asked 2013-12-26 01:26:45 +0200
Option for encryption of $HOME and Android directories containing user data is needed.
Use case: I do not want to worry about my data stored on the device (including various access tokens and keys) in case I loose the phone or it gets stolen.
answered 2015-08-25 00:55:35 +0200
Hi all you sailors,
device- and SD-Card-encryption is a MUST in my point of view. Two years ago i got a Blackberry because of this opportunity. Now i can't read the SD-Card on my Linux-PC. That's a pit.., but okay! (Maybe in a couple of years my lokal police will do. I mean, do you really use 8-char-passwords today?) If there would be an easy2use GUI for LUKS (and LVM) it would be a winning tool for linux desktop and mobile!
so, thank you very much for your great work!
p.s.: shouldn't it be possible in the future the recrypt LUKS-devices on a higher enc-level without rebuilding the whole installation?
answered 2016-08-17 19:48:46 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Hi All, I successfully created an encrypted partition using crypsetup tool available from warehouse. My aim is to encrypt all data at /home including application config files and user data.
However, mounting the partition on top of hone and restarting lipstick and other services does not load the user config files from the binded home partition.
Why would this be?
Cheers, M.
Steps to reproduce cryptsetup loopmounted /home partition:
enabe developer mode
ssh into device (ssh nemo@ip)
Run commands:
#gain root devel-su #reset root password passwd
curl -O https://openrepos.net/sites/default/files/packages/500/cryptsetup-1.6.4-1.armv7hl.rpm
curl -O https://openrepos.net/sites/default/files/packages/500/libcryptsetup4-1.6.4-1.armv7hl.rpm
pkcon install-local libcryptsetup4-1.6.4-1.armv7hl.rpm
pkcon install-local cryptsetup-1.6.4-1.armv7hl.rpm
#Setup crypt disk devel-su fallocate -l 10G /root/.crypt.img
cryptsetup luksFormat /root/.crypt.img -c aes-cbc-essiv:sha256
cryptsetup luksOpen /root/.crypt.img crypt
devel-su
mkfs.ext4 /dev/mapper/crypt
mkdir /crypt
mkdir /mounts
rsync -av /mounts/ /crypt
su - -c "cryptsetup luksOpen /root/.crypt.img crypt"
su - -c " mount /dev/mapper/crypt /crypt/"
su - -c " mount -o bind /crypt/nemo/.cache /home/nemo/.cache"
su - -c " mount -o bind /crypt/nemo/.local /home/nemo/.local"
su - -c " mount -o bind /crypt/nemo/.mozilla /home/nemo/.mozilla"
su - -c " mount -o bind /crypt/nemo/.qmf /home/nemo/.cache"
su - -c " mount -o bind /crypt/nemo/.sailfish-accounts-tool /home/nemo/.sailfish-accounts-tool"
su - -c " mount -o bind /crypt/nemo/.timed /home/nemo/.timed"
su - -c "mount -o bind /crypt/data/ /opt/alien/data/"
su - -c " systemctl restart user@100000"
Hi All, After some Android time I'm back on Jolla and am impressed by the good battery life and still up to date platform.
Again I am trying to encrypt my device as it's terrible to lose it and have all my data leaked. cryptsetup is easy enough to install via
devel-su
pkcon install cryptsetup
Like my earlier post, after creating an encrypted device and moving all my data there, how do I replace the /home/nemo folder and refresh all the apps with the new configuration files?
Or is there a way to drop to a terminal during boot where I can run the script to over-mount the /home/nemo directory before all the apps are opened?
The problem is that allthough I mount the new cryptdevice at /home/nemo, none of the apps pick up the new configuration and files.
I've tried reloading the overview app, no luck.
magahugu2 ( 2018-04-04 14:52:42 +0200 )editanswered 2016-04-09 22:40:53 +0200
Implement the encryption using whatever seems to be the most compatible standard Linux toolset for btrfs/systemd etc (probably LUKS/cryptfs or ecryptfs) but most importantly, utlize the SIM card for secure key storage. SIM cards are very suitable for that and this is an excellent opportunity unlike laptops, where SIM cards (=smart cards) are rare.
See technical description at https://together.jolla.com/question/3099/save-encryption-keys-on-sim-card-eg-draft-sms/
answered 2014-05-30 09:16:59 +0200
I may be a valid option to have a master key fallback for when people forget their passwords and want their data unlocked. I don't know if this is feasible, but Shamir Shared Secret should for example, allow the user to unlock the data, but for example at the same time, a minimum of 3 of 9 possible sailors could also unlock the data in order to reset the password or something.
At the same time, a security value stored in the NFC of TOH might be required too... this makes it sort of a 2point authentication.
I don't know if people want this, but i'm just giving the option. (complex though it might be).
As I understand it, you want to enable Jolla to unlock our data if we forget the keys? As much as I trust Jolla, that is never a good idea. If they would happen to be compromised, all your data would immediately be compromised as well. Just as you don't give the keys of your house to the mayor of your village, you shouldn't give the keys to your data to whoever created your data carrier.
nthn ( 2014-05-30 13:41:08 +0200 )editI don't think having an universal master key is a good idea. Even if it is somehow split between multiple persons. This is an unnecessary security risk. So I prefer a simple encrypted drive. If the passphrase is lost all data is lost. If there are important files on the phone they should be backed up somewhere.
blubdibub ( 2014-11-21 00:57:59 +0200 )editHow about using cryptsetup and luks? It allows for multiple key slots to unlock the encryption key itself.
That way if the user trusts Jolla, they leave the Jolla pre-shared key in slot N (ideally ability to toggle off in settings). If they do not, or if their employer wants/needs key escrow, they use cruptsetup for luksAddKey, luksRemoveKey, luksKillSlot, etc. maybe with some parts exposed via settings UI.
User key, entered via settings UI, would ideally allows setting a slot, so one can easily give e.g. a trusted spouse an unlock code.
pcfe ( 2014-11-22 18:29:04 +0200 )editcryptsetup has (per default) eight slots for passphrases (per partition). And you are able to dump the slots and save them on an other place. So you can restore the partition if the sector with the slots are corrupt (if you are able to transfer the rest of the partition). The 'default' configuration of a secure linux system is to create a uncrypted /boot partition and a crypted / (root), swap and eventually /home partition. To unlock all crypted partitions at once, i use ond crypted partition used by LVM and place the favored partitions as logical volumes. But there are many other ways to get a secure device :-).
gabs5807 ( 2015-08-11 15:54:28 +0200 )editAsked: 2013-12-26 01:26:45 +0200
Seen: 13,293 times
Last updated: Aug 18 '16
see also keychain linked to TOH & link all/previous changes to TOH
AL13N ( 2013-12-26 01:45:17 +0200 )editThis should be fairly easy, as Linux already has all these LUKS/dmcrypt and eCryptFS stuff done. It might however need more CPU and thus consume battery. Maybe better put it as an option users can choose it they want to.
Please add tag 'securiity'
otto ( 2013-12-26 23:34:48 +0200 )editBesides home directory ecryption, also include option to encrypt SD card contents. That would be something that not even Android supports yet. And please use some standard Linux crypto so that the SD card can be mounted and opened without the original phone.
otto ( 2013-12-26 23:36:42 +0200 )edit@otto this isn't as easy as one might think, because there's a lot of catch 22's here... order of services becomes important, etc... in theory all elements are available, but i can guarantee that alot of time will be spent in order to combine it into "1 feature"
AL13N ( 2013-12-26 23:38:28 +0200 )editLooking at the locked bootloader shitstorm today, we need encryption ASAP to allow the boot loader opened again: vote, vote, vote!
We must not loose any more developers!
ortylp ( 2013-12-28 13:25:13 +0200 )edit