maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Applications (https://talk.maemo.org/forumdisplay.php?f=41)
-   -   cryptsetup: encrypted filesystem on your N900 (https://talk.maemo.org/showthread.php?t=40154)

jebba 2010-01-12 03:56

cryptsetup: encrypted filesystem on your N900
 
I have built a kernel package and the userspace tool for using encrypted filesystems on the N900.

See:
http://wiki.maemo.org/User:Jebba/Cryptsetup

Have fun.

pinsh 2010-01-12 04:19

Re: cryptsetup: encrypted filesystem on your N900
 
Nice. How is the file system performance when using this (relative to no encryption)?

t7g 2010-01-12 04:37

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by pinsh (Post 465641)
Nice. How is the file system performance when using this (relative to no encryption)?

That script he has on the linked page just sets up a loopback device and then encrypts that. I don't think it's really intended to be used to encrypt your entire filesystem. (First question that springs to mind is, why? protect the open source n900 firmware?)

but really I think he intends it to be used to store the naked pictures your girlfriend MMS's you or the photos you've been saving of that girl you've been stalking on facebook.

you know, stuff you don't use all the time.

davost 2010-01-12 07:40

Re: cryptsetup: encrypted filesystem on your N900
 
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?

dreixel 2010-01-12 07:42

Re: cryptsetup: encrypted filesystem on your N900
 
Thanks. The n900 really could use some encryption software. I hope eventually there will be some easy-to-use application for the end user to at least create password-protected vaults.

jebba 2010-01-12 13:32

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by davost (Post 465748)
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?

I don't think so, it also requires more entropy. If you come up with a good doc explaining why it's better, let me know. Many docs I see use /dev/zero, so this is definitely an improvement over that.

jebba 2010-01-12 13:34

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by pinsh (Post 465641)
Nice. How is the file system performance when using this (relative to no encryption)?

I just got it set up, I haven't had a chance to benchmark it. It would be interesting to see how AES performs versus twofish as well.

Encrypted root filesystem (e.g. the *entire* system is encrypted), would be cool, but likely quite difficult with Maemo.

deadmalc 2010-01-12 13:37

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by davost (Post 465748)
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?

urandom is non blocking, so using random maybe "more secure" but you are likely to suffer file system freezes using random - not something you would want.

random is generally used for cert generation and one off stuff like that

Relativistic 2010-01-12 13:42

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by davost (Post 465748)
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?

/dev/random blocks until more entropy can be gathered

On the N900, producing even 1 kilobyte of random data with /dev/random takes ages (it just sits there waiting for environment "noise")

/dev/urandom takes less a second to fill 1 MB of random data

Unless you are exchanging above top secret government documents, /dev/urandom is good enough.

白い熊 2010-01-12 20:58

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by t7g (Post 465653)
That script he has on the linked page just sets up a loopback device and then encrypts that. I don't think it's really intended to be used to encrypt your entire filesystem.

Maybe not the whole filesystem, though root could feasibly be encrypted...

Anyhow, I've been testing Jebba's packages and kernel, and they work really well for cryptsetup encryption.

Basically, I use it to encrypt the whole SD card, therefore protecting everything that's on it. That's where your data is to be stored, that's the best protection you can have and it's OTF, you just mount it and then use it as normal. You can do the same for the free space on the internal drive.

BTW, anyone tried mounting encrypted partitions via fstab/crypttab on boottime on the N900 with this?

I'm thinking of trying, but had to reflash a couple of times this past day, due to setting this up, and am not sure I wanna reflash again, in case it coughs up some prob when booting. Though it shouldn't and should probably boot... Any thoughts on this? Or rather anyone tried yet?

niekt0 2010-01-13 12:28

Re: cryptsetup: encrypted filesystem on your N900
 
Hi,

cryptsetup seems to work fine,
but with your kernel cameras are not working.

(mplayer show only green screen, build-in camera tool
report "failed to start")

n.

chemist 2010-01-13 12:33

Re: cryptsetup: encrypted filesystem on your N900
 
please have a look at this brainstorm http://talk.maemo.org/showthread.php?t=34563

jebba 2010-01-13 12:44

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by niekt0 (Post 468217)
cryptsetup seems to work fine,
but with your kernel cameras are not working.

(mplayer show only green screen, build-in camera tool
report "failed to start")

You have something else going on unrelated then. I have been using the camera a lot in the past week (and in the past day) and it's going fine.

Matan 2010-01-13 12:57

Re: cryptsetup: encrypted filesystem on your N900
 
Overwriting the file with urandom is unnecessary and not really helpful. The underlying device uses wear leveling, so your data remains on the physical device. What yoou gain is that the data is not accessible by simply reading blocks of the mmc. But you gain this, no matter what you write, even all zeros. It is actually best to write all ones, as that requires no write to flash (only erase), so causes the least wear for the device. If the mmc controller is smart, it might even improve the chance that it will erase the actual nand sectors that contain the data you want to wipe.

In short - write /dev/zero or all ones, but don't use /dev/urandom, it is a waste of good entropy.

jebba 2010-01-13 13:02

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by Matan (Post 468246)
Overwriting the file with urandom is unnecessary and not really helpful.

Nothing is being overwritten. We're not trying to erase anything here, this is before data has been written. The idea is to make it so it can't be seen how much data has been written to the filesystem. In other words, if you have a 100 meg filesystem with 99 megs of zeros, it's known there is 1 meg of data that needs to get cracked. If it's all filled with random/encrypted data, then the attacker doesn't know how much real data is there.

Joorin 2010-05-17 13:50

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by jebba (Post 468250)
Nothing is being overwritten. We're not trying to erase anything here, this is before data has been written. The idea is to make it so it can't be seen how much data has been written to the filesystem. In other words, if you have a 100 meg filesystem with 99 megs of zeros, it's known there is 1 meg of data that needs to get cracked. If it's all filled with random/encrypted data, then the attacker doesn't know how much real data is there.

Could you please supply an argument for why an attacker would care about the size of data stored on the encrypted device? No matter the amount of data, it's still encrypted and if you picked good enough a passphrase and enough bits in the key, it will still take as much time to crack, no matter what the attacker knows.

Or have I completely misunderstood what one does when mounting and supplying the passphrase/key?

soeiro 2010-05-17 14:55

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by Joorin (Post 662431)
Could you please supply an argument for why an attacker would care about the size of data stored on the encrypted device? No matter the amount of data, it's still encrypted and if you picked good enough a passphrase and enough bits in the key, it will still take as much time to crack, no matter what the attacker knows.

First, there are situations where just knowing that something is there is equally as good (or as bad) as knowing what is there.

Second, by analyzing the exact size it is possible to help to infer what kind of information is there.

Third, it is a lot easier to perform cryptanalysis when the exact size is known.

soeiro 2010-05-17 15:01

Re: cryptsetup: encrypted filesystem on your N900
 
@jebba

Did you try to store N900 personal data in the encrypted file? In other words, did you try to encrypt the partition that N900 stores personal information?

My idea is simple. I want my personal info (contacts, alarms, emails, pins, etc) to be unavailable if my device is stolen or lost.

Since there is nothing big deal (I just don't want my pictures, PINs and contacts being posted to the Internet or to credit card scammers), i could use a really fast but not so state of the art encryption...

Joorin 2010-05-17 15:10

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by soeiro (Post 662547)
First, there are situations where just knowing that something is there is equally as good (or as bad) as knowing what is there.

So, you're thinking about "plausible deniability"? If you get pulled over in customs and have your phone device searched, you want to be able to deny that there's anything on it without them being able to find out?

I understand the need in that situation, but it's not related to actually finding out what's stored on the device.

Quote:

Second, by analyzing the exact size it is possible to help to infer what kind of information is there.
Eh? File systems typically work in blocks. Within blocks you get fragmentation, half a block per file on average. So, by looking at the amount of blocks that are used (if that's something that you can infer) would give you an accuracy of half a block.

I'd say that it's very hard to find "the exact size" without actually reading the file system which requires decryption.

Quote:

Third, it is a lot easier to perform cryptanalysis when the exact size is known.
See above.

jebba 2010-05-18 02:55

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by soeiro (Post 662555)
@jebba

Did you try to store N900 personal data in the encrypted file? In other words, did you try to encrypt the partition that N900 stores personal information?

My idea is simple. I want my personal info (contacts, alarms, emails, pins, etc) to be unavailable if my device is stolen or lost.

Since there is nothing big deal (I just don't want my pictures, PINs and contacts being posted to the Internet or to credit card scammers), i could use a really fast but not so state of the art encryption...

I haven't really used this on my N900 except a month ago or so and just that "it works". I do use something similar on my laptop for years for the reasons you describe above.

白い熊 2010-05-18 11:45

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by jebba (Post 663388)
I haven't really used this on my N900 except a month ago or so and just that "it works". I do use something similar on my laptop for years for the reasons you describe above.

I've been using an encrypted partition ever since Jebba published his cryptsetup and modified kernel.
On my SD card, I have a tiny vfat partition for when I need to reflash (because of other reasons than encryption). The rest of the 16Gb I have in a separate encrypted partition... I'm using it all the time, no probs whatsoever.

All the pics etc. taken with the phone go there etc. and of course all data...

In my opinion this is a must, if you lose your phone or it gets stolen, it's painful, but at least your data is gonna be safe and unuseable.

soeiro 2010-05-26 21:31

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by 白い熊 (Post 663970)
I've been using an encrypted partition ever since Jebba published his cryptsetup and modified kernel.
On my SD card, I have a tiny vfat partition for when I need to reflash (because of other reasons than encryption). The rest of the 16Gb I have in a separate encrypted partition... I'm using it all the time, no probs whatsoever.

All the pics etc. taken with the phone go there etc. and of course all data...

In my opinion this is a must, if you lose your phone or it gets stolen, it's painful, but at least your data is gonna be safe and unuseable.

@白い熊

1) So you've only encrypted the SD card. The eMMC disk is still unencrypted?

2) When and how do you enter the password for the encrypted partition?

soeiro 2010-05-26 21:40

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by Joorin (Post 662572)
So, you're thinking about "plausible deniability"? (...)

I understand the need in that situation, but it's not related to actually finding out what's stored on the device.

If you don't know whether it is there or not, it would be harder to try to find out what's stored.

Example:
Attacker looking for photos taken by N900.

Situation A
Attacker finds a folder with a few encrypted files, each ranging from 800KB to 1.2MB

Situation B
Attacker finds only a file with a 1GB encrypted content. Further studies of this file shows that the data written there looks a lot like ramdom garbage.

Isn't it clear what situation is safer?





See above.[/QUOTE]

Joorin 2010-05-26 21:45

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by soeiro (Post 680861)
If you don't know whether it is there or not, it would be harder to try to find out what's stored.

Example:
Attacker looking for photos taken by N900.

Situation A
Attacker finds a folder with a few encrypted files, each ranging from 800KB to 1.2MB

Situation B
Attacker finds only a file with a 1GB encrypted content. Further studies of this file shows that the data written there looks a lot like ramdom garbage.

Isn't it clear what situation is safer?





See above.

[/QUOTE]

I'm only talking about encrypted file systems and not files encrypted one by one. Situation A has, as far as I know, never been mentioned by me (apart form a suggestion for encryption of separate files before venturing into FS land).

soeiro 2010-05-26 21:50

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by Joorin (Post 680870)
I'm only talking about encrypted file systems and not files encrypted one by one. Situation A has, as far as I know, never been mentioned by me (apart form a suggestion for encryption of separate files before venturing into FS land).

Ok. I thought this discussion was following the method of generating on big file with /dev/ramdom and using it as a container for encrypted files, mounted as a loopback device. If the original file was created with all zeros, for example, an attacker could know (or guess) the parts of the filesystem where there was actual encrypted data on.

白い熊 2010-05-27 07:02

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by soeiro (Post 680836)
1) So you've only encrypted the SD card. The eMMC disk is still unencrypted?

Yep, I put all the data on the encrypted SD, and basically use the eMMC for useless storage. I was thinking about encrypting the eMMC for a while but didn't do it as per the answer to the point below...

The DCIM folder etc. I also store on the encrypted SD and just created eMMC symlinks to it.
Quote:

2) When and how do you enter the password for the encrypted partition?
After the device boots, the first thing I do is open the terminal and cryptmount... the SD.

If you'd want to encrypt the eMMC and preserve home on it etc. you'd have to mess with creating an initrd that would ask for password on boot etc. There's all kinds of potential problems where your device (well, at least mine) would hang and you'd have to reflash before you'd get it right, that I decided - to hell with it, not worth the trouble, but I think it could be done.

Jebba's kernel had a framebuffer enabled, so you'd be able to see prompts for the pass and enter it. Now however I'm using Titan's overclocking kernel, and would have to mess with recompiling and the initrd... No go for me.

If you do it, let us know here...

soeiro 2010-05-28 01:06

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by 白い熊 (Post 681821)
After the device boots, the first thing I do is open the terminal and cryptmount... the SD.

Ok.

Quote:

Originally Posted by 白い熊 (Post 681821)
Jebba's kernel had a framebuffer enabled, so you'd be able to see prompts for the pass and enter it. Now however I'm using Titan's overclocking kernel, and would have to mess with recompiling and the initrd... No go for me.
If you do it, let us know here...

Well, I want to use Titan's kernel, too. Both because of the possibility overclocking and because of other kernel modules...

When I have some spare time I take another look. Thanks anyway.

wirr 2010-06-02 19:40

Re: cryptsetup: encrypted filesystem on your N900
 
I'm currently running my n900 with encrypted swap, /home /home/user/MyDocs.
This is possible thanks to jebbas kernel, which allows for pw input on the framegrabber console.

Unfortunately the hildon gui still randomly display some "unsupported filesystem" messages which I cannot track to any root cause and even wierder when using the camera the device tends to reboot - despite the filesystem on the encrypted /home/user/MyDocs being vfat.

Now a couple of questions:
- Any hints regarding the "unsupported filesystem" and reboot issues?
- Any experience on running jebbas kernel on PR1.2?
- Any cleanly integrated (GUI) dm-crypt layer in sight?

白い熊 2010-06-04 02:47

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by wirr (Post 696431)
I'm currently running my n900 with encrypted swap, /home /home/user/MyDocs.
This is possible thanks to jebbas kernel, which allows for pw input on the framegrabber console.

So does it pause during boot and ask you for the pass?

How did you set it up, just encrypt /home and that's it?

What's your /etc/fstab

Did you have to mess with anything else, I assume since root isn't encrypted you didn't have to mess with initrd...

wirr 2010-06-05 07:15

Re: cryptsetup: encrypted filesystem on your N900
 
Maemo uses upstart for system init which is highly parallelized. So the trick was to make some scripts in the boot process depend on my cryptsetup script /etc/event.d/crypsetup:
Code:

start on started sgx
stop on starting shutdown

console output

script
        /etc/init.d/cryptdisks start
        initctl emit CRYPT_OK
end script

normal exit 0

And, of course in /etc/event.d/xomap add:
Code:

start on CRYPT_OK
I've adapted the partition table, crypttab and fstab:
Code:

sfdisk -l

Disk /dev/mmcblk0: 977024 cylinders, 4 heads, 16 sectors/track
Units = cylinders of 32768 bytes, blocks of 1024 bytes, counting from 0

  Device Boot Start    End  #cyls    #blocks  Id  System
/dev/mmcblk0p1          1  873600  873600  27955200    0  Empty
/dev/mmcblk0p2    873601  939136  65536    2097152    0  Empty
/dev/mmcblk0p3    939137  971904  32768    1048576    0  Empty
/dev/mmcblk0p4    971905  974976    3072      98304    0  Empty

Code:

cat /etc/crypttab
# <target name> <source device>        <key file>      <options>
docs            /dev/mmcblk0p1          none            luks
userdata        /dev/mmcblk0p2          none            luks
swap1          /dev/mmcblk0p3          /dev/urandom    swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
tmp1            /dev/mmcblk0p4          /dev/urandom    cipher=aes-cbc-essiv:sha256,size=256,hash=sha256

Code:

cat /etc/fstab
# autogenerated
rootfs / rootfs defaults,errors=remount-ro,noatime 0 0
/dev/mapper/swap1 none swap sw 0 0

/dev/mapper/userdata /home ext3 rw,noatime,errors=continue,commit=1,data=writeback 0 0

/dev/mapper/docs /home/user/MyDocs vfat noauto,nodev,noexec,nosuid,noatime,nodiratime,utf8,uid=29999,shortname=mixed,dmask=000,fmask=0133,rodir 0 0

/dev/mapper/tmp1 /tmp ext3 defaults,noatime 0 0


It works _somehow_.
Still random reboots and this "unsupported storage format" message popping up make it annoying to use.

Does anybody have a clue in what scripts maemo checks for "supported storage formats"?

Thanks
Wirr

soeiro 2010-06-09 14:31

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by wirr (Post 700701)
Does anybody have a clue in what scripts maemo checks for "supported storage formats"?

When I formated my microSDHC as ext3 I started to get those annoying messages, too. i only got rid of them when I've changed the "mmc-mount" and "osso-mmc-mount.sh" scripts.

It seems that "osso-mmc-mount.sh" verifies for each file system if it is in a supported list (which only have a few allowed IDs). When I included id "83" there, and changed mmc-mount it stopped complaining. The n900 also started to mount the microSDHC automatically.

It might be the same script in your case. It might be going through all available partitions and feeding them to this script or similar...

jd4200 2010-07-27 02:48

Re: cryptsetup: encrypted filesystem on your N900
 
Has any futher progress been made with this?

I'm in need of encrypting my eMMC (pictures, videos, texts etc); I only have a small SD card atm which I'm using to dualboot so I can't really use that.

Daniel-1944 2010-09-04 13:50

Re: cryptsetup: encrypted filesystem on your N900
 
How to make Jebba's kernel modules stay active?

I followed the instructions given in

http://wiki.maemo.org/User:Jebba/Ker..._custom_kernel

to the line
Enjoy :)

after having done that, I put in the n900 my SD-card (partitioned in vfat and Luks-ext3 part), vfat mounted automatically and then I used the cryptsetup luksOpen command, gave password and mounted ext3. All worked nicely.
Then I rebooted the device and although the cryptsetup command was there, the needed modules were no longer available.
So I used again the 2 x dpkg commands given by Jebba and rebooted.All worked again as it should. Reboot again made the needed modules disappear again.

BTW: I also changed /etc/fstab and the reboot put the original /etc/fstab in its place again.

What happened, why do the modules disppear and why is /etc/fstab restored?

Daniel-1944 2010-09-04 13:59

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by jd4200 (Post 765937)
Has any futher progress been made with this?

I'm in need of encrypting my eMMC (pictures, videos, texts etc); I only have a small SD card atm which I'm using to dualboot so I can't really use that.

Dual boot your N900?? How and with what?

Daniel-1944 2010-09-04 17:18

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by Daniel-1944 (Post 807126)
How to make Jebba's kernel modules stay active?
.
.
.

BTW: I also changed /etc/fstab and the reboot put the original /etc/fstab in its place again.

What happened, why do the modules disappear and why is /etc/fstab restored?

By chance I found a mention in Internet that booting with the keyboard uncovered or covered makes a difference. So I tried booting with the keyboard open and was pleased to see that now the cryptsetup modules are available.
Conclusion: keeping the keyboard closed will also keep the extra modules inaccessible.

However, /etc/fstab remains the original one, not the one with my changes, so that one is not influenced by having the keyboard open or closed.

jsweiss 2010-09-07 12:27

Re: cryptsetup: encrypted filesystem on your N900
 
Hello,
I have managed to somehow set up encrypted /home/user using truecrypt, using the internal flash partition /dev/mmcblk0p1, which is normally mounted as /home/user/MyDocs.

First step is to back up /home/user/MyDocs contents, as they will be overwritten!

Second step was to unmount the partition, and encrypting it using truecrypt, with ext3 filesystem. After that, mount it some place as /mnt, set the correct ownership and permisions (owner user.users), and copy the contents of /home/user (including the hidden folders) to the new truecrypt encrypted partition.

Now, a tricky part comes in. Somehow, the N900 will not be able to browse the /home/user/MyDocs folder, unless it is mounted directly. The only workaround i could find, is to create an image under the new /home/user folder (which will be encrypted) , and mount it separate under /home/user/MyDocs , as a loop device. It does not matter which type of filesystem you use , as the N900 can accept both fat32 and ext3 fs under MyDocs folder.

The interesting part is that you get somehow plausible deniability, as when you first start the phone, it will not show the contacts, pictures, user accounts, documents, until you use the following script to mount the encrypted partition:
(after encryption, at start-up you will get a message stating "unsupported filesystem" and the /dev/mmcblk0p1 will not be mounted)

#!/bin/bash
truecrypt --filesystem=none /dev/mmcblk0p1
mount /dev/loop0 /home/user
#if i don't mount it like this, it takes too long to mount
losetup /dev/loop5 /home/user/docs.img
mount /dev/loop5 /home/user/MyDocs
#workaround to be able to "see" the MyDocs folder using the #filemanager.
truecrypt -l
sleep 2
killall signond
#restart the daemon that manages IM user accounts (and maybe #e-mail accounts?)
sleep 2
killall mission-control rtcom-messaging-ui rtcom-call-ui rtcom-accounts-ui
#restart the messaging services, to re-read messaging accounts
sleep 2
killall hildon-desktop hildon-home hildon-status-menu
#restart the better part of hildon, to re-read desktop, calendar, #shortcuts, etc from the new /home/user encrypted partition.

Script has to run as root.

This actually works, by replacing /home/user folder with an encrypted one, and the /home/user/MyDocs with a loop image (you can choose the size). There is no significant performance decrease, and does not affect the battery. Also, you do not need to modify the kernel.
Works perfect on the N900 with last version of firmware and kernel,
and last version of tryuecrypt ported on N900 Maemo 5.

Now, there is also a method of encrypting the swap partition, using truecrypt with one-time key files. Here is the script:
(has to be ran after mounting the encrypted /home/user partition)

#!/bin/bash
swapoff -a
#disable swap
cd /home/user
dd if=/dev/urandom of=key1.txt bs=1024K count=1
dd if=/dev/urandom of=key2.txt bs=1024K count=1
dd if=/dev/urandom of=key3.txt bs=1024K count=1
dd if=/dev/urandom of=key4.txt bs=1024K count=1
dd if=/dev/urandom of=key5.txt bs=1024K count=1
#create 5 one time use key-files under the encrypted /home/user
truecrypt -t -c --random-source=/dev/urandom --quick --encryption=AES --hash=SHA-512 --volume-type=normal --filesystem=none -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt -p="" /dev/mmcblk0p3
truecrypt -t -p="" -k key1.txt,key2.txt,key3.txt,key4.txt,key5.txt --protect-hidden=no --filesystem=none /dev/mmcblk0p3
rm -f key*.txt
#create a truecrypt partition on the /dev/mmcblk0p3 and remove #the temporary key files
mkswap /dev/loop1
swapon /dev/loop1
#format and activate the swap

However, this has not been tested.

Once again, this method works by replacing the entire /home/user folder, along with all its contents, including calendar entries, email and IM accounts, emails and conversations. If you decide to try it, make sure you back up the important stuff first.

I could not find a reliable way to encrypt the swap, the /tmp and the /var/tmp folders, yet. Maybe someone else will.

Cheers,
J

lohner 2011-05-17 16:15

Re: cryptsetup: encrypted filesystem on your N900
 
Did anyone try this? would be great if you could share your experiences in this thread.

tehowe 2012-01-03 02:49

A LUKS how-to guide for the SD card
 
After puzzling through the various options for securing the N900, I decided to go with cryptsetup/dmcrypt/LUKS for the SD card 'mmc1' and to skip trying to encrypt /home and /MyDocs for the time being (1, it's a PITA and 2, simply locking your phone will deter thieves from getting at your data on the internal RAM (yes, the bug that exposed it to the USB port when powered down has been fixed in PR 1.2)

But the SD card, anyone can pull it out of the phone. So why not use Linux-native LUKS filesystem encryption to secure it?

I've seen bits and pieces of how to use cryptsetup to secure your SD card on this and other forums but never a full 'cut and paste' guide n00bs like me could use. So here goes.

(It's worth mentioning first that I'm using the Kernel Power kernel replacement http://wiki.maemo.org/Kernel_Power
This may or may not be necessary.
For root shell access, I've got sudser and rootsh and bash3 from the applications manager. For more see here http://wiki.maemo.org/Root_access)
Substitute your fave editor for nano, which I think I also installed seperately, in the steps below.

1. Install cryptsetup
Code:

sudo apt-get install cryptsetup
2. Backup your SD-card contents
- I put the SD card in my Linux desktop's media reader and simply copied the directory to a safe place

3(a). Format your SD-card for LUKs - OPTION1 use Linux desktop
- I actually just used Ubuntu's Nautilus file manager to view the computer's drives, then right-clicked on the SD card, picked Format, and chose 'Encrypted, Compatible with Linux (FAT)' It then asks you to enter your passphrase.

After putting the card back in the N900 I did the following just to make sure the filesystem is ext3 (why not use a journalled file system)

Code:

# unmount the SD card
sudo umount /media/mmc1
# open the crypt (type your passphrase in again)
sudo cryptsetup luksOpen /dev/mmcblk1 mmc1
# now add the ext3 file system inside the crypt
sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/mmc1

3(b). Format your SD-card for LUKs - OPTION 2 use N900 console
- You could instead use the N900's console with the SD card in the phone (see here)

Code:

# unmount the SD  card
sudo umount /media/mmc1
# format the card, use a strong passphrase!
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/mmcblk1
# open the crypt (type your passphrase in again)
sudo cryptsetup luksOpen /dev/mmcblk1 mmc1
# now add a file system inside the crypt - ext3 is good
sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/mmc1

4. Make a script to help automate the process
- I didn't find anything conclusive to automount the SD card on startup in these forums, but was able to modify a script I found here to make it pretty painless.

Code:

# drop a script in /home - couldn't get executable permission for scripts in /home/MyDocs
cd ~
cd ..
mkdir scripts
sudo nano crypt.sh

Paste the following in

Code:

#!/bin/sh

case $1 in
  start)
        modprobe dm_crypt
        cryptsetup luksOpen /dev/mmcblk1p1 mmc1
        echo "Mounting SD card..."
        mount /dev/mapper/mmc1 /media/mmc1
        chmod 777 /media/mmc1
        ;;
  stop)
        echo "Unmounting SD card..."
        umount /media/mmc1
        cryptsetup luksClose /dev/mapper/mmc1
        ;;
  *)
        echo "Usage: crypt [ start | stop ]"
        ;;
esac

CTRL-O and CTRL-X to save and exit nano

finally,

Code:

sudo chmod +x crypt.sh
5. (Optional) Edit the system mount script to remove annoying 'filesystem not supported' error message that happens when SD card crypt is first opened in script above. You can just ignore it though if you want.

Code:

cd /usr/sbin
sudo nano oss-mmc-mount.sh

Look for the line that reads
b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
and change it to
b | c | e | 4 | 6 | 14 | 16 | 83 | 1b | 1c | 1e)
and press CTRL-O, CTRL-X to save and exit.

6. To open the SD card, you can now type (from the shell)
Code:

sudo ~/scripts/crypt.sh start
To close the SD card, type
Code:

sudo ~/scripts/crypt.sh stop
Huzzah! Hope that helps someone out.

nman 2012-01-06 22:08

Re: cryptsetup: encrypted filesystem on your N900
 
Quick question.. does this mount the encrypted partition on a pc when you plug in in usb mode? (with the partition decrypted and mounted, of course)

tehowe 2012-01-10 19:17

Re: cryptsetup: encrypted filesystem on your N900
 
Quote:

Originally Posted by nman (Post 1146836)
Quick question.. does this mount the encrypted partition on a pc when you plug in in usb mode? (with the partition decrypted and mounted, of course)

If you mean encrypting the SD card as above, then any recent Linux installation on your desktop should ask you for the password before mounting the SD card. That's what happens in Ubuntu 11.04 at least.


All times are GMT. The time now is 02:13.

vBulletin® Version 3.8.8