Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
I have some questions regarding encryption on the Harmattan filesystem.

Let me first present the scenario I am after here.

Firstly, it is known that when the device is in Harmattan open mode, the CAL-area memory is in a read-only state. This causes side-effects like device locking with a security code not being possible, as the code is stored there.

Now, it should be possible to write such a replacement for security locking that stores the locking code (or a hash derived from it) to a normal file, but this led me to think more about device security.

What I would like to implement is a method of encrypting the whole /home/user directory, in such a way that a passphrase is asked for at device boot. Device locking could then be implemented on top of this, using either the same passphrase that is used to decrypt the home directory or a simpler security number that is stored in the encrypted home directory.

Accessing the device in USB mass-memory mode can either present the encrypted MyDocs directory (and the user could have the same encfs keys on the host computer, decrypting the files transparently) or a specific non-encrypted folder might be presented, leaving the user the option to transfer the wanted files there manually.

Security of accessing the device via ssh would be covered, as the user has to log in with a password anyway.

I know it should be fairly easy to set up the encrypt/decrypt scripts on device startup, in a similar way to how the nitdroid boot loader does it, before any mounts are done on the device.

Now we get to the meat of this posting: I first meant to look into porting encfs to Harmattan as I am familiar with using it, but then I thought about aegisfs. It already exists on the device, and it can do encrypting/decrypting on the fly. Probably it is even optimized quite well to run on the limited resources of the device, better than encfs for sure.

But can aegisfs do cryptography in a similar way to encfs, so that authentication is done once and then processes with the correct real UID can decrypt the content automatically?

I read the documentation given on the Nokia support pages and I can see aegisfs is mainly used to isolate applications from interfering with each other and to prevent the user from tampering with application data. Authentication is done via a certificate system geared so that the device manufacturer has the ultimate decision on who gets access to what, instead of it being under the control of the device user.

So, any help is appreciated here: can we make aegisfs work the way it can be used here, or should we port another layer of cryptography to the device?

The Following User Says Thank You to juiceme For This Useful Post:
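The "store the lock code as a hash in a normal file" idea from the post, as an added example that is not part of the original post or of Harmattan itself: the lock code is kept as a salted, iterated PBKDF2 hash in a file meant to live inside the encrypted home directory, so it is only reachable after the boot-time passphrase has unlocked /home/user. The file path and the iteration count are assumptions.

```python
# Added example (not from the post): a replacement device-lock store that keeps
# a salted, iterated hash of the lock code in a normal file instead of the
# read-only CAL area. The file is assumed to sit inside the encrypted home so
# it only exists once the home directory has been decrypted at boot.
import hashlib
import hmac
import json
import os

ITERATIONS = 100000                       # assumed PBKDF2 work factor; tune for the device CPU
LOCK_FILE = "/home/user/.lockcode.json"   # assumed path, not a Harmattan-defined one


def _derive(code: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the lock code. A short numeric code is a weak
    secret, so the salt and work factor are what slow down offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, iterations)


def make_record(code: str, iterations: int = ITERATIONS) -> dict:
    """Build the stored record for a new lock code: fresh random salt + hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": _derive(code, salt, iterations).hex()}


def verify_code(record: dict, attempt: str) -> bool:
    """Check an attempt against a stored record using a constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    actual = _derive(attempt, salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


def save_record(record: dict, path: str = LOCK_FILE) -> None:
    """Write the record with mode 0600 so only the owner (and root) can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)


def load_record(path: str = LOCK_FILE) -> dict:
    """Read a record written by save_record."""
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    rec = make_record("12345")
    print(verify_code(rec, "12345"), verify_code(rec, "54321"))  # True False
```

The lock UI would call load_record once after the home directory is mounted and verify_code on each unlock attempt; changing the code means calling make_record and save_record again.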