TrueCrypt 7 with GUI and kernel crypto
You are doing everything at your own risk if you follow the instructions.

Kernel Crypto
Without crypto modules, TC will probably be slower and you have to mount with truecrypt -m nokernelcrypto. AES and Twofish with the block cipher mode XTS are supported by power kernel v48 out of the box. If you want kernel crypto for older versions, take a look at this page.

Precompiled
Available in extras-devel

Compilation in scratchbox
Verification of the downloaded packages is up to you.
Set up scratchbox as described here: http://wiki.maemo.org/Documentation/...l_Installation
Log in and choose the ARM target.
Add these two friends to /etc/apt/sources.list
Code:
deb http://repository.maemo.org/extras/ fremantle-1.3 free non-free
Code:
apt-get update ; apt-get install g++ nasm make libwxgtk2.8-dev libwxgtk2.8-0 libfuse-dev libfuse2 pkg-config
Code:
cd truecrypt-7.0a-source
Copy truecrypt-7.0a-source/Main/truecrypt to /usr/bin/truecrypt on your N900.
Code:
apt-get install libwxgtk2.8-0 libfuse2 dmsetup
(on your N900)
If you don't want to use kernel crypto, you have to mount it with something like this: truecrypt -m nokernelcrypto [disk/container] [mountpoint]. Otherwise you will have some errors.

Security Tips
Password leaks
If the auto complete function of maemo is enabled, most of the passwords entered into a GUI will be saved into a database. Turn this feature off before using TC. Database path: /home/user/.osso/dictionaries/.personal.dictionary.

Protection when mounted
There is of course no protection when your device is turned on and the partition or file container mounted. If someone steals your phone, your tc protected files will become accessible. To prevent this, you can enable the lock code. This should be secure unless your attacker has SSH access or something similar to that.

Swap
See some paragraphs below.

Issues
GUI does not fit. To fix this, we can deactivate the Maemo Theme for tc:
Code:
:~# unset GTK2_RC_FILES

Autostart Script
http://img5.imagebanana.com/img/2q6e...0115212646.png
/etc/event.d/truecrypt
This will mount the volumes you want on hildon start up. The known dialog ("Enter password for...") will ask you to enter your password and to provide the keys etc.

Protection of private data in /home/user/
The following steps are very messy. A better solution - but harder - is the encryption of the /home/ partition. check this
If the partition or the file container which contains these things is not mounted, you can't use your crypted data and this will result in some error messages. And again, you are doing it at your own risk and only you are responsible for data loss.
So, mount your TC volume. Please keep in mind that the following steps are not recommended/possible if you are using FAT thanks to user permissions and stuff like that which fat can not handle the way traditional linux filesystems do.

a) Moving phonebook
This will move your phone book. Symbolic links will point to the path in your encrypted volume. However, this is just a "mv", which means, no secure delete will occur on the source directories.
Code:
cd /home/user/
Code:
cd /home/user
The same principle can be adapted to other directories, for example .mozilla.

Swap encryption
Unencrypted parts can remain in the swap partition. We should deal with that. Please make sure that you have the tools and the kernel modules!

Encryption of the Swap-Partition
1. cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3.
2. Open /etc/event.d/rcS-late
3. Find "swapon -a"
4. Replace it with:
Code:
modprobe dm_crypt
It's recommended to test it first without editing the bootscripts.

General tips
FAT
If you want to write to FAT volumes as user, read this (--fs-options).

ext performance
For ext volumes, the following options are recommended.
Code:
truecrypt [source] [mountpoint] --fs-options=noatime,nodiratime,data=writeback

root user
To avoid multiple issues (e. g. setting device mappings and mounting), run tc as root.
Re: [HOWTO]TrueCrypt with GUI and kernel crypto
Great post, I'm trying to get full system encryption to work without any major issues. If that's not possible, I will use your softlink method instead. If anyone is interested in sharing their experiences, please do so in this thread.
Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
truecrypt gui just doesn't fit on the screen, better to build without
Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
couldn't actually build without gui, wxWidgets decency hell
nevertheless, I can't mount a volume, any idea what is wrong?
Code:
Nokia-N900:/home/user/MyDocs# truecrypt -t test.tc
Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
Hey there,
great tutorial. After six hours of trying I finally got it working. Wouldn't it be possible to load the compiled TrueCrypt 7.0a into extras-devel? It would save a lot of time, since the newest desktop version is TrueCrypt 7.0a and you need the same version to encrypt MyDocs via the PC. Anyway I got the following problem: I mount my encrypted MyDocs like this
Code:
truecrypt -m nokernelcrypto --protect-hidden=no /dev/mmcblk0p1 /home/user/MyDocs
Cheers blck
EDIT: Got it! Adding --fs-options=rw,uid=29999 to the tcmount did it.
Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
Edit:
:~# unset GTK2_RC_FILES
:~# truecrypt
Screenshots: http://img7.imagebanana.com/img/px4n...0625134520.png http://www.imagebanana.com/view/kegr...0625134600.png
It is useable.
Re: TrueCrypt 7 with GUI and kernel crypto
Boom. Now that v48 is out we finally got the xts block cipher mode kernel module coming with the kernel. This (should) give faster performance for disk encryption software like TrueCrypt, which uses XTS by default. Version 6* which is in the repos is now actually obsolete (it's hardcoded with -m nokernelcrypto).
Re: TrueCrypt 7 with GUI and kernel crypto
<Estel cast thread resurrection sign> *boom*
NIN101, any chances of putting latest truecrypt into maemo repos? It's a little shame, that we still got hardcoded -nokernelcrypto version in -devel. Anyway, thanks for doing 7.1, whenever it sits ;) Also, please remember, that You don't need to be maintainer, to upload new version into -devel.
/Estel
Re: TrueCrypt 7 with GUI and kernel crypto
I considered months ago to package it, even created debs, but I finally didn't upload the stuff to extras-devel. Because I have no motivation to deal with problems like kernel fragmentation¹. Of course, we could depend on kernel-power. But it's not that cool to force kernels. Users who install KP should manage to do a cp to /usr/bin or compile it (the best way). Modules for most known kernels could be shipped with some postinstall magic - but this is not exactly brilliant. A wrapper script with a fallback to -m nokernelcrypto if the needed modules are not found is cool, but... dunno.
Pretty annoying starting situation
Re: TrueCrypt 7 with GUI and kernel crypto
+1 for above. Also, it's better to have version depending on kp, than version with -nokernelcrypto hardcoded - it's even less fun, than forcing kernels ;)
Not to mention, that average (even power-) user can miss this thread, while it's not likely to miss package in repositories. At least my order for getting this is:
1) search repos, read package dates, changelogs, descriptions etc
2) IF 1) fail, search wiki, OR if plethora of competing packages found, do the same.
3) if 2) fails, search forum.
Also, if by any case, Your website with precompiled debs get down (You hit by a bus and no one to pay bills, or "they" taking it down), community still get repos version.
/Estel
Re: TrueCrypt 7 with GUI and kernel crypto
The only way is to delete the file and then overwrite the whole free space with zeroes. Not with random numbers, as zeroed memory blocks are usually faster when being written to.
Re: TrueCrypt 7 with GUI and kernel crypto
Uff. Sigh. The license. This is the reason why Debian, Ubuntu, Fedora etc. do not package it. The web is full of debates about the supercool license and its restrictions. Clearly, it isn't cool. Otoh, for example, arch linux has it.
To put that aside I just created a new package here. It won't depend on kernel power or anything, but instead use a wrapper script which checks if the kernel has the xts module available. If not, it will start tc with -m nokernelcrypto. That simple. Will upload it in the coming weeks once the license concerns disappear (IANAL).
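One way the wrapper described in the posts above could make its decision, as an added example that is not NIN101's packaged script: it emits -m nokernelcrypto unless both dm_crypt and xts are usable on the running kernel. The function names, the extra dm_crypt check and the /usr/bin/truecrypt.bin path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the packaged wrapper. File locations are parameters so the
# decision can be checked against constructed files as well as the live system.

# kmod_present NAME MODULES_DIR PROC_MODULES
# True if module NAME is loaded or shipped as a .ko for this kernel.
kmod_present() {
    name=$(printf '%s' "$1" | sed 's/-/_/g')           # /proc/modules uses "_"
    file_pat=$(printf '%s' "$name" | sed 's/_/[-_]/g') # file may be dm-crypt.ko
    if [ -r "$3" ] && grep -q "^$name " "$3"; then
        return 0
    fi
    [ -d "$2" ] || return 1
    [ -n "$(find "$2" -name "${file_pat}.ko*" 2>/dev/null | head -n 1)" ]
}

# xts_registered PROC_CRYPTO
# True if an xts(...) instance such as "name : xts(aes)" is already registered.
# A built-in XTS that has not been used yet is not listed; the wrapper then
# falls back to the slower userspace path, which still mounts.
xts_registered() {
    [ -r "$1" ] && grep -Eq '^name[[:space:]]*:[[:space:]]*xts\(' "$1"
}

# tc_mode_args MODULES_DIR PROC_MODULES PROC_CRYPTO
# Prints the extra truecrypt arguments; empty output means kernel crypto.
tc_mode_args() {
    if kmod_present dm_crypt "$1" "$2" &&
       { kmod_present xts "$1" "$2" || xts_registered "$3"; }; then
        return 0
    fi
    printf '%s\n' '-m nokernelcrypto'
}

# Live use (hypothetical path for the real binary, left commented out):
# exec /usr/bin/truecrypt.bin \
#     $(tc_mode_args "/lib/modules/$(uname -r)" /proc/modules /proc/crypto) "$@"
```

Erring toward -m nokernelcrypto costs speed only, while wrongly choosing kernel crypto produces a failed device-mapper table load.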
Re: TrueCrypt 7 with GUI and kernel crypto
Hi! Is it possible to mount for example external hard disks entirely encrypted? I've installed USB hostmode, but the hard disk is not recognized.
Re: TrueCrypt 7 with GUI and kernel crypto
Sounds like a hostmode/udev/driver/kernel/whatever problem, not related to TrueCrypt.
Besides that, the answer is probably: yes.
Re: TrueCrypt 7 with GUI and kernel crypto
NIN101, not demanding anything, but what about packaging latest TrueCrypt and putting it into repos? I know one can do it manually, but when you declared that you're going to do it, I decided to wait... ;)
/Estel
Re: TrueCrypt 7 with GUI and kernel crypto
I said I will package it. Done (based on the previous package). And now you are going to upload it to the repo with your details, because you are the one wanting it there so much. Deal? :P
Re: TrueCrypt 7 with GUI and kernel crypto
I'll try, but uploading pre-built packages with autobuilder (sounds like an oxy*****, I'm not sure if it's even possible) is out of my scope. I'll check if it's possible via dput and public key. Don't blame me if it results in a version that eats Your device, though ;)
AFAIK, if You have code and build environment on Your machine, it's all a matter of creating a debian .control file, then autobuilder will swallow it. Unfortunately, I don't have build environment (promising myself, that one day, I'm going to prepare one), as I'm not coder, which I mentioned many times in the past.
/Estel
// Edit
I think I know how to upload it to extras with less possible hassle included. Can you provide here Debian-compliant (=Maemo-compliant = exactly same You used to build package)...
Code:
<truecrypt_version>.tar.gz
then, I'll try to upload them via my garage account. If it succeeds, we would only need to make You maintainer of this package, or it won't be able to go out of -devel.
Re: TrueCrypt 7 with GUI and kernel crypto
TrueCrypt 7.1 is available in extras-devel:
http://talk.maemo.org/showthread.php?t=81435
Re: TrueCrypt 7 with GUI and kernel crypto
kill `pgrep -f ".*rtcom-messaging-ui.*"`
to kill all old processes (if you don't do that, you will have to restart before you can see the conversations). The problem I find is that I cannot do the same for the contacts application - moving it to the encrypted drive causes a problem - the integration with the Instant Messaging statuses will not work and you will get error messages. Anyone got this solved? Thanks.
Re: TrueCrypt 7 with GUI and kernel crypto
Did not use it until now (but am going to...).
Did I understand right? It is about the addressbook not showing the contacts? Or not showing the current status of IM partners (away, offline,...)
Either way I would go with a
killall osso-addressbook
or
kill `pgrep /usr/bin/osso-addressbook`
Try this first, then:
What also may be needed is to "restart" the telepathy processes like
~# ps |grep telepathy
 1278 user 4688 S /usr/lib/telepathy/telepathy-ring
 2331 user 16892 S /usr/lib/telepathy/telepathy-haze
 2334 user 7472 S /usr/lib/telepathy/telepathy-sofiasip
afaik: sofiasip is for sip/voip accounts, haze (and others) for IM. Output may look different depending on installed extensions.
You may go one by one (preferred, pls post back result) with a
killall telepathy-...
or all together
kill `pgrep telepathy-*`
kill `pgrep -f
Re: TrueCrypt 7 with GUI and kernel crypto
Well, the original scenario I had:
1. Disconnected secured drive
2. Run "Contacts" -> no contacts (as expected)
3. Connect secured drive
4. Run "Contacts" -> still no contacts shown
I then used the following between 3 and 4:
kill `pgrep /usr/bin/osso-addressbook`
kill `pgrep telepathy-*`
I checked that all these processes changed process ids to make sure they were killed. After these steps - starting the "Contacts" application shows all the contacts, but not the statuses of the IM accounts (I'm logged in to them of course) and you cannot send IM messages because you are getting "Unable to perform operation - internal error" message if you try to. Anything else should be restarted?
Encrypted contacts is a very nice ability I would like to use. Other than that this secured drive is a great second protection for my already encrypted Password safe data file.
Thanks for the help :)
Re: TrueCrypt 7 with GUI and kernel crypto
I'm pretty sure, that all of this can be achieved by bootup or contextual scripts (that automatically restart corresponding services after mounting encrypted partition/container). However, as for IM bug, we must wait for NIN101 answer - he's specialist of such trick.
Sorry for not being able to help on that.
Re: TrueCrypt 7 with GUI and kernel crypto
Of course you did kill rtcom-call-ui also?
There is another candidate to be killed/restarted
rtcom-messaging-ui
And maybe (just guessing from here)
osso-connectivity-ui-conndlgs
If not, try to find out with
ps | grep xxx
to find any processes maybe related to that part.
Sorry, that's all I can do for you.
Re: TrueCrypt 7 with GUI and kernel crypto
There is another issue I'm facing now:
I'm running the truecrypt mount command with root user and when I start an application like "photos" it has no access to the mounted drive (because it is run with the "user" user). What is the best way to solve this? Of course I can change the shortcuts to be run with "root" but I would like to avoid that.
Re: TrueCrypt 7 with GUI and kernel crypto
I get that when flash storage first got made there was a reason to let the storage medium do **** like that, since OSs didn't come with support for that kind of stuff, but at this point there's no good reason to not give that kind of raw control to the OS itself.
Re: TrueCrypt 7 with GUI and kernel crypto
If extX filesystem, set them with chown etc..
--
Regarding the symlink method: It's indeed a pain and not convenient. Maybe this super killall party can help you; permission problems?
Re: TrueCrypt 7 with GUI and kernel crypto
What do you mean by super killall? :) (the link you added was for the FAT FS issue - probably by mistake?)
Re: TrueCrypt 7 with GUI and kernel crypto
Yes, wrong link. Wanted to link to this
Re: TrueCrypt 7 with GUI and kernel crypto
Ok... then I'll try later with a pendrive entirely encrypted and see if it's recognized and it's possible to mount it and post here.
Re: TrueCrypt 7 with GUI and kernel crypto
Ok... I encrypted a pendrive partition, connected to N900, mounted with H-E-N, but, when I try to mount the partition with TrueCrypt, I get this error:
device-mapper: reload ioctl failed: Invalid argument
Command failed
Anyone knows what it means?
Re: TrueCrypt 7 with GUI and kernel crypto
Ok... here you go! I selected the messages which should be related to the problem
[ 3408.497833] usb-storage: device scan complete
[ 3408.500610] scsi 0:0:0:0: Direct-Access DIKOM USB Flash Drive 0.00 PQ: 0 ANSI: 2
[ 3408.518798] sd 0:0:0:0: [sda] 1967616 512-byte hardware sectors: (1.00 GB/960 MiB)
[ 3408.519775] sd 0:0:0:0: [sda] Write Protect is off
[ 3408.519805] sd 0:0:0:0: [sda] Mode Sense: 00 00 00 00
[ 3408.519836] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 3408.527374] sd 0:0:0:0: [sda] 1967616 512-byte hardware sectors: (1.00 GB/960 MiB)
[ 3408.528259] sd 0:0:0:0: [sda] Write Protect is off
[ 3408.528320] sd 0:0:0:0: [sda] Mode Sense: 00 00 00 00
[ 3408.528350] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 3408.528381] sda: sda1
[ 3408.593353] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 3428.436492] NTFS driver 2.1.29 [Flags: R/O MODULE].
[ 3428.556427] NTFS-fs warning (device sda1): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
[ 3437.301910] slide (GPIO 71) is now open
[ 3496.448699] device-mapper: ioctl: 4.14.0-ioctl (2008-04-23) initialised: dm-devel@redhat.com
[ 3496.643524] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
[ 3496.643554] device-mapper: ioctl: error adding target to table
Re: TrueCrypt 7 with GUI and kernel crypto
What version of power kernel are you running? (if < v48, it's likely the xts problem, which means you didn't read the initial post...). Are you using the newest TrueCrypt version from extras-devel? With what cipher is this volume encrypted?
Re: TrueCrypt 7 with GUI and kernel crypto
I've installed this kernel:
http://maemo.org/packages/package_in...settings/0.11/
And I'm using this version of TrueCrypt:
http://216.189.8.164/N900/software/truecrypt/