maemo.org - Talk
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Brainstorm (https://talk.maemo.org/forumdisplay.php?f=47)
-   -   Complete Filesystem Encryption (https://talk.maemo.org/showthread.php?t=70539)

hawaii 2011-03-02 04:19
Complete Filesystem Encryption
 
I will soon have another N900 to play with (thanks to the amazing folks I meet on the internet) and plan on getting a complete filesystem encryption set up. It will be very similar to this post http://talk.maemo.org/showpost.php?p...0&postcount=36

Any pointers, concerns or talk about it can go here.

Thanks!

Hurrian 2011-03-02 09:43
Re: Complete Filesystem Encryption
 
(after encryption, at start-up you will get a message stating "unsupported filesystem" and the /dev/mmcblk0p1 will not be mounted)

This is in no way at all plausible deniability. It's a phone, which should mean you have personal data on it.

At the very least, it should have photos,fake contacts and a browser history on it.

IMO:
Xbox huge /home folder
Inside it, a relatively small loopmounted Truecrypt container/partition. ~/MyDocs is loopmounted, unencrypted vfat.
To mount the thing, you run a seekrit bash script that waits for a certain sequence of hardware commands from dbus (think opening/closing the ALS, slider, camera slider, battery cover)

Note: An empty device (no contacts and photos) does not make sense when you have 2 GB free space ;P

lohner 2011-05-17 16:13
Re: Complete Filesystem Encryption
 
Inspired by the post the thread-starter referred to (click), I tried this myself, slightly different:
  • compiled latest truecrypt (version 7) from source (thanks to this)
  • added kernel crypto support (thanks to this)
  • created a truecrypt container, encrypted with the twofish cipher (it was the fastest in the truecrypt benchmark on my N900) on a fast Linux box
  • created a loop file inside the truecrypt file to be mounted as MyDocs
  • using the awesome Backupmenu, I created a backup of my N900, then resized the /home partition to almost 30 GB, shrinking the MyDocs partition to several MBytes. The swap was left untoched. I did all this with Backupmenu's USB-Functions on a Linux box with gparted. It is important to have the same partition order as the original maemo to avoid error messages at startup.
  • put all files from my Backup into the MyDocs loop file and the truecrypt container
  • copied it over to /home directory on maemo
  • now I am still working on a perfect mount script to be run at startup (see below)

Modified script from here:
Code:
#!/bin/sh
echo umount
killall maemo-xinput-sounds
killall temp-reaper
umount /home/user/MyDocs
echo truecrypt
modprobe xts
modprobe lrw
truecrypt -m=timestamp --filesystem=none /home/.user.tc
mount -t ext4 -o rw,noatime,commit=1,data=writeback /dev/mapper/truecrypt1 /home/user
#if i don't mount it like this, it takes too long to mount
losetup /dev/loop5 /home/user/.MyDocs.container
mount /dev/loop5 /home/user/MyDocs
#workaround to be able to "see" the MyDocs folder using the #filemanager.
truecrypt -t -l
echo "ctrl-c to abort...."
sleep 5
#restart the daemon that manages IM user accounts (and maybe #e-mail accounts?)
echo "signond"
killall signond
sleep 2

#restart the messaging services, to re-read messaging accounts
echo "trackerd"
killall trackerd
echo "tracker-indexer"
killall tracker-indexer
echo "browserd"
killall browser browserd
echo "mission-control"
killall mission-control
echo "rtcom-messaging-ui"
killall rtcom-messaging-ui
echo "rtcom-call-ui"
killall rtcom-call-ui
echo "rtcom-accounts-ui"
killall rtcom-accounts-ui
echo "osso-addressbook"
killall osso-addressbook
echo "hildon-thumbnailerd"
killall hildon-thumbnailerd
echo "osso-connectivity-ui-conndlgs"
killall osso-connectivity-ui-conndlgs
echo "clipboard-manager"
killall clipboard-manager
echo "profiled"
killall profiled

echo "sleep 10"
sleep 10
echo "hildon-desktop"
killall hildon-desktop
echo "sleep 15"
sleep 15
echo "hildon-home"
killall hildon-home
sleep 2
echo "hildon-status-menu"
killall hildon-status-menu
echo "systemui"
killall systemui
#restart the better part of hildon, to re-read desktop, calendar, #shortcuts, etc from the new /home/user encrypted partition.
The excessive sleep commands are used because I sometimes ran into reboots without them. But clearly they are to be optimized (far too many, far too long now).

ISSUES:
  • Filesystems are not clean (not unmounted properly) on reboot. Especially when pressing the power button. Using the halt command seems to do less harm (still need to verify this)
  • Sometimes silent mode does not work
  • Some settings (browser, desktop bookmarks, number of desktops, language, ...) depend on the primordial home directory. Some of these issues may be resolvable, some (e.g. language settings) not.
  • slightly slower program startup (e.g. messaging application)
  • battery lifetime not much different, maybe a little less

for reference, the last entries of my mounted filesystems list:
Code:
/dev/mmcblk1p1 on /media/mmc1 type vfat (rw,noauto,nodev,noexec,nosuid,noatime,nodiratime,utf8,uid=29999,shortname=mixed,dmask=000,fmask=0133,rodir)
truecrypt on /tmp/.truecrypt_aux_mnt1 type fuse.truecrypt (no-canonicalize,rw,nosuid,nodev,allow_other)
/dev/mapper/truecrypt1 on /home/user type ext4 (rw,noatime,commit=1,data=writeback)
/dev/loop5 on /home/user/MyDocs type ext4 (0)
TODO:
  • finish the mount script
  • resolve most of the issues, especially the clean shutdown issue
  • format /home ext4
  • eventually encrypt swap too
  • do it all with dm-crypt

By the way, using the N900 as an encrypted USB device (like suggested here) automatically works this way.

Please try it, ask if you need help and post your experiences and issues.
And please don't forget a proper backup, since you are likely to brick everything on your first try.

NIN101 2011-07-14 17:21
Re: Complete Filesystem Encryption
 
Hi,

I managed to encrypt the home partition (mmcblk0p2) with LUKS. No need for tricks with MyDocs containers or kill's, symlinks etc. Obviously, not recommended for endusers. It works very well for me.
http://n900.quitesimple.org/crypto/encrypted_home/

This with an encrypted MyDocs partition is practically the closest you can get to "Complete Filesystem Encryption". At least it covers everything important.

lkravovicz 2011-07-15 04:54
Re: Complete Filesystem Encryption
 
ok i was also enquiring about LUKS a while ago http://talk.maemo.org/showthread.php?t=64479.

perhaps set up a github repo for your stuffs? i'm sure your script could be iteratively community-developed for a smoother process.

Hurrian 2011-07-15 22:26
Re: Complete Filesystem Encryption
 
hmm, we might be able to encrypt rootfs too if we used an initramfs (initfs mtd partition) to set up encryption and key storage.

lkravovicz 2011-07-16 06:57
Re: Complete Filesystem Encryption
 
the only way it makes sense to me is to have an external token for the key. either something yubikey style for überlong password or keyfile on usb stick.

metawishmaster 2011-07-23 10:43
Re: Complete Filesystem Encryption
 
I've finished encryption with passphrase, and smart-card support is almost finished.

p.s. week or two left
it will be bootmenu entry

metawishmaster 2011-09-22 09:37
Re: Complete Filesystem Encryption
 
This may be not be what you need, but it can deal with smart cards:
http://talk.maemo.org/showthread.php?t=77443

momcilo 2011-09-22 09:43
Re: Complete Filesystem Encryption
 
Quote:
Originally Posted by lkravovicz (Post 1051951)
the only way it makes sense to me is to have an external token for the key. either something yubikey style for überlong password or keyfile on usb stick.
In general passwords have low entropy. Longer passwords will prolong the cryptanalysis, but that will not solve the issue.

Until I've discovered the MSSF, I was very interested in N9 since NFC chip is essentially smart card reader.


All times are GMT. The time now is 10:21.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vBulletin® Version 3.8.8