Maemo 5 N900 - Encrypted home resources
Go to file
Albert S. 6ab22efc9d (reset history) 2017-01-08 10:06:30 +01:00
README (reset history) 2017-01-08 10:06:30 +01:00 (reset history) 2017-01-08 10:06:30 +01:00
rcS (reset history) 2017-01-08 10:06:30 +01:00
rcS-late (reset history) 2017-01-08 10:06:30 +01:00


The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile. 

The method as described below is not be the best for the most paranoid
users. The N900 may not have enough entropy when generating the keys.
The result: low-quality keys. 
Please refer to the cryptsetup manual for more details, especially
Thanks to "robotanarchy" for pointing this out. 
In practise, if you are not protecting yourself against 
certain 3 letter organizations you should be ok anyway...

The method as described below was pretty much the only possible way back
then when this document was written.
These days, a much simpler approach would be to use rescueOS
to mount the home partition, copy all the data to your HDD on your PC,
overwriting the partition with /dev/urandom data
and then to use cryptsetup, e. g. with --use-random to luksFormat
the home partition. Then you simply copy all the data back.
However, you still need to modify bootscripts, therefore 
you can still refer to the instructions below. 
Of course, you can also use rescueOS to modify the bootscripts.
This should make things easier.

Partially outdated:

Required for installation:
-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
-Console skills. 

Reflashing COMBINED with an encrypted home partition is funny. Hope that 
you never have to.

Read the warning in rcS.

Getting started
WARNING: It's easy to mess it up (in the first try). 
You are doing everything at own risk. Don't expect support if something
goes wrong.

As long as we are in hildon, the partition is in use, which means we can 
not just unmount and encrypt it. In R&D mode(with disabled watchdogs) 
through ssh, after killing hildon and other stuff, it might be possible, but it is
too messy. 

First, we need the fbcon kernel module. power kernel >=v47 ships it, 
but you can also compile it into the kernel in case you use a different kernel. 

If you have the module:
Open /sbin/preinit
Go to the init_system() function.
above of the "}" insert: modprobe fbcon. 
This seems to be a good place for it. /sbin/preinit is under
some nokia licence which prohibits sharing that file. 

1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions. 

2. Now we just need a shell. /etc/init.d/rcS asks for it. After
"/sbin/hwclock -s || true" we can add it this code: 

watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
watchdog -t 10 /dev/watchdog
loadkmap < /nokia-n900.kmap		#To get special characters working
echo "Press any key to enable shell"
read -n 1 -t 2 shellmode
if [ -n "$shellmode"  ] ; then
killall watchdog #so that later dsme can continue doing this job. 

You need something like the busybox-power package(stock version doesn't 
have loadkmap and watchdog included).

They keymap can be found in meego-ce or here:
However, you have to convert it (not on the N900) by using "loadkeys -b > nokia-n900.kmap"

3. Reboot. 
4. An example setup:
   cryptsetup luksFormat /dev/mmcblk0p2
   cryptsetup luksOpen /dev/mmcblk0p2 home_luks
   mkfs.ext3 /dev/mapper/home_luks
   mount -t ext3 /dev/mapper/home_luks /mnt/
   #and now copy back with permissions and unmount /mnt/
  NOTE: This does not perform a secure delete. Keep this in mind!
5. If you type exit now, your device won't boot because you still have the old bootscripts. 
Study the scripts in the directory you got this README from. 

Start with rcS-late (it mounts the home partition). 

Then modify rcS (after your first successful bootup with an encrypted home partition). 
It'll ask you on every boot for the LUKS password. 

If everything looks fine for you, replace the scripts. is also useful. 

Happy hacking!