|
encfs vs. aegisfs
I have some questions regarding encryption on harmattan filesystem.
Let me first present the scenario I am after here. Firstly, It is known that when device is in harmattan open mode, the cal-area memory is in read-only state. This causes side-effects like device locking with security code not possible as the code is stored there. Now, it should be possible to write such a replacement for security locking that stores the locking code (or a hash derived from it) to a normal file, but this led me thinking more about device security. What I would like to implement is a method of encrypting the whole /home/user directory, in such a way that a passphrase is asked at device boot. Device locking could be then implemented on top of this, using either the same passphrase that is used to decrypt the home directory or simpler security number that is stored on the encrypted home directory. Accessing the device in USB-mass-memory mode can either present the encryped MyDocs directory (and user could have the same encfs keys on the host computer, decrypting the files transparently) or a specific non-encrypted folder might be presented, leaving user the option to transfer the wanted files there manually. Security of accessing the device via ssh would be covered, as user has to log in with a password anyway. I know it should be fairly easy to set up the encrypt/decrypt scripts on device startup, using similar way as nitdroid boot loader does, before any mounts are done on the device. Now we get to the meat of this posting: I first meant to look into porting encfs to harmattan as I am familiar using it, but then I thought about aegisfs. It is already existing on the device, and it can do encrypting/decrypting on the fly. Probably it is even optimized quite well to run on the limited resources of the device, better than encfs for sure. But can aegisfs do cryptography similar way as encfs does, so that authentication is done once and then processes with correct real-uid can decrypt the content automatically? I read the documentation given on Nokia support pages and I can see aegisfs is mainly used to isolate applications from interference to each other and to prevent user from tampering with application data. Authentication is done via certificate system geared up so that device manufacturer has the ultimate decisions on who gets access to what, instead of being in the control of device user. So, any help is appreciated here, can we make aegisfs to work the way it can be used here, or should we port another layer of cryptography to the device? |
Re: encfs vs. aegisfs
I use encfs from the shell , anyone think about adding a ui or something ?
http://talk.maemo.org/showthread.php...fs#post1241911 |
Re: encfs vs. aegisfs
Have you done any performance measurements on it, how much does it slow down file access?
I will have to download that and see if it could be used for home directory protection. |
Re: encfs vs. aegisfs
Quote:
Do I need to get some additonal packeges? Code:
~ # |
Re: encfs vs. aegisfs
FYI, I use openmode kernel
can you export LANG=C before pasting |
Re: encfs vs. aegisfs
This would be an awesome project if it really came true. :thumbsup:
|
Re: encfs vs. aegisfs
Quote:
Anyway, here is the same in english. And, of course I use openmode kernel... I would not except this to work without :) Code:
BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash) |
Re: encfs vs. aegisfs
cat u try again by just using :
cat /etc/apt/sources.list.d/home-rzr-harmattan.list deb http://repo.pub.meego.com/home:/rzr:...ttan_standard/ ./ my working versions are reported at : http://rzr.online.fr/q/fuse# |
Re: encfs vs. aegisfs
Quote:
OK, tried it, but no help there...: Code:
~ # |
Re: encfs vs. aegisfs
i dont have the module either , so i guess it is built in ...
I used nitdroid's zImage ... http://downloads.nitdroid.com/e-yes/n9/zImage |
Re: encfs vs. aegisfs
Quote:
$ uname -a Linux RM696 2.6.32.54-dfl61-20121301 #52 PREEMPT Thu Jul 5 02:32:54 MSK 2012 armv7l GNU/Linux ~ $ |
Re: encfs vs. aegisfs
Hey, stop the presses :)
Actually it works for me now, the latest apt-stanza corrected the problem but I did not notice that as I was just looking at the fusemodule and did not realize it was built in the kernel already. I noticed that for now only root has access to /dev/fuse so I need to check if It works with user priviliges also. |
Re: encfs vs. aegisfs
Basically my original idea is starting to look doable now.
I have now played around a bit with encfs, and found out some things about it; Unlike encfs implementation I have used on desktop linux, I did not find out a way of starting encfs as non-root user. It makes no difference whether I chmod the /dev/fuse as a+rwx, still trying to create or mount the encfs bombs out with "fuse: failed to open /dev/fuse: Permission denied" Well, fortunately it does not matter much, as I can create and mount the fs as root with --public flag, and it is available to other users after that as well. I tried copying the encrypted content to my ubuntu box and successifully opened the content there with the correct passphrase. That is as well as it should be, so protected access to the device in usb-memory mode is possible. Next I looked into the device booting scripts. I have nitdroid dual-boot active on my device, so it was easy to find out the place in /sbin/preinit script where the multiboot section begins. The correct place to mount the encrypted home would be just before the android/meego boot selection. Now, next thing to do is to write up a simple input panel that can be called from the preinit script to query for passphrase. When I get that part working correctly, meaning I can input the passphrase and see that decrypting is activated, I will try to move all stuff in /user/home inside the encfs mount. |
| All times are GMT. The time now is 21:46. |
vBulletin® Version 3.8.8