(reset history)
This commit is contained in:
111
README
Normal file
111
README
Normal file
@ -0,0 +1,111 @@
|
||||
The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile.
|
||||
|
||||
|
||||
Update:
|
||||
=======
|
||||
The method as described below is not be the best for the most paranoid
|
||||
users. The N900 may not have enough entropy when generating the keys.
|
||||
The result: low-quality keys.
|
||||
Please refer to the cryptsetup manual for more details, especially
|
||||
the section. "NOTES ON RANDOM NUMBER GENERATORS".
|
||||
Thanks to "robotanarchy" for pointing this out.
|
||||
In practise, if you are not protecting yourself against
|
||||
certain 3 letter organizations you should be ok anyway...
|
||||
|
||||
The method as described below was pretty much the only possible way back
|
||||
then when this document was written.
|
||||
These days, a much simpler approach would be to use rescueOS
|
||||
to mount the home partition, copy all the data to your HDD on your PC,
|
||||
overwriting the partition with /dev/urandom data
|
||||
and then to use cryptsetup, e. g. with --use-random to luksFormat
|
||||
the home partition. Then you simply copy all the data back.
|
||||
However, you still need to modify bootscripts, therefore
|
||||
you can still refer to the instructions below.
|
||||
Of course, you can also use rescueOS to modify the bootscripts.
|
||||
This should make things easier.
|
||||
|
||||
|
||||
Partially outdated:
|
||||
|
||||
Required for installation:
|
||||
==========================
|
||||
-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
|
||||
-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
|
||||
-Console skills.
|
||||
|
||||
Reflashing COMBINED with an encrypted home partition is funny. Hope that
|
||||
you never have to.
|
||||
|
||||
Read the warning in rcS.
|
||||
|
||||
|
||||
Getting started
|
||||
========================
|
||||
WARNING: It's easy to mess it up (in the first try).
|
||||
You are doing everything at own risk. Don't expect support if something
|
||||
goes wrong.
|
||||
|
||||
|
||||
As long as we are in hildon, the partition is in use, which means we can
|
||||
not just unmount and encrypt it. In R&D mode(with disabled watchdogs)
|
||||
through ssh, after killing hildon and other stuff, it might be possible, but it is
|
||||
too messy.
|
||||
|
||||
First, we need the fbcon kernel module. power kernel >=v47 ships it,
|
||||
but you can also compile it into the kernel in case you use a different kernel.
|
||||
|
||||
If you have the module:
|
||||
++++++++++++++++++++++++
|
||||
Open /sbin/preinit
|
||||
Go to the init_system() function.
|
||||
above of the "}" insert: modprobe fbcon.
|
||||
+++++++++++++++++++++++++
|
||||
This seems to be a good place for it. /sbin/preinit is under
|
||||
some nokia licence which prohibits sharing that file.
|
||||
|
||||
1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions.
|
||||
|
||||
2. Now we just need a shell. /etc/init.d/rcS asks for it. After
|
||||
"/sbin/hwclock -s || true" we can add it this code:
|
||||
|
||||
watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
|
||||
watchdog -t 10 /dev/watchdog
|
||||
loadkmap < /nokia-n900.kmap #To get special characters working
|
||||
echo "Press any key to enable shell"
|
||||
read -n 1 -t 2 shellmode
|
||||
if [ -n "$shellmode" ] ; then
|
||||
sh
|
||||
fi
|
||||
killall watchdog #so that later dsme can continue doing this job.
|
||||
|
||||
You need something like the busybox-power package(stock version doesn't
|
||||
have loadkmap and watchdog included).
|
||||
|
||||
They keymap can be found in meego-ce or here:
|
||||
http://bazaar.launchpad.net/~pali/+junk/maemo_recovery-boot/view/head:/nokia-n900.map
|
||||
However, you have to convert it (not on the N900) by using "loadkeys -b nokia-n900.map > nokia-n900.kmap"
|
||||
|
||||
|
||||
3. Reboot.
|
||||
4. An example setup:
|
||||
cryptsetup luksFormat /dev/mmcblk0p2
|
||||
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
|
||||
mkfs.ext3 /dev/mapper/home_luks
|
||||
mount -t ext3 /dev/mapper/home_luks /mnt/
|
||||
#and now copy back with permissions and unmount /mnt/
|
||||
|
||||
NOTE: This does not perform a secure delete. Keep this in mind!
|
||||
|
||||
5. If you type exit now, your device won't boot because you still have the old bootscripts.
|
||||
Study the scripts in the directory you got this README from.
|
||||
|
||||
Start with rcS-late (it mounts the home partition).
|
||||
|
||||
Then modify rcS (after your first successful bootup with an encrypted home partition).
|
||||
It'll ask you on every boot for the LUKS password.
|
||||
|
||||
If everything looks fine for you, replace the scripts.
|
||||
|
||||
osso-mmc-mount.sh is also useful.
|
||||
|
||||
Happy hacking!
|
||||
Reference in New Issue
Block a user