maemo.org - Talk > OS / Platform > Maemo 5 / Fremantle
#1
2010-12-14, 21:13
jcolinzheng
Join Date: Dec 2010
Posts: 1
Thanks!: 0
Thanked 1 Time in 1 Post
LUKS/dm-crypt stores for /home/user and swap

Here's a brief HOWTO for encrypting personal data using LUKS/dm-crypt, on N900.

(I have not tried truecrypt, which is significantly less efficient than dm-crypt as it uses FUSE. But I don't see why we can't make it work with similar hacks.)

We will do the following:
  • Reduce the 27G FAT partition at MyDocs, to 8G, and create a LUKS partition of size 19G, mounted at /home/user at startup
  • Encrypt the swap partition /dev/mmcblk0p3 at startup
  • There's no need to encrypt /tmp since it's an in-memory tmpfs

HOWEVER: Since the Titan kernel has no support(?) for framebuffer console, there is currently no way to enter the passphrase during boot. For now, I'm using a key-file saved as /etc/LUKS-key. This temporary workaround is insecure in theory, but should work well in practice, if you choose a cryptic name (instead of LUKS-key) and obfuscate the startup script that unlocks the encrypted partition.

In future, the key-file should be disabled using cryptsetup's luksRemoveKey command, as soon as we have framebuffer console. (See http://talk.maemo.org/showthread.php?t=40154 for a kernel with console support - but I couldn't give up titan's kernel for it.)

******************************************************

NOTE: The hack works for the latest rootfs version (2010.36). Original data on /dev/mmcblk0p1 will be lost, so do a backup.

REQUIRED: cryptsetup from extra-devel, a kernel with dm_crypt support - eg Titan's kernel-power. Root access.

STEPS:
  • Unmount /dev/mmcblk0p1: umount /home/user/MyDocs
  • Generate key file:
    Code:
    dd if=/dev/urandom of=/etc/LUKS-key bs=512 count=1
  • Partition mmcblk0 using "sfdisk --no-reread /dev/mmcblk0 < table", in my case "table" has content
    Code:
    # partition table of /dev/mmcblk0
    unit: sectors
    
    /dev/mmcblk0p1 : start=       64, size= 16777216, Id= c
    /dev/mmcblk0p2 : start= 56631360, size=  4194304, Id=83
    /dev/mmcblk0p3 : start= 60825664, size=  1572864, Id=82
    /dev/mmcblk0p4 : start= 16777280, size= 39854080, Id=e8
    Reboot.
  • Set up LUKS on /dev/mmcblk0p4:
    Code:
    modprobe dm_crypt
    cryptsetup luksFormat /dev/mmcblk0p4
    cryptsetup luksAddKey /dev/mmcblk0p4 /etc/LUKS-key
    cryptsetup luksOpen /dev/mmcblk0p4 user
    (You'll be prompted for a passphrase when you do luksFormat - there is a chance that the passphrase you enter gets written on the swap partition if RAM is tight, so pick a temporary passphrase for now.)
  • Format mmcblk0p4:
    Code:
    mkfs.ext3 /dev/mapper/user
    tune2fs -c 0 -i 0 /dev/mapper/user
    mount /dev/mapper/user /mnt; chown user:users /mnt
    Now is a good time to copy the settings under /home/user to /mnt
  • In /etc/event.d/rcS-late, right after the block
    Code:
        # Initialize PRNG pool with the HW RNG. Slow, but that's ok.
        URANDOM_POOLSZ=512
        if [ -e /dev/hwrng ]; then
          echo "Seeding entropy pool"
          dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1
        fi
    add the following lines
    (NOTE: we need to wait for /dev/urandom to be seeded and for /home to be mounted)
    Code:
    #### Colin's hack ####
        modprobe dm_crypt
    
        swapoff -a
        cryptsetup -d /dev/urandom create swap /dev/mmcblk0p3
        mkswap /dev/mapper/swap && swapon /dev/mapper/swap
    
        echo "user /dev/mmcblk0p4 /etc/LUKS-key luks" > /etc/crypttab
        /etc/init.d/cryptdisks start
        rm -rf /home/user; mkdir /home/user; chown user:users /home/user
        mount -o noatime /dev/mapper/user /home/user
        initctl emit MOUNTS_OK
    #####################
    and comment out any earlier occurrence of "initctl emit MOUNTS_OK".
  • Add the following to /etc/init.d/minishutdown and /etc/init.d/minireboot, after the line "usr/sbin/umountfs"
    Code:
    /etc/init.d/cryptdisks stop
  • Since Maemo mistakes /dev/dm-* (newly created device mapper nodes) for MMC, we need to explicitly tell it to use /dev/mmcblk0p1.
    (a) In /usr/sbin/osso-mmc-mount.sh, add a line "set /dev/mmcblk0p1 $2" at the beginning.
    (b) In /usr/sbin/osso-usb-mass-storage-enable.sh and /usr/sbin/osso-usb-mass-storage-disable.sh, add "set /dev/mmcblk0p1" at the beginning.
    That's it, but this is assuming you don't need external cards to be auto-managed by Maemo. To fix that, only replace by "/dev/mmcblk0p1" if the $1 is "/dev/dm-*". (I didn't bother to do that as I don't use external storage cards.)

If you have made it to this point without any problem, reboot and check with "df". You should have something like
Code:
/dev/mapper/user      19613660    190348  18426988   1% /home/user
/dev/mmcblk0p1         8372236        28   8372208   0% /home/user/MyDocs

Last edited by jcolinzheng; 2010-12-15 at 21:29.
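As an added example (not from jcolinzheng's post and not part of Maemo or the Titan kernel), the POSIX shell script below packages the checks a practitioner would want around three of the steps above: it validates an sfdisk "unit: sectors" table before it is fed to sfdisk (an overlapping or oversized entry silently destroys neighbouring partitions), it checks the /etc/LUKS-key workaround for group/other readability and length, and it gives a guarded form of the rcS-late block that refuses to rm -rf /home/user unless /dev/mapper/user actually came up, so a failed unlock cannot leave the user writing private data into an unencrypted directory on the rootfs. The function names, the assumed eMMC size of 62521344 sectors and the demo at the bottom are my own; the table in the demo is the one from the post.

```shell
#!/bin/sh
# Added pre-flight and startup checks for the LUKS/dm-crypt setup described
# above. Not part of the original post; function names, the assumed device
# size and the demo at the bottom are my own.

# (1) Validate an sfdisk "unit: sectors" dump before running
#     "sfdisk --no-reread /dev/mmcblk0 < table". A typo in start= or size=
#     silently destroys neighbouring partitions, so refuse a table whose
#     partitions overlap or run past the end of the device.
#     Usage: validate_sfdisk_table TABLE_FILE DISK_SECTORS   (0 = OK, 1 = bad)
validate_sfdisk_table() {
    awk -v disk="$2" '
        BEGIN { bad = 0; n = 0 }
        /^unit:/ && $2 != "sectors" { print "table must use unit: sectors"; bad = 1 }
        /^\/dev\// {
            match($0, /start= *[0-9]+/); s = substr($0, RSTART + 6, RLENGTH - 6) + 0
            match($0, /size= *[0-9]+/);  z = substr($0, RSTART + 5, RLENGTH - 5) + 0
            if (z == 0) next                      # empty slot, nothing to check
            n++; name[n] = $1; lo[n] = s; hi[n] = s + z
            if (hi[n] > disk) { printf "%s runs past the device end\n", $1; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] < hi[j] && lo[j] < hi[i]) {
                        printf "%s overlaps %s\n", name[i], name[j]; bad = 1
                    }
            exit bad
        }' "$1"
}

# (2) The key file sits on the unencrypted rootfs, so at minimum it must not be
#     readable by group/other and must really hold the 512 bytes dd produced.
#     Usage: check_keyfile FILE   (0 = OK, 1 = problem)
check_keyfile() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)             # group+other permission bits
    [ "$perms" = "------" ] || { echo "$1: readable by group/other"; return 1; }
    [ "$(wc -c < "$1" | tr -d ' ')" -ge 512 ] || { echo "$1: too short"; return 1; }
}

# (3) Guarded form of the rcS-late block. The original runs
#     "rm -rf /home/user; ...; mount ..." unconditionally, so if luksOpen fails
#     the user ends up with an empty, unencrypted /home/user on the rootfs and
#     applications silently write private data there. Refuse to touch the
#     directory unless the mapper node exists.
#     Usage: mount_encrypted_home MAPPER_DEVICE MOUNTPOINT
#     Returns 2 if the mapping is absent, 3 if mount fails, 0 on success.
mount_encrypted_home() {
    mapper="$1"; mnt="$2"
    case "$mnt" in ""|/) echo "refusing to operate on '$mnt'"; return 1 ;; esac
    if [ ! -b "$mapper" ]; then
        echo "$mapper not present; leaving $mnt untouched" >&2
        return 2
    fi
    rm -rf "$mnt" && mkdir -p "$mnt" && chown user:users "$mnt" || return 3
    mount -o noatime "$mapper" "$mnt" || return 3
    initctl emit MOUNTS_OK
}

# Demo: the partition table from the post, checked against an assumed eMMC
# size of 62521344 sectors (constructed value, not from the post).
TABLE=$(mktemp)
cat > "$TABLE" <<'EOF'
# partition table of /dev/mmcblk0
unit: sectors

/dev/mmcblk0p1 : start=       64, size= 16777216, Id= c
/dev/mmcblk0p2 : start= 56631360, size=  4194304, Id=83
/dev/mmcblk0p3 : start= 60825664, size=  1572864, Id=82
/dev/mmcblk0p4 : start= 16777280, size= 39854080, Id=e8
EOF
validate_sfdisk_table "$TABLE" 62521344 && echo "partition table OK"
rm -f "$TABLE"
```

Run the first two functions as root before the sfdisk and luksAddKey steps; mount_encrypted_home is a drop-in for the "rm -rf /home/user ... initctl emit MOUNTS_OK" lines in rcS-late, called as "mount_encrypted_home /dev/mapper/user /home/user" after "/etc/init.d/cryptdisks start". On the table from the post the four partitions are contiguous (p1 ends at sector 16777280 where p4 starts, p4 ends at 56631360 where p2 starts, p2 ends at 60825664 where p3 starts), so the validator passes it.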
#2
2011-05-17, 18:41
lohner
Join Date: May 2011
Posts: 49
Thanks!: 42
Thanked 39 Times in 21 Posts
Re: LUKS/dm-crypt stores for /home/user and swap

I don't know much about dm-crypt, but it seems, as it uses a loop device, that the same procedure as with the truecrypt home encryption could be used.
That is, do a normal startup, mount the home folder afterwards and restart most of the programs to make them use the new home folder.
see also http://talk.maemo.org/showthread.php?p=1008309
#3
2011-05-28, 18:04
sourcedriver
Join Date: May 2011
Posts: 3
Thanks!: 0
Thanked 0 Times in 0 Posts
Re: LUKS/dm-crypt stores for /home/user and swap

Thank you, jcolinzheng, for this how-to. I had been searching for a way to encrypt my personal data with LUKS and DM-crypt the way I do on my laptop. I've followed your instructions and it works just as you describe.

I want to have to enter a password to unencrypt every time I start the device. I was actually able to get a framebuffer console running with the titan kernel version 47 by following these instructions for editing /sbin/preinit.
After that I went ahead and removed LUKS-key... but I am not sure how/where to edit your code so that it prompts me for the password and automatically mounts the partitions.

Maybe in /etc/event.d/rcS-late ?

Last edited by sourcedriver; 2011-05-28 at 18:14.