Page 1 of 2 1 2
Reply
Thread Tools
hawaii's Avatar
hawaii is offline hawaii
2011-03-02 , 04:19
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#1
I will soon have another N900 to play with (thanks to the amazing folks I meet on the internet) and plan on getting a complete filesystem encryption set up. It will be very similar to this post http://talk.maemo.org/showpost.php?p...0&postcount=36

Any pointers, concerns or talk about it can go here.

Thanks!
 

The Following 2 Users Say Thank You to hawaii For This Useful Post:
Hurrian is offline Hurrian
2011-03-02 , 09:43
Posts: 1,225 | Thanked: 1,905 times | Joined on Feb 2011 @ Quezon City, Philippines
#2
(after encryption, at start-up you will get a message stating "unsupported filesystem" and the /dev/mmcblk0p1 will not be mounted)

This is in no way at all plausible deniability. It's a phone, which should mean you have personal data on it.

At the very least, it should have photos,fake contacts and a browser history on it.

IMO:
Xbox huge /home folder
Inside it, a relatively small loopmounted Truecrypt container/partition. ~/MyDocs is loopmounted, unencrypted vfat.
To mount the thing, you run a seekrit bash script that waits for a certain sequence of hardware commands from dbus (think opening/closing the ALS, slider, camera slider, battery cover)

Note: An empty device (no contacts and photos) does not make sense when you have 2 GB free space ;P
 
lohner is offline lohner
2011-05-17 , 16:13
Posts: 49 | Thanked: 39 times | Joined on May 2011
#3
Inspired by the post the thread-starter referred to (click), I tried this myself, slightly different:
  • compiled latest truecrypt (version 7) from source (thanks to this)
  • added kernel crypto support (thanks to this)
  • created a truecrypt container, encrypted with the twofish cipher (it was the fastest in the truecrypt benchmark on my N900) on a fast Linux box
  • created a loop file inside the truecrypt file to be mounted as MyDocs
  • using the awesome Backupmenu, I created a backup of my N900, then resized the /home partition to almost 30 GB, shrinking the MyDocs partition to several MBytes. The swap was left untoched. I did all this with Backupmenu's USB-Functions on a Linux box with gparted. It is important to have the same partition order as the original maemo to avoid error messages at startup.
  • put all files from my Backup into the MyDocs loop file and the truecrypt container
  • copied it over to /home directory on maemo
  • now I am still working on a perfect mount script to be run at startup (see below)

Modified script from here:
Code:
#!/bin/sh
echo umount
killall maemo-xinput-sounds
killall temp-reaper
umount /home/user/MyDocs
echo truecrypt
modprobe xts
modprobe lrw
truecrypt -m=timestamp --filesystem=none /home/.user.tc
mount -t ext4 -o rw,noatime,commit=1,data=writeback /dev/mapper/truecrypt1 /home/user
#if i don't mount it like this, it takes too long to mount
losetup /dev/loop5 /home/user/.MyDocs.container
mount /dev/loop5 /home/user/MyDocs
#workaround to be able to "see" the MyDocs folder using the #filemanager.
truecrypt -t -l
echo "ctrl-c to abort...."
sleep 5
#restart the daemon that manages IM user accounts (and maybe #e-mail accounts?)
echo "signond"
killall signond
sleep 2

#restart the messaging services, to re-read messaging accounts
echo "trackerd"
killall trackerd
echo "tracker-indexer"
killall tracker-indexer
echo "browserd"
killall browser browserd
echo "mission-control"
killall mission-control
echo "rtcom-messaging-ui"
killall rtcom-messaging-ui
echo "rtcom-call-ui"
killall rtcom-call-ui
echo "rtcom-accounts-ui"
killall rtcom-accounts-ui
echo "osso-addressbook"
killall osso-addressbook
echo "hildon-thumbnailerd"
killall hildon-thumbnailerd
echo "osso-connectivity-ui-conndlgs"
killall osso-connectivity-ui-conndlgs
echo "clipboard-manager"
killall clipboard-manager
echo "profiled"
killall profiled

echo "sleep 10"
sleep 10
echo "hildon-desktop"
killall hildon-desktop
echo "sleep 15"
sleep 15
echo "hildon-home"
killall hildon-home
sleep 2
echo "hildon-status-menu"
killall hildon-status-menu
echo "systemui"
killall systemui
#restart the better part of hildon, to re-read desktop, calendar, #shortcuts, etc from the new /home/user encrypted partition.
The excessive sleep commands are used because I sometimes ran into reboots without them. But clearly they are to be optimized (far too many, far too long now).

ISSUES:
  • Filesystems are not clean (not unmounted properly) on reboot. Especially when pressing the power button. Using the halt command seems to do less harm (still need to verify this)
  • Sometimes silent mode does not work
  • Some settings (browser, desktop bookmarks, number of desktops, language, ...) depend on the primordial home directory. Some of these issues may be resolvable, some (e.g. language settings) not.
  • slightly slower program startup (e.g. messaging application)
  • battery lifetime not much different, maybe a little less

for reference, the last entries of my mounted filesystems list:
Code:
/dev/mmcblk1p1 on /media/mmc1 type vfat (rw,noauto,nodev,noexec,nosuid,noatime,nodiratime,utf8,uid=29999,shortname=mixed,dmask=000,fmask=0133,rodir)
truecrypt on /tmp/.truecrypt_aux_mnt1 type fuse.truecrypt (no-canonicalize,rw,nosuid,nodev,allow_other)
/dev/mapper/truecrypt1 on /home/user type ext4 (rw,noatime,commit=1,data=writeback)
/dev/loop5 on /home/user/MyDocs type ext4 (0)
TODO:
  • finish the mount script
  • resolve most of the issues, especially the clean shutdown issue
  • format /home ext4
  • eventually encrypt swap too
  • do it all with dm-crypt

By the way, using the N900 as an encrypted USB device (like suggested here) automatically works this way.

Please try it, ask if you need help and post your experiences and issues.
And please don't forget a proper backup, since you are likely to brick everything on your first try.
Last edited by lohner; 2011-05-17 at 19:21. Reason: dm-crypt post added
 

The Following User Says Thank You to lohner For This Useful Post:
NIN101 is offline NIN101
2011-07-14 , 17:21
Posts: 115 | Thanked: 342 times | Joined on Dec 2010
#4
Hi,

I managed to encrypt the home partition (mmcblk0p2) with LUKS. No need for tricks with MyDocs containers or kill's, symlinks etc. Obviously, not recommended for endusers. It works very well for me.
http://n900.quitesimple.org/crypto/encrypted_home/

This with an encrypted MyDocs partition is practically the closest you can get to "Complete Filesystem Encryption". At least it covers everything important.
Last edited by NIN101; 2014-08-06 at 20:15. Reason: Updated link to working location
 

The Following 5 Users Say Thank You to NIN101 For This Useful Post:
lkravovicz's Avatar
lkravovicz is offline lkravovicz
2011-07-15 , 04:54
Posts: 132 | Thanked: 148 times | Joined on Mar 2007 @ Tallinn, Estonia
#5
ok i was also enquiring about LUKS a while ago http://talk.maemo.org/showthread.php?t=64479.

perhaps set up a github repo for your stuffs? i'm sure your script could be iteratively community-developed for a smoother process.
 
Hurrian is offline Hurrian
2011-07-15 , 22:26
Posts: 1,225 | Thanked: 1,905 times | Joined on Feb 2011 @ Quezon City, Philippines
#6
hmm, we might be able to encrypt rootfs too if we used an initramfs (initfs mtd partition) to set up encryption and key storage.
__________________
N9 PR 1.3 Open Mode + kernel-plus for Harmattan
@kenweknot, working on Glacier for Nemo.
 
lkravovicz's Avatar
lkravovicz is offline lkravovicz
2011-07-16 , 06:57
Posts: 132 | Thanked: 148 times | Joined on Mar 2007 @ Tallinn, Estonia
#7
the only way it makes sense to me is to have an external token for the key. either something yubikey style for überlong password or keyfile on usb stick.
 

The Following User Says Thank You to lkravovicz For This Useful Post:
metawishmaster is offline metawishmaster
2011-07-23 , 10:43
Posts: 31 | Thanked: 10 times | Joined on Apr 2011
#8
I've finished encryption with passphrase, and smart-card support is almost finished.

p.s. week or two left
it will be bootmenu entry
Last edited by metawishmaster; 2011-07-23 at 15:10.
 

The Following 3 Users Say Thank You to metawishmaster For This Useful Post:
metawishmaster is offline metawishmaster
2011-09-22 , 09:37
Posts: 31 | Thanked: 10 times | Joined on Apr 2011
#9
This may be not be what you need, but it can deal with smart cards:
http://talk.maemo.org/showthread.php?t=77443
 

The Following User Says Thank You to metawishmaster For This Useful Post:
momcilo is offline momcilo
2011-09-22 , 09:43
Posts: 673 | Thanked: 856 times | Joined on Mar 2006
#10
Originally Posted by lkravovicz View Post
the only way it makes sense to me is to have an external token for the key. either something yubikey style for überlong password or keyfile on usb stick.
In general passwords have low entropy. Longer passwords will prolong the cryptanalysis, but that will not solve the issue.

Until I've discovered the MSSF, I was very interested in N9 since NFC chip is essentially smart card reader.
__________________
http://gpl-violations.org/faq/violation-faq.html
 
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 16:32.

Contact Us - Home - Archive - Top