    TrueCrypt 7 with GUI and kernel crypto

    NIN101 | # 1 | 2011-01-15, 20:43

    You are doing everything at your own risk if you follow the instructions.

    Kernel Crypto
    Without crypto modules, TC will probably be slower and you have to mount with truecrypt -m nokernelcrypto. AES and Twofish with the block cipher mode XTS are supported by power kernel v48 out of the box.

    If you want kernel crypto for older versions, take a look at this page.

    Precompiled
    Available in extras-devel

    Compilation in scratchbox
    Verification of the downloaded packages is up to you.

    Setup scratchbox as described here http://wiki.maemo.org/Documentation/...l_Installation
    Log in and choose the ARM target.

    Add these two friends to /etc/apt/sources.list
    Code:
    deb http://repository.maemo.org/extras/ fremantle-1.3 free non-free
    deb http://repository.maemo.org/extras-devel fremantle free non-free
    Get the truecrypt source, unpack it and copy it to scratchbox (usually accessible through the symlink $USER/Desktop/sbhome)

    Code:
    apt-get update ; apt-get install g++ nasm make libwxgtk2.8-dev libwxgtk2.8-0 libfuse-dev libfuse2 pkg-config
    Code:
    cd truecrypt-7.0a-source
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11.h
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h
    make

    copy truecrypt-7.0a-source/Main/truecrypt to /usr/bin/truecrypt on your N900

    Code:
    apt-get install libwxgtk2.8-0 libfuse2 dmsetup   # on your N900
    You may need to add the extra* repos to apt for this.

    If you don't want to use kernel crypto, you have to mount it with something like this: truecrypt -m nokernelcrypto [disk/container] [mountpoint]. Otherwise you will get some errors.

    Security Tips
    Password leaks
    If the auto-complete function of Maemo is enabled, most of the passwords entered into a GUI will be saved into a database. Turn this feature off before using TC. Database path: /home/user/.osso/dictionaries/.personal.dictionary.

    Protection when mounted
    There is of course no protection when your device is turned on and the partition or file container is mounted. If someone steals your phone, your TC-protected files will become accessible. To prevent this, you can enable the lock code. This should be secure unless your attacker has SSH access or something similar.

    Swap
    See some paragraphs below.

    Issues

    GUI does not fit. To fix this, we can deactivate the Maemo Theme for tc:

    Code:
    :~# unset GTK2_RC_FILES
    :~# truecrypt

    Autostart Script

    /etc/event.d/truecrypt
    Code:
    start on started hildon-desktop
    exec run-standalone.sh /usr/bin/tcmount
    stop on starting shutdown

    /usr/bin/tcmount
    Code:
    #!/bin/sh
    truecrypt -m nokernelcrypto [tcvolume] [mountpoint]

    Code:
    chmod u+x /usr/bin/tcmount

    This will mount the volumes you want on hildon start-up. The known dialog ("Enter password for...") will ask you to enter your password and to provide the keys etc.

    Protection of private data in /home/user/
    The following steps are very messy. A better solution - but harder - is the encryption of the /home/ partition. Check this.

    If the partition or the file container which contains these things is not mounted, you can't use your encrypted data and this will result in some error messages. And again, you are doing it at your own risk and only you are responsible for data loss.

    So, mount your TC volume.

    Please keep in mind that the following steps are not recommended/possible if you are using FAT, thanks to user permissions and the like, which FAT cannot handle the way traditional Linux filesystems do.

    a) Moving phonebook
    This will move your phone book. Symbolic links will point to the path in your encrypted volume. However, this is just a "mv", which means no secure delete will occur on the source directories.
    Code:
    cd /home/user/
    mv .osso-abook/ [tcvolume]
    mv .osso-abook-backup/ [tcvolume]
    ln -s [tcvolume]/.osso-abook/ .
    ln -s [tcvolume]/.osso-abook-backup .
    chown user -R [tcvolume]/.osso-abook/
    b) Moving SMS
    Code:
    cd /home/user
    mv .rtcom-eventlogger [tcvolume]
    ln -s [tcvolume]/.rtcom-eventlogger .
    chown user -R [tcvolume]/.rtcom-eventlogger

    The same principle can be adapted to other directories, for example .mozilla.

    Swap encryption
    Unencrypted parts can remain in the swap partition. We should deal with that. Please make sure that you have the tools and the kernel modules!
    Encryption of the Swap-Partition

    1. cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3.
    2. Open /etc/event.d/rcS-late
    3. Find "swapon -a"
    4. Replace it with:
    Code:
            modprobe dm_crypt
            modprobe dm_mod
            /sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3   # it must be your swap device
            /sbin/mkswap /dev/mapper/swapenc
            /sbin/swapon /dev/mapper/swapenc
    /dev/urandom is the key file. Obviously, with every reboot a new key will be used.
    It's recommended to test it first without editing the bootscripts.

    General tips
    FAT
    If you want to write to FAT volumes as user, read this (--fs-options).

    ext performance
    For ext volumes, the following options are recommended.

    Code:
    truecrypt [source] [mountpoint] --fs-options=noatime,nodiratime,data=writeback
    Those options give you some significant performance increase (especially noticeable in the media player, no lags anymore).

    root user
    To avoid multiple issues (e. g. setting device mappings and mounting), run tc as root.


    Last edited by NIN101; 2014-08-07 at 14:27. Reason: link
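A helper for the mv + ln -s + chown steps of sections a) and b) above, written as an added example (not a script from the thread or from the TrueCrypt project): it refuses to move anything unless the target is a mounted volume whose filesystem keeps Unix ownership, which encodes the FAT and "volume must be mounted" caveats from the post. USER_HOME, OWNER, the function names and the constructed /proc/mounts lines are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread): does the mv + ln -s
# + chown of sections a) and b) for one directory, refusing when the TrueCrypt
# volume is not mounted or is FAT, which cannot hold Unix ownership.
# Usage (as root, volume already mounted): sh tcmove.sh /media/truecrypt1 .osso-abook

USER_HOME="${USER_HOME:-/home/user}"
OWNER="${OWNER:-user}"

# Print the filesystem type of mount point $1 from /proc/mounts-style text on
# stdin (fields: device mountpoint type options ...); prints nothing if not mounted.
fs_type_of() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { print t }'
}

# Exit 0 if filesystem type $1 keeps per-file ownership and permissions.
keeps_unix_perms() {
    case "$1" in
        "" | vfat | msdos | fat | exfat | ntfs) return 1 ;;
        *) return 0 ;;
    esac
}

# move_into_volume <volume mount point> <directory name under $USER_HOME>
move_into_volume() {
    vol="$1"; name="$2"; src="$USER_HOME/$name"; dst="$vol/$name"
    fstype="$(fs_type_of "$vol" < /proc/mounts)"
    if ! keeps_unix_perms "$fstype"; then
        echo "refusing: $vol is ${fstype:-not mounted}; need a mounted ext volume" >&2
        return 1
    fi
    if [ -L "$src" ]; then
        echo "$src is already a symlink, nothing to do" >&2
        return 0
    fi
    [ -d "$src" ] || { echo "$src is not a directory" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    # A cross-filesystem mv copies then unlinks: the plaintext blocks stay on
    # the source flash until overwritten, exactly as the post warns.
    mv "$src" "$dst"
    ln -s "$dst" "$src"
    chown -R "$OWNER" "$dst"
}

if [ $# -eq 2 ]; then
    move_into_volume "$1" "$2"
fi
```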
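The swap encryption steps above as one script, added here as an example (it is not the rcS-late snippet from the post): the same random-key dm-crypt mapping, plus the checks you want when testing by hand before touching the boot scripts, where the plain swap is still active. SWAP_DEV, MAPPER_NAME and the constructed /proc/swaps lines in the comments are assumptions of this example; the cryptsetup invocation is the one from the post.

```shell
#!/bin/sh
# Added example (not the thread's rcS-late snippet): the same random-key
# dm-crypt swap setup, wrapped with the checks you want when trying it by hand
# before editing boot scripts. Run as root: sh swapenc.sh run

SWAP_DEV="${SWAP_DEV:-/dev/mmcblk0p3}"     # usual N900 swap partition; verify with /proc/swaps
MAPPER_NAME="${MAPPER_NAME:-swapenc}"

# Print the swap partitions listed in /proc/swaps-style text read from stdin.
swap_partitions() {
    awk 'NR > 1 && $2 == "partition" { print $1 }'
}

# Exit 0 if device $1 is an active swap in the /proc/swaps-style text on stdin.
is_active_swap() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { found = 1 } END { exit !found }'
}

encrypt_swap() {
    [ "$(id -u)" -eq 0 ] || { echo "encrypt_swap: run as root" >&2; return 1; }
    [ -b "$SWAP_DEV" ] || { echo "encrypt_swap: $SWAP_DEV is not a block device" >&2; return 1; }
    # Never build a mapping over an existing one (second manual run, or rcS-late already did it).
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
        echo "encrypt_swap: /dev/mapper/$MAPPER_NAME already exists" >&2
        return 1
    fi
    # At boot the replaced "swapon -a" has not run; by hand the plain swap is
    # still active and must be released before the partition can be remapped.
    if is_active_swap "$SWAP_DEV" < /proc/swaps; then
        swapoff "$SWAP_DEV"
    fi
    modprobe dm_mod 2>/dev/null || true     # may be built into the kernel
    modprobe dm_crypt
    # Plain dm-crypt mapping keyed from /dev/urandom: a fresh key every boot,
    # nothing to type in, and old swap contents are unreadable after a reboot.
    cryptsetup -d /dev/urandom create "$MAPPER_NAME" "$SWAP_DEV"
    mkswap "/dev/mapper/$MAPPER_NAME"
    swapon "/dev/mapper/$MAPPER_NAME"
    echo "encrypt_swap: swap now on /dev/mapper/$MAPPER_NAME" >&2
}

case "${1:-}" in
    run)  encrypt_swap ;;
    list) swap_partitions < /proc/swaps ;;
esac
```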

    lohner | # 2 | 2011-05-17, 16:19

    Great post, I'm trying to get full system encryption to work without any major issues. If that's not possible, I will use your softlink method instead. If anyone is interested in sharing their experiences, please do so in this thread.

    Last edited by lohner; 2011-05-17 at 16:20. Reason: Typo

    sph | # 3 | 2011-06-10, 11:53

    truecrypt gui just doesn't fit on the screen, better to build without

    sph | # 4 | 2011-06-10, 12:40

    couldn't actually build without gui, wxWidgets dependency hell

    nevertheless, I can't mount a volume, any idea what is wrong?
    Code:
    Nokia-N900:/home/user/MyDocs# truecrypt -t test.tc
    Enter mount directory [default]:
    Enter password for /home/user/MyDocs/test.tc:
    Enter keyfile [none]:
    Protect hidden volume (if any)? (y=Yes/n=No) [No]:
    Error: mount: mounting /dev/mapper/truecrypt1 on /media/truecrypt1 failed: Invalid argument
    UPD: container was broken, recreated and it worked fine

    Last edited by sph; 2011-06-10 at 14:03.

    blck | # 5 | 2011-06-13, 16:59

    Hey there,
    great tutorial. After six hours of trying I finally got it working. Wouldn't it be possible to load the compiled TrueCrypt 7.0a into extras-devel? It would save a lot of time, since the newest desktop version is TrueCrypt 7.0a and you need the same version for encrypting MyDocs via the PC. Anyway I got the following problem:
    I mount my encrypted MyDocs like this
    Code:
    truecrypt -m nokernelcrypto --protect-hidden=no /dev/mmcblk0p1 /home/user/MyDocs
    If mounted like this right at the start of the hildon-desktop (with the help of your script) I'm not able to access MyDocs as the normal user, only as root. If mounted afterwards via the terminal I could enter MyDocs without any problems. Hope you could help me and thanks a lot again!
    Cheers blck

    EDIT: Got it! Adding --fs-options=rw,uid=29999 to the tcmount did it.

    Last edited by blck; 2011-06-13 at 19:08.

    NIN101 | # 6 | 2011-06-15, 17:28

    Originally Posted by
    truecrypt gui just doesn't fit on the screen, better to build without
    But only if the maemo theme is used by TrueCrypt. I once started it somehow without, so it looked like a normal GTK application. Still not sure if some parts of the GUI would be more usable with that. Anyway, I'm using the GUI mostly for the mounting like in the screenshot because the rest can often be easier achieved with the CLI.

    Edit:
    :~# unset GTK2_RC_FILES
    :~# truecrypt

    Screenshots:
    http://img7.imagebanana.com/img/px4n...0625134520.png

    http://www.imagebanana.com/view/kegr...0625134600.png

    It is usable.

    Originally Posted by
    couldn't actually build without gui, wxWidgets dependency hell
    Yep, the building process depends on wxWidgets anyway, even if you only want to build a command line version.

    Originally Posted by
    Wouldn't it be possible to load the compiled TrueCrypt 7.0a into extras-devel?
    Yes I probably could do that once I get my N900 back from repairment.

    Originally Posted by
    EDIT: Got it! Adding --fs-options=rw,uid=29999 to the tcmount did it.
    Good point. Especially needed if the filesystem of the volume you are mounting is FAT, as the Unix file permission concept does not apply to it, so you couldn't make it work with a simple chown.

    Last edited by NIN101; 2011-06-25 at 11:51. Reason: Screenshots and GUI finetuning

    NIN101 | # 7 | 2011-08-22, 22:17

    Boom. Now that v48 is out we finally got the xts block cipher mode kernel module coming with the kernel. This (should) give faster performance for disk encryption software like TrueCrypt, which uses XTS by default. Version 6* which is in the repos is now actually obsolete (it's hardcoded with -m nokernelcrypto).

    Estel | # 8 | 2011-12-01, 21:21

    <Estel cast thread resurrection sign> *boom*

    NIN101, any chances of putting the latest truecrypt into maemo repos? It's a little shame that we still have the hardcoded -nokernelcrypto version in -devel. Anyway, thanks for doing 7.1, whenever it sits

    Also, please remember that you don't need to be a maintainer to upload a new version into -devel.

    /Estel

    Last edited by Estel; 2011-12-01 at 21:24.

    NIN101 | # 9 | 2011-12-02, 20:27

    I considered months ago packaging it, even created debs, but I finally didn't upload the stuff to extras-devel, because I have no motivation to deal with problems like kernel fragmentation¹. Of course, we could depend on kernel-power. But it's not that cool to force kernels. Users who install KP should manage to do a cp to /usr/bin or compile it (the best way). Modules for most known kernels could be shipped with some postinstall magic - but this is not exactly brilliant. A wrapper script with a fallback to -m nokernelcrypto if the needed modules are not found is cool, but... dunno.

    Pretty annoying starting situation
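The wrapper script with a nokernelcrypto fallback mentioned in this post, combined with the autostart tcmount from the first post, as an added example (not the thread's tcmount and not a package from the repos): it loads the dm-crypt and XTS modules named in the thread, checks /proc/modules, and drops -m nokernelcrypto only when they are all present. TC_VOLUME, TC_MOUNTPOINT, NEEDED_MODULES and the function names are placeholders and assumptions of this example; --protect-hidden=no and uid=29999 are the options from post #5. It is run from /etc/event.d/truecrypt the same way as the original tcmount.

```shell
#!/bin/sh
# Hypothetical /usr/bin/tcmount replacement (added example, not the thread's
# two-line script): use kernel crypto when the dm-crypt/XTS modules are
# loadable and fall back to -m nokernelcrypto otherwise, so the same script
# works on the stock kernel and on kernel-power v48 and later.

TC_VOLUME="${TC_VOLUME:-/dev/mmcblk0p1}"              # placeholder: your volume
TC_MOUNTPOINT="${TC_MOUNTPOINT:-/home/user/MyDocs}"   # placeholder: your mount point
# uid=29999 is Maemo's 'user' account (post #5); it only matters for FAT volumes,
# ext volumes keep ownership via chown and can use the noatime options instead.
TC_FS_OPTIONS="${TC_FS_OPTIONS:-rw,uid=29999}"
# Modules named in the thread. Cipher module names vary between kernels
# (aes vs aes_generic), so add them here yourself if you want them checked too.
NEEDED_MODULES="${NEEDED_MODULES:-dm_mod dm_crypt xts}"

# Read a /proc/modules style listing (module name in column 1) from stdin and
# print "kernel" if every module in NEEDED_MODULES is loaded, else "nokernelcrypto".
# Assumption: support compiled into the kernel is not listed there and is
# therefore treated as absent; set NEEDED_MODULES="" to force kernel mode.
tc_crypto_mode() {
    awk -v needed="$NEEDED_MODULES" '
        BEGIN { n = split(needed, want, " ") }
        { have[$1] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) { print "nokernelcrypto"; exit }
            print "kernel"
        }'
}

tc_mount() {
    for m in $NEEDED_MODULES; do modprobe "$m" 2>/dev/null || true; done
    mode="$(tc_crypto_mode < /proc/modules)"
    echo "tcmount: mounting $TC_VOLUME with $mode crypto" >&2
    # Same invocation as the thread's tcmount, minus -m when the kernel can do XTS.
    set -- --protect-hidden=no "--fs-options=$TC_FS_OPTIONS" "$TC_VOLUME" "$TC_MOUNTPOINT"
    [ "$mode" = "kernel" ] || set -- -m nokernelcrypto "$@"
    truecrypt "$@"
}

# Only mount when run as the installed script (e.g. by /etc/event.d/truecrypt),
# not when the file is sourced for testing.
case "${0##*/}" in
    tcmount) tc_mount ;;
esac
```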

    woody14619 | # 10 | 2011-12-02, 20:45

    Originally Posted by NIN101
    Of course, we could depend on kernel-power. But it's not that cool to force kernels.
    It is if you make it a separate package (e.g. kp-truecrypt).
