Posts: 1 | Thanked: 1 time | Joined on Dec 2010
#1
Here's a brief HOWTO for encrypting personal data using LUKS/dm-crypt, on N900.

(I have not tried truecrypt, which is significantly less efficient than dm-crypt as it uses FUSE. But I don't see why we can't make it work with similar hacks.)

We will do the following:
  • Reduce the 27G FAT partition at MyDocs, to 8G, and create a LUKS partition of size 19G, mounted at /home/user at startup
  • Encrypt the swap partition /dev/mmcblk0p3 at startup
  • There's no need to encrypt /tmp since it's an in-memory tmpfs

HOWEVER: Since the Titan kernel has no support(?) for framebuffer console, there is currently no way to enter the passphrase during boot. For now, I'm using a key-file saved as /etc/LUKS-key. This temporary workaround is insecure in theory, but should work well in practice, if you choose a cryptic name (instead of LUKS-key) and obfuscate the startup script that unlocks the encrypted partition.

In future, the key-file should be disabled using cryptsetup's luksRemoveKey command, as soon as we have framebuffer console. (See http://talk.maemo.org/showthread.php?t=40154 for a kernel with console support - but I couldn't give up titan's kernel for it.)

******************************************************

NOTE: The hack works for the latest rootfs version (2010.36). Original data on /dev/mmcblk0p1 will be lost, so do a backup.

REQUIRED: cryptsetup from extra-devel, a kernel with dm_crypt support - e.g. Titan's kernel-power. Root access.

STEPS:
  • Unmount /dev/mmcblk0p1: umount /home/user/MyDocs
  • Generate key file:
    Code:
    dd if=/dev/urandom of=/etc/LUKS-key bs=512 count=1
  • Partition mmcblk0 using "sfdisk --no-reread /dev/mmcblk0 < table", in my case "table" has content
    Code:
    # partition table of /dev/mmcblk0
    unit: sectors
    
    /dev/mmcblk0p1 : start=       64, size= 16777216, Id= c
    /dev/mmcblk0p2 : start= 56631360, size=  4194304, Id=83
    /dev/mmcblk0p3 : start= 60825664, size=  1572864, Id=82
    /dev/mmcblk0p4 : start= 16777280, size= 39854080, Id=e8
    Reboot.
  • Set up LUKS on /dev/mmcblk0p4:
    Code:
    modprobe dm_crypt
    cryptsetup luksFormat /dev/mmcblk0p4
    cryptsetup luksAddKey /dev/mmcblk0p4 /etc/LUKS-key
    cryptsetup luksOpen /dev/mmcblk0p4 user
    (You'll be prompted for a passphrase when you do luksFormat - there is a chance that the passphrase you enter gets written on the swap partition if RAM is tight, so pick a temporary passphrase for now.)
  • Format mmcblk0p4:
    Code:
    mkfs.ext3 /dev/mapper/user
    tune2fs -c 0 -i 0 /dev/mapper/user
    mount /dev/mapper/user /mnt; chown user:users /mnt
    Now is a good time to copy the settings under /home/user to /mnt
  • In /etc/event.d/rcS-late, right after the block
    Code:
        # Initialize PRNG pool with the HW RNG. Slow, but that's ok.
        URANDOM_POOLSZ=512
        if [ -e /dev/hwrng ]; then
          echo "Seeding entropy pool"
          dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1
        fi
    add the following lines
    (NOTE: we need to wait for /dev/urandom to be seeded and for /home to be mounted)
    Code:
    #### Colin's hack ####
        modprobe dm_crypt
    
        swapoff -a
        cryptsetup -d /dev/urandom create swap /dev/mmcblk0p3
        mkswap /dev/mapper/swap && swapon /dev/mapper/swap
    
        echo "user /dev/mmcblk0p4 /etc/LUKS-key luks" > /etc/crypttab
        /etc/init.d/cryptdisks start
        rm -rf /home/user; mkdir /home/user; chown user:users /home/user
        mount -o noatime /dev/mapper/user /home/user
        initctl emit MOUNTS_OK
    #####################
    and comment out any earlier occurrence of "initctl emit MOUNTS_OK".
  • Add the following to /etc/init.d/minishutdown and /etc/init.d/minireboot, after the line "usr/sbin/umountfs"
    Code:
    /etc/init.d/cryptdisks stop
  • Since Maemo mistakes /dev/dm-* (newly created device mapper nodes) for MMC, we need to explicitly tell it to use /dev/mmcblk0p1. (a) In /usr/sbin/osso-mmc-mount.sh, add a line "set /dev/mmcblk0p1 $2" at the beginning. (b) In /usr/sbin/osso-usb-mass-storage-enable.sh and /usr/sbin/osso-usb-mass-storage-disable.sh, add "set /dev/mmcblk0p1" at the beginning. That's it, but this assumes you don't need external cards to be auto-managed by Maemo. To fix that, only replace with "/dev/mmcblk0p1" if $1 is "/dev/dm-*". (I didn't bother to do that as I don't use external storage cards.)

If you have made it to this point without any problem, reboot and check with "df". You should have something like
Code:
/dev/mapper/user      19613660    190348  18426988   1% /home/user
/dev/mmcblk0p1         8372236        28   8372208   0% /home/user/MyDocs

Last edited by jcolinzheng; 2010-12-15 at 21:29.
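Two of the steps in the HOWTO above are easy to get wrong silently: the hand-written sfdisk table (a wrong start or size destroys data with no warning, since the post already wipes /dev/mmcblk0p1) and the "set /dev/mmcblk0p1 $2" substitution in osso-mmc-mount.sh, which also hijacks external cards. The script below is an added example, not code from the original post or from Maemo: it checks a table file for overlaps and for partitions that run past the end of the device before it is fed to "sfdisk --no-reread", and it implements the conditional /dev/dm-* rewrite the post describes but did not write. DEVICE_SECTORS is an assumed value; on a real device read it from /sys/block/mmcblk0/size. The embedded sample table is the one from the post, written out to a file only for demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# repartitioning step and the osso-mmc-mount.sh device substitution,
# written for a POSIX sh such as the busybox ash on the N900.

# Assumed device size in 512-byte sectors; on the phone use:
#   DEVICE_SECTORS=$(cat /sys/block/mmcblk0/size)
DEVICE_SECTORS=${DEVICE_SECTORS:-62521344}

# check_sfdisk_table FILE
# Parses "start=" and "size=" from each partition line of an sfdisk dump
# (comments, blank lines and the "unit:" line are skipped). Prints "ok" and
# returns 0 if no two partitions overlap and all of them fit on the device;
# otherwise prints what is wrong and returns 1.
check_sfdisk_table() {
    awk -v dev="$DEVICE_SECTORS" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^unit:/ { next }
        {
            gsub(/[=,]/, " ")           # "start=  64," -> "start 64", re-split
            s = -1; z = -1
            for (i = 2; i <= NF; i++) {
                if ($i == "start") s = $(i + 1) + 0
                if ($i == "size")  z = $(i + 1) + 0
            }
            if (s < 0 || z <= 0) { printf "%s: malformed line\n", $1; bad = 1; next }
            if (s + z > dev) {
                printf "%s: ends at sector %d, past end of device (%d)\n", $1, s + z, dev
                bad = 1
            }
            n++; name[n] = $1; st[n] = s; en[n] = s + z
        }
        END {
            # pairwise overlap test: [st,en) intervals intersect
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (st[i] < en[j] && st[j] < en[i]) {
                        printf "%s overlaps %s\n", name[i], name[j]; bad = 1
                    }
            if (!bad) print "ok"
            exit bad
        }' "$1"
}

# mmc_dev DEV
# The substitution for /usr/sbin/osso-mmc-mount.sh (and the usb-mass-storage
# scripts): only a device-mapper node is rewritten to the FAT partition;
# anything else, e.g. an external card on /dev/mmcblk1p1, passes through.
# At the top of osso-mmc-mount.sh use it as:
#   set -- "$(mmc_dev "$1")" "$2"
mmc_dev() {
    case "$1" in
        /dev/dm-*) echo /dev/mmcblk0p1 ;;
        *)         echo "$1" ;;
    esac
}

# write_sample_table FILE - the table from the post, for demonstration only.
write_sample_table() {
    cat > "$1" <<'EOF'
# partition table of /dev/mmcblk0
unit: sectors

/dev/mmcblk0p1 : start=       64, size= 16777216, Id= c
/dev/mmcblk0p2 : start= 56631360, size=  4194304, Id=83
/dev/mmcblk0p3 : start= 60825664, size=  1572864, Id=82
/dev/mmcblk0p4 : start= 16777280, size= 39854080, Id=e8
EOF
}

# Usage: sh check.sh table   (checks the given file, exit status 0 = safe)
if [ $# -gt 0 ]; then
    check_sfdisk_table "$1"
fi
```

Run the check on your own table before the sfdisk step; if it prints anything but "ok", do not reboot. The overlap test is what catches an off-by-one in a start sector (p4 must end exactly where p2 starts, as it does in the post's table).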
Posts: 49 | Thanked: 39 times | Joined on May 2011
#2
I don't know much about dm-crypt, but it seems, as it uses a loop device, that the same procedure as with the truecrypt home encryption could be used.
That is, do a normal startup, mount the home folder afterwards and restart most of the programs to make them use the new home folder.
see also http://talk.maemo.org/showthread.php?p=1008309
 
Posts: 3 | Thanked: 0 times | Joined on May 2011
#3
Thank you, jcolinzheng, for this how-to. I had been searching for a way to encrypt my personal data with LUKS and dm-crypt the way I do on my laptop. I've followed your instructions and it works just as you describe.

I want to have to enter a password to decrypt every time I start the device. I was actually able to get a framebuffer console running with the titan kernel version 47 by following these instructions for editing /sbin/preinit
After that I went ahead and removed LUKS-key... but I am not sure how/where to edit your code so that it prompts me for the password and automatically mounts the partitions.

Maybe in /etc/event.d/rcS-late ?

Last edited by sourcedriver; 2011-05-28 at 18:14.
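The question in the post above (where to change the rcS-late hack so that it prompts once the key file is gone) comes down to replacing the crypttab/cryptdisks lines with a luksOpen that can talk to the console. The script below is an added example, not code from the original post, from the poster or from Maemo. It unlocks with the key file when one is present and otherwise prompts for the passphrase, and it refuses to wipe /home/user unless the LUKS volume actually opened, which the original "rm -rf /home/user" does not check. Assumptions not confirmed by the thread: the framebuffer console is reachable as /dev/tty0, and cryptsetup reads the passphrase from stdin when it has no controlling terminal, so stdin and stdout are pointed at the console for the prompt. Device and key-file paths are the ones from the HOWTO.

```sh
#!/bin/sh
# Added example (not from the original post): the unlock/mount part of the
# rcS-late hack with key-file or console-prompt unlocking and a guard
# against wiping the home directory when the unlock fails.

LUKS_DEV=${LUKS_DEV:-/dev/mmcblk0p4}
LUKS_NAME=${LUKS_NAME:-user}
LUKS_KEY=${LUKS_KEY:-/etc/LUKS-key}
CONSOLE=${CONSOLE:-/dev/tty0}        # assumed console device
HOME_DIR=${HOME_DIR:-/home/user}
TRIES=${TRIES:-3}

# unlock_mode KEYFILE
# "keyfile" if the key file exists, is a regular file and is readable;
# "prompt" otherwise (the state after luksRemoveKey and deleting the file).
unlock_mode() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        echo keyfile
    else
        echo prompt
    fi
}

# open_home
# Opens the LUKS volume as /dev/mapper/$LUKS_NAME. Returns cryptsetup's
# status, so the mapping exists afterwards only on success.
open_home() {
    modprobe dm_crypt 2>/dev/null || true
    case "$(unlock_mode "$LUKS_KEY")" in
        keyfile)
            cryptsetup luksOpen --key-file "$LUKS_KEY" "$LUKS_DEV" "$LUKS_NAME"
            ;;
        prompt)
            # A typo must not cost the whole boot: allow a few attempts.
            cryptsetup luksOpen --tries "$TRIES" "$LUKS_DEV" "$LUKS_NAME" \
                < "$CONSOLE" > "$CONSOLE" 2>&1
            ;;
    esac
}

# mount_home
# Replaces the stock home directory with the decrypted volume, but only if
# the mapping exists; otherwise the unencrypted home is left untouched.
mount_home() {
    if [ ! -b "/dev/mapper/$LUKS_NAME" ]; then
        echo "LUKS volume $LUKS_NAME is not open; leaving $HOME_DIR alone" >&2
        return 1
    fi
    rm -rf "$HOME_DIR"
    mkdir -p "$HOME_DIR"
    chown user:users "$HOME_DIR"
    mount -o noatime "/dev/mapper/$LUKS_NAME" "$HOME_DIR"
}

# encrypt_swap - encrypted swap with a throw-away random key, as in the hack.
encrypt_swap() {
    swapoff -a
    cryptsetup -d /dev/urandom create swap /dev/mmcblk0p3
    mkswap /dev/mapper/swap && swapon /dev/mapper/swap
}

# Entry point: only acts when called as "start" by root from rcS-late, so
# the file can also be sourced for its functions without side effects.
if [ "${1:-}" = start ] && [ "$(id -u)" = 0 ]; then
    encrypt_swap
    if open_home; then
        mount_home
    fi
    initctl emit MOUNTS_OK
fi
```

Drop this in place of the crypttab/cryptdisks/rm/mkdir/mount lines in /etc/event.d/rcS-late (call it with "start"), keep the "initctl emit MOUNTS_OK" commented out elsewhere as the HOWTO says, and keep the "/etc/init.d/cryptdisks stop" in minishutdown/minireboot replaced by a matching "cryptsetup luksClose user" after the unmount. While the key file is still in use, it should be readable only by root (chmod 600 after the dd), since the dd in the HOWTO leaves it with the default umask permissions.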