George Foot <gfoot@users.sf.net>
TrueCrypt is a portable volume encryption system, which encrypts volume (disk partition) data and embeds it either within other files, or on raw disk partitions.
I've built the latest version (5.1) for the EeePC's default Xandros OS, and compiled here some notes on how to do this yourself (if you want to).
On my own EeePC, I've encrypted the entire user partition, which seems to work really well - see below for more details.
It wasn't too hard to build TrueCrypt on the EeePC, so with a little self-confidence you should be able to build your own binary if you want to. I already had gcc and make ready to go. I had to install pkg-config from the Debian repositories, and libfuse-dev. I used the 5.1a TrueCrypt sources, with wxWidgets 2.8.7. Then I just followed the instructions for installing without GUI support, as I didn't want to install libgtk-dev.
I used a tarball of fuse at one point, but stopped doing that when I realised that the EeePC already has fuse libraries installed as standard. So don't do that - just get the dev package to go with the end-user package you've already got.
The TrueCrypt documentation is somewhat geared towards GUI use, but the command line is really easy to use. Running:
truecrypt
with no parameters will give you a full option list, if you need it, and:
truecrypt -h
will give more details and some examples.
Probably what you want to do is encrypt the user partition but not the system partition, as the system partition's contents are fixed and standard. This could give some speed advantages over whole disk encryption, as application files and shared libraries will tend to load from the unencrypted system partition anyway.
I'll try to get a vaguely automated installer together sometime, but in the meantime I've written some fairly detailed notes below, and include the following files for reference:
My broad approach to this was as follows:
I wanted to have the system prompt for a password on bootup, mounting the volume and continuing as normal after that.
Beyond that, it would be nice if the regular F9 menu options worked roughly as they already do, so things like user partition disk scans are still possible.
Additional options would also be handy, e.g. remove encryption, change password, etc. I also wanted to allow a guest login, if you don't know the password, which would operate in the so-called "read only" mode, using a ramdisk as the user partition to allow system use without saving settings.
Initially, I decided not to bother with adding further menu options to the boot menu, and also didn't bother with guest login. (I still haven't implemented these things.)
The truecrypt binary needs to be accessible at boot time, which means it should either be on the initrd, or on the system partition. Since we need to modify the system partition anyway, we might as well just put it in /sbin on there - then it will always be available at runtime too.
The truecrypt binary has various direct and indirect prerequisites, which you need to set up:
insmod /mnt-system/lib/modules/$VERSION/kernel/drivers/fs/fuse/fuse.ko
Hopefully I didn't forget anything there... it's hard to remember, as it took a few iterations to identify all these things.
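As an added example (not part of these notes), the boot-time sequence described above as a small shell script: load the fuse module from the system partition, let truecrypt prompt for the password a limited number of times, and otherwise fall back to a tmpfs ramdisk as the "read only" guest user partition. The device path, mount point, try count and the `truecrypt -t VOLUME MOUNTPOINT` invocation are assumptions; check them against `truecrypt -h` for your build.

```shell
#!/bin/sh
# Boot-time mount of a TrueCrypt-encrypted user partition (added example).
# Assumed values: the user partition device, its mount point, and that the
# truecrypt binary was copied to /sbin on the system partition.
VOL=${VOL:-/dev/sda2}
MNT=${MNT:-/home}
TC=${TC:-/sbin/truecrypt}
MAX_TRIES=${MAX_TRIES:-3}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

run() {  # execute a command, or print it in dry-run mode
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

fuse_module_path() {  # fuse.ko for the running kernel, on the mounted system partition
  echo "/mnt-system/lib/modules/$(uname -r)/kernel/drivers/fs/fuse/fuse.ko"
}

load_fuse() {  # skip insmod if the module is already loaded
  grep -q '^fuse ' /proc/modules 2>/dev/null && return 0
  run insmod "$(fuse_module_path)"
}

mount_encrypted() {  # truecrypt prompts for the password; give the user a few attempts
  n=0
  while [ "$n" -lt "$MAX_TRIES" ]; do
    n=$((n + 1))
    if run "$TC" -t "$VOL" "$MNT"; then return 0; fi
    echo "mount of $VOL failed (attempt $n of $MAX_TRIES)" >&2
  done
  return 1
}

mount_guest_ramdisk() {  # guest fallback: tmpfs in place of the user partition, nothing persists
  run mount -t tmpfs -o size=64m,nosuid,nodev tmpfs "$MNT"
}

boot_mount_home() {  # the sequence run from the init scripts at boot
  load_fuse || return 1
  mount_encrypted || mount_guest_ramdisk
}

# Only act when invoked with --boot, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--boot" ]; then boot_mount_home; fi
```

Run it with `DRY_RUN=1 sh script.sh --boot` first to see the exact commands before wiring it into the boot sequence.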
I had planned to replace the Xandros scan and format scripts with new versions that use TrueCrypt. So far I haven't bothered with the scan script, but I used a new format script to set the volume up initially - this works well.
I can't see an easy way to get truecrypt to encrypt the data in-place, so you need to either start from scratch with a blank user partition, or restore a backup. Raw partition backups probably won't work so well here because the available space after encryption will probably be slightly less. Your best bet is probably to shrink the filesystem first, with resize2fs, then unshrink it after restoring it. The backup will still get truncated, but the missing data will be irrelevant.
Alternatively, use a tar backup - this is what I actually did. The main difficulty here is that the rescue console doesn't work very well - actually it works OK, but there are a lot of steps involved now to mount the user partition in a rescue console, so it's not as trivial as it once was.
So far I've avoided changing /boot/grub/menu.lst, but I'll come to that soon. I badly want a decent way to get a rescue console with all the truecrypt setup already done, even if the partition itself isn't mounted yet.