#38
After puzzling through the various options for securing the N900, I decided to go with cryptsetup/dmcrypt/LUKS for the SD card 'mmc1' and to skip trying to encrypt /home and /MyDocs for the time being (1, it's a PITA and 2, simply locking your phone will deter thieves from getting at your data on the internal RAM (yes, the bug that exposed it to the USB port when powered down has been fixed in PR 1.2)).

But the SD card, anyone can pull it out of the phone. So why not use Linux-native LUKS filesystem encryption to secure it?

I've seen bits and pieces of how to use cryptsetup to secure your SD card on this and other forums but never a full 'cut and paste' guide n00bs like me could use. So here goes.

(It's worth mentioning first that I'm using the Kernel Power kernel replacement http://wiki.maemo.org/Kernel_Power
This may or may not be necessary.
For root shell access, I've got sudser and rootsh and bash3 from the applications manager. For more see here http://wiki.maemo.org/Root_access)
Substitute your fave editor for nano, which I think I also installed separately, in the steps below.

1. Install cryptsetup
Code:
sudo apt-get install cryptsetup
2. Back up your SD-card contents
- I put the SD card in my Linux desktop's media reader and simply copied the directory to a safe place

3(a). Format your SD-card for LUKS - OPTION 1 use Linux desktop
- I actually just used Ubuntu's Nautilus file manager to view the computer's drives, then right-clicked on the SD card, picked Format, and chose 'Encrypted, Compatible with Linux (FAT)'. It then asks you to enter your passphrase.

After putting the card back in the N900 I did the following just to make sure the filesystem is ext3 (why not use a journalled file system?)

Code:
# unmount the SD card
sudo umount /media/mmc1
# open the crypt (type your passphrase in again)
sudo cryptsetup luksOpen /dev/mmcblk1 mmc1
# now add the ext3 file system inside the crypt
sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/mmc1
3(b). Format your SD-card for LUKS - OPTION 2 use N900 console
- You could instead use the N900's console with the SD card in the phone (see here)

Code:
# unmount the SD  card
sudo umount /media/mmc1
# format the card, use a strong passphrase!
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/mmcblk1
# open the crypt (type your passphrase in again)
sudo cryptsetup luksOpen /dev/mmcblk1 mmc1
# now add a file system inside the crypt - ext3 is good
sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/mmc1
4. Make a script to help automate the process
- I didn't find anything conclusive to automount the SD card on startup in these forums, but was able to modify a script I found here to make it pretty painless.

Code:
# drop a script in ~/scripts - couldn't get executable permission for scripts in /home/MyDocs
mkdir -p ~/scripts
cd ~/scripts
sudo nano crypt.sh
Paste the following in

Code:
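#!/bin/sh
# Open/close the LUKS-encrypted SD card; run as root (via sudo).

case "$1" in
  start)
	modprobe dm_crypt
	# Use the device that holds the LUKS header from step 3:
	# /dev/mmcblk1 if the whole card was formatted, /dev/mmcblk1p1 if the first partition was.
	# Stop here if the passphrase is wrong or the device cannot be opened.
	cryptsetup luksOpen /dev/mmcblk1p1 mmc1 || exit 1
	echo "Mounting SD card..."
	mount /dev/mapper/mmc1 /media/mmc1 || exit 1
	chmod 777 /media/mmc1
	;;
  stop)
	echo "Unmounting SD card..."
	umount /media/mmc1
	# luksClose takes the mapping name that was given to luksOpen
	cryptsetup luksClose mmc1
	;;
  *)
	echo "Usage: crypt [ start | stop ]"
	;;
esac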
CTRL-O and CTRL-X to save and exit nano

finally,

Code:
sudo chmod +x crypt.sh
5. (Optional) Edit the system mount script to remove annoying 'filesystem not supported' error message that happens when SD card crypt is first opened in script above. You can just ignore it though if you want.

Code:
cd /usr/sbin
sudo nano oss-mmc-mount.sh
Look for the line that reads
b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
and change it to
b | c | e | 4 | 6 | 14 | 16 | 83 | 1b | 1c | 1e)
and press CTRL-O, CTRL-X to save and exit.

6. To open the SD card, you can now type (from the shell)
Code:
sudo ~/scripts/crypt.sh start
To close the SD card, type
Code:
sudo ~/scripts/crypt.sh stop
Huzzah! Hope that helps someone out.
 

The Following User Says Thank You to tehowe For This Useful Post:
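
The post formats /dev/mmcblk1 in step 3 but the step 4 script opens /dev/mmcblk1p1, so it helps to confirm which device actually carries the LUKS header before opening or reformatting anything. The following is an added example, not part of the original post: the function names are made up here, and it assumes standard dd, od and tr and read access to the device.

```shell
#!/bin/sh
# Added example: find which block device (or image file) carries a LUKS
# header by reading the on-disk magic, without cryptsetup or a passphrase.

# LUKS1 and LUKS2 headers both start with the 6 bytes "LUKS" 0xBA 0xBE,
# followed by a 2-byte big-endian version number.
LUKS_MAGIC_HEX=4c554b53babe

# hex_at FILE OFFSET COUNT -> lowercase hex of COUNT bytes at OFFSET
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_luks FILE -> exit status 0 if FILE is readable and starts with the magic
is_luks() {
    [ -r "$1" ] && [ "$(hex_at "$1" 0 6)" = "$LUKS_MAGIC_HEX" ]
}

# luks_version FILE -> prints the header version (1 or 2); fails if not LUKS
luks_version() {
    is_luks "$1" || return 1
    printf '%d\n' "0x$(hex_at "$1" 6 2)"
}

# pick_luks_dev CANDIDATE... -> prints the first candidate with a LUKS header,
# returns non-zero if none of them has one
pick_luks_dev() {
    for dev in "$@"; do
        if is_luks "$dev"; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Hypothetical use in the start) branch, with the device names from the post:
#   dev=$(pick_luks_dev /dev/mmcblk1p1 /dev/mmcblk1) || exit 1
#   cryptsetup luksOpen "$dev" mmc1 || exit 1
```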