One method to encrypt /home/phablet
-
@chrisc As I recall I had this working last spring or summer. Returning to it on a Nexus 5 today (following upgrade to the RC for OTA-7), the lightdm restart is only working for me if called by a root shell over ssh from another machine, not from a sudo -i in the built in terminal, which kills lightdm and gives me a black screen without lightdm ever coming up again.
I tried ssh-ing to localhost and running the commands from sudo -i in that ssh session, but that too does not result in lightdm coming back. I also tried using "stop" followed by a sleep and a "start" thereafter, but again, lightdm does not return.
Have you encountered this on any of your devices? Any idea what could be causing it, or what to try as a workaround?
-
Hi, any news about this workaround? I would like to try it on my Nexus 5
-
I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.
Have you given it a try on your Nexus? Worst case is you have to make a hard shutdown, so it's not especially invasive if it fails, and I'd be interested to know if it's only happening to me (in which case I could conclude I'm probably deviating from the instructions in some way).
-
@trainailleur said in One method to encrypt /home/phablet:
I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.
Decided to do some quick testing while I was thinking about it. Logs in /var/log/lightdm aren't telling me much.
What I did get to work was:
sudo -i
cd /tmp
nohup /etc/init.d/lightdm force-reload
Without nohup, lightdm will die but not restart unless I'm logged in via ssh over wifi.
The purpose of cd-ing to /tmp is to get to a writable filesystem, else nohup will fail.
Restart did not prove as reliable as force-reload, and also I sometimes lost wifi when it did work.
Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)
-
@trainailleur said in One method to encrypt /home/phablet:
Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)
Got it working using @chrisc's instructions, with the exception that the apt sources do not need to be changed if you are on xenial.
Many thanks to @chrisc for the instructions and guidance and to all the developers of Ubuntu Touch (both Canonical and UBPorts) for developing and maintaining commonality with a standard OS so we can relatively easily manipulate it for our needs in this fashion.
Encryption of some sort was a prerequisite of my using UT for anything more than basic testing. I'm not under any illusions about the ultimate security of a four year old phone with closed source drivers and an unlocked bootloader, but I'm also not expecting any adversary stronger than the average phone thief. With LUKS-encrypted home, I'm now sufficiently comfortable that my personal data will be protected in the event of a device loss or theft that I can start to use Ubuntu Touch for real outside the house.
-
@trainailleur Hello sir, I am trying to install cryptsetup after a clean install (devel) but I can't get cryptsetup to install using the xenial sources:
phablet@ubuntu-phablet:~$ apt-get install cryptsetup
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package cryptsetup is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
bash-completion
W: Not using locking for read only lock file /var/lib/dpkg/lock-frontend
W: Not using locking for read only lock file /var/lib/dpkg/lock
E: Package 'cryptsetup' has no installation candidate
Any hint about why this is happening? Thank you in advance
-
@malditobastardo check that you have the correct entries in your sources.list and do an apt update before trying to install that package
-
@malditobastardo run apt-get update first, it is in Xenial.
-
@chrisc Hello Sir, thank you for your answer.
I just realized that I am getting tons of errors when trying to do apt-get update
( Could not open file /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_xenial-updates_main_source_Sources.xz - open (13: Permission denied) [IP: 91.189.88.150 80])
Similar to this. Maybe it is a ubports server issue?
@advocatux and this:
"phablet@ubuntu-phablet:~$ sudo mount -o rw,remount /
[sudo] password for phablet:
phablet@ubuntu-phablet:~$ apt-get update
Reading package lists... Done
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)"
Ok I needed "sudo", is that normal??? (installing cryptsetup)
-
@malditobastardo run sudo -i to become root.
-
@trainailleur I only have a OnePlus One at the moment and sometimes it takes a while for the display to come back up after a /etc/init.d/lightdm restart and yes it is easier doing it via SSH.
-
@chrisc First step done! I am getting this in the second part:
sent 40,788,174 bytes received 21,557 bytes 16,323,892.40 bytes/sec
total size is 40,668,865 speedup is 1.00
root@ubuntu-phablet:/home# umount /media/phablet/
root@ubuntu-phablet:/home# mount /dev/mapper/phablet /home/phablet
root@ubuntu-phablet:/home# cd /tmp
root@ubuntu-phablet:/tmp# nohup /etc/init.d/lightdm force-reload
nohup: ignoring input and appending output to 'nohup.out'
root@ubuntu-phablet:/tmp# cd
root@ubuntu-phablet:~# cryptsetup luksOpen phablet.img phablet
Device phablet.img doesn't exist or access denied.
edit: is this step needed? (I did this in a fresh install). Should I just leave the "phablet.img" sitting there (2GB) in /home/phablet?
edit2: OK, I am starting to understand how this works... I think. So after a restart of the phone I can't see any of my files, config, photos, etc. so it looks like every time I restart or shut down my phone I need to "decrypt" the disk manually. The issue is that I am trying to follow the steps mentioned in the guide but I am getting access denied? Is this correct? Is it normal that I have to decrypt every time I restart the phone?
Edit3: OK so I managed to "decrypt" and I have all of my files back again. I had to run the commands in /home to make it work (my bad).
Anyway, what's the best way to decrypt the phone? Because most of the time I don't have the chance to ssh into my phone and I usually restart the device 2-3 times per day, so doing this every time is kind of a PIA. Is there no easy way to deal with this? Otherwise I may just reset the phone and wait for a proper way to encrypt the phone in the future.
Thanks everyone for everything, especially @chrisc!!!
-
@malditobastardo said in One method to encrypt /home/phablet:
...
phablet@ubuntu-phablet:~$ apt-get update
...
Ok I needed "sudo", is that normal??? (installing cryptsetup)
As far as I know, you always need sudo when doing apt-get install, or apt-get update. For me this works:
phablet@ubuntu-phablet:~$ sudo apt-get update
-
@chrisc said in One method to encrypt /home/phablet:
@trainailleur I only have a OnePlus One at the moment and sometimes it takes a while for the display to come back up after a /etc/init.d/lightdm restart and yes it is easier doing it via SSH.
I had inconsistent results with restart (sometimes the display would never return, and other times it would return but with wifi broken, though I admit I have no idea what would cause that to happen), but force-reload has worked every time so far.
Thank you again for your help with this!
@malditobastardo said in One method to encrypt /home/phablet:
edit: is this step needed? (I did this in a fresh install). Should I just leave the "phablet.img" sitting there (2GB) in /home/phablet?
Sorry I was offline when all of your questions came up. Glad @chrisc was here to help!
You could put it anywhere, so long as it's on a writable filesystem. Since much of the UBPorts filesystem is not writable by default, /home seems a good place to me.
edit2: OK, I am starting to understand how this works... I think. So after a restart of the phone I can't see any of my files, config, photos, etc. so it looks like every time I restart or shut down my phone I need to "decrypt" the disk manually. The issue is that I am trying to follow the steps mentioned in the guide but I am getting access denied? Is this correct? Is it normal that I have to decrypt every time I restart the phone?
Yes, normal. You could write a script or create a bash alias to make it simpler. Since I'm still tinkering, I've not yet done this but plan to.
Edit3: OK so I managed to "decrypt" and I have all of my files back again. I had to run the commands in /home to make it work (my bad).
Anyway, what's the best way to decrypt the phone? Because most of the time I don't have the chance to ssh into my phone and I usually restart the device 2-3 times per day, so doing this every time is kind of a PIA. Is there no easy way to deal with this? Otherwise I may just reset the phone and wait for a proper way to encrypt the phone in the future.
Use the built-in terminal application, and you won't have to ssh. ssh is useful for doing a lot of setup, but just to unlock and mount the crypt is only a few commands and easy enough to type in the terminal. Just note what my earlier posts said about the steps I had to take to get lightdm to restart when run from the local terminal on the phone as opposed to ssh. I agree that ssh isn't a good solution to unlocking the phone, which is why I kept chipping away at it until I found steps which would work in the on-board terminal.
I may have a bit of an advantage in that from other work I'm extremely used to typing cryptsetup commands by hand and could type them in my sleep (I have in fact dreamt them before), but it's pretty easy to set up bash aliases or write a simple bash script if you have trouble remembering the steps or syntax or simply want to save the hassle of typing on a software keyboard.
Thanks everyone for everything specially @chrisc !!!
I'm delighted to know there are now at least three of us doing this.
-
@trainailleur thanks for your help with this and I'm glad it has been of use, I have updated the top post with your method to restart the display manager.
As I said in the top post, "I'd strongly suggest that only people who know their way around Linux via the command line do this…"
I have also added an e2fsck /dev/mapper/phablet line – if your phone goes flat or has to be forcibly power cycled it can result in some disk inconsistency so best check before mounting.
I don't have a SIM card in my Ubuntu Touch OnePlus One (in fact I have the mobile phone network modem switched off via /usr/share/ofono/scripts/disable-modem /ril_0), I only use WiFi and also have an encrypted Debian Stretch chroot on the phone (which also runs an SSH server) that I use for most things and I run all my terminal sessions in screen so that when there is the occasional display manager crash I don't lose them. I also make a lot of use of git and mosh and ansible (via Debian backports) – I don't like carrying a laptop around all the time but I like to be able to do emergency sysadmin work from anywhere and the Ubuntu Touch phone enables this.
I have terrible battery life when WiFi is on, I generally only have it on when it is plugged in or when doing something in an emergency, I use my LineageOS OnePlus 3 (without Gapps) as a hotspot and connect via that. When the WiFi is off I have excellent battery life, the phone might only drop 1% overnight even with multiple mosh sessions running in screen in the Debian chroot with Prevent app suspension enabled for the Terminal app via the UT Tweak Tool.
I have some old notes on some other tricks on a wiki, but I haven't updated that for a couple of years so much of it might be outdated.
-
@chrisc @trainailleur Hey guys, thanks for your help!
Ok so everything is working fine with ssh after each restart etc. I was also experimenting doing it by the phone terminal but when I go that route I only get half of my config working. For example, the contacts are not visible, the changes made with UTweaktool are not present, the keyboard theme etc. Sadly for some reason doing it by the terminal only decrypts half of my config or something like that. I don't know why.
Also I noticed worse battery performance on my Nexus 5. It was at 65% 8 hours ago before going to sleep and this morning the phone was dead. Other than that, I will try to figure out why decrypting the phone via the terminal is not working for me; if I manage to get that working or by a script/bash alias I will keep the encryption long term. Let's see.. Thank you again.
One more thing, I am also experiencing the wifi disappearing sometimes, usually I fix that by restarting the phone once.
edit2: after trying to decrypt with the new commands, it worked well doing it from the phone terminal
-
Revisiting this a year later, following a fresh install of OTA-12 on a OnePlus One. It still works.
I did have to bind mount /var/cache/apt as per @jezek 's tip here: https://forums.ubports.com/post/20297
I also dispensed with the cd to /tmp when I remembered that nohup is just writing standard output to a file anyway, so there was no reason not to write to /dev/null, obviating the need to write to a filesystem that will survive the lightdm reload:
nohup /etc/init.d/lightdm force-reload > /dev/null
Will test on PinePhone when I get the chance, but unfortunately my BraveHeart device has been gathering dust for a few months. (Too many projects, too little time, even with all this extra quarantine time in my life.)
As always, DON'T do this unless you know what you're doing* and are prepared to accept the risk of a broken system, either now or at the next OTA.
*A good litmus test might be: you understand what all of the commands in this thread are doing and why they were chosen, as that comprehension implies understanding of the potential consequences as well as the limitations.
-
@trainailleur said in One method to encrypt /home/phablet:
Will test on PinePhone when I get the chance, but unfortunately my BraveHeart device has been gathering dust for a few months. (Too many projects, too little time, even with all this extra quarantine time in my life. )
I finally tested this on the PinePhone (dev channel). It works fine, as expected, though instead of using a file as the encrypted block device, I created a new partition on the sdcard I'm using for testing.
-
Have gone further on the PinePhone and copied all of the writable data into a new luks-encrypted partition.
I now have a shell script in my home directory as initially booted that will:
- check to see if cryptsetup is installed and if not kick off an install script
- turn off swap so we don't end up with encryption keys in swap
- unlock the encrypted partition
- cd to /tmp (because not doing so was tripping me up in the next step)
- force umount /userdata using "umount -l"
- remount the encrypted partition on it
- in sequence force umount each userdata-mounted writeable part of the filesystem using "umount -l" then bind mount it back on the new, encrypted userdata (the bind mounts for your system can be found with findmnt)
- turn swap back on using a new swap file in the encrypted partition with the same -1 setting that the original swap had (a larger swap file, in my case)
- force-reload lightdm
Is anything aside from updates written to permanent storage other than to bind mounts on /userdata? I didn't find anything, but there's always the possibility that I missed something.
All of this adds a couple of minutes to getting the phone ready for use, of course, and there may be things I've not yet discovered which will turn out to be broken.
Given how much is not yet working in the PinePhone, I should probably replicate this on an Android-based UBPorts device like the OnePlus One or the Nexus 5 for further testing. I'm thinking it should probably work with a large container in /userdata, skipping the umount of /userdata and mounting the decrypted block file (and the consequent bind mounts) on a file within /userdata, but this isn't testing I plan to pursue for now, as other tests take priority.
I am not posting my script here because it only applies to how I have set up my PinePhone. There are a few choices I made which would break completely for someone who made different setup choices. Anyone capable of getting this working on their device will need to understand what is meant by each step above so should be able to develop a process that works for them. If anyone who does want to try this and does know what they're doing hits a snag and has a question, I'll try to answer it.
Standard caveat applies: this could break everything on your phone, and UBPorts developers will not support this or help you fix it. Proceed at your own risk.
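An added example, not trainailleur's unpublished script, of the sequence listed above, with the bind-mount step derived from findmnt output so the whole plan can be printed (DRY_RUN=1, the default) before anything is touched. It assumes PART is the LUKS partition, that it is mapped as userdata, that a swap file already exists at /userdata/swapfile inside it, and findmnt's DEVICE[/subdir] format for bind-mount sources.

```shell
#!/bin/bash
# Added example, not trainailleur's unpublished script: the /userdata
# re-plumbing sequence from the post above. Assumptions, all mine: PART is
# the LUKS partition, it is mapped as /dev/mapper/userdata, a swap file was
# created once at /userdata/swapfile inside it, and findmnt prints
# bind-mount sources as DEVICE[/subdir] (the util-linux format).
set -eu

PART="${PART:-}"            # e.g. PART=/dev/mmcblk0p3 DRY_RUN=0 ./script migrate
NEWDEV=/dev/mapper/userdata
DRY_RUN="${DRY_RUN:-1}"     # default: only print the commands

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Read "TARGET SOURCE" lines (findmnt -rn -o TARGET,SOURCE) on stdin; for
# every bind mount whose source is a subdirectory of $1 (the old block
# device behind /userdata) emit the commands that lazily unmount it and
# bind the same subdirectory back from the new, encrypted /userdata.
bind_plan() {
    awk -v dev="$1" '
        index($2, dev "[") == 1 {
            sd = substr($2, length(dev) + 2)     # strip "DEVICE["
            sd = substr(sd, 1, length(sd) - 1)   # strip trailing "]"
            print "umount -l " $1
            print "mount --bind /userdata" sd " " $1
        }'
}

migrate_userdata() {
    [ -n "$PART" ] || { echo "set PART to the LUKS partition" >&2; return 1; }
    # the post kicks off an install script here; this version only checks
    command -v cryptsetup >/dev/null || { echo "cryptsetup missing" >&2; return 1; }
    olddev=$(findmnt -rn -o SOURCE /userdata)
    # record the bind mounts while the old /userdata is still in place
    plan=$(findmnt -rn -o TARGET,SOURCE | bind_plan "$olddev")
    run swapoff -a                  # no key material in unencrypted swap
    run cryptsetup luksOpen "$PART" userdata
    cd /tmp                         # a cwd under /userdata trips the umount
    run umount -l /userdata
    run mount "$NEWDEV" /userdata
    # word splitting of $cmd is intended: each plan line is one command
    printf '%s\n' "$plan" | while read -r cmd; do [ -z "$cmd" ] || run $cmd; done
    # "-1" taken to be the swap priority the original swap had (see /proc/swaps)
    run swapon -p -1 /userdata/swapfile
    run sh -c 'nohup /etc/init.d/lightdm force-reload >/dev/null'
}

case "${1:-}" in migrate) migrate_userdata ;; esac
```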
-
Seems that lightdm doesn't restart with the latest OTA. Any tips?