I've been using OwnCloud on a Raspberry Pi at home for my file exchange needs as well as for calendar and address book synchronization across my devices for a couple of months now. It works perfectly and leaves little to be desired except for one thing: encryption of all data on the server. Agreed, the only purpose of encrypting data on a server at home is to prevent the data from falling into the wrong hands in case the server is physically stolen. This protects data at rest only: while the volume is mounted, anyone who compromises the running server sees the files in the clear. Physical theft is very unlikely, but it's not impossible, and security-conscious as I am I wanted a solution for this. On my PC and backup drives I trust Truecrypt to keep my data safe, so I was looking for a way to also use it on my OwnCloud server.
Truecrypt can be downloaded as a binary installation file for a number of x86-based Linux distributions, so installation and use are quite straightforward there. The Raspberry Pi, however, is based on an ARM processor, for which no binary package is available. But Truecrypt is open source, so it can be compiled for ARM as well. The process is a bit tricky. Fortunately, there are a number of descriptions of how to do this, and this is the most accurate one I found. Unfortunately it's written in German, so it's of little use to many. So I decided to translate it into English and have appended it to the end of this post.
Compiling the Truecrypt source takes a while, but once done, using it from the command line works exactly the same way as on any other Linux distribution. It took me a couple of hours to get everything working, but now all data resides on a Truecrypt volume on my Raspi OwnCloud server. The volume has to be mounted manually after every boot, e.g. remotely over an ssh session; until the password has been entered, nothing is accessible.
One additional thing to consider is that when a file is uploaded, Owncloud and the underlying PHP libraries first write it to the default temp directory and only copy it to the Owncloud directory on the Truecrypt volume once the upload is complete. This is not very secure, as the temporary copy lives on the unencrypted SD card and the deleted file could still be recovered later on. Fortunately, PHP can be configured to use a different temporary directory, e.g. one inside the Truecrypt volume. I'll also describe how to do this in the detailed description of compiling and using Truecrypt for Owncloud on the Raspi below.
And here are the details of how to compile and use Truecrypt on the Raspi:
Go to the home directory
cd ~
Get the current Truecrypt sources for Linux
wget http://www.truecrypt.org/downloads/transient/0d82764e6c/TrueCrypt%207.1a%20Source.tar.gz
In addition to the Truecrypt source, the wxWidgets library is required (Truecrypt's build links against it even for the command-line-only build)
wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-2.8.12.tar.gz
Next, libfuse has to be installed
sudo aptitude install libfuse-dev
And finally, before starting the compile run, the PKCS #11 header files are required
mkdir pkcs-header-dir
cd ~/pkcs-header-dir/ && wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/*.h
Unpack the Truecrypt Tar File
cd ~ && tar -xf "TrueCrypt 7.1a Source.tar.gz" && tar -xf wxWidgets-2.8.12.tar.gz
Point the build at the directory with the PKCS #11 header files so they can be found (the Makefile reads the PKCS11_INC variable)
cd
export PKCS11_INC=/home/pi/pkcs-header-dir/
Now wxWidgets has to be compiled, which takes about 15 minutes
cd truecrypt-7.1a-source/
make NOGUI=1 WX_ROOT=/home/pi/wxWidgets-2.8.12 wxbuild
And finally, compile truecrypt. This takes between 30 minutes and one hour, so be patient
make NOGUI=1 WXSTATIC=1
sudo cp -v Main/truecrypt /usr/local/bin/
Now see if it works:
truecrypt --help
Create a new volume (Interactive)
truecrypt --create
Rename the existing Owncloud data folder, create an empty directory under the old name as the mount point, mount the Truecrypt volume on it and copy the data back in. -t selects text mode, -k "" means no keyfile, --protect-hidden=no disables hidden-volume protection and the nokernelcrypto mount option makes Truecrypt do the encryption itself in user space instead of through the kernel:
truecrypt -t -k "" --protect-hidden=no /media/xxx/owncloud-crypt.tc /media/xxx/owncloud -v -m=nokernelcrypto
(Note: truecrypt -d unmounts the Truecrypt volume again)
Move the TMP directory for PHP into the Truecrypt volume to prevent data leakage
Create a tmp folder inside the Truecrypt volume and make it world-writable with the sticky bit set (mode 1777, like /tmp)
sudo mkdir /media/pi-data/owncloud/tmp
sudo chmod 1777 /media/pi-data/owncloud/tmp
Web interface uploads are first put into /tmp and only then moved into the Owncloud directory. To put tmp into the Truecrypt volume, uncomment and edit the following line in /etc/php5/apache2/php.ini as follows:
upload_tmp_dir = /media/pi-data/owncloud/tmp
To make sure the changes are used restart Apache
sudo service apache2 restart
Note: WebDAV uploads go directly to the Owncloud directory, so the file does not have to be copied out of tmp. Thus, for larger files this is much faster!
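The mount step and the PHP temp-dir change above, collected into one script that refuses to (re)start Apache unless the encrypted volume is really mounted, because otherwise uploads would silently land in the plain directory underneath the mount point. This is an added example and not code from the original post. It assumes the container path, mount point and Debian php5/apache2 paths shown at the top (adjust them to your layout), that `mountpoint` from util-linux is available, and that it is run as root, e.g. `sudo sh owncloud-crypt.sh run`:

```shell
#!/bin/sh
# Added example, not from the original post: mount the Truecrypt volume
# holding the OwnCloud data, move PHP's upload temp dir inside it, and only
# then (re)start Apache. Run as root: sudo sh owncloud-crypt.sh run
set -eu

# Assumed paths (adjust to your layout):
CONTAINER="/media/pi-data/owncloud-crypt.tc"
MOUNTPOINT="/media/pi-data/owncloud"
PHP_INI="/etc/php5/apache2/php.ini"
UPLOAD_TMP="$MOUNTPOINT/tmp"

# True if directory $2 lies inside directory $1. Compared with a trailing
# slash so that /media/pi-data/owncloud-plain is not "inside" .../owncloud.
path_under() {
    base="${1%/}/"
    case "${2%/}/" in
        "$base"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Set upload_tmp_dir in ini file $1 to $2. Rewrites the stock commented
# ";upload_tmp_dir =" line (and any active one) or appends the setting if the
# file has none. Safe to re-run. The result is copied back over the original
# so php.ini keeps its owner and mode, and no GNU-only "sed -i" is needed.
php_set_upload_tmp_dir() {
    ini="$1"; dir="$2"
    pattern='^[[:space:]]*;?[[:space:]]*upload_tmp_dir[[:space:]]*='
    if grep -Eq "$pattern" "$ini"; then
        sed -E "s|${pattern}.*|upload_tmp_dir = $dir|" "$ini" > "$ini.new"
        cat "$ini.new" > "$ini" && rm -f "$ini.new"
    else
        printf 'upload_tmp_dir = %s\n' "$dir" >> "$ini"
    fi
}

# Print the active (uncommented) upload_tmp_dir; the last one wins, as in PHP.
php_get_upload_tmp_dir() {
    sed -n -E 's/^[[:space:]]*upload_tmp_dir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

main() {
    # Mount if needed, with the same flags as in the post (long form of
    # -m=nokernelcrypto). Truecrypt prompts for the password on the terminal.
    if ! mountpoint -q "$MOUNTPOINT"; then
        truecrypt -t -k "" --protect-hidden=no --mount-options=nokernelcrypto \
            "$CONTAINER" "$MOUNTPOINT"
    fi
    # Hard stop if the volume is still not mounted: Apache would otherwise
    # write uploads into the plain directory underneath the mount point.
    if ! mountpoint -q "$MOUNTPOINT"; then
        echo "$MOUNTPOINT is not a mounted volume, not starting Apache" >&2
        return 1
    fi
    # Temp dir inside the volume, world-writable with the sticky bit like /tmp.
    mkdir -p "$UPLOAD_TMP" && chmod 1777 "$UPLOAD_TMP"
    php_set_upload_tmp_dir "$PHP_INI" "$UPLOAD_TMP"
    # Check what PHP will actually read, not what we meant to write.
    path_under "$MOUNTPOINT" "$(php_get_upload_tmp_dir "$PHP_INI")" || return 1
    service apache2 restart
}

case "${1:-}" in
    run) main ;;
esac
```

Running it after every reboot (over ssh, as the post describes) replaces the manual mount, mkdir, chmod and apache2 restart sequence with one command that cannot leave the server serving an unmounted, unencrypted directory.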
What are the benefits of using TrueCrypt vs. encrypted volumes/cryptoloop?
Nice post Martin.
Why is this safer than normal? If a hacker gets into your server he can collect your data simply by going to that specific mount 😉 so…. what is then safe?
Hi Ruben,
The purpose of encrypting data on the server at home is to prevent data from falling into the wrong hands in case the server is physically stolen. While this is very unlikely, it's not impossible, and security-conscious as I am I wanted a solution for this.
Cheers,
Martin