Ask / Submit
504

optional encryption of the device

Tracked by Jolla

asked 2013-12-26 01:26:45 +0300

ortylp gravatar image

updated 2015-05-03 14:50:13 +0300

chemist gravatar image

Option for encryption of $HOME and Android directories containing user data is needed.

Use case: I do not want to worry about my data stored on the device (including various access tokens and keys) in case I loose the phone or it gets stolen.

edit retag flag offensive close delete

Comments

see also keychain linked to TOH & link all/previous changes to TOH

AL13N ( 2013-12-26 01:45:17 +0300 )edit
6

This should be fairly easy, as Linux already has all these LUKS/dmcrypt and eCryptFS stuff done. It might however need more CPU and thus consume battery. Maybe better put it as an option users can choose it they want to.

Please add tag 'securiity'

otto ( 2013-12-26 23:34:48 +0300 )edit
23

Besides home directory ecryption, also include option to encrypt SD card contents. That would be something that not even Android supports yet. And please use some standard Linux crypto so that the SD card can be mounted and opened without the original phone.

otto ( 2013-12-26 23:36:42 +0300 )edit
2

@otto this isn't as easy as one might think, because there's a lot of catch 22's here... order of services becomes important, etc... in theory all elements are available, but i can guarantee that alot of time will be spent in order to combine it into "1 feature"

AL13N ( 2013-12-26 23:38:28 +0300 )edit
12

Looking at the locked bootloader shitstorm today, we need encryption ASAP to allow the boot loader opened again: vote, vote, vote!

We must not loose any more developers!

ortylp ( 2013-12-28 13:25:13 +0300 )edit

14 Answers

Sort by » oldest newest most voted
45

answered 2013-12-26 01:34:02 +0300

Kondou gravatar image

I did spot a "jolla-devicelock-plugin-encpartition" package when rumaging through repositories, so it looks like jolla is working on something alike.

edit flag offensive delete publish link more

Comments

7

yes, I got some unofficial confirmation on IRC, but it has low priority at the moment, so vote it up

ortylp ( 2013-12-26 01:41:00 +0300 )edit
40

answered 2014-01-12 18:15:14 +0300

rainisto gravatar image

Thanks for the input, we will look how to imprive the situation. Most likely some future kernel will have ecryptfs support added builtin. In a meanwhile you should enable devicelock code, as that will protect most of the use cases (not sd-card, and not people with access to hardware chip readers) against theft.

edit flag offensive delete publish link more

Comments

3

Any information if this full device encryption available on next (March) update?

jaekkay ( 2014-03-07 11:02:54 +0300 )edit

modprobe ecryptfs works. So people with developer mode can play with CLI.

rainisto ( 2014-03-17 12:51:05 +0300 )edit
4

Also add the ability of precting the sd card with a password in a future update please. :)

Alex ( 2014-04-18 16:53:02 +0300 )edit

any news on this? How high (or low) on the priority list is this?

velimir ( 2014-11-07 14:44:31 +0300 )edit
2

Is the full device encryption feature part of Sailfish OS 2?

bawaji ( 2014-11-20 07:46:20 +0300 )edit
25

answered 2015-04-06 21:39:43 +0300

gabs5807 gravatar image

This is an very old feature-request. But now, with the announcement of mobile security, it is nesseccary to give this a higher priority. What help secure data/voice transfer, when the content on the mobile device is not crypted. The linux kernel used in SailfishOS supports LUKS/cryptsetup and the dmcrypt kenel modul. The standard boot mechanism with systemd also support loading the modul during boot and ask for a passphrase to unlock the device. Unlocking the root, the home and the sim card with the same passphrase should be possible and the UI to wayland grafic engine should also be possible. I hope at SailfishOS V2.0 this feature request wil be implemented.

Greetings

edit flag offensive delete publish link more
14

answered 2014-02-08 18:29:58 +0300

Rolfa gravatar image

As an alternative, I suggest porting TrueCrypt to the Jolla phone (TrueCrypt runs very well on my N900).

edit flag offensive delete publish link more

Comments

2

Truecrypt is IMHO not a good fit here as it creates containers with a fixed size. Additionally there may be license issues as the Truecrypt license allows to view the source code but prohibits changing it.

schmittlauch ( 2014-03-16 20:29:20 +0300 )edit
7

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" see: http://www.truecrypt.org/

utkiek ( 2014-05-29 18:13:01 +0300 )edit
2

@utkiek "...as any written software on the planet" :-)

simosagi ( 2014-06-07 10:53:12 +0300 )edit
2

@schmittlauch@utkiek TrueCrypt should work out as intended, audit came out clean. And there are optional forks, like VeraCrypt being actively developed - it supports TrueCrypt-containers too. While dm-crypt with luks might be the best option, having support for encrypted containers made with True/VeraCrypt would be really nice to have.

tuotantoarvio ( 2015-04-23 02:12:17 +0300 )edit
1

why use a non-free unsupported software, when there is a free and supported one (dm_crypt/luks) in linux?

fuckup23 ( 2015-10-28 21:14:31 +0300 )edit
14

answered 2015-10-23 03:47:23 +0300

fuckup23 gravatar image

updated 2015-10-23 03:48:48 +0300

little workaround i just tried:

  • Install cryptsetup from openrepos.net
  • plug in a sd card
  • cryptsetup -y -c aes-cbc-essiv:sha256 create sdcard /dev/mmcblk1
  • mkfs.ext4 /dev/mapper/sdcard
  • mkdir /home/nemo/crypto
  • mount /dev/mapper/sdcard /home/nemo/crypto
  • mv /home/nemo/Pictures /home/nemo/crypto/Pictures
  • ln - /home/nemo/crypto/Pictures /home/nemo/Pictures
  • do the same with .cache/.nemothumbs

  • add this line to /etc/fstab/:

/dev/mapper/sdcard /home/nemo/crypt ext4 defaults,noatime,user,noauto 0 0

  • unlock script:

sudo /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain

mount /dev/mapper/sdcard

sudo /bin/chown nemo /home/nemo/crypt

  • lock script:

umount /home/nemo/crypt

sudo /usr/sbin/cryptsetup close sdcard

  • install sudo and edit /etc/sudoers:

nemo ALL=NOPASSWD: /usr/sbin/cryptsetup close sdcard

nemo ALL=NOPASSWD: /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain

nemo ALL=NOPASSWD: /bin/chown nemo /home/nemo/crypt

there you are! More a hack than a solution, but this will protect your photos.


PS: this comes with absolutely no warranty, do not just copy+paste!

edit flag offensive delete publish link more

Comments

1

if there was the option of activating the boot screen with a virtual keyboard, we could just mount /home to the crypt-device. Would this be so hard to implement?

fuckup23 ( 2015-11-03 23:16:11 +0300 )edit

Thank you for the tip, has anyone tried this on SailfishOS 2 maybe? How does cryptsetup know what key to use, is it stored on the disk somewhere? Also, would it be much different to use luks (and safer as well, as in easier not to overwrite your data eg.)?

omichalek ( 2016-01-17 18:16:54 +0300 )edit
7

answered 2014-01-08 14:30:43 +0300

chemist gravatar image

updated 2014-01-16 02:25:08 +0300

I know from @Aard that this is WIP/OnToDoList. This will take a while, crypt modules will get to the kernel soon but only for testing purpose for the mean time.

edit flag offensive delete publish link more

Comments

2

just repeating my comment from 26th Dec... WTF?

ortylp ( 2014-01-15 22:45:35 +0300 )edit

@ortylp Sry did not read the comments and this is a valid answer and not a comment! I talked to aard myself.

chemist ( 2014-01-16 02:23:54 +0300 )edit
6

answered 2014-12-08 23:19:35 +0300

the_mgt gravatar image

Part of the SD Card specification is the ability to lock cards with a password. Nokia phones supported that. http://en.wikipedia.org/wiki/Secure_Digital#Card_password Of course, the card will probably only be readable with the phone that it was encrypted on. Sources on the web say, it might be compatible to identical devices.

I guess the NSA and the Bavarian Illuminati have a master key for that encryption, but at least your local police might not be able to search your sd card. It would be totally neat of course if all photos taken with the Jolla were stored on the locked card.

This was already proposed by @Alex in Apr 18 '14, but this feature of the SD cards seem to be neglected throughout tjc.

edit flag offensive delete publish link more

Comments

Simply use Secrecy an Android app that encrypts image and file data, you would have to copy it into the container and delete the unprotected file.

http://m.playboi2nv.store.aptoide.com/app/market/com.doplgangr.secrecy/53/7898510/SECRECY+-+Encrypt%2FHide+Files+α#

DarkTuring ( 2016-10-28 03:25:38 +0300 )edit
6

answered 2015-05-03 02:38:33 +0300

pisco gravatar image

"A set of patches adding encryption to the ext4 filesystem" is announced for kernel version 4.1.  󠀠󠀠It is said to be easier on the resources than other approaches.

Any chance to benefit from it?

edit flag offensive delete publish link more

Comments

No, we probably will never get 4.1, at least not for the phone.

chemist ( 2015-05-03 12:37:38 +0300 )edit

@chemist please explain ...

luchmhor ( 2015-07-03 11:03:09 +0300 )edit
2

As long as Qualcomm sits on their drivers we are stuck with what we have now, and as it is very unlikely that they upgrade them even themselves there won't be a newer Kernel possible.

chemist ( 2015-07-03 14:40:07 +0300 )edit

that is disappointing

strayobject ( 2015-09-16 16:46:10 +0300 )edit
5

answered 2016-08-17 19:48:46 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2016-08-18 18:06:34 +0300

magahugu gravatar image

Hi All, I successfully created an encrypted partition using crypsetup tool available from warehouse. My aim is to encrypt all data at /home including application config files and user data.

However, mounting the partition on top of hone and restarting lipstick and other services does not load the user config files from the binded home partition.

Why would this be?

Cheers, M.

Steps to reproduce cryptsetup loopmounted /home partition:

  1. enabe developer mode

  2. ssh into device (ssh nemo@ip)

  3. Run commands:

    #gain root devel-su #reset root password passwd

    curl -O https://openrepos.net/sites/default/files/packages/500/cryptsetup-1.6.4-1.armv7hl.rpm

    curl -O https://openrepos.net/sites/default/files/packages/500/libcryptsetup4-1.6.4-1.armv7hl.rpm

    pkcon install-local libcryptsetup4-1.6.4-1.armv7hl.rpm

    pkcon install-local cryptsetup-1.6.4-1.armv7hl.rpm

    #Setup crypt disk devel-su fallocate -l 10G /root/.crypt.img

      cryptsetup luksFormat /root/.crypt.img -c aes-cbc-essiv:sha256
      cryptsetup luksOpen /root/.crypt.img crypt
      devel-su
      mkfs.ext4 /dev/mapper/crypt
    

copy over data

mkdir /crypt

mkdir /mounts

rsync -av /mounts/ /crypt

Create and run mount script:

su - -c "cryptsetup luksOpen /root/.crypt.img crypt"

su - -c "      mount /dev/mapper/crypt /crypt/"

su - -c "      mount -o bind /crypt/nemo/.cache /home/nemo/.cache"

su - -c "      mount -o bind /crypt/nemo/.local /home/nemo/.local"

su - -c "      mount -o bind /crypt/nemo/.mozilla /home/nemo/.mozilla"

su - -c "      mount -o bind /crypt/nemo/.qmf /home/nemo/.cache"

su - -c "      mount -o bind /crypt/nemo/.sailfish-accounts-tool /home/nemo/.sailfish-accounts-tool"

su - -c "      mount -o bind /crypt/nemo/.timed /home/nemo/.timed"

su - -c "mount -o bind /crypt/data/ /opt/alien/data/"

su - -c " systemctl restart user@100000"
edit flag offensive delete publish link more

Comments

Nice work. I really want my Jolla devices to be encrypted.

On the config file loading, no idea, perhaps they are only not processed at start-up?

Pim ( 2016-08-19 12:33:30 +0300 )edit
5

answered 2016-08-17 22:33:46 +0300

hoschi gravatar image

updated 2016-08-17 22:36:54 +0300

For the next official device I want ask for hardware-based encryption through the memory itself.
Rational: As fast, as without encryption. Works transparently, for all operating-systems (rescue-system, adb, sailfish and so on). Laptops and most modern SSDs with ATA-Secure have shown, it works.

Please note, you don't need unlock the key for the drive during runtime (i.e. devicelock) only during power-up. During runtime the the device-lock protects your device.

Benefit for Jolla: Less code to develop, less surface to make mistakes.

edit flag offensive delete publish link more
Login/Signup to Answer

Question tools

Follow
79 followers

Stats

Asked: 2013-12-26 01:26:45 +0300

Seen: 9,949 times

Last updated: Aug 18 '16