your N900
I'm currently running my n900 with encrypted swap, /home /home/user/MyDocs.
This is possible thanks to jebbas kernel, which allows for pw input on the framegrabber console. Unfortunately the hildon gui still randomly display some "unsupported filesystem" messages which I cannot track to any root cause and even wierder when using the camera the device tends to reboot - despite the filesystem on the encrypted /home/user/MyDocs being vfat. Now a couple of questions: - Any hints regarding the "unsupported filesystem" and reboot issues? - Any experience on running jebbas kernel on PR1.2? - Any cleanly integrated (GUI) dm-crypt layer in sight? |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
How did you set it up, just encrypt /home and that's it? What's your /etc/fstab Did you have to mess with anything else, I assume since root isn't encrypted you didn't have to mess with initrd... |
Re: cryptsetup: encrypted filesystem on your N900
Maemo uses upstart for system init which is highly parallelized. So the trick was to make some scripts in the boot process depend on my cryptsetup script /etc/event.d/crypsetup:
Code:
start on started sgx Code:
start on CRYPT_OK Code:
sfdisk -l Code:
cat /etc/crypttab Code:
cat /etc/fstab It works _somehow_. Still random reboots and this "unsupported storage format" message popping up make it annoying to use. Does anybody have a clue in what scripts maemo checks for "supported storage formats"? Thanks Wirr |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
It seems that "osso-mmc-mount.sh" verifies for each file system if it is in a supported list (which only have a few allowed IDs). When I included id "83" there, and changed mmc-mount it stopped complaining. The n900 also started to mount the microSDHC automatically. It might be the same script in your case. It might be going through all available partitions and feeding them to this script or similar... |
Re: cryptsetup: encrypted filesystem on your N900
Has any futher progress been made with this?
I'm in need of encrypting my eMMC (pictures, videos, texts etc); I only have a small SD card atm which I'm using to dualboot so I can't really use that. |
Re: cryptsetup: encrypted filesystem on your N900
How to make Jebba's kernel modules stay active?
I followed the instructions given in http://wiki.maemo.org/User:Jebba/Ker..._custom_kernel to the line Enjoy :) after having done that, I put in the n900 my SD-card (partitioned in vfat and Luks-ext3 part), vfat mounted automatically and then I used the cryptsetup luksOpen command, gave password and mounted ext3. All worked nicely. Then I rebooted the device and although the cryptsetup command was there, the needed modules were no longer available. So I used again the 2 x dpkg commands given by Jebba and rebooted.All worked again as it should. Reboot again made the needed modules disappear again. BTW: I also changed /etc/fstab and the reboot put the original /etc/fstab in its place again. What happened, why do the modules disppear and why is /etc/fstab restored? |
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
Conclusion: keeping the keyboard closed will also keep the extra modules inaccessible. However, /etc/fstab remains the original one, not the one with my changes, so that one is not influenced by having the keyboard open or closed. |
Re: cryptsetup: encrypted filesystem on your N900
Hello,
I have managed to somehow set up encrypted /home/user using truecrypt, using the internal flash partition /dev/mmcblk0p1, which is normally mounted as /home/user/MyDocs. First step is to back up /home/user/MyDocs contents, as they will be overwritten! Second step was to unmount the partition, and encrypting it using truecrypt, with ext3 filesystem. After that, mount it some place as /mnt, set the correct ownership and permisions (owner user.users), and copy the contents of /home/user (including the hidden folders) to the new truecrypt encrypted partition. Now, a tricky part comes in. Somehow, the N900 will not be able to browse the /home/user/MyDocs folder, unless it is mounted directly. The only workaround i could find, is to create an image under the new /home/user folder (which will be encrypted) , and mount it separate under /home/user/MyDocs , as a loop device. It does not matter which type of filesystem you use , as the N900 can accept both fat32 and ext3 fs under MyDocs folder. The interesting part is that you get somehow plausible deniability, as when you first start the phone, it will not show the contacts, pictures, user accounts, documents, until you use the following script to mount the encrypted partition: (after encryption, at start-up you will get a message stating "unsupported filesystem" and the /dev/mmcblk0p1 will not be mounted) #!/bin/bash truecrypt --filesystem=none /dev/mmcblk0p1 mount /dev/loop0 /home/user #if i don't mount it like this, it takes too long to mount losetup /dev/loop5 /home/user/docs.img mount /dev/loop5 /home/user/MyDocs #workaround to be able to "see" the MyDocs folder using the #filemanager. truecrypt -l sleep 2 killall signond #restart the daemon that manages IM user accounts (and maybe #e-mail accounts?) sleep 2 killall mission-control rtcom-messaging-ui rtcom-call-ui rtcom-accounts-ui #restart the messaging services, to re-read messaging accounts sleep 2 killall hildon-desktop hildon-home hildon-status-menu #restart the better part of hildon, to re-read desktop, calendar, #shortcuts, etc from the new /home/user encrypted partition. Script has to run as root. This actually works, by replacing /home/user folder with an encrypted one, and the /home/user/MyDocs with a loop image (you can choose the size). There is no significant performance decrease, and does not affect the battery. Also, you do not need to modify the kernel. Works perfect on the N900 with last version of firmware and kernel, and last version of tryuecrypt ported on N900 Maemo 5. Now, there is also a method of encrypting the swap partition, using truecrypt with one-time key files. Here is the script: (has to be ran after mounting the encrypted /home/user partition) #!/bin/bash swapoff -a #disable swap cd /home/user dd if=/dev/urandom of=key1.txt bs=1024K count=1 dd if=/dev/urandom of=key2.txt bs=1024K count=1 dd if=/dev/urandom of=key3.txt bs=1024K count=1 dd if=/dev/urandom of=key4.txt bs=1024K count=1 dd if=/dev/urandom of=key5.txt bs=1024K count=1 #create 5 one time use key-files under the encrypted /home/user truecrypt -t -c --random-source=/dev/urandom --quick --encryption=AES --hash=SHA-512 --volume-type=normal --filesystem=none -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt -p="" /dev/mmcblk0p3 truecrypt -t -p="" -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt --protect-hidden=no --filesystem=none /dev/mmcblk0p3 rm -f key*.txt #create a truecrypt partition on the /dev/mmcblk0p3 and remove #the temporary key files mkswap /dev/loop1 swapon /dev/loop1 #format and activate the swap However, this has not been tested. Once again, this method works by replacing the entire /home/user folder, along with all its contents, including calendar entries, email and IM accounts, emails and conversations. If you decide to try it, make sure you back up the important stuff first. I could not find a reliable way to encrypt the swap, the /tmp and the /var/tmp folders, yet. Maybe someone else will. Cheers, J |
Re: cryptsetup: encrypted filesystem on your N900
Did anyone try this? would be great if you could share your experiences in this thread.
|
A LUKS how-to guide for the SD card
After puzzling through the various options for securing the N900, I decided to go with cryptsetup/dmcrypt/LUKS for the SD card 'mmc1' and to skip trying to encrypt /home and /MyDocs for the time being (1, it's a PITA and 2, simply locking your phone will deter thieves from getting at your data on the internal RAM (yes, the bug that exposed it to the USB port when powered down has been fixed in PR 1.2)
But the SD card, anyone can pull it out of the phone. So why not use Linux-native LUKS filesystem encryption to secure it? I've seen bits and pieces of how to use cryptsetup to secure your SD card on this and other forums but never a full 'cut and paste' guide n00bs like me could use. So here goes. (It's worth mentioning first that I'm using the Kernel Power kernel replacement http://wiki.maemo.org/Kernel_Power This may or may not be necessary. For root shell access, I've got sudser and rootsh and bash3 from the applications manager. For more see here http://wiki.maemo.org/Root_access) Substitute your fave editor for nano, which I think I also installed seperately, in the steps below. 1. Install cryptsetup Code:
sudo apt-get install cryptsetup - I put the SD card in my Linux desktop's media reader and simply copied the directory to a safe place 3(a). Format your SD-card for LUKs - OPTION1 use Linux desktop - I actually just used Ubuntu's Nautilus file manager to view the computer's drives, then right-clicked on the SD card, picked Format, and chose 'Encrypted, Compatible with Linux (FAT)' It then asks you to enter your passphrase. After putting the card back in the N900 I did the following just to make sure the filesystem is ext3 (why not use a journalled file system) Code:
# unmount the SD card - You could instead use the N900's console with the SD card in the phone (see here) Code:
# unmount the SD card - I didn't find anything conclusive to automount the SD card on startup in these forums, but was able to modify a script I found here to make it pretty painless. Code:
# drop a script in /home - couldn't get executable permission for scripts in /home/MyDocs Code:
#!/bin/sh finally, Code:
sudo chmod +x crypt.sh Code:
cd /usr/sbin b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e) and change it to b | c | e | 4 | 6 | 14 | 16 | 83 | 1b | 1c | 1e) and press CTRL-O, CTRL-X to save and exit. 6. To open the SD card, you can now type (from the shell) Code:
sudo ~/scripts/crypt.sh start Code:
sudo ~/scripts/crypt.sh stop |
Re: cryptsetup: encrypted filesystem on your N900
Quick question.. does this mount the encrypted partition on a pc when you plug in in usb mode? (with the partition decrypted and mounted, of course)
|
Re: cryptsetup: encrypted filesystem on your N900
Quote:
|
All times are GMT. The time now is 02:13. |
vBulletin® Version 3.8.8