Inspired by the post the thread-starter referred to (click), I tried this myself, slightly differently:
  • compiled latest truecrypt (version 7) from source (thanks to this)
  • added kernel crypto support (thanks to this)
  • created a truecrypt container, encrypted with the twofish cipher (it was the fastest in the truecrypt benchmark on my N900) on a fast Linux box
  • created a loop file inside the truecrypt file to be mounted as MyDocs
  • using the awesome Backupmenu, I created a backup of my N900, then resized the /home partition to almost 30 GB, shrinking the MyDocs partition to several MBytes. The swap was left untouched. I did all this with Backupmenu's USB functions on a Linux box with gparted. It is important to have the same partition order as the original Maemo to avoid error messages at startup.
  • put all files from my Backup into the MyDocs loop file and the truecrypt container
  • copied it over to /home directory on maemo
  • now I am still working on a perfect mount script to be run at startup (see below)

Modified script from here:
Code:
#!/bin/sh
# unmount the plaintext MyDocs; kill the two processes that keep it busy
echo umount
killall maemo-xinput-sounds
killall temp-reaper
umount /home/user/MyDocs
# open the truecrypt container (no filesystem: the mapper device is mounted by hand below)
echo truecrypt
modprobe xts
modprobe lrw
truecrypt -m=timestamp --filesystem=none /home/.user.tc
mount -t ext4 -o rw,noatime,commit=1,data=writeback /dev/mapper/truecrypt1 /home/user
# if I don't mount it like this, it takes too long to mount
# attach the MyDocs loop file that lives inside the encrypted /home/user
losetup /dev/loop5 /home/user/.MyDocs.container
mount /dev/loop5 /home/user/MyDocs
# workaround to be able to "see" the MyDocs folder using the filemanager.
truecrypt -t -l
echo "ctrl-c to abort...."
sleep 5
# restart the daemon that manages IM user accounts (and maybe e-mail accounts?)
echo "signond"
killall signond
sleep 2

# restart the messaging services, to re-read messaging accounts
echo "trackerd"
killall trackerd
echo "tracker-indexer"
killall tracker-indexer
echo "browserd"
killall browser browserd
echo "mission-control"
killall mission-control
echo "rtcom-messaging-ui"
killall rtcom-messaging-ui
echo "rtcom-call-ui"
killall rtcom-call-ui
echo "rtcom-accounts-ui"
killall rtcom-accounts-ui
echo "osso-addressbook"
killall osso-addressbook
echo "hildon-thumbnailerd"
killall hildon-thumbnailerd
echo "osso-connectivity-ui-conndlgs"
killall osso-connectivity-ui-conndlgs
echo "clipboard-manager"
killall clipboard-manager
echo "profiled"
killall profiled

# restart the better part of hildon, to re-read desktop, calendar, shortcuts, etc.
# from the new /home/user encrypted partition.
echo "sleep 10"
sleep 10
echo "hildon-desktop"
killall hildon-desktop
echo "sleep 15"
sleep 15
echo "hildon-home"
killall hildon-home
sleep 2
echo "hildon-status-menu"
killall hildon-status-menu
echo "systemui"
killall systemui

The excessive sleep commands are there because I sometimes ran into reboots without them. But clearly they need to be optimized (far too many, and far too long, at the moment).

ISSUES:
  • Filesystems are not clean (not unmounted properly) on reboot, especially when pressing the power button. Using the halt command seems to do less harm (I still need to verify this).
  • Sometimes silent mode does not work
  • Some settings (browser, desktop bookmarks, number of desktops, language, ...) depend on the primordial home directory. Some of these issues may be resolvable, some (e.g. language settings) not.
  • slightly slower program startup (e.g. messaging application)
  • battery lifetime not much different, maybe a little less

For reference, the last entries of my mounted filesystems list:
Code:
/dev/mmcblk1p1 on /media/mmc1 type vfat (rw,noauto,nodev,noexec,nosuid,noatime,nodiratime,utf8,uid=29999,shortname=mixed,dmask=000,fmask=0133,rodir)
truecrypt on /tmp/.truecrypt_aux_mnt1 type fuse.truecrypt (no-canonicalize,rw,nosuid,nodev,allow_other)
/dev/mapper/truecrypt1 on /home/user type ext4 (rw,noatime,commit=1,data=writeback)
/dev/loop5 on /home/user/MyDocs type ext4 (0)

TODO:
  • finish the mount script
  • resolve most of the issues, especially the clean shutdown issue
  • format /home ext4
  • eventually encrypt swap too
  • do it all with dm-crypt

By the way, using the N900 as an encrypted USB device (as suggested here) automatically works this way.

Please try it, ask if you need help and post your experiences and issues.
And please don't forget a proper backup, since you are likely to brick everything on your first try.

Last edited by lohner; 2011-05-17 at 19:21. Reason: dm-crypt post added
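The post's startup script kills the Hildon and rtcom daemons on a fixed timer after the mount commands, whether or not those commands succeeded; if the TrueCrypt mount fails, every restarted daemon simply writes into the plaintext /home again. The script below is an added example, not lohner's script or anything from the TrueCrypt project: it wraps the same sequence (same container path /home/.user.tc, loop file /home/user/.MyDocs.container, /dev/loop5, ext4 on both, same daemon list) in functions that read /proc/mounts and refuse to restart anything until /home/user is really served by a /dev/mapper device. It also adds the reverse sequence for a clean shutdown, which the ISSUES list asks for. The mount-table helpers take an optional mounts-file argument so they can be exercised against a constructed table on a PC; the `-t` on the truecrypt calls (text mode) and the DRY_RUN switch are my additions, not from the post.

```shell
#!/bin/sh
# Added example (not lohner's script): checked version of the /home/user switch.
# Assumed paths and options follow the forum post; nothing here is verified
# against a real N900 other than the TrueCrypt CLI flags the post itself uses.
CONTAINER=/home/.user.tc
LOOPFILE=/home/user/.MyDocs.container
LOOPDEV=/dev/loop5
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}
# Daemons the post restarts after the switch, in the post's order.
DAEMONS="signond trackerd tracker-indexer browserd mission-control rtcom-messaging-ui
rtcom-call-ui rtcom-accounts-ui osso-addressbook hildon-thumbnailerd
osso-connectivity-ui-conndlgs clipboard-manager profiled"

# run CMD...: execute CMD, or only print it when DRY_RUN is set, so the whole
# sequence can be reviewed on a PC before it is run as root on the device.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# mount_field MOUNTPOINT FIELD [MOUNTS_FILE]: print field FIELD (1 = source
# device, 3 = fstype) of the mounts line whose target is exactly MOUNTPOINT.
mount_field() {
    awk -v mp="$1" -v f="$2" '$2 == mp { print $f; exit }' "${3:-$MOUNTS_FILE}"
}

# is_mounted MOUNTPOINT [MOUNTS_FILE]: true if something is mounted exactly there.
# Comparing the whole target field keeps /home from matching /home/user.
is_mounted() {
    [ -n "$(mount_field "$1" 1 "${2:-$MOUNTS_FILE}")" ]
}

# home_is_encrypted [MOUNTS_FILE]: true if /home/user is served by a
# device-mapper node (truecrypt/dm-crypt) rather than by the plain /home partition.
home_is_encrypted() {
    case "$(mount_field /home/user 1 "${1:-$MOUNTS_FILE}")" in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same restart order and waits as the post; only reached after the mounts are verified.
restart_daemons() {
    for d in $DAEMONS; do run killall "$d" 2>/dev/null; done
    run sleep 10; run killall hildon-desktop
    run sleep 15; run killall hildon-home
    run sleep 2;  run killall hildon-status-menu systemui
}

mount_encrypted_home() {
    if home_is_encrypted; then echo "encrypted /home/user already mounted"; return 0; fi
    run killall maemo-xinput-sounds temp-reaper 2>/dev/null
    run umount /home/user/MyDocs
    run modprobe xts
    run modprobe lrw
    # -t: text mode, the passphrase is asked for on the console.
    run truecrypt -t -m=timestamp --filesystem=none "$CONTAINER" || return 1
    run mount -t ext4 -o rw,noatime,commit=1,data=writeback /dev/mapper/truecrypt1 /home/user || return 1
    # Stop here, before touching any daemon, if the mapper device is not where we expect it:
    # the session then simply keeps running on the old plaintext /home.
    if [ -z "${DRY_RUN:-}" ] && ! home_is_encrypted; then
        echo "/home/user is not on /dev/mapper, leaving the session on plaintext /home" >&2
        return 1
    fi
    run losetup "$LOOPDEV" "$LOOPFILE" || return 1
    run mount -t ext4 "$LOOPDEV" /home/user/MyDocs || return 1
    restart_daemons
}

# Reverse of the above for a clean shutdown: stop the writers first, flush,
# then unmount inner before outer and close the TrueCrypt volume.
umount_encrypted_home() {
    for d in hildon-home hildon-desktop $DAEMONS; do run killall "$d" 2>/dev/null; done
    run sync
    run umount /home/user/MyDocs && run losetup -d "$LOOPDEV"
    run umount /home/user && run truecrypt -t -d "$CONTAINER"
}

# Usage: sh enchome.sh mount | umount   (DRY_RUN=1 sh enchome.sh mount to preview)
case "${1:-}" in
    mount)  mount_encrypted_home ;;
    umount) umount_encrypted_home ;;
esac
```

The check after the ext4 mount is the part that matters: `mount` on a path that already exists cannot tell you whether the mapper device or the old /home is underneath, only the mounts table can, so the daemons are only restarted once `/home/user` resolves to `/dev/mapper/...`. Running `umount_encrypted_home` from a shutdown hook (or by hand before `halt`) is what gives the ext4 filesystems a clean unmount instead of the dirty state the post describes after pressing the power button.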