Notices

You are doing everything at own risk if you follow the instructions.

Kernel Crypto
Without crypto modules, TC will be probably slower and you have to mount with truecrypt -m nokernelcrypto. AES and Twofish with the block cipher mode XTS are supported by power kernel v48 out of the box.

If you want kernel crypto for older versions, take a look at this page.

Precompiled
Available in extras-devel

Compilation in scratchbox
Verification of the downloaded packages is up to you.

Setup scratchbox as described here http://wiki.maemo.org/Documentation/...l_Installation
Log in and choose the ARM target.

Add these two friends to /etc/apt/sources.list
Get the truecrypt source, unpack it and copy it to scratchbox (usually accessible through the symlink $USER/Desktop/sbhome)


copy truecrypt-7.0a-source/Main/truecrypt to /usr/bin/truecrypt on your N900

You may need to add the extra* repos to apt for this.





If you don't want to use kernel crypto, you have to mount it with something like this: truecrypt -m nokernelcrypto [disk/container] [mountpoint]. Otherwise you will have some errors.

Security Tips
Password leaks
If the auto complete function of maemo is enabled, most of the passwords entered to a GUI will be saved into a database. Turn this feature off before using TC. Database path: /home/user/.osso/dictionaries/.personal.dictionary.

Protection when mounted
There is of course no protection when your device is turned on and the partition or file container mounted. If someone steals your phone, your tc protected files will become accessible. To prevent this, you can enable the lock code. This should be secure unless your attacker has SSH access or something similar to that.

Swap
See some paragraphs below.

Issues

GUI does not fit. To fix this, we can deactivate the Maemo Theme for tc:


Autostart Script


/etc/event.d/truecrypt
/usr/bin/tcmount
chmod u+x /usr/bin/tcmount

This will mount the volumes you want on hildon start up. The known dialog("Enter password for...") will ask you to enter your password and to provide the keys etc.



Protection of private data in /home/user/
The following steps are very messy. A better solution - but harder - is the encryption of the /home/ partition. check this

If the partition or the file container which contains these things is not mounted, you can't use your crypted data and this will result in some error messages. And again, you are doing it at your own risk and only you are responsible for data loss.

So, mount your TC volume.

Please keep in mind that the following steps are not recommended/possible if you are using FAT thanks to user permissions and stuff like that which fat can not handle the way traditional linux filesystems do.

a) Moving phonebook
This will move your phone book. Symbolic links will point to the path in your encrypted volume. However, this is just a "mv", which means, no secure delete will occur on the source directories.
b) Moving SMS
chown user -R [tcvolume]/.rtcom-eventlogger

The same principle can be adapted to other directories, for example .mozilla.



Swap encryption
Unencrypted parts can remain in the swap partition. We should deal with that. Please make sure that you have the tools and the kernel modules!
Encryption of the Swap-Partition

1. cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3.
2. Open /etc/event.d/rcS-late
3. Find "swapon -a"
4. Replace it with:
/dev/urandom is the key file. Obviously, with every reboot a new key will be used.
It's recommended to test it first without editing the bootscripts.

General tips
FAT
If you want to write to FAT volumes as user, read this (--fs-options).

ext performance
For ext volumes, the following options are recommended.

Those options give you some significant performance increase (especially noticeable in the media player, no lags anymore).

root user
To avoid multiple issues (e. g. setting device mappings and mounting), run tc as root.

Great post, I'm trying to get full system encryption to work without any major issues. If that's not possible, I will use your softlink method instead. If anyone is interested in sharing their experiences, please do so in this thread.

truecrypt gui just doesn't fit on the screen, better to build without

couldn't actually build without gui, wxWidgets decency hell

nevertheless, I can't mount a volume, any idea what is wrong?
UPD: container was broken, recreated and and it worked fine

Hey there,
great tutorial. After six hours of trying I finally got it working. Wouldn't it be possible to load the compiled Trucrypt7.0a into extra-devel? It would safe a lot of time, since the newest desktop-version is Truecrypt7.0a and you need the same version for encrypt MyDocs via the PC. Anyway I got the following problem:
I mount my encrypted MyDocs like this
If mounted like this right at the start of the hildon-desktop (with the help of your script) I'm not able to accsess MyDocs as the normal user, only as root. If mounted afterwards via the terminal I could enter MyDocs without any problems. Hope you could help me and thanks a lot again!
Cheers blck

EDIT: Got it! Adding --fs-options=rw,uid=29999 to the tcmount did it.

But only if the maemo theme is used by TrueCrypt. I once started it somehow without, so it looked like a normal GTK application. Still not sure if some parts of the GUI would be more useable with that. Anyway, I'm using the GUI mostly for the mounting like in the screenshot because the rest can often be easier achieved with the CLI.

Edit:
:~# unset GTK2_RC_FILES
:~# truecrypt

Screenshots:
http://img7.imagebanana.com/img/px4n...0625134520.png

http://www.imagebanana.com/view/kegr...0625134600.png

It is useable.



Yep the building process depends on wxWidgets anyway, even if you only want to build a command line version.

Yes I probably could do that once I get my N900 back from repairment.

Good point. Especially needed if the filesystem of the volume you are mounting is FAT, as the Unix file permission concept does not apply to it, so you could'nt make it work with a simple chown.

Boom. Now that v48 is out we finally got the xts block cipher mode kernel module coming with the kernel. This (should) give faster performance for disk encryption software like TrueCrypt, which uses XTS by default. Version 6* which is in the repos is now actually obsolete (it's hardcoded with -m nokernelcrypto).

<Estel cast thread resurrection sign> *boom*

NIN101, any chances of putting latest truecrypt into maemo repos? It's a little shame, that we still got hardcoded -nokernelcrypto version in -devel. Anyway, thanks for doing 7.1, whenever it sits

Also, please remember, that You don't need to be maintainer, to upload new version into -devel.

/Estel

I considered months ago to package it, even created debs, but I finally didn't upload the stuff to extras-devel. Because I have no motivation to deal with problems like kernel fragmentation¹. Of course, we could depend on kernel-power. But it's not that cool to force kernels. Users who install KP should manage to do a cp to /usr/bin or compile it (the best way). Modules for most known kernels could be shipped with some postinstall magic - but this is not exactly brilliant. A wrapper script with a fallback to -m nokernelcrypto if the needed modules are not found is cool, but... dunno.

Pretty annoying starting situation

It is if you make is a separate package. ( eg. kp-truecrypt)