Thread: TrueCrypt 7 with GUI and kernel crypto
View Single Post
NIN101 is offline NIN101
2011-01-15 , 20:43
Posts: 115 | Thanked: 342 times | Joined on Dec 2010
#1
You are doing everything at own risk if you follow the instructions.

Kernel Crypto
Without crypto modules, TC will be probably slower and you have to mount with truecrypt -m nokernelcrypto. AES and Twofish with the block cipher mode XTS are supported by power kernel v48 out of the box.

If you want kernel crypto for older versions, take a look at this page.

Precompiled
Available in extras-devel

Compilation in scratchbox
Verification of the downloaded packages is up to you.

Setup scratchbox as described here http://wiki.maemo.org/Documentation/...l_Installation
Log in and choose the ARM target.

Add these two friends to /etc/apt/sources.list
Code:
deb http://repository.maemo.org/extras/ fremantle-1.3 free non-free
deb http://repository.maemo.org/extras-devel fremantle free non-free
Get the truecrypt source, unpack it and copy it to scratchbox (usually accessible through the symlink $USER/Desktop/sbhome)

Code:
apt-get update ; apt-get install g++ nasm make libwxgtk2.8-dev libwxgtk2.8-0 libfuse-dev libfuse2 pkg-config
Code:
cd truecrypt-7.0a-source
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11.h 
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h
make

copy truecrypt-7.0a-source/Main/truecrypt to /usr/bin/truecrypt on your N900

Code:
apt-get install libwxgtk2.8-0 libfuse2 dmsetup (on your N900)
You may need to add the extra* repos to apt for this.





If you don't want to use kernel crypto, you have to mount it with something like this: truecrypt -m nokernelcrypto [disk/container] [mountpoint]. Otherwise you will have some errors.

Security Tips
Password leaks
If the auto complete function of maemo is enabled, most of the passwords entered to a GUI will be saved into a database. Turn this feature off before using TC. Database path: /home/user/.osso/dictionaries/.personal.dictionary.

Protection when mounted
There is of course no protection when your device is turned on and the partition or file container mounted. If someone steals your phone, your tc protected files will become accessible. To prevent this, you can enable the lock code. This should be secure unless your attacker has SSH access or something similar to that.

Swap
See some paragraphs below.

Issues

GUI does not fit. To fix this, we can deactivate the Maemo Theme for tc:

Code:
:~# unset GTK2_RC_FILES
:~# truecrypt

Autostart Script


/etc/event.d/truecrypt
Originally Posted by /etc/event.d/truecrypt
start on started hildon-desktop
exec run-standalone.sh /usr/bin/tcmount
stop on starting shutdown
/usr/bin/tcmount
Originally Posted by /usr/bin/tcmount
#!/bin/sh
truecrypt -m nokernelcrypto [tcvolume] [mountpoint]
chmod u+x /usr/bin/tcmount

This will mount the volumes you want on hildon start up. The known dialog("Enter password for...") will ask you to enter your password and to provide the keys etc.



Protection of private data in /home/user/
The following steps are very messy. A better solution - but harder - is the encryption of the /home/ partition. check this

If the partition or the file container which contains these things is not mounted, you can't use your crypted data and this will result in some error messages. And again, you are doing it at your own risk and only you are responsible for data loss.

So, mount your TC volume.

Please keep in mind that the following steps are not recommended/possible if you are using FAT thanks to user permissions and stuff like that which fat can not handle the way traditional linux filesystems do.

a) Moving phonebook
This will move your phone book. Symbolic links will point to the path in your encrypted volume. However, this is just a "mv", which means, no secure delete will occur on the source directories.
Code:
cd /home/user/
mv .osso-abook/ [tcvolume]
mv .osso-abook-backup/ [tcvolume]
ln -s [tcvolume]/.osso-abook/ .
ln -s [tcvolume]/.osso-abook-backup .
chown user -R [tcvolume]/.osso-abook/
b) Moving SMS
Code:
cd /home/user
mv .rtcom-eventlogger [tcvolume]
ln -s [tcvolume]/.rtcom-eventlogger .
chown user -R [tcvolume]/.rtcom-eventlogger

The same principle can be adapted to other directories, for example .mozilla.



Swap encryption
Unencrypted parts can remain in the swap partition. We should deal with that. Please make sure that you have the tools and the kernel modules!
Encryption of the Swap-Partition

1. cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3.
2. Open /etc/event.d/rcS-late
3. Find "swapon -a"
4. Replace it with:
Code:
        modprobe dm_crypt
        modprobe dm_mod
        /sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3 #it must be your swap devic
        /sbin/mkswap /dev/mapper/swapenc
        /sbin/swapon /dev/mapper/swapenc
/dev/urandom is the key file. Obviously, with every reboot a new key will be used.
It's recommended to test it first without editing the bootscripts.

General tips
FAT
If you want to write to FAT volumes as user, read this (--fs-options).

ext performance
For ext volumes, the following options are recommended.

Code:
truecrypt [source] [mountpoint] --fs-options=noatime,nodiratime,data=writeback
Those options give you some significant performance increase (especially noticeable in the media player, no lags anymore).

root user
To avoid multiple issues (e. g. setting device mappings and mounting), run tc as root.
Last edited by NIN101; 2014-08-07 at 14:27. Reason: link
 

The Following 17 Users Say Thank You to NIN101 For This Useful Post: