asked 2013-12-26 01:26:45 +0300
Option for encryption of $HOME and Android directories containing user data is needed.
Use case: I do not want to worry about my data stored on the device (including various access tokens and keys) in case I loose the phone or it gets stolen.
answered 2015-10-23 03:47:23 +0300
little workaround i just tried:
cryptsetup -y -c aes-cbc-essiv:sha256 create sdcard /dev/mmcblk1mkfs.ext4 /dev/mapper/sdcardmkdir /home/nemo/cryptomount /dev/mapper/sdcard /home/nemo/cryptomv /home/nemo/Pictures /home/nemo/crypto/Picturesln - /home/nemo/crypto/Pictures /home/nemo/Picturesdo the same with .cache/.nemothumbs
add this line to /etc/fstab/:
/dev/mapper/sdcard /home/nemo/crypt ext4 defaults,noatime,user,noauto 0 0
sudo /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain
mount /dev/mapper/sdcard
sudo /bin/chown nemo /home/nemo/crypt
umount /home/nemo/crypt
sudo /usr/sbin/cryptsetup close sdcard
/etc/sudoers:nemo ALL=NOPASSWD: /usr/sbin/cryptsetup close sdcard
nemo ALL=NOPASSWD: /usr/sbin/cryptsetup open /dev/mmcblk1 sdcard --type plain
nemo ALL=NOPASSWD: /bin/chown nemo /home/nemo/crypt
there you are! More a hack than a solution, but this will protect your photos.
PS: this comes with absolutely no warranty, do not just copy+paste!
Hello, all! Is it possible to put this into one complete "instruction manual" to move everything into an encrypted "box"? I have nothing against some work in the terminal, but see: a newbie would have some trouble with these instructions. To be able to learn, some explanation would be nice. For instance, the usage of the instructions means that you make up a whole new file system on the SD card. The stuff on the SD card will be lost! This should be written down in there! Furthermore: is it possible to use it on the whole "home" folder? I am not so much into linux, so I'd better ask. As far as I see, you mount the SD card into /home/crypto and link the original pictures folder to a new encrypted folder on the SD card. Is this right? Such comments would make it far more readable and understandable for any newbie. What does the line "do the same with .cache/.nemothumbs" exactly mean? until I know this, I won't start working on a running system. How would I make a backup and put it back, if parts of the system were encrypted? Would this work?
ds1979 ( 2018-01-22 11:31:40 +0300 )editHi,
my Jolla phone broke a few month after I wrote this comment. It had this series defect with the battery. I never touched a Jolla again. And I never will!
For me the Nokia N9 is still the best phone ever.
But the Jolla thing was garbage in hard- and software. And it was a fraud to sell this prototype as a product. Even basic functionality wasn't working well.
Maybe they wanted to much. they had fancy GUI, android support etc. everything with bugs. Instead cronstructing just a simple and working, phone. Someone who wants to run android applications just buys an android tlephone.
I thought Jolla was bankrupt and dead. now I read on wikipedia that the last release of the OS was a few month ago ...
fuckup23 ( 2018-01-22 22:35:05 +0300 )editToo bad for you. :-(
Could you please still read your text and hopefully answer most of my questions? Thank you in advance! Especially "do the same with .cache/.nemothumbs" is of interest.
Well, I see your comment very differently. The Sailfish OS works - except for anything that needs the Google stuff. But I use my smartphone only as second device besides my laptop, so I am not so much affected by it. I have had a device, which has lost connection to the battery all the time. But I think that for the first device, it was not such a bad product. If I remember the iPhone 1, I would say that the Jolla was more useable and you were able to add functionality by yourself if you wanted to learn or ask. I don't want to use Android apps, but unfortunately there are some that work. I like the principle in Sailfish OS from Unix: "Do one thing and do it well". I have found many apps with minor functionality to Android apps, but they do their work well. And: I have control above my own data. I have a home folder which is analog to my linux laptop. I can install very many stuff on the command line as a user who wants to know how and what. Here might be the difference: Jolla is not a phone for the iPhone user. It is one for people who are interested in how it works and who would do some research in forums and the internet to find out, how to get something working - like the encryption. :-) If you have your old device, try to get it working. :-) I still like it better than my old iPhone or my new Nokia 5. For me, it is more usable and much faster in every day use. Cheers!
ds1979 ( 2018-01-23 08:36:23 +0300 )editanswered 2016-04-09 22:40:53 +0300
Implement the encryption using whatever seems to be the most compatible standard Linux toolset for btrfs/systemd etc (probably LUKS/cryptfs or ecryptfs) but most importantly, utlize the SIM card for secure key storage. SIM cards are very suitable for that and this is an excellent opportunity unlike laptops, where SIM cards (=smart cards) are rare.
See technical description at https://together.jolla.com/question/3099/save-encryption-keys-on-sim-card-eg-draft-sms/
answered 2016-08-17 19:48:46 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Hi All, I successfully created an encrypted partition using crypsetup tool available from warehouse. My aim is to encrypt all data at /home including application config files and user data.
However, mounting the partition on top of hone and restarting lipstick and other services does not load the user config files from the binded home partition.
Why would this be?
Cheers, M.
Steps to reproduce cryptsetup loopmounted /home partition:
enabe developer mode
ssh into device (ssh nemo@ip)
Run commands:
#gain root devel-su #reset root password passwd
curl -O https://openrepos.net/sites/default/files/packages/500/cryptsetup-1.6.4-1.armv7hl.rpm
curl -O https://openrepos.net/sites/default/files/packages/500/libcryptsetup4-1.6.4-1.armv7hl.rpm
pkcon install-local libcryptsetup4-1.6.4-1.armv7hl.rpm
pkcon install-local cryptsetup-1.6.4-1.armv7hl.rpm
#Setup crypt disk devel-su fallocate -l 10G /root/.crypt.img
cryptsetup luksFormat /root/.crypt.img -c aes-cbc-essiv:sha256
cryptsetup luksOpen /root/.crypt.img crypt
devel-su
mkfs.ext4 /dev/mapper/crypt
mkdir /crypt
mkdir /mounts
rsync -av /mounts/ /crypt
su - -c "cryptsetup luksOpen /root/.crypt.img crypt"
su - -c " mount /dev/mapper/crypt /crypt/"
su - -c " mount -o bind /crypt/nemo/.cache /home/nemo/.cache"
su - -c " mount -o bind /crypt/nemo/.local /home/nemo/.local"
su - -c " mount -o bind /crypt/nemo/.mozilla /home/nemo/.mozilla"
su - -c " mount -o bind /crypt/nemo/.qmf /home/nemo/.cache"
su - -c " mount -o bind /crypt/nemo/.sailfish-accounts-tool /home/nemo/.sailfish-accounts-tool"
su - -c " mount -o bind /crypt/nemo/.timed /home/nemo/.timed"
su - -c "mount -o bind /crypt/data/ /opt/alien/data/"
su - -c " systemctl restart user@100000"
Hi All, After some Android time I'm back on Jolla and am impressed by the good battery life and still up to date platform.
Again I am trying to encrypt my device as it's terrible to lose it and have all my data leaked. cryptsetup is easy enough to install via
devel-su
pkcon install cryptsetup
Like my earlier post, after creating an encrypted device and moving all my data there, how do I replace the /home/nemo folder and refresh all the apps with the new configuration files?
Or is there a way to drop to a terminal during boot where I can run the script to over-mount the /home/nemo directory before all the apps are opened?
The problem is that allthough I mount the new cryptdevice at /home/nemo, none of the apps pick up the new configuration and files.
I've tried reloading the overview app, no luck.
magahugu2 ( 2018-04-04 14:52:42 +0300 )editanswered 2016-08-17 22:33:46 +0300
For the next official device I want ask for hardware-based encryption through the memory itself.
Rational: As fast, as without encryption. Works transparently, for all operating-systems (rescue-system, adb, sailfish and so on). Laptops and most modern SSDs with ATA-Secure have shown, it works.
Please note, you don't need unlock the key for the drive during runtime (i.e. devicelock) only during power-up. During runtime the the device-lock protects your device.
Benefit for Jolla: Less code to develop, less surface to make mistakes.
Asked: 2013-12-26 01:26:45 +0300
Seen: 13,160 times
Last updated: Aug 18 '16
see also keychain linked to TOH & link all/previous changes to TOH
AL13N ( 2013-12-26 01:45:17 +0300 )editThis should be fairly easy, as Linux already has all these LUKS/dmcrypt and eCryptFS stuff done. It might however need more CPU and thus consume battery. Maybe better put it as an option users can choose it they want to.
Please add tag 'securiity'
otto ( 2013-12-26 23:34:48 +0300 )editBesides home directory ecryption, also include option to encrypt SD card contents. That would be something that not even Android supports yet. And please use some standard Linux crypto so that the SD card can be mounted and opened without the original phone.
otto ( 2013-12-26 23:36:42 +0300 )edit@otto this isn't as easy as one might think, because there's a lot of catch 22's here... order of services becomes important, etc... in theory all elements are available, but i can guarantee that alot of time will be spent in order to combine it into "1 feature"
AL13N ( 2013-12-26 23:38:28 +0300 )editLooking at the locked bootloader shitstorm today, we need encryption ASAP to allow the boot loader opened again: vote, vote, vote!
We must not loose any more developers!
ortylp ( 2013-12-28 13:25:13 +0300 )edit