In HOW-TO create and use an encrypted SD card as a folder on your eee I showed a way to store files easily in an encrypted SD card. However, for complete security, this is not enough. As you use your eee, all sorts of potentially sensitive information may be written to your Home Folder without you being able to divert it to your encrypted folder - copies of emails, log on information for web sites, etc. What is needed is a way to store all your Home Folder on an encrypted SD card.
In an ideal world, it should be possible to interrupt the eee PC boot process to allow you to enter a Truecrypt password, and then allow the boot to continue as normal. Alternatively it should be possible to use the Linux PAM mechanism to share your login password with Truecrypt. I've not been able to get either of these to work. The process I'm documenting here has been working successfully for me - please comment here to suggest better ways.
Warning - the initial setup is a bit flakey and may result in an unbootable eee, so don't try it unless you're happy you can restore your Eee using some other method.
Install Truecrypt and create an encrypted SD card
See HOW-TO create and use an encrypted SD card as a folder on your eee. The HOW-TO you are reading now assumes you have worked through the previous HOW-TO successfully.
Store the necessary files on /opt
We need to move the myfolder.sh out of harm's way off the Home Folder. I'm putting it on /opt.
home/user> cd /opt
/opt> sudo mkdir /opt/truecrypt
/opt> sudo chown user:user /opt/truecrypt
/opt> cd truecrypt
/opt/truecrypt> mv -v /home/user/myfolder.sh .
I now need to change myfolder.sh and simpleui.rc to point to the new locations.
Edit /opt/truecrypt/myfolder.sh:
#!/bin/bash
STORE="/dev/sdcard1"
HOME="/home/user"
Sudo edit /opt/xandros/share/AsusLauncher/simpleui.rc:
<parcel simplecat="Work" extraargs="/opt/truecrypt/myfolder.sh"
icon="disk_utility_norm.png"
selected_icon="disk_utility_hi.png">
<name lang="en">Disk</name>
</parcel>
If you're still using the default desktop theme, I suggest you change it now (the reason will be obvious later) using Settings -> Personalization -> Desktop Theme. Close down any running applications except your terminal window.
Copy your Home Folder to the encrypted SD card
Note: the -a archive flag copies all sub folders too.
/opt/truecrypt> mkdir user
/opt/truecrypt> truecrypt /dev/sdcard1 user
Enter password for '/dev/sdcard1':
/opt/truecrypt> sudo cp -av /home/user .
/opt/truecrypt> truecrypt -d
Backup your Home Folder and create a new empty one
This is the scary bit. Once we've moved /home/user to /home/backup, we have effectively cut the ground away from under our feet. Even though we quickly create a new /home/user, it's empty, and any programs currently running on the eee which are expecting to write to the old /home/user might die terribly. Cross your fingers ... and type quickly!
/opt/truecrypt> sudo mv -v /home/user /home/backup
/opt/truecrypt> sudo mkdir /home/user
/opt/truecrypt> sudo chown user:user /home/user
Reboot your eee
You'll probably find nothing much works, but you should be able to <Alt><Ctrl><Backspace> to reboot the eee. You should see the initial set-up screens - as if you had a brand new eee. Login as normal - set the eee for automatic login. Note the theme - it will be the eee default.
Now find the 'Disk' icon you put on the 'Work' tab. Click on it, and give your Truecrypt password. You may or may not see the 'Successful' message. Now <Alt><Ctrl><Backspace>. The eee will reboot, and you should see everything as normal (the desktop theme will change).
Using the encrypted SD card
From now on, when you switch on your eee, it will always boot into the 'empty' home folder (having a different theme reminds you that you aren't connected to your encrypted drive yet). Click on the 'Disk' icon, enter your Truecrypt password, <Alt><Ctrl><Backspace>, and you're in business.
A simpler boot up process
Note: once you are happy everything is working correctly you can remove the backup with sudo rm -rf /home/backup.
I also recommend you download and use this modified myfile.sh script which automatically does the <Alt><Ctrl><Backspace> as soon as the Truecrypt disk is connected. With this script, all you need to do is click on the Disk icon, enter your Truecrypt password, and click <OK>. Just like logging on.
Have you a better way to do this?
Please post replies below.
Do not ever ever forget your Truecrypt password
Last edited by jpmcc (2008-01-22 2:01:34 pm)
Offline
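The HOW-TO above references myfolder.sh / mydisk.sh but only shows its variable header. The script below is an added example written for this page, not the author's script: it mounts the Truecrypt volume over the Home Folder the way the procedure describes, checks from /proc/mounts that the mount actually landed on /home/user before trusting it, reports how much plaintext the unencrypted "empty" home has accumulated before the mount, and then restarts the X session with pkill -x icewm (the Ctrl-Alt-Backspace equivalent mentioned later in the thread) so every program re-reads its configuration from the encrypted copy. It assumes the Truecrypt 4.x command form used in the HOW-TO (truecrypt <device> <mountpoint>), the stock Xandros icewm session, and the hypothetical file name mount-home.sh used in the guard at the end.

```bash
#!/bin/bash
# Added example (not the author's myfolder.sh): mount the Truecrypt volume over
# the Home Folder, verify it, then restart the X session. Assumes the Truecrypt
# 4.x CLI used in the HOW-TO, an icewm session, and the names below.
set -u

STORE="/dev/sdcard1"   # encrypted SD card partition, as in the HOW-TO
TARGET="/home/user"    # mount point: the Home Folder itself
OWNER="user"           # expected owner of the mounted tree
# TARGET is used instead of HOME so the script does not clobber $HOME for
# anything it launches.

# is_mounted_at MOUNTS MOUNTPOINT: returns 0 if MOUNTS (text in /proc/mounts
# format, one mount per line) lists MOUNTPOINT as a mount point. Field 2 of
# /proc/mounts is the mount point. Pure text check, so it can be tested
# without a device.
is_mounted_at() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }'
}

# count_entries DIR: number of files and directories below DIR, hidden ones
# included. Before the mount this is how much plaintext the unencrypted
# shadow home is holding (the auto-login session writes there freely).
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# mount_home: mount STORE over TARGET unless it is already mounted there,
# then refuse to continue if the mount point or its owner are not as expected.
mount_home() {
    if is_mounted_at "$(cat /proc/mounts)" "$TARGET"; then
        echo "$TARGET is already on the encrypted volume" >&2
        return 0
    fi
    echo "shadow $TARGET currently holds $(count_entries "$TARGET") plaintext entries" >&2
    # Truecrypt prompts for the volume password itself.
    truecrypt "$STORE" "$TARGET" || return 1
    is_mounted_at "$(cat /proc/mounts)" "$TARGET" \
        || { echo "$TARGET is still not a mount point" >&2; return 1; }
    [ "$(stat -c %U "$TARGET")" = "$OWNER" ] \
        || { echo "mounted tree is not owned by $OWNER" >&2; return 1; }
    return 0
}

# restart_session: scripted Ctrl-Alt-Backspace. Killing the window manager ends
# the X session; Xandros auto-login then starts a fresh one on the mounted home.
restart_session() {
    pkill -x icewm
}

# Only act when run directly as mount-home.sh (hypothetical name), so the
# functions can also be sourced and tested on their own.
if [ "${0##*/}" = "mount-home.sh" ]; then
    mount_home && restart_session
fi
```

Note that restart_session only runs after both checks pass; if the volume failed to mount you stay in the shadow home with an error on the terminal rather than silently restarting into the wrong profile.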
I've now been using this encrypted home disk for three weeks without any problems, so I've edited the text above to remove the warnings about it being experimental. I've also uploaded an improved login script.
Enjoy - and if you've found a better way, please post here!
Offline
Hi John,
Thanks again! This is really great stuff.
I've set it up in a slightly different way - let me know what you think.
I have it set up with something short of the entire /home directory on the encrypted card.
I wanted my eeepc to be ready for use by guests and friends, but to store some of my personal settings (email, msn chat logs, etc) on the secure card.
I have left it so that the encrypted card maps to /home/user/files when it mounts, and then set up a number of symbolic links for setting files, pointing from the /home directory to the /home/files directory. This way, when the card is unmounted, users see e.g. a regular kopete setup screen when they run it, can enter their info, etc. But when the card is mounted, kopete sees my settings file, and loads with my account, etc.
Is it safe to use symbolic links for the settings, etc. in this way?
a
Offline
Software developers may assume that your home directory is private and secure, and may store all sorts of information there without telling you, especially in 'hidden' files (file names starting with a .). If you 'ls -la' from a terminal you may be surprised at how many files you find. Do you know what is in the files stored under .mozilla or .thunderbird, or in .bash_history for example?
I believe the only safe solution in a highly portable/loseable device like the Eee is to have a wholly encrypted home directory.
John
Offline
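The exchange above (symlinks into the encrypted folder versus a wholly encrypted home) comes down to what is still in plaintext. The function below is an added example, not code from either poster: given the layout described in that post (encrypted card mounted at a folder inside the Home Folder, hypothetical paths), it lists every top-level entry of the Home Folder, dot-files included, that is neither the encrypted mount point itself nor a symlink pointing into it. Whatever it prints is what a guest, or whoever finds the eee, can read without the Truecrypt password.

```bash
#!/bin/bash
# Added example (not from the thread): audit a Home Folder that uses the
# symlink approach and report what still sits in plaintext.

# plaintext_entries HOME ENC: print, one per line and sorted, each entry
# directly under HOME (hidden ones included) that is not ENC itself and is
# not a symlink whose target lies inside ENC. Symlink targets are compared
# as written (relative targets are taken relative to HOME); no '..'
# normalisation is attempted.
plaintext_entries() {
    local home="$1" enc="$2" entry target
    # The three globs together cover ordinary names and dot-files while
    # skipping '.' and '..'.
    for entry in "$home"/.[!.]* "$home"/..?* "$home"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # glob matched nothing
        [ "$entry" = "$enc" ] && continue                  # the mount point itself
        if [ -L "$entry" ]; then
            target=$(readlink -- "$entry")
            case "$target" in /*) ;; *) target="$home/$target" ;; esac
            case "$target" in "$enc"/*) continue ;; esac    # redirected: fine
        fi
        printf '%s\n' "${entry##*/}"
    done | LC_ALL=C sort
}

# Typical use on the layout from the post: plaintext_entries /home/user /home/user/files
```

Run it with the card unmounted as well as mounted: a symlink that points into the encrypted folder is counted as redirected either way, but anything the guest session created as a real file (a fresh .bash_history, a new .mozilla profile) shows up in the list.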
When I mount the /home/user, a curious thing happens. If I open the File Manager the encrypted disk contents show up, but if I open a Terminal window, the contents of the unmounted /home/user are displayed when I do "ls -a". If I start Midnight Commander from a Terminal window, the mounted directory contents show up! It is possible to edit files on the mounted device, but "ls" does not display them.
This problem is remedied when I do a ctrl-alt-backspace, but this slows down the login process a lot.
Maybe this is something to do with bash remembering the contents of the old $HOME directory??
Is it possible to mount the /home/user partition earlier in the startup sequence? This might avoid these problems. I've tried a few things with no success. Unfortunately the contents of /etc/fstab seem to be ignored in the stock Xandros installation.
Offline
I recommend doing the Ctrl Alt Backspace routine to guarantee that all the right config files (the ones from your encrypted disk) etc are loaded into memory. If you use the script I reference in the first post, it does the Ctrl Alt Backspace for you - the delay is minimal.
Offline
Which line in the script does the ctrl-alt-backspace occur at? It doesn't seem to happen and I couldn't find such a thing in the script at http://www.mealldubh.org/wp-content/stuff/myfolder.sh - it just puts a "success" dialog and exits.
Another note - if you use version 5 of truecrypt you don't need to load the dm-crypt and truecrypt kernel modules. I have managed to do this on my 900 and have encrypted my entire /dev/sdb1.
Offline
It looks like I had an old version of mydisk.sh on the site - apologies. I've uploaded the latest one - there's a line in it pkill -x icewm which does the Alt Ctrl backspace equivalent.
I must give truecrypt 5 a go - thanks for the tip
Offline
Thanks. I've incorporated your script in my /usr/bin/startsimple.sh. It's possible to do a ctrl-alt-bksp by exiting this script on a successful mount. A few modifications are required for truecrypt5.
It would be great if the truecrypt volume could be mounted earlier in the bootup sequence to avoid the untidiness and slowness of restarting X. So far any attempt at doing this has failed. Do you or anybody else have any suggestions? I fear that this might involve hacking /sbin/fastinit and I haven't managed to get hold of the code for this for the 900.
BTW - the modified mydisk.sh script doesn't have "pkill" etc in it yet.
Offline