TrueCrypt 7 with GUI and kernel crypto
 

You are doing everything at own risk if you follow the instructions.

Kernel Crypto
Without crypto modules, TC will be probably slower and you have to mount with truecrypt -m nokernelcrypto. AES and Twofish with the block cipher mode XTS are supported by power kernel v48 out of the box.

If you want kernel crypto for older versions, take a look at this page.

Precompiled
Available in extras-devel

Compilation in scratchbox
Verification of the downloaded packages is up to you.

Setup scratchbox as described here http://wiki.maemo.org/Documentation/...l_Installation
Log in and choose the ARM target.

Add these two friends to /etc/apt/sources.list
Get the truecrypt source, unpack it and copy it to scratchbox (usually accessible through the symlink $USER/Desktop/sbhome)


copy truecrypt-7.0a-source/Main/truecrypt to /usr/bin/truecrypt on your N900

You may need to add the extra* repos to apt for this.





If you don't want to use kernel crypto, you have to mount it with something like this: truecrypt -m nokernelcrypto [disk/container] [mountpoint]. Otherwise you will have some errors.

Security Tips
Password leaks
If the auto complete function of maemo is enabled, most of the passwords entered to a GUI will be saved into a database. Turn this feature off before using TC. Database path: /home/user/.osso/dictionaries/.personal.dictionary.

Protection when mounted
There is of course no protection when your device is turned on and the partition or file container mounted. If someone steals your phone, your tc protected files will become accessible. To prevent this, you can enable the lock code. This should be secure unless your attacker has SSH access or something similar to that.

Swap
See some paragraphs below.

Issues

GUI does not fit. To fix this, we can deactivate the Maemo Theme for tc:


Autostart Script
http://img5.imagebanana.com/img/2q6e...0115212646.png

/etc/event.d/truecrypt
/usr/bin/tcmount
chmod u+x /usr/bin/tcmount

This will mount the volumes you want on hildon start up. The known dialog("Enter password for...") will ask you to enter your password and to provide the keys etc.



Protection of private data in /home/user/
The following steps are very messy. A better solution - but harder - is the encryption of the /home/ partition. check this

If the partition or the file container which contains these things is not mounted, you can't use your crypted data and this will result in some error messages. And again, you are doing it at your own risk and only you are responsible for data loss.

So, mount your TC volume.

Please keep in mind that the following steps are not recommended/possible if you are using FAT thanks to user permissions and stuff like that which fat can not handle the way traditional linux filesystems do.

a) Moving phonebook
This will move your phone book. Symbolic links will point to the path in your encrypted volume. However, this is just a "mv", which means, no secure delete will occur on the source directories.
b) Moving SMS
chown user -R [tcvolume]/.rtcom-eventlogger

The same principle can be adapted to other directories, for example .mozilla.



Swap encryption
Unencrypted parts can remain in the swap partition. We should deal with that. Please make sure that you have the tools and the kernel modules!
Encryption of the Swap-Partition

1. cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3.
2. Open /etc/event.d/rcS-late
3. Find "swapon -a"
4. Replace it with:
/dev/urandom is the key file. Obviously, with every reboot a new key will be used.
It's recommended to test it first without editing the bootscripts.

General tips
FAT
If you want to write to FAT volumes as user, read this (--fs-options).

ext performance
For ext volumes, the following options are recommended.

Those options give you some significant performance increase (especially noticeable in the media player, no lags anymore).

root user
To avoid multiple issues (e. g. setting device mappings and mounting), run tc as root.

Re: [HOWTO]TrueCrypt with GUI and kernel crypto
 

Great post, I'm trying to get full system encryption to work without any major issues. If that's not possible, I will use your softlink method instead. If anyone is interested in sharing their experiences, please do so in this thread.

Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
 

truecrypt gui just doesn't fit on the screen, better to build without

Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
 

couldn't actually build without gui, wxWidgets decency hell

nevertheless, I can't mount a volume, any idea what is wrong?
UPD: container was broken, recreated and and it worked fine

Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
 

Hey there,
great tutorial. After six hours of trying I finally got it working. Wouldn't it be possible to load the compiled Trucrypt7.0a into extra-devel? It would safe a lot of time, since the newest desktop-version is Truecrypt7.0a and you need the same version for encrypt MyDocs via the PC. Anyway I got the following problem:
I mount my encrypted MyDocs like this
If mounted like this right at the start of the hildon-desktop (with the help of your script) I'm not able to accsess MyDocs as the normal user, only as root. If mounted afterwards via the terminal I could enter MyDocs without any problems. Hope you could help me and thanks a lot again!
Cheers blck

EDIT: Got it! Adding --fs-options=rw,uid=29999 to the tcmount did it.

Re: [HOWTO]TrueCrypt 7 with GUI and kernel crypto
 

But only if the maemo theme is used by TrueCrypt. I once started it somehow without, so it looked like a normal GTK application. Still not sure if some parts of the GUI would be more useable with that. Anyway, I'm using the GUI mostly for the mounting like in the screenshot because the rest can often be easier achieved with the CLI.

Edit:
:~# unset GTK2_RC_FILES
:~# truecrypt

Screenshots:
http://img7.imagebanana.com/img/px4n...0625134520.png

http://www.imagebanana.com/view/kegr...0625134600.png

It is useable.



Yep the building process depends on wxWidgets anyway, even if you only want to build a command line version.

Yes I probably could do that once I get my N900 back from repairment.

Good point. Especially needed if the filesystem of the volume you are mounting is FAT, as the Unix file permission concept does not apply to it, so you could'nt make it work with a simple chown.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Boom. Now that v48 is out we finally got the xts block cipher mode kernel module coming with the kernel. This (should) give faster performance for disk encryption software like TrueCrypt, which uses XTS by default. Version 6* which is in the repos is now actually obsolete (it's hardcoded with -m nokernelcrypto).

Re: TrueCrypt 7 with GUI and kernel crypto
 

<Estel cast thread resurrection sign> *boom*

NIN101, any chances of putting latest truecrypt into maemo repos? It's a little shame, that we still got hardcoded -nokernelcrypto version in -devel. Anyway, thanks for doing 7.1, whenever it sits ;)

Also, please remember, that You don't need to be maintainer, to upload new version into -devel.

/Estel

Re: TrueCrypt 7 with GUI and kernel crypto
 

I considered months ago to package it, even created debs, but I finally didn't upload the stuff to extras-devel. Because I have no motivation to deal with problems like kernel fragmentation¹. Of course, we could depend on kernel-power. But it's not that cool to force kernels. Users who install KP should manage to do a cp to /usr/bin or compile it (the best way). Modules for most known kernels could be shipped with some postinstall magic - but this is not exactly brilliant. A wrapper script with a fallback to -m nokernelcrypto if the needed modules are not found is cool, but... dunno.

Pretty annoying starting situation

Re: TrueCrypt 7 with GUI and kernel crypto
 

It is if you make is a separate package. ( eg. kp-truecrypt)

Re: TrueCrypt 7 with GUI and kernel crypto
 

+1 for above. Also, it's beter to have version depending on kp, than version with -nokernelcrypto hardcoded - it's even less fun, than forcing kernels ;)

Not to mention, that average (even power-) user can miss this thread, while it's not likely to miss package in repositories. At least my order for getting this is:
1) search repos, read package dates, changelogs, descriptions etc
2) IF 1) fail, search wiki, OR if plentora of competing packages found, do the same.
3) if 2) fails, search forum.

Also, if by any case, Your website with precompiled debs get down (You hit by a bus and no one to pay bills, or "they" taking it down), community still get repos version.

/Estel

Re: TrueCrypt 7 with GUI and kernel crypto
 

Shredding on an Flash-based medium is utterly useless, as the wear-levelling will reallocate sectors all over the "disk". This is also the case with SSD-drives in computers.

The only way is to delete the file and then overwrite the whole free space with zeroes. Not with random numbers, as zeroed memory blocks are usually faster when being written to.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Uff. Sigh. The license. This is the reason why Debian, Ubuntu, Fedora etc. do not package it. The web is full of debates about the supercool license and its restrictions. Clearly, it isn't cool. Otoh, for example, arch linux has it.

To put that aside I just created a new package here. It won't depend on kernel power or anything, but instead use a wrapper script which checks if the kernel has the xts moduleavailable. If not, it will start it tc with -m nokernelcrypto. That simple. Will upload it in the coming weeks once the license concerns disappear (IANAL).


You are right. I realized this after a while that paragraph was written, but forgot to modify it (no excuse). Thx for pointing that out.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Hi! Is it possible to mount for example external hard disks entirely encrypted? I've installed USB hostmode, but the hard disk is not recognized.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Sounds like a hostmode/udev/driver/kernel/whatever problem, not related to TrueCrypt.
Besides that, the answer is probably: yes.

Re: TrueCrypt 7 with GUI and kernel crypto
 

NIN101, not demanding anything, but what about packaging latest TrueCrypt and putting it into repos? I know one can do it manually, but when you declared that you're going to do it, I decided to wait... ;)

/Estel

Re: TrueCrypt 7 with GUI and kernel crypto
 

I said I will package it. Done (based on the previous package). And now you are going to upload it to the repo with your details, because you are the one wanting it there so much. Deal? :P

Re: TrueCrypt 7 with GUI and kernel crypto
 

I'll try, but uploading pre-builded packages with autobuilder (sounds like and oxy*****, I'm not sure if it's even possible) is out of my scope. i'll check if it's possible via dput and public key. don't blame me if it result in version that eats Your device, though ;)

AFAIK, if You have code and build environment on Your machine, it's all a matter of creating a debian .control file, then autobuilder will swallow it. Unfortunately, I don't have build environment (promising myself, that one day, I'm going to prepare one) , as I'm not coder, which I mentioned many times in the past.

/Estel

// Edit

I think i know how to upload it to extras with less possible hassle included. Can you provide here Debian-compliant (=Maemo-compliant = exactly same You used to build package)...
...? As you've already builded it, you probably know what I'm talking about - heck, most likely, You know it better than me, as I'm actually even pretty unsure, if all mentioned files are mandatory, or only some of them (.tar.gz probably is, <truecrypt_version>.changes is nice to have but not mandatory I think, and .dsc seems to be mandatory also).

then, i'll try to upload them via my garage account. If it succeed, we would only need to make You maintainer of this package, or it won't be able to go out of -devel.

Re: TrueCrypt 7 with GUI and kernel crypto
 

TrueCrypt 7.1 is available in extras-devel:
http://talk.maemo.org/showthread.php?t=81435

Re: TrueCrypt 7 with GUI and kernel crypto
 

moving the SMS and IM messages folder and using link works good, even if you don't insert the password and activate the conversations application - you will find that it is empty. To make it work again - mount the drive and use:

kill `pgrep -f ".*rtcom-messaging-ui.*"`

to kill all old processes (if you don't do that, you will have to restart before you can see the conversations).

The problem i find is that i cannot do the same for the contacts application - moving it to the encrypted drive causes a problem - the integration with the Instant Messaging statuses will not work and you will get error messages. Anyone got this solved?

Thanks.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Did not use it until now (but am going to...).

Do I understood right?
It is about the addressbook not showing the contacts? Or not showing the current status of IM partners (away, offline,...)

Either way I would go with a
killall osso-addressbook
or
kill `pgrep /usr/bin/osso-addressbook`
Try this first, then:

What also may be needed is to "restart" the telepathy processes
like
~# ps |grep telepathy
1278 user 4688 S /usr/lib/telepathy/telepathy-ring
2331 user 16892 S /usr/lib/telepathy/telepathy-haze
2334 user 7472 S /usr/lib/telepathy/telepathy-sofiasip

afaik:
sofiasip is for sip/voip accounts, haze (and others) for IM.
Output may look different depending on installed extensions.
You may go one by one (preferred, pls post back result) with a
killall telepathy-...
or all together
kill `pgrep telepathy-*`
kill `pgrep -f

Re: TrueCrypt 7 with GUI and kernel crypto
 

Well, the original scenario I had:
1. Disconnected secured drive
2. Run "Contacts" -> no contacts (as expected)
3. Connect secured drive
4. Run "Contacts" -> still no contacts shown

I then used the following between 3 and 4:
kill `pgrep /usr/bin/osso-addressbook`
kill `pgrep telepathy-*`
I checked that all these processes changed process ids to make sure they were killed.

After these steps - starting the "Contacts" application shows all the contacts, but not the statuses of the IM accounts (I'm logged in to them of course) and you cannot send IM messages because you are getting "Unable to perform operation - internal error" message if you try too.

Anything else should be restarted?

Encrypted contacts is a very nice ability I would like to use. Other than that this secured drive is a great second protection for my already encrypted Password safe data file.

Thanks for the help :)

Re: TrueCrypt 7 with GUI and kernel crypto
 

I'm pretty sure, that all of this can be achieved by bootup or contextual scripts (that automatically restart corresponding services after mounting encrypted partition/container). Ho ever, as for IM bug, we must wait for NIN101 answer - he's specialist of such trick.

Sorry for not being able to help on that.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Of course you did kill rtcom-call-ui also?

There is another candidate to be killed/restarted
rtcom-messaging-ui

And maybe (just guessing from here)
osso-connectivity-ui-conndlgs

If not, try to find out with
ps | grep xxx
to find any processes maybe related to that part.
Sorry, thats all I can do for you.

Re: TrueCrypt 7 with GUI and kernel crypto
 

killed everything you suggested too. still same problem when running contacts...

Re: TrueCrypt 7 with GUI and kernel crypto
 

There is another issue I'm facing now:

I'm running the truecrypt mount command with root user and when I start an application like "photos" it has no access to the mounted drive (because it is run with the "user" user).

What is the best way to solve this? Of course I can change the shortcuts to be run with "root" but I would like to avoid that.

Re: TrueCrypt 7 with GUI and kernel crypto
 

This is why I absolutely hate solid-state storage devices implementing built-in wear-leveling. As I understand it, spinny disk harddrives always did and still do the grown up thing and let the OS tell them what to do like a good obedient piece of hardware.

I get that when flash storage first got made there was a reason to let the storage medium do **** like that, since OSs didn't come with support for that kind of stuff, but at this point there's no good reason to not give that kind of raw control to the OS itself.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Permissions? http://talk.maemo.org/showpost.php?p...38&postcount=5
If extX filesystem, set them with chown etc..

--
Regarding the symlink method: It's indeed a pain and not convenient. Maybe this super killall party can help you; permission problems?

Re: TrueCrypt 7 with GUI and kernel crypto
 

--fs-options=rw,uid=29999 did the trick for my (FAT) FS storage.

What do you mean by super killall? :) (the link you added was for the FAT FS issue - probably by mistake?)

Re: TrueCrypt 7 with GUI and kernel crypto
 

Forget it, my style of writing :-).
Yes, wrong link. Wanted to link to this

Re: TrueCrypt 7 with GUI and kernel crypto
 

Sorry for the lateness, but I can tell you the opposite is true, as I've done just that in the past. You can setup a partition on the N900 that can then be mounted on Win/Linux/Mac. So I can't imagine the opposite would not be true.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Ok... then I'll try later with a pendrive entirely encrypted and see if it's recognized and it's possible to mount it and post here.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Well, after trying the kill alls i can say it is not solving the problem - still not possible to send IM + IM integration is not working.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Confirming what's woody said - it's absolutely possible to open any TrueCrypt encrypted partition/file, no matter is using hostmode, network or whatsnot. Even reading containers written in optical disks is working - well, at least if You actually can enumerate then at all, because current bug in KP is (again...) preventing that (I hope it will get fixed in new release).

/Estel

Re: TrueCrypt 7 with GUI and kernel crypto
 

Ok... I encrypted a pendrive partition, connected to N900, mounted with H-E-N, but, when I try to mount the partition with TrueCrypt, I get this error:

device-mapper: reload ioctl failed: Invalid argument
Command failed

Anyone knows what it means?

Re: TrueCrypt 7 with GUI and kernel crypto
 

Take a look at the output of the dmesg command (and paste it for us) after that error.

Re: TrueCrypt 7 with GUI and kernel crypto
 

Ok... here you go! I selected the messages which should be related to the problem

[ 3408.497833] usb-storage: device scan complete
[ 3408.500610] scsi 0:0:0:0: Direct-Access DIKOM USB Flash Drive 0.00 PQ: 0 ANSI: 2
[ 3408.518798] sd 0:0:0:0: [sda] 1967616 512-byte hardware sectors: (1.00 GB/960 MiB)
[ 3408.519775] sd 0:0:0:0: [sda] Write Protect is off
[ 3408.519805] sd 0:0:0:0: [sda] Mode Sense: 00 00 00 00
[ 3408.519836] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 3408.527374] sd 0:0:0:0: [sda] 1967616 512-byte hardware sectors: (1.00 GB/960 MiB)
[ 3408.528259] sd 0:0:0:0: [sda] Write Protect is off
[ 3408.528320] sd 0:0:0:0: [sda] Mode Sense: 00 00 00 00
[ 3408.528350] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 3408.528381] sda: sda1
[ 3408.593353] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 3428.436492] NTFS driver 2.1.29 [Flags: R/O MODULE].
[ 3428.556427] NTFS-fs warning (device sda1): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
[ 3437.301910] slide (GPIO 71) is now open
[ 3496.448699] device-mapper: ioctl: 4.14.0-ioctl (2008-04-23) initialised: dm-devel@redhat.com
[ 3496.643524] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
[ 3496.643554] device-mapper: ioctl: error adding target to table

Re: TrueCrypt 7 with GUI and kernel crypto
 

What version of power kernel are you running? (if < v48, it's likely the xts problem, which means you didn't read the initial post...). Are you using the newest TrueCrypt version from extras-devel? With what cipher is this volume encrypted?

Re: TrueCrypt 7 with GUI and kernel crypto
 

I've installed this kernel:
http://maemo.org/packages/package_in...settings/0.11/
And I'm using this version of TrueCrypt:
http://216.189.8.164/N900/software/truecrypt/

Re: TrueCrypt 7 with GUI and kernel crypto
 

Useless information. You linked to Linux kernel for power user (settings and overclock) 0.11, and this doesn't tell anything about the used version.
Doesn't exist there anymore. It is in extras-devel now.