encfs vs. aegisfs - maemo.org

Active Topics

U-Boot for Nokia RX-51 with BootMenu (updated version 2012.10-rc3-1) (841)
to Alternatives by omniteal@pm.me - 7 hrs, 27 mins ago
List of well performing apps on Leste (34)
to Maemo 7 / Leste by biketool - 18 hrs, 25 mins ago
Maemo repository (5)
to Community by dredlok706 - 2 days, 13 hrs ago
Re-commissioning N9 in 2018 (127)
to MeeGo / Harmattan by smatkovi - 2 days, 16 hrs ago
Porting apps to Leste (41)
to Maemo 7 / Leste by Arno_11 - 3 days, 9 hrs ago
N900 is not recognizable on any of my devices (windows 10,7, xp) What can I do? (1)
to Nokia N900 by nieldk - 4 days, 21 hrs ago
more...

Page 1 of 2

Next >

Thread Tools

juiceme	2012-08-29 , 21:39
Community Council \| Posts: 4,920 \| Thanked: 12,867 times \| Joined on May 2012 @ Southerrn Finland	#1

I have some questions regarding encryption on harmattan filesystem.

Let me first present the scenario I am after here.

Firstly, It is known that when device is in harmattan open mode, the cal-area memory is in read-only state. This causes side-effects like device locking with security code not possible as the code is stored there.

Now, it should be possible to write such a replacement for security locking that stores the locking code (or a hash derived from it) to a normal file, but this led me thinking more about device security.

What I would like to implement is a method of encrypting the whole /home/user directory, in such a way that a passphrase is asked at device boot. Device locking could be then implemented on top of this, using either the same passphrase that is used to decrypt the home directory or simpler security number that is stored on the encrypted home directory.

Accessing the device in USB-mass-memory mode can either present the encryped MyDocs directory (and user could have the same encfs keys on the host computer, decrypting the files transparently) or a specific non-encrypted folder might be presented, leaving user the option to transfer the wanted files there manually.

Security of accessing the device via ssh would be covered, as user has to log in with a password anyway.

I know it should be fairly easy to set up the encrypt/decrypt scripts on device startup, using similar way as nitdroid boot loader does, before any mounts are done on the device.

Now we get to the meat of this posting: I first meant to look into porting encfs to harmattan as I am familiar using it, but then I thought about aegisfs. It is already existing on the device, and it can do encrypting/decrypting on the fly. Probably it is even optimized quite well to run on the limited resources of the device, better than encfs for sure.

But can aegisfs do cryptography similar way as encfs does, so that authentication is done once and then processes with correct real-uid can decrypt the content automatically?

I read the documentation given on Nokia support pages and I can see aegisfs is mainly used to isolate applications from interference to each other and to prevent user from tampering with application data. Authentication is done via certificate system geared up so that device manufacturer has the ultimate decisions on who gets access to what, instead of being in the control of device user.

So, any help is appreciated here, can we make aegisfs to work the way it can be used here, or should we port another layer of cryptography to the device?

Quote & Reply |

The Following User Says Thank You to juiceme For This Useful Post:
DarkSkies

	www.rzr.online.fr	2012-08-29 , 23:19
	Posts: 1,348 \| Thanked: 1,863 times \| Joined on Jan 2009 @ fr/35/rennes	#2

I use encfs from the shell , anyone think about adding a ui or something ?

http://talk.maemo.org/showthread.php...fs#post1241911

__________________
Current obsession:

https://purl.org/rzr/abandonware

Please help to list all maemo existing apps :

https://github.com/abandonware/aband...ment-578143760

https://wiki.maemo.org/Apps#

I am looking for " 4 inch TFT LCD display screen " for Nokia n950 HandSet

http://rzr.online.fr/q/lcd

Also, I need online storage to archive files :

http://db.tt/gn5Qffd6#

https://my.pcloud.com/#page=register...e=g8ikZmcfEJy#

Quote & Reply |

The Following User Says Thank You to www.rzr.online.fr For This Useful Post:
juiceme

juiceme	2012-08-30 , 04:52
Community Council \| Posts: 4,920 \| Thanked: 12,867 times \| Joined on May 2012 @ Southerrn Finland	#3

Have you done any performance measurements on it, how much does it slow down file access?
I will have to download that and see if it could be used for home directory protection.

Quote & Reply |

juiceme	2012-08-30 , 09:04
Community Council \| Posts: 4,920 \| Thanked: 12,867 times \| Joined on May 2012 @ Southerrn Finland	#4

Originally Posted by www.rzr.online.fr

I use encfs from the shell , anyone think about adding a ui or something ?

http://talk.maemo.org/showthread.php...fs#post1241911

Okay, I installed your encfs packages but there is something still amiss. I cannot locate fuse module even as fusermount is installed.
Do I need to get some additonal packeges?

Code:

~ # 
~ # cat > /etc/apt/sources.list.d/home-rzr-harmattan.list
deb http://repo.pub.meego.com/home:/rzr:/harmattan:/testing/MeeGo_1.2_Harmattan_Maemo.org_MeeGo_1.2_Harmattan_standard/ ./
deb http://repo.pub.meego.com/home:/rzr:/harmattan/MeeGo_1.2_Harmattan_Maemo.org_MeeGo_1.2_Harmattan_standard/ ./
deb http://repo.pub.meego.com/home:/rzr:/harmattan/harmattan/ ./
~ # 
~ # apt-get update
Nouda:1 exec:////usr/bin/osa --packages
0% [Avataan yhteys repo.pub.meego.com] [1 exec:////usr/bin/osa --packages 0B]QNetworkReplyImpl::_q_startOperation was called more than once
Löytyi https://downloads.maemo.nokia.com ./ Release.gpg                      
Siv https://downloads.maemo.nokia.com ./ Translation-fi                                        
Siv http://repo.pub.meego.com ./ Release.gpg                                                   
Siv http://repo.pub.meego.com ./ Translation-fi                 
Siv http://repo.pub.meego.com ./ Release.gpg
Siv http://repo.pub.meego.com ./ Translation-fi
Siv http://repo.pub.meego.com ./ Release.gpg
Siv http://repo.pub.meego.com ./ Translation-fi
Löytyi https://downloads.maemo.nokia.com ./ Release.gpg
Nouda:2 http://repo.pub.meego.com ./ Release [509B]             
Nouda:3 http://repo.pub.meego.com ./ Release [517B]             
Nouda:4 http://repo.pub.meego.com ./ Release [367B]
Siv https://downloads.maemo.nokia.com ./ Translation-fi
Nouda:5 http://repo.pub.meego.com ./ Packages [206kB]           
Löytyi https://downloads.maemo.nokia.com ./ Release.gpg           
Siv https://downloads.maemo.nokia.com ./ Translation-fi                 
Löytyi https://downloads.maemo.nokia.com ./ Release                     
Löytyi https://downloads.maemo.nokia.com ./ Release                       
Löytyi https://downloads.maemo.nokia.com ./ Release                       
Siv https://downloads.maemo.nokia.com ./ Packages/DiffIndex                                                                 
Nouda:6 http://repo.pub.meego.com ./ Packages [750kB]                                                                       
Siv https://downloads.maemo.nokia.com ./ Packages/DiffIndex                                                                 
Siv https://downloads.maemo.nokia.com ./ Packages/DiffIndex                                                                 
Löytyi https://downloads.maemo.nokia.com ./ Packages                                                                        
Löytyi https://downloads.maemo.nokia.com ./ Packages                                                                        
Löytyi https://downloads.maemo.nokia.com ./ Packages                                                                        
Nouda:7 http://repo.pub.meego.com ./ Packages [16.0kB]                                                                      
Noudettiin 1,124kt ajassa 10s (103kt/s)                                                                                     
Updating desktop entries... Done
Luetaan pakettiluetteloita... Valmis
~ # 
~ # 
~ # apt-get install encfs
Luetaan pakettiluetteloita... Valmis
Muodostetaan riippuvuussuhteiden puu       
Luetaan tilatiedot... Valmis        
Seuraavat ylimääräiset paketit on merkitty asennettaviksi:
  fuse-utils libboost-filesystem1.42.0 libboost-serialization1.42.0 libboost-system1.42.0 librlog5 meta-harmattan
Ehdotetut paketit:
  mp-harmattan-rm680-pr
Seuraavat UUDET paketit asennetaan:
  encfs fuse-utils libboost-filesystem1.42.0 libboost-serialization1.42.0 libboost-system1.42.0 librlog5 meta-harmattan
0 päivitetty, 7 uutta asennusta, 0 poistettavaa ja 8 päivittämätöntä.
Noudettavaa arkistoa 803kt.
Toiminnon jälkeen käytetään 3,293k t lisää levytilaa.
Haluatko jatkaa [K/e]? k
VAROITUS: Seuraavian pakettien alkuperää ei voi varmistaa!
  libboost-system1.42.0 libboost-filesystem1.42.0 libboost-serialization1.42.0 librlog5 fuse-utils meta-harmattan encfs
Asennetaanko nämä paketit ilman todennusta [y/N]? y
Nouda:1 http://repo.pub.meego.com ./ libboost-system1.42.0 1.42.0-3maemo2+0m6 [30.6kB]
Nouda:2 http://repo.pub.meego.com ./ libboost-filesystem1.42.0 1.42.0-3maemo2+0m6 [53.9kB]
Nouda:3 http://repo.pub.meego.com ./ libboost-serialization1.42.0 1.42.0-3maemo2+0m6 [240kB]
Nouda:4 http://repo.pub.meego.com ./ librlog5 1.4-2.0~rzr1 [26.1kB]
Nouda:5 http://repo.pub.meego.com ./ fuse-utils 2.8.6maemo5+0m7 [18.3kB]
Nouda:6 http://repo.pub.meego.com ./ meta-harmattan 0.0.0-2 [2,418B]
Nouda:7 http://repo.pub.meego.com ./ encfs 1.7.4-2.4 [432kB]
Noudettiin 803kt ajassa 6s (127kt/s)                                                                                        
Selecting previously deselected package libboost-system1.42.0.
(Reading database ... 51413 files and directories currently installed.)
Unpacking libboost-system1.42.0 (from .../libboost-system1.42.0_1.42.0-3maemo2+0m6_armel.deb) ...
Selecting previously deselected package libboost-filesystem1.42.0.
Unpacking libboost-filesystem1.42.0 (from .../libboost-filesystem1.42.0_1.42.0-3maemo2+0m6_armel.deb) ...
Selecting previously deselected package libboost-serialization1.42.0.
Unpacking libboost-serialization1.42.0 (from .../libboost-serialization1.42.0_1.42.0-3maemo2+0m6_armel.deb) ...
Selecting previously deselected package librlog5.
Unpacking librlog5 (from .../librlog5_1.4-2.0~rzr1_armel.deb) ...
Selecting previously deselected package fuse-utils.
Unpacking fuse-utils (from .../fuse-utils_2.8.6maemo5+0m7_armel.deb) ...
Selecting previously deselected package meta-harmattan.
Unpacking meta-harmattan (from .../meta-harmattan_0.0.0-2_armel.deb) ...
Selecting previously deselected package encfs.
Unpacking encfs (from .../encfs_1.7.4-2.4_armel.deb) ...
aegis-installing libboost-system1.42.0 (from '')
aegis-installing libboost-filesystem1.42.0 (from '')
aegis-installing libboost-serialization1.42.0 (from '')
aegis-installing librlog5 (from '')
aegis-installing fuse-utils (from '')
aegis-installing meta-harmattan (from '')
aegis-installing encfs (from '')
Processing triggers for applauncherd-launcher ...
Setting up libboost-system1.42.0 (1.42.0-3maemo2+0m6) ...
Setting up libboost-filesystem1.42.0 (1.42.0-3maemo2+0m6) ...
Setting up libboost-serialization1.42.0 (1.42.0-3maemo2+0m6) ...
Setting up librlog5 (1.4-2.0~rzr1) ...
Setting up fuse-utils (2.8.6maemo5+0m7) ...
Setting up meta-harmattan (0.0.0-2) ...
Setting up encfs (1.7.4-2.4) ...
Updating desktop entries... Done
~ # 
~ # 
~ # exit
~ $ 
~ $ whoami
user
~ $ 
~ $ pwd
/home/user
~ $ 
~ $ 
~ $ mkdir local
~ $ mkdir mnt
~ $ encfs ~/local/encfs ~/mnt/encfs
Hakemistoa "/home/user/local/encfs/" ei ole olemassa. Luodaanko se? (y,n) y
Hakemistoa "/home/user/mnt/encfs" ei ole olemassa. Luodaanko se? (y,n) y
Luodaan uutta salattua taltiota.
Ole hyvä ja valitse yksi seuraavista optioista:
 kirjoita "x" valitaksesi eksperttitilan,
 kirjoita "p" valitaksesi esiasennetun vainoharhaisen tilan,
 mikä tahansa muu merkki tai tyhjä rivi valitsee tavanomaisen tilan.
?> 

Tavanomaiset asetukset valittu.

Kokoonpanon määrittäminen päättyi. Luotiin tiedostojärjestelmä,
jolla on seuraavat ominaisuudet:
Tiedostojärjestelmän salausalgoritmi: "ssl/aes", versio 3:0:2
Tiedostonimen koodaus: "nameio/block", versio 3:0:1
Avainkoko: 192 bittiä
Lohkon koko: 1024 tavua
Jokainen tiedosto sisältää 8-tavuisen otsakkeen uniikilla IV-datalla.
Tiedostonimet koodattu käyttäen IV-ketjutustilaa.
File holes passed through to ciphertext.

Nyt sinun täytyy syöttää salasana tiedostojärjestelmääsi varten.
Sinun tarvitsee muistaa tämä salasana, sillä minkäänlaista
palautusmekanismia ei ole. Salasanan voi kuitenkin vaihtaa
myöhemmin käyttäen encfsctl:ää.

Uusi EncFS-salasana: 
Vahvista EncFS-salasana: 
fuse: failed to open /dev/fuse: Permission denied
fuse epäonnistui. Yleisiä ongelmia:
 - fuse -ydinmoduuli ei ole asennettu (modprobe fuse)
 - epäkelvolliset optiot -- katso käyttöohjeet
~ $ 
~ $ 
~ $ 
~ $ lsmod | grep fuse
~ $ 
~ $ devel-su 
Password: 


BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # 
~ # /sbin/modprobe fuse
FATAL: Module fuse not found.
~ # 
~ # 
~ # find /lib/modules | grep fuse
~ # 
~ # 
~ # apt-get install fuse
Luetaan pakettiluetteloita... Valmis
Muodostetaan riippuvuussuhteiden puu       
Luetaan tilatiedot... Valmis        
Joitakin paketteja ei voitu asentaa. On ehkä vaadittu mahdottomia tai,
jos käytetään epävakaata jakelua, joitain vaadittuja paketteja ei ole
vielä luotu tai siirretty Incoming-kansiosta.
Seuraavista tiedoista voi olla hyötyä selvitettäessä tilannetta:

Näillä paketeilla on tyydyttämättömiä riippuvuuksia:
  fuse: Riippuvuudet: fuse-utils (= 2.8.6-0maemo5+0m7+nmu1~rzr2) mutta 2.8.6maemo5+0m7 on merkitty asennettavaksi
E: Rikkinäiset paketit
~ # 
~ # apt-get install fuse-utils
Luetaan pakettiluetteloita... Valmis
Muodostetaan riippuvuussuhteiden puu       
Luetaan tilatiedot... Valmis        
fuse-utils on jo uusin versio.
fuse-utils on merkitty käyttäjän toimesta asennetuksi.
0 päivitetty, 0 uutta asennusta, 0 poistettavaa ja 8 päivittämätöntä.
~ # 
~ #

Quote & Reply |

	www.rzr.online.fr	2012-08-30 , 09:59
	Posts: 1,348 \| Thanked: 1,863 times \| Joined on Jan 2009 @ fr/35/rennes	#5

FYI, I use openmode kernel

can you

export LANG=C

before pasting

Quote & Reply |

The Following User Says Thank You to www.rzr.online.fr For This Useful Post:
juiceme

DarkSkies	2012-08-30 , 10:06
Posts: 256 \| Thanked: 110 times \| Joined on Jan 2012 @ Europe	#6

This would be an awesome project if it really came true. :thumbsup:

__________________
NOKIA N9 16GB BLACK

Quote & Reply |

juiceme	2012-08-30 , 10:50
Community Council \| Posts: 4,920 \| Thanked: 12,867 times \| Joined on May 2012 @ Southerrn Finland	#7

Originally Posted by www.rzr.online.fr

FYI, I use openmode kernel
can you export LANG=C before pasting

Really sorry for that!!

Anyway, here is the same in english. And, of course I use openmode kernel... I would not except this to work without

Code:

BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ 
~ $ 
~ $ export LANG=C
~ $ 
~ $ 
~ $ 
~ $ pwd
/home/user
~ $ 
~ $ whoami
user
~ $ 
~ $ encfs ~/local/encfs ~/mnt/encfs
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> 

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 
fuse: failed to open /dev/fuse: Permission denied
fuse failed.  Common problems:
 - fuse kernel module not installed (modprobe fuse)
 - invalid options -- see usage message
~ $ 
~ $ 
~ $ devel-su 
Password: 


BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # 
~ # 
~ # /sbin/modprobe fuse
FATAL: Module fuse not found.
~ # 
~ # find /lib/modules/ | grep fuse
~ # 
~ # 
~ # apt-get install fuse
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  fuse: Depends: fuse-utils (= 2.8.6-0maemo5+0m7+nmu1~rzr2) but 2.8.6maemo5+0m7 is to be installed
E: Broken packages
~ # 
~ # 
~ # 
~ # apt-get install fuse-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
fuse-utils is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
~ # 
~ # 
~ # exit
~ $ 
~ $

Quote & Reply |

	www.rzr.online.fr	2012-08-30 , 11:37
	Posts: 1,348 \| Thanked: 1,863 times \| Joined on Jan 2009 @ fr/35/rennes	#8

cat u try again by just using :

cat /etc/apt/sources.list.d/home-rzr-harmattan.list
deb http://repo.pub.meego.com/home:/rzr:...ttan_standard/ ./

my working versions are reported at :

http://rzr.online.fr/q/fuse#

Quote & Reply |

juiceme	2012-08-30 , 12:10
Community Council \| Posts: 4,920 \| Thanked: 12,867 times \| Joined on May 2012 @ Southerrn Finland	#9

Originally Posted by www.rzr.online.fr

cat u try again by just using :

cat /etc/apt/sources.list.d/home-rzr-harmattan.list
deb http://repo.pub.meego.com/home:/rzr:...ttan_standard/ ./

my working versions are reported at :

http://rzr.online.fr/q/fuse#

OK, tried it, but no help there...:

Code:

~ # 
~ # cat /etc/apt/sources.list.d/home-rzr-harmattan.list
deb http://repo.pub.meego.com/home:/rzr:/harmattan:/testing/MeeGo_1.2_Harmattan_Maemo.org_MeeGo_1.2_Harmattan_standard/ ./
~ # 
~ # 
~ # apt-get update
Get:1 exec:////usr/bin/osa --packages
0% [Connecting to repo.pub.meego.com] [1 exec:////usr/bin/osa --packages 0B]QNetworkReplyImpl::_q_startOperation was called more than once
Hit https://downloads.maemo.nokia.com ./ Release.gpg                                          
Hit https://downloads.maemo.nokia.com ./ Release.gpg                                          
Hit https://downloads.maemo.nokia.com ./ Release.gpg            
Ign http://repo.pub.meego.com ./ Release.gpg                    
Hit https://downloads.maemo.nokia.com ./ Release                
Hit https://downloads.maemo.nokia.com ./ Release                
Hit https://downloads.maemo.nokia.com ./ Release                                    
Hit http://repo.pub.meego.com ./ Release                                            
Ign https://downloads.maemo.nokia.com ./ Packages/DiffIndex                         
Ign http://repo.pub.meego.com ./ Packages/DiffIndex                                 
Hit https://downloads.maemo.nokia.com ./ Packages               
Hit http://repo.pub.meego.com ./ Packages                       
Ign https://downloads.maemo.nokia.com ./ Packages/DiffIndex     
Ign https://downloads.maemo.nokia.com ./ Packages/DiffIndex
Hit https://downloads.maemo.nokia.com ./ Packages
Hit https://downloads.maemo.nokia.com ./ Packages
Fetched 150kB in 5s (27.6kB/s)
Updating desktop entries... Done
Reading package lists... Done
~ # 
~ # apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages have been kept back:
  lzop
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
~ # 
~ # apt-get purge encfs
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libboost-serialization1.42.0 librlog5 meta-harmattan libboost-filesystem1.42.0 libboost-system1.42.0
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  encfs*
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 1901kB disk space will be freed.
Do you want to continue [Y/n]? y
(Reading database ... 51539 files and directories currently installed.)
Removing encfs ...
Processing triggers for applauncherd-launcher ...
aegis uninstalling encfs
Updating desktop entries... Done
~ # 
~ # apt-get install encfs fuse
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting meta-harmattan instead of fuse
meta-harmattan is already the newest version.
The following NEW packages will be installed:
  encfs
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 0B/432kB of archives.
After this operation, 1901kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  encfs
Install these packages without verification [y/N]? y
Selecting previously deselected package encfs.
(Reading database ... 51452 files and directories currently installed.)
Unpacking encfs (from .../encfs_1.7.4-2.4_armel.deb) ...
aegis-installing encfs (from '')
Processing triggers for applauncherd-launcher ...
Setting up encfs (1.7.4-2.4) ...
Updating desktop entries... Done
~ # 
~ # 
~ # lsmod | grep fuse
~ # 
~ # find /lib/modules | grep fuse
~ # 
~ #