#2 | 2012-01-08, 08:25
#3 | 2012-01-08, 10:36
#4 | 2012-01-09, 01:56
#5 | 2012-01-10, 23:58
Q: Is it possible to encrypt the whole /home/ ?
A: Yes, but it is a quite complicated and *not* recommended process - you need to be sure that You'll know what to do if something goes wrong. And I would not like to be in your shoes if you find yourself in need of reflashing COMBINED (although it doesn't affect reflashing kernel-only). See THIS and find template scripts HERE
#6 | 2012-01-11, 15:57
#8 | 2012-01-11, 17:10
The program manager automatically updated TrueCrypt to the 7.1 GUI version.
How can I get the old version without GUI again?
#9 | 2012-01-11, 17:46
Disable extras-devel, which you (probably) shouldn't use anyway if You don't know why it has been automatically upgraded.
#10 | 2012-01-11, 17:53
Tags: cryptography, encrypted, kernelcrypto, security, truecrypt
---
I've uploaded TrueCrypt 7.1 to Extras-testing. It is the latest upstream version - additionally, the following things changed from 6.3a-maemo4 (available in extras):
All code has been written by the TrueCrypt Foundation (excluding the external wrapper). I just uploaded it, thus I take no credit for any other work involved in bringing it to our device.
For now, to run it, open a terminal and, as root, execute:
A .desktop shortcut and icon are coming up in the next version (contribution of nice TrueCrypt'ish icon(s) highly appreciated). Instructions on usage can be found here:
http://talk.maemo.org/showthread.php...ight=truecrypt
Ignore the parts about installing, unsetting GTK2_RC_FILES etc. - jump straight to usage (instructions will be updated soon by the original author to comply with the repos-available incarnation). Also, please post all questions/problems related to TrueCrypt usage there. This topic is meant only for development suggestions and bug reporting (and, of course, announcing further versions).
---
Mass-storage mode:
---
You can use the N900's encrypted partitions via mass-storage mode, *without* the need for TrueCrypt installed on the desktop (everything is decrypted on the N900, transparently for the desktop). This way, You can use the content of Your encrypted volumes on desktops without actually using them to input passwords/keyfiles = no risk that software or hardware keyloggers attached to said desktops will catch your password. Just remember that it *doesn't* protect Your encrypted volume from getting unwanted files written by malware, or even from being deleted/overwritten, if connected in read&write mode.
It's very simple to achieve - just execute in a terminal (as root):
Side note:
If, for any reason, You want a simple script to grep your encrypted device location by providing its actual location (partition or encrypted file container), you can use this (courtesy of NIN101):
It doesn't have any benefit over writing the argument directly, but may be useful if You're planning to write a simple GUI for that, or to include support for it in your program.
Known flaws:
Mass-storage'd volumes don't respect the special filesystem options passed to Maemo by TrueCrypt during mounting (they're still valid for Maemo, but not for the desktop). So, if You mount Your volume with the read-only flag and later mass-storage it, the desktop will be able to write to it anyway. Of course, Maemo still respects read and write flags. If You want to export a volume to the desktop via mass-storage in read-only state, you must create Your own copy of osso-usb-mass-storage-enable.sh (remember to chmod +x it afterwards), edit it to use read-only, and use it instead of the vanilla osso-usb-mass-storage-enable.sh every time You want to export a volume as read-only.
Known "special" benefits:
As for volumes with ''Hidden volume protection'', mass storage respects it and provides some kind of extended plausible deniability. Such a volume, when exported to the desktop via mass-storage, still protects the blocks of the hidden volume, yet *doesn't* throw any warnings on the desktop side. Furthermore, "blocked" files appear to be written successfully from the desktop side. For example, if You copy a music file that gets write-blocked, it's fully usable from the desktop, as long as You don't disconnect mass-storage and connect it again.
That is, You can have, let's say, a 20MB outer volume with a 15MB hidden volume inside, then copy a 17MB music file to the outer volume (obviously, with "Hidden Volume Protection", it will get blocked as soon as it reaches any hidden volume block), and then perfectly play it from the desktop - from start to end. Also, using "safe device removal" will not pop up any errors.
In reality, such a file will be copied only in the part that was written to the outer volume, with the rest just plainly cut off (in my tests, I was still able to play such a music file, but instead of 3 minutes, it played only for 29 seconds).
Of course, I've tested it with another music file occupying 98% of the hidden volume, and despite "writing" many different files repeatedly to the outer volume (from the desktop, via mass-storage mode), the file on the hidden volume was kept intact.
The only moment when You'll get the notification "warning, TrueCrypt protected hidden volume from damage (...)" is when You unmount TrueCrypt containers (if you've followed my advice and disabled "background task").
(Technical explanation of this phenomenon)
When volumes are mounted successfully with hidden volume protection, they're mounted as encrypted loop devices (for example, /dev/loop0). Unlike filesystem options (like read and write flags), which are set at a later stage - while mounting the encrypted device as the actual access point for the filesystem (i.e. /media/truecrypt1) - and are thus ignored by the mass-storage target desktop, "hidden volume protection" is set as a special option of such a loop device. As we export the loop device as mass-storage, the protecting bits are respected, yet the desktop OS doesn't have a clue about them and isn't informed. Common sense would tell that during "Safe Device Removal" the desktop's OS should be informed about a "delayed write fail", yet it seems that it's not informed about any failures and considers the operation finished OK.
Normally, this would be a bug, but in our case, it's a feature providing an additional benefit.
---
FAQ:
---
Q: I don't trust some random guy providing TrueCrypt binaries.
A: No problem, you can compile Your own from sources instead of using the one from the repositories:
A: From the TrueCrypt documentation:
Also, You should avoid changing the password/keyfiles of already existing encrypted volumes on devices that use wear-leveling. Instead, in such a case, create a new encrypted volume (or back up the files from the encrypted volume and re-create it from scratch) and copy the data there. As stated in the quoted documentation, overwriting the volume header (in case of changing the password/keyfile) implies a security risk of having both the old and new header spread (physically) on the partition (again, exploiting that security hole isn't trivial, but possible).
Q: Is it safe to use the Maemo auto-completion feature with TrueCrypt?
A: No. The Maemo auto-completion feature is well-known for remembering *every* word You put into any Maemo dialog box, including passwords (!) - the same applies to TrueCrypt GUI windows asking for a password. This implies a huge security risk in any password-protected application, thus it's recommended to turn it off.
If You've already used Maemo auto-completion, after turning it off the recognized words are *still* stored in its database, located at: /home/user/.osso/dictionaries/.personal.dictionary
Delete this file, but don't try shredding it - it's utterly useless on storage with wear-leveling (thanks for spotting it, Niwakame). The only way to securely get rid of database remnants is filling the *whole* free space in the partition with zeros (not random numbers, as on flash storage zeros are faster to write afterwards - unless you want to kill your partition performance for quite a while).
Q: Is there any way to force unmounting of an encrypted partition in case of a stolen/lost phone?
A: When encrypted partitions are mounted (by TrueCrypt, I don't mean regular Linux mounting), they're - obviously - unprotected unless unmounted (to mount again, one needs to provide the password). Currently, the only possibility is to set a relatively short auto-lock time - for example, 5 min - the lock code can be disabled by reflashing, but that requires turning the phone off/rebooting anyway (in which case encrypted partitions are unmounted).
Yet, it isn't an ideal solution - if the thief knows about Your "secret" files and wants to access them, he can perform any operation on the phone (so as not to trigger the inactivity autolock) until he finishes copying files from the mounted, encrypted volume. Unfortunately, the same applies to notebooks, desktops etc., and it's generally not a TrueCrypt-side problem. For a "paranoia" level of required security, always unmount the encrypted partition before going away from the phone/putting it into a pocket/etc.
I'll ask the developers of SMSCON about the possibility to include a special SMS command remotely unmounting all TrueCrypt partitions. IIRC, it's even possible to achieve now by using the SMSCON custom command.
Q: I have some problems with version 6.3a-maemo4 available via extras...
A: 6.3a-maemo4 wasn't uploaded by me, and I haven't even used it, so I can't help with that. Furthermore, 6.3a-maemo4 is deprecated, as it got -m nokernelcrypto hardcoded (no way to use XTS via the module shipped with kernel-power). TrueCrypt 7.1 is now available through extras-testing, so you don't need to have -devel enabled to install it.
---
The first post will be updated when appropriate (with notes left as posts inside this thread). A wiki page is also on its way (if You can create it before me/fill it with content when it appears, I would be most grateful).
/Estel
N900's aluminum backcover / body replacement - N900's HDMI-Out - Camera cover MOD - Measure battery's real capacity on-device - TrueCrypt 7.1 | ereswap | bnf
Hardware's mods research is costly. To support my work, please consider donating. Thank You!
Last edited by Estel; 2012-01-17 at 01:40.
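The device lookup mentioned in the mass-storage section of the first post, written out as an added example. This is not NIN101's script from the thread, nor Estel's or TrueCrypt's own code. It assumes that `truecrypt -l` prints one line per mounted volume in the form `<slot>: <container or partition> <virtual device> <mount point>`, and that mount flags can be read from a /proc/mounts-style table; the sample listing and mount table below are constructed, and the function names are mine. It goes one step beyond the plain lookup: because the "Known flaws" note says the mass-storage side ignores the read-only mount flag, the exporter refuses to print a device for an unmounted volume and warns when the volume is read-only on Maemo but is about to be exported writable.

```shell
#!/bin/sh
# Added example, not the thread's script: resolve the virtual device that
# TrueCrypt created for a mounted container or partition, so it can be handed
# to osso-usb-mass-storage-enable.sh instead of typing the device by hand.
# Assumed format of `truecrypt -l` output (one line per mounted volume):
#   <slot>: <container or partition> <virtual device> <mount point>

# Constructed sample listing, standing in for live `truecrypt -l` output so the
# script can be exercised offline.
SAMPLE_LISTING='1: /home/user/MyDocs/secret.tc /dev/loop0 /media/truecrypt1
2: /dev/mmcblk0p3 /dev/loop1 /media/truecrypt2'

# Constructed sample of /proc/mounts: slot 1 mounted read-only, slot 2 read-write.
SAMPLE_MOUNTS='/dev/loop0 /media/truecrypt1 vfat ro,nosuid,nodev 0 0
/dev/loop1 /media/truecrypt2 vfat rw,nosuid,nodev 0 0'

# _tc_lookup CONTAINER FIELD [LISTING]
# Print column FIELD (3 = virtual device, 4 = mount point) of the listing line
# whose container matches CONTAINER exactly; prints nothing when not mounted.
# An exact match keeps /dev/mmcblk0p3 from matching /dev/mmcblk0p31.
_tc_lookup() {
    listing=${3:-"$(truecrypt -l 2>/dev/null)"}
    printf '%s\n' "$listing" | awk -v c="$1" -v f="$2" '$2 == c { print $f; exit }'
}

# tc_device_for CONTAINER [LISTING]
# Print the virtual device for CONTAINER, or fail (status 1) if it is not mounted.
tc_device_for() {
    dev=$(_tc_lookup "$1" 3 "${2:-}")
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# tc_is_ro MOUNTPOINT [MOUNTS]
# Succeed when MOUNTPOINT carries the "ro" option in a /proc/mounts-style table.
tc_is_ro() {
    mounts=${2:-"$(cat /proc/mounts)"}
    printf '%s\n' "$mounts" | awk -v m="$1" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }'
}

# tc_export_device CONTAINER [LISTING] [MOUNTS]
# Print the device to pass to the mass-storage script. Refuses if the volume is
# not mounted, and warns when Maemo has it read-only, because the mass-storage
# side ignores that flag and will expose the device writable anyway.
tc_export_device() {
    dev=$(tc_device_for "$1" "${2:-}") || {
        printf 'not mounted by TrueCrypt: %s\n' "$1" >&2
        return 1
    }
    mnt=$(_tc_lookup "$1" 4 "${2:-}")
    if tc_is_ro "$mnt" "${3:-}"; then
        printf 'warning: %s is read-only on Maemo, but mass storage will export %s writable\n' \
            "$mnt" "$dev" >&2
    fi
    printf '%s\n' "$dev"
}

# Usage on the device (as root): sh tc-export.sh /home/user/MyDocs/secret.tc
# and pass the printed device to osso-usb-mass-storage-enable.sh.
if [ $# -gt 0 ]; then
    tc_export_device "$1"
fi
```

Run without arguments the script only defines the functions, so it can be sourced from a larger GUI wrapper; the warning goes to stderr so the device path on stdout stays usable in command substitution.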