Posts: 355 | Thanked: 566 times | Joined on Nov 2009 @ Redstone Canyon, Colorado
#1
I have built a kernel package and the userspace tool for using encrypted filesystems on the N900.

See:
http://wiki.maemo.org/User:Jebba/Cryptsetup

Have fun.
 

The Following 12 Users Say Thank You to jebba For This Useful Post:
Posts: 74 | Thanked: 142 times | Joined on Oct 2009 @ Chicago, US
#2
Nice. How is the file system performance when using this (relative to no encryption)?
 
Posts: 40 | Thanked: 18 times | Joined on Dec 2009
#3
Originally Posted by pinsh View Post
Nice. How is the file system performance when using this (relative to no encryption)?
That script he has on the linked page just sets up a loopback device and then encrypts that. I don't think it's really intended to be used to encrypt your entire filesystem. (First question that springs to mind is, why? Protect the open source N900 firmware?)

But really I think he intends it to be used to store the naked pictures your girlfriend MMS's you or the photos you've been saving of that girl you've been stalking on Facebook.

You know, stuff you don't use all the time.
 

The Following User Says Thank You to t7g For This Useful Post:
Posts: 45 | Thanked: 54 times | Joined on Oct 2009 @ Uppsala,Sweden
#4
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?
 
Posts: 22 | Thanked: 6 times | Joined on Dec 2009 @ Utrecht, the Netherlands
#5
Thanks. The n900 really could use some encryption software. I hope eventually there will be some easy-to-use application for the end user to at least create password-protected vaults.
 
Posts: 355 | Thanked: 566 times | Joined on Nov 2009 @ Redstone Canyon, Colorado
#6
Originally Posted by davost View Post
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?
I don't think so, it also requires more entropy. If you come up with a good doc explaining why it's better, let me know. Many docs I see use /dev/zero, so this is definitely an improvement over that.
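
The /dev/zero versus /dev/urandom prefill comparison from the post above, as an added example that is not part of the thread or of the linked wiki script. No cryptsetup is run: random bytes stand in for ciphertext written by a mounted volume, and the function names, block size and block counts are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added illustration: why the container file is prefilled from /dev/urandom
# rather than /dev/zero. All names and sizes here are hypothetical.

BLOCK=4096   # block size used for the comparison

# make_container SRC FILE BLOCKS: prefill a container file from SRC
make_container() {
    dd if="$1" of="$2" bs="$BLOCK" count="$3" 2>/dev/null
}

# write_ciphertext FILE FIRST N: overwrite N blocks starting at block FIRST
# with random bytes, standing in for ciphertext (assumption: no real dm-crypt)
write_ciphertext() {
    dd if=/dev/urandom of="$1" bs="$BLOCK" seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# zero_blocks FILE BLOCKS: count blocks that are still all zero, i.e. blocks
# that anyone holding the raw file can tell were never written
zero_blocks() {
    n=0
    i=0
    while [ "$i" -lt "$2" ]; do
        left=$(dd if="$1" bs="$BLOCK" skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c)
        if [ $left -eq 0 ]; then
            n=$((n + 1))
        fi
        i=$((i + 1))
    done
    echo "$n"
}

# demo: build both containers (64 blocks each), "use" 16 blocks of each,
# then report how many untouched blocks are identifiable in each file
demo() {
    dir=$(mktemp -d) || return 1
    make_container /dev/zero    "$dir/zero.img" 64
    make_container /dev/urandom "$dir/rand.img" 64
    write_ciphertext "$dir/zero.img" 10 16
    write_ciphertext "$dir/rand.img" 10 16
    z=$(zero_blocks "$dir/zero.img" 64)
    r=$(zero_blocks "$dir/rand.img" 64)
    rm -rf "$dir"
    echo "$z $r"
}

demo   # prints "48 0": zero prefill reveals 48 unused blocks, random prefill none
```

With a zero prefill, the raw file shows exactly which regions hold data and how much; with a random prefill, used and unused blocks look the same.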
 
Posts: 355 | Thanked: 566 times | Joined on Nov 2009 @ Redstone Canyon, Colorado
#7
Originally Posted by pinsh View Post
Nice. How is the file system performance when using this (relative to no encryption)?
I just got it set up, I haven't had a chance to benchmark it. It would be interesting to see how AES performs versus twofish as well.

Encrypted root filesystem (e.g. the *entire* system is encrypted), would be cool, but likely quite difficult with Maemo.
 
Posts: 415 | Thanked: 182 times | Joined on Nov 2007 @ Leeds UK
#8
Originally Posted by davost View Post
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?
urandom is non-blocking, so using random may be "more secure", but you are likely to suffer file system freezes using random - not something you would want.

random is generally used for cert generation and one-off stuff like that
__________________
Life on the edge....always waiting to fall

Last edited by deadmalc; 2010-01-12 at 21:03. Reason: !probably, maybe - maybe not (I am too lazy to check)
 

The Following 3 Users Say Thank You to deadmalc For This Useful Post:
Posts: 22 | Thanked: 8 times | Joined on Nov 2009
#9
Originally Posted by davost View Post
On the line
dd if=/dev/urandom of=$CRYPTFILE bs=1M count=$CRYPTSIZE

why not /dev/random instead? Isn't that more secure?
/dev/random blocks until more entropy can be gathered

On the N900, producing even 1 kilobyte of random data with /dev/random takes ages (it just sits there waiting for environment "noise")

/dev/urandom takes less than a second to fill 1 MB of random data

Unless you are exchanging above top secret government documents, /dev/urandom is good enough.
 

The Following 3 Users Say Thank You to Relativistic For This Useful Post:
Posts: 451 | Thanked: 334 times | Joined on Sep 2009
#10
Originally Posted by t7g View Post
That script he has on the linked page just sets up a loopback device and then encrypts that. I don't think it's really intended to be used to encrypt your entire filesystem.
Maybe not the whole filesystem, though root could feasibly be encrypted...

Anyhow, I've been testing Jebba's packages and kernel, and they work really well for cryptsetup encryption.

Basically, I use it to encrypt the whole SD card, therefore protecting everything that's on it. That's where your data is to be stored, that's the best protection you can have and it's OTF, you just mount it and then use it as normal. You can do the same for the free space on the internal drive.

BTW, anyone tried mounting encrypted partitions via fstab/crypttab on boottime on the N900 with this?

I'm thinking of trying, but had to reflash a couple of times this past day, due to setting this up, and am not sure I wanna reflash again, in case it coughs up some prob when booting. Though it shouldn't and should probably boot... Any thoughts on this? Or rather anyone tried yet?
 