optional encryption of the device

Tracked by Jolla

asked 2013-12-26 01:26:45 +0300

ortylp

updated 2015-05-03 14:50:13 +0300

chemist

Option for encryption of $HOME and Android directories containing user data is needed.

Use case: I do not want to worry about my data stored on the device (including various access tokens and keys) in case I lose the phone or it gets stolen.



see also keychain linked to TOH & link all/previous changes to TOH

AL13N ( 2013-12-26 01:45:17 +0300 )edit

This should be fairly easy, as Linux already has all these LUKS/dmcrypt and eCryptFS stuff done. It might however need more CPU and thus consume battery. Maybe better put it as an option users can choose if they want to.

Please add tag 'security'

otto ( 2013-12-26 23:34:48 +0300 )edit

Besides home directory encryption, also include option to encrypt SD card contents. That would be something that not even Android supports yet. And please use some standard Linux crypto so that the SD card can be mounted and opened without the original phone.

otto ( 2013-12-26 23:36:42 +0300 )edit

@otto this isn't as easy as one might think, because there's a lot of catch 22's here... order of services becomes important, etc... in theory all elements are available, but I can guarantee that a lot of time will be spent in order to combine it into "1 feature"

AL13N ( 2013-12-26 23:38:28 +0300 )edit

Looking at the locked bootloader shitstorm today, we need encryption ASAP to allow the boot loader opened again: vote, vote, vote!

We must not lose any more developers!

ortylp ( 2013-12-28 13:25:13 +0300 )edit

14 Answers


answered 2013-12-26 01:34:02 +0300

Kondou

I did spot a "jolla-devicelock-plugin-encpartition" package when rummaging through repositories, so it looks like Jolla is working on something alike.




yes, I got some unofficial confirmation on IRC, but it has low priority at the moment, so vote it up

ortylp ( 2013-12-26 01:41:00 +0300 )edit

answered 2014-01-12 18:15:14 +0300

rainisto

Thanks for the input, we will look how to improve the situation. Most likely some future kernel will have ecryptfs support added builtin. In the meantime you should enable devicelock code, as that will protect most of the use cases (not sd-card, and not people with access to hardware chip readers) against theft.




Any information if this full device encryption available on next (March) update?

jaekkay ( 2014-03-07 11:02:54 +0300 )edit

modprobe ecryptfs works. So people with developer mode can play with CLI.

rainisto ( 2014-03-17 12:51:05 +0300 )edit

Also add the ability of protecting the sd card with a password in a future update please. :)

Alex ( 2014-04-18 16:53:02 +0300 )edit

any news on this? How high (or low) on the priority list is this?

velimir ( 2014-11-07 14:44:31 +0300 )edit

Is the full device encryption feature part of Sailfish OS 2?

bawaji ( 2014-11-20 07:46:20 +0300 )edit

answered 2015-04-06 21:39:43 +0300

gabs5807

This is a very old feature request. But now, with the announcement of mobile security, it is necessary to give this a higher priority. What help is secure data/voice transfer when the content on the mobile device is not encrypted? The Linux kernel used in SailfishOS supports LUKS/cryptsetup and the dmcrypt kernel module. The standard boot mechanism with systemd also supports loading the module during boot and asking for a passphrase to unlock the device. Unlocking the root, the home and the sim card with the same passphrase should be possible and the UI to wayland graphic engine should also be possible. I hope at SailfishOS V2.0 this feature request will be implemented.



answered 2014-02-08 18:29:58 +0300

Rolfa

As an alternative, I suggest porting TrueCrypt to the Jolla phone (TrueCrypt runs very well on my N900).




Truecrypt is IMHO not a good fit here as it creates containers with a fixed size. Additionally there may be license issues as the Truecrypt license allows to view the source code but prohibits changing it.

schmittlauch ( 2014-03-16 20:29:20 +0300 )edit

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" see:

utkiek ( 2014-05-29 18:13:01 +0300 )edit

@utkiek " any written software on the planet" :-)

simosagi ( 2014-06-07 10:53:12 +0300 )edit

@schmittlauch@utkiek TrueCrypt should work out as intended, audit came out clean. And there are optional forks, like VeraCrypt being actively developed - it supports TrueCrypt-containers too. While dm-crypt with luks might be the best option, having support for encrypted containers made with True/VeraCrypt would be really nice to have.

tuotantoarvio ( 2015-04-23 02:12:17 +0300 )edit

why use a non-free unsupported software, when there is a free and supported one (dm_crypt/luks) in linux?

fuckup23 ( 2015-10-28 21:14:31 +0300 )edit

answered 2015-10-23 03:47:23 +0300

fuckup23

updated 2015-10-23 03:48:48 +0300

little workaround i just tried:

  • Install cryptsetup from
  • plug in a sd card
  • cryptsetup -y -c aes-cbc-essiv:sha256 create sdcard /dev/mmcblk1
  • mkfs.ext4 /dev/mapper/sdcard
  • mkdir /home/nemo/crypt
  • mount /dev/mapper/sdcard /home/nemo/crypt
  • mv /home/nemo/Pictures /home/nemo/crypt/Pictures
  • ln -s /home/nemo/crypt/Pictures /home/nemo/Pictures
  • do the same with .cache/.nemothumbs

  • add this line to /etc/fstab:

    /dev/mapper/sdcard /home/nemo/crypt ext4 defaults,noatime,user,noauto 0 0

  • unlock script:

    sudo /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain
    mount /dev/mapper/sdcard
    sudo /bin/chown nemo /home/nemo/crypt

  • lock script:

    umount /home/nemo/crypt
    sudo /usr/sbin/cryptsetup close sdcard

  • install sudo and edit /etc/sudoers:

    nemo ALL=NOPASSWD: /usr/sbin/cryptsetup close sdcard
    nemo ALL=NOPASSWD: /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain
    nemo ALL=NOPASSWD: /bin/chown nemo /home/nemo/crypt

there you are! More a hack than a solution, but this will protect your photos.

PS: this comes with absolutely no warranty, do not just copy+paste!




if there was the option of activating the boot screen with a virtual keyboard, we could just mount /home to the crypt-device. Would this be so hard to implement?

fuckup23 ( 2015-11-03 23:16:11 +0300 )edit

Thank you for the tip, has anyone tried this on SailfishOS 2 maybe? How does cryptsetup know what key to use, is it stored on the disk somewhere? Also, would it be much different to use luks (and safer as well, as in easier not to overwrite your data eg.)?

omichalek ( 2016-01-17 18:16:54 +0300 )edit
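
Added example, not part of the original posts: plain dm-crypt as used in the workaround above writes no header to the card, so the key is derived from the typed passphrase on every unlock, and a wrong passphrase still yields a mapping, just one full of garbage. The script below checks magic bytes to guard both the one-time setup and the unlock step; the function names are made up here, and it assumes read access to the device nodes.

```shell
#!/bin/sh
# Added example (not from the thread): magic-byte checks around a plain
# dm-crypt card. Function names are hypothetical; device and mapping names
# in the usage comments are the ones used in the post.

# Print COUNT bytes at OFFSET of FILE as lowercase hex without separators.
hex_at() {  # hex_at FILE OFFSET COUNT
    od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Classify what sits at the start of a block device or image file:
#   luks       - LUKS header magic "LUKS\xba\xbe" at offset 0
#   ext        - ext2/3/4 superblock magic 0xEF53 (little-endian) at offset 1080
#   bootsector - 0x55AA signature at offset 510 (MBR, FAT or exFAT boot sector)
#   unknown    - none of these; a locked plain dm-crypt device looks like this
classify() {
    [ "$(hex_at "$1" 0 6)" = 4c554b53babe ] && { echo luks; return; }
    [ "$(hex_at "$1" 1080 2)" = 53ef ] && { echo ext; return; }
    [ "$(hex_at "$1" 510 2)" = 55aa ] && { echo bootsector; return; }
    echo unknown
}

# Guard for the one-time setup: allow `cryptsetup ... create` + mkfs only on
# a device showing none of the three signatures above (nothing else is checked).
safe_to_initialise() {
    [ "$(classify "$1")" = unknown ]
}

# Guard for the unlock script: plain mode cannot reject a wrong passphrase,
# so confirm the mapping decrypts to a filesystem before mounting it.
unlocked_ok() {
    [ "$(classify "$1")" = ext ]
}

# Usage inside the unlock script from the post:
#   sudo /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain
#   if unlocked_ok /dev/mapper/sdcard; then
#       mount /dev/mapper/sdcard
#   else
#       sudo /usr/sbin/cryptsetup close sdcard
#       echo "mapping holds no filesystem, wrong passphrase?" >&2
#   fi
```

A LUKS volume, by contrast, carries the header that `classify` reports as `luks`, which is what lets cryptsetup reject a wrong passphrase and lets tools notice an existing volume before formatting over it.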

answered 2014-01-08 14:30:43 +0300

chemist

updated 2014-01-16 02:25:08 +0300

I know from @Aard that this is WIP/OnToDoList. This will take a while, crypt modules will get to the kernel soon but only for testing purposes for the meantime.




just repeating my comment from 26th Dec... WTF?

ortylp ( 2014-01-15 22:45:35 +0300 )edit

@ortylp Sry did not read the comments and this is a valid answer and not a comment! I talked to aard myself.

chemist ( 2014-01-16 02:23:54 +0300 )edit

answered 2015-05-03 02:38:33 +0300

pisco

"A set of patches adding encryption to the ext4 filesystem" is announced for kernel version 4.1. It is said to be easier on the resources than other approaches.

Any chance to benefit from it?



No, we probably will never get 4.1, at least not for the phone.

chemist ( 2015-05-03 12:37:38 +0300 )edit

@chemist please explain ...

luchmhor ( 2015-07-03 11:03:09 +0300 )edit

As long as Qualcomm sits on their drivers we are stuck with what we have now, and as it is very unlikely that they upgrade them even themselves there won't be a newer Kernel possible.

chemist ( 2015-07-03 14:40:07 +0300 )edit

that is disappointing

strayobject ( 2015-09-16 16:46:10 +0300 )edit

answered 2014-12-08 23:19:35 +0300

the_mgt

Part of the SD Card specification is the ability to lock cards with a password. Nokia phones supported that. Of course, the card will probably only be readable with the phone that it was encrypted on. Sources on the web say, it might be compatible to identical devices.

I guess the NSA and the Bavarian Illuminati have a master key for that encryption, but at least your local police might not be able to search your sd card. It would be totally neat of course if all photos taken with the Jolla were stored on the locked card.

This was already proposed by @Alex on Apr 18 '14, but this feature of the SD cards seems to be neglected throughout tjc.



Simply use Secrecy, an Android app that encrypts image and file data; you would have to copy it into the container and delete the unprotected file.

DarkTuring ( 2016-10-28 03:25:38 +0300 )edit

answered 2016-08-17 19:48:46 +0300

this post is marked as community wiki

updated 2016-08-18 18:06:34 +0300

magahugu

Hi All, I successfully created an encrypted partition using the cryptsetup tool available from warehouse. My aim is to encrypt all data at /home including application config files and user data.

However, mounting the partition on top of home and restarting lipstick and other services does not load the user config files from the binded home partition.

Why would this be?

Cheers, M.

Steps to reproduce cryptsetup loopmounted /home partition:

  1. enable developer mode

  2. ssh into device (ssh nemo@ip)

  3. Run commands:

    # gain root
    devel-su
    # reset root password
    passwd

    curl -O

    curl -O

    pkcon install-local libcryptsetup4-1.6.4-1.armv7hl.rpm
    pkcon install-local cryptsetup-1.6.4-1.armv7hl.rpm

    # set up the crypt disk
    devel-su fallocate -l 10G /root/.crypt.img
    cryptsetup luksFormat /root/.crypt.img -c aes-cbc-essiv:sha256
    cryptsetup luksOpen /root/.crypt.img crypt
    mkfs.ext4 /dev/mapper/crypt

Copy over data:

    mkdir /crypt
    mkdir /mounts
    rsync -av /mounts/ /crypt

Create and run mount script:

    # open the LUKS image and mount it
    su - -c "cryptsetup luksOpen /root/.crypt.img crypt"
    su - -c "mount /dev/mapper/crypt /crypt/"
    # bind the encrypted copies over the user's data directories
    su - -c "mount -o bind /crypt/nemo/.cache /home/nemo/.cache"
    su - -c "mount -o bind /crypt/nemo/.local /home/nemo/.local"
    su - -c "mount -o bind /crypt/nemo/.mozilla /home/nemo/.mozilla"
    su - -c "mount -o bind /crypt/nemo/.qmf /home/nemo/.qmf"
    su - -c "mount -o bind /crypt/nemo/.sailfish-accounts-tool /home/nemo/.sailfish-accounts-tool"
    su - -c "mount -o bind /crypt/nemo/.timed /home/nemo/.timed"
    # Android app data
    su - -c "mount -o bind /crypt/data/ /opt/alien/data/"
    # restart the user session
    su - -c "systemctl restart user@100000"


Nice work. I really want my Jolla devices to be encrypted.

On the config file loading, no idea, perhaps they are only not processed at start-up?

Pim ( 2016-08-19 12:33:30 +0300 )edit
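
Added example, not part of the original post: one way to check the result of the bind-mount script above is to read the mount table and confirm that every directory meant to be encrypted is served from /dev/mapper/crypt and that nothing is mounted twice. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Reads a mount table in /proc/mounts format and prints one line per problem:
#   plain <dir>    - the entry on top of <dir> is not the encrypted mapping
#                    (or <dir> is not a mount point at all)
#   stacked <dir>  - <dir> is mounted more than once, one mount hides another
audit_mounts() {  # audit_mounts MOUNTS_FILE DEVICE DIR...
    mounts=$1
    dev=$2
    shift 2
    for dir in "$@"; do
        # Later lines normally sit on top of earlier ones: keep the last source.
        awk -v d="$dir" -v want="$dev" '
            $2 == d { n++; src = $1 }
            END {
                if (src != want) print "plain " d
                if (n > 1)       print "stacked " d
            }' "$mounts"
    done
}

# Constructed sample table: .cache is mounted twice and .qmf was never mounted.
sample_mounts() {
    cat <<'EOF'
/dev/mmcblk0p1 /home btrfs rw,noatime 0 0
/dev/mapper/crypt /crypt ext4 rw,relatime 0 0
/dev/mapper/crypt /home/nemo/.cache ext4 rw,relatime 0 0
/dev/mapper/crypt /home/nemo/.local ext4 rw,relatime 0 0
/dev/mapper/crypt /home/nemo/.cache ext4 rw,relatime 0 0
EOF
}

# On the device, after running the mount script:
#   audit_mounts /proc/mounts /dev/mapper/crypt \
#       /home/nemo/.cache /home/nemo/.local /home/nemo/.mozilla /home/nemo/.qmf \
#       /home/nemo/.sailfish-accounts-tool /home/nemo/.timed /opt/alien/data
# No output means every listed directory is backed by the encrypted image.
```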

answered 2016-08-17 22:33:46 +0300

hoschi

updated 2016-08-17 22:36:54 +0300

For the next official device I want to ask for hardware-based encryption through the memory itself.
Rationale: As fast as without encryption. Works transparently, for all operating-systems (rescue-system, adb, sailfish and so on). Laptops and most modern SSDs with ATA-Secure have shown, it works.

Please note, you don't need to unlock the key for the drive during runtime (i.e. devicelock), only during power-up. During runtime the device-lock protects your device.

Benefit for Jolla: Less code to develop, less surface to make mistakes.




Asked: 2013-12-26 01:26:45 +0300

Seen: 9,317 times

Last updated: Aug 18 '16