N900 encrypted mass-storage mode
Imported to this wiki: 2018-11-11
Content date: 2011-??-??
An idea for an alternative to some of those "Crypto USB sticks" around there(which are often, even if NIST certified, insecure anyway. The principle is simple: You just map an encrypted file/partition and make it available for mass-storage mode. The system your N900 is connected to will never see the key nor know about the encryption that will happen on the N900.
Encryption of the Swap-Partition
- cat /proc/swaps - Find out which device is your swap partition. Usually it is /dev/mmcblk0p3
- Open /etc/event.d/rcS-late
- Find "swapon -a"
- Replace it with:
/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3 #or your swap device
/dev/urandom is the key file. Obviously, with every reboot a new key will be used. Furthermore we haven't really done a secure delete of the already existing data.
Connect your N900 to the computer, choose "mass-storage mode". Target volume must not be mounted.
Example with TrueCrypt
truecrypt --filesystem=none [additional-options] [path to volume]
/usr/sbin/osso-usb-mass-storage-enable.sh `truecrypt -t -l | grep [path to volume] | cut -f3 -d" "`
Example with LUKS
cryptsetup luksOpen [path to volume] [name for mapping]
/usr/sbin/osso-usb-mass-storage-enable.sh /dev/mapper/[name for mapping]
This should simply work. Problems with encryption software are usually the result of missing crypto kernel modules. XTS is needed for TC(if started without -m nokernelcrypto). You can find them here. AES has been compiled into the kernel, twofish is available as a module. The module for serpent has to be compiled.
Addendum: LUKS and filecontainers:
dd if=/dev/zero of=/home/user/MyDocs/bla bs=1024 count=3000 # 3MB
losetup /dev/loop[0-7] /home/user/MyDocs/bla #choose a loop device which is not already used by other programs. (simple "losetup" for list)
cryptsetup luksFormat /dev/loop[0-7]
cryptsetup luksOpen /dev/loop[0-7] mappingname
mkfs.ext3 /dev/mapper/mappingname #Or any other fs