N900 encrypted mass-storage mode

Meta

Imported to this wiki: 2018-11-11
Content date: 2011-??-??

Abstract

An idea for an alternative to some of those "Crypto USB sticks" out there (which are often insecure anyway, even if NIST certified). The principle is simple: you map an encrypted file or partition and make it available in mass-storage mode. The system your N900 is connected to never sees the key and does not know about the encryption, which happens entirely on the N900.


Encryption of the Swap-Partition


/dev/urandom is used as the key file, so a new key is generated at every reboot. Note that this does not securely erase the data that was already on the swap partition.

Connect your N900 to the computer and choose "mass-storage mode". The target volume must not be mounted while it is exported.

Example with TrueCrypt

truecrypt --filesystem=none [additional-options] [path to volume]
/usr/sbin/osso-usb-mass-storage-enable.sh `truecrypt -t -l | grep [path to volume] | cut -f3 -d" "`

Example with LUKS

cryptsetup luksOpen [path to volume] [name for mapping]
/usr/sbin/osso-usb-mass-storage-enable.sh /dev/mapper/[name for mapping]


Troubleshooting

This should simply work. Problems with the encryption software are usually caused by missing crypto kernel modules. TrueCrypt needs XTS (unless it is started with -m nokernelcrypto). You can find them here. AES is compiled into the kernel, Twofish is available as a module, and the Serpent module has to be compiled yourself.

Addendum: LUKS and file containers:

dd if=/dev/zero of=/home/user/MyDocs/bla bs=1024 count=3000 # 3000 KiB, roughly 3 MB container file
losetup /dev/loop[0-7] /home/user/MyDocs/bla # choose a loop device not already used by another program ("losetup -a" lists the ones in use)
cryptsetup luksFormat /dev/loop[0-7] # sets the passphrase; destroys whatever was in the file
cryptsetup luksOpen /dev/loop[0-7] mappingname # creates /dev/mapper/mappingname
mkfs.ext3 /dev/mapper/mappingname # or any other filesystem the host side understands
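The TrueCrypt lookup above (grep piped into cut) and the LUKS container steps, combined into one script as an added example that is not from the original page. It assumes the page's /usr/sbin/osso-usb-mass-storage-enable.sh, assumes a matching -disable.sh counterpart exists, uses the constructed container path /home/user/MyDocs/bla and mapping name cryptusb, and must run as root on the N900.

```shell
#!/bin/sh
# Added example (not from the wiki page): open a LUKS file container
# on a loop device, hand the mapping to the mass-storage script, and
# tear it down again. Paths below marked "assumed" are assumptions.
CONTAINER=${CONTAINER:-/home/user/MyDocs/bla}   # constructed path
MAPNAME=${MAPNAME:-cryptusb}                    # constructed name
ENABLE=/usr/sbin/osso-usb-mass-storage-enable.sh    # from the page
DISABLE=/usr/sbin/osso-usb-mass-storage-disable.sh  # assumed to exist

# Resolve the /dev/mapper device of a TrueCrypt volume from the output
# of "truecrypt -t -l" read on stdin. The volume field is compared
# exactly, so /path/vol no longer also matches /path/vol2 the way the
# page's "grep | cut" pipeline does. Exit 1 if the volume is unmapped.
tc_mapper_for() {
    awk -v vol="$1" '$2 == vol { print $3; found = 1 }
                     END { exit found ? 0 : 1 }'
}

# Exit 0 if DEV is a mounted device in /proc/mounts-style lines on
# stdin. The page requires the target to be unmounted before export.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit found ? 0 : 1 }'
}

# Attach the container, open it, refuse to export it if it is mounted
# locally (two writers on one block device corrupt it), then export.
export_container() {
    loopdev=$(losetup -f) || return 1          # first free loop device
    losetup "$loopdev" "$CONTAINER" || return 1
    cryptsetup luksOpen "$loopdev" "$MAPNAME" || { losetup -d "$loopdev"; return 1; }
    if is_mounted "/dev/mapper/$MAPNAME" < /proc/mounts; then
        echo "refusing: /dev/mapper/$MAPNAME is mounted locally" >&2
        cryptsetup luksClose "$MAPNAME"; losetup -d "$loopdev"; return 1
    fi
    echo "$loopdev"                            # remember it for teardown
    "$ENABLE" "/dev/mapper/$MAPNAME"
}

# Reverse order: stop exporting, close the mapping so the key leaves
# kernel memory, then detach the loop device given as argument.
teardown_container() {
    "$DISABLE" "/dev/mapper/$MAPNAME"
    cryptsetup luksClose "$MAPNAME"
    losetup -d "$1"
}

case "${1:-}" in
    export)   export_container ;;
    teardown) teardown_container "$2" ;;
esac
```

Run as "sh script.sh export" before plugging in and "sh script.sh teardown /dev/loopN" (with the device it printed) after the host has unmounted the stick.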