112 rader
4.0 KiB
Plaintext
112 rader
4.0 KiB
Plaintext
The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile.
|
|
|
|
|
|
Update:
|
|
=======
|
|
The method as described below is not be the best for the most paranoid
|
|
users. The N900 may not have enough entropy when generating the keys.
|
|
The result: low-quality keys.
|
|
Please refer to the cryptsetup manual for more details, especially
|
|
the section. "NOTES ON RANDOM NUMBER GENERATORS".
|
|
Thanks to "robotanarchy" for pointing this out.
|
|
In practise, if you are not protecting yourself against
|
|
certain 3 letter organizations you should be ok anyway...
|
|
|
|
The method as described below was pretty much the only possible way back
|
|
then when this document was written.
|
|
These days, a much simpler approach would be to use rescueOS
|
|
to mount the home partition, copy all the data to your HDD on your PC,
|
|
overwriting the partition with /dev/urandom data
|
|
and then to use cryptsetup, e. g. with --use-random to luksFormat
|
|
the home partition. Then you simply copy all the data back.
|
|
However, you still need to modify bootscripts, therefore
|
|
you can still refer to the instructions below.
|
|
Of course, you can also use rescueOS to modify the bootscripts.
|
|
This should make things easier.
|
|
|
|
|
|
Partially outdated:
|
|
|
|
Required for installation:
|
|
==========================
|
|
-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
|
|
-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
|
|
-Console skills.
|
|
|
|
Reflashing COMBINED with an encrypted home partition is funny. Hope that
|
|
you never have to.
|
|
|
|
Read the warning in rcS.
|
|
|
|
|
|
Getting started
|
|
========================
|
|
WARNING: It's easy to mess it up (in the first try).
|
|
You are doing everything at own risk. Don't expect support if something
|
|
goes wrong.
|
|
|
|
|
|
As long as we are in hildon, the partition is in use, which means we can
|
|
not just unmount and encrypt it. In R&D mode(with disabled watchdogs)
|
|
through ssh, after killing hildon and other stuff, it might be possible, but it is
|
|
too messy.
|
|
|
|
First, we need the fbcon kernel module. power kernel >=v47 ships it,
|
|
but you can also compile it into the kernel in case you use a different kernel.
|
|
|
|
If you have the module:
|
|
++++++++++++++++++++++++
|
|
Open /sbin/preinit
|
|
Go to the init_system() function.
|
|
above of the "}" insert: modprobe fbcon.
|
|
+++++++++++++++++++++++++
|
|
This seems to be a good place for it. /sbin/preinit is under
|
|
some nokia licence which prohibits sharing that file.
|
|
|
|
1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions.
|
|
|
|
2. Now we just need a shell. /etc/init.d/rcS asks for it. After
|
|
"/sbin/hwclock -s || true" we can add it this code:
|
|
|
|
watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
|
|
watchdog -t 10 /dev/watchdog
|
|
loadkmap < /nokia-n900.kmap #To get special characters working
|
|
echo "Press any key to enable shell"
|
|
read -n 1 -t 2 shellmode
|
|
if [ -n "$shellmode" ] ; then
|
|
sh
|
|
fi
|
|
killall watchdog #so that later dsme can continue doing this job.
|
|
|
|
You need something like the busybox-power package(stock version doesn't
|
|
have loadkmap and watchdog included).
|
|
|
|
They keymap can be found in meego-ce or here:
|
|
http://bazaar.launchpad.net/~pali/+junk/maemo_recovery-boot/view/head:/nokia-n900.map
|
|
However, you have to convert it (not on the N900) by using "loadkeys -b nokia-n900.map > nokia-n900.kmap"
|
|
|
|
|
|
3. Reboot.
|
|
4. An example setup:
|
|
cryptsetup luksFormat /dev/mmcblk0p2
|
|
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
|
|
mkfs.ext3 /dev/mapper/home_luks
|
|
mount -t ext3 /dev/mapper/home_luks /mnt/
|
|
#and now copy back with permissions and unmount /mnt/
|
|
|
|
NOTE: This does not perform a secure delete. Keep this in mind!
|
|
|
|
5. If you type exit now, your device won't boot because you still have the old bootscripts.
|
|
Study the scripts in the directory you got this README from.
|
|
|
|
Start with rcS-late (it mounts the home partition).
|
|
|
|
Then modify rcS (after your first successful bootup with an encrypted home partition).
|
|
It'll ask you on every boot for the LUKS password.
|
|
|
|
If everything looks fine for you, replace the scripts.
|
|
|
|
osso-mmc-mount.sh is also useful.
|
|
|
|
Happy hacking!
|