One method to encrypt /home/phablet

  • Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory, I'd strongly suggest that only people who know their way around Linux via the command line do this…

    This is easier to do if you have ssh access to the phone, to enable that use the UT Tweak Tool or do it using the command line, in this example $GITHUBUSERNAME is your GitHub username and it assumes your public SSH keys are available at this URL, you could also use adb to push your public keys to the phone:

    android-gadget-service enable ssh
    mkdir .ssh
    chmod 700 .ssh
    cd .ssh
    wget$GITHUBUSERNAME.keys -O authorized_keys
    chmod 600 authorized_keys

    You can then ssh to the phone as the phablet user.

    Install cryptsetup, by remounting root read write (do not run apt-get upgrade — only install packages that are essential to you like this):

    mount -o rw,remount /
    apt-get update
    apt-get install cryptsetup
    mount -o ro,remount /

    Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

    sudo -i
    cd /home
    fallocate -l 2G phablet.img
    cryptsetup luksFormat phablet.img
    cryptsetup luksOpen phablet.img phablet
    mkfs.ext4 /dev/mapper/phablet
    mkdir /media/phablet
    mount /dev/mapper/phablet /media/phablet
    rsync -av /home/phablet/ /media/phablet/
    umount /media/phablet/
    mount /dev/mapper/phablet /home/phablet
    cd /tmp
    nohup /etc/init.d/lightdm force-reload

    If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install install of the phone you might want to leave that where it is since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

    sudo -i
    cryptsetup luksOpen phablet.img phablet
    e2fsck /dev/mapper/phablet 
    mount /dev/mapper/phablet /home/phablet
    cd /tmp
    nohup /etc/init.d/lightdm force-reload

  • @chrisc Thanks. I had been tinkering with this on one of my test devices, based on your old instructions ( ). The restart of lightdm was the piece I was missing, so this post here is extremely helpful. I'll try this out when I get back home to my main test phone next week.

    Edit to add: I realize from looking at my earlier posts that I never thanked you for pointing me to your earlier instructions in a reply you wrote me about encryption here last autumn. My deepest apologies. I'd certainly not intended to be so rude, so all I can think is it slipped my mind. In any case, I was very grateful for that post, as I am for this post.

  • I've got several questions!

    Firstly, have you noticed much performance penalty for enabling encryption?

    And second... supposing that I did this, and later perform an OTA that wipes out the cryptsetup (and its dependencies)... is that going to make the phone unusable? if so, how could I fix it with a "real" computer, or safely test this situation?

  • @trainailleur no worries, glad to have helped 🙂

    @Osndok I haven't used Ubuntu Touch without an encrypted partition so I don't have anything to compare with, sometime I do get rapid battery drain, the phone will go flat over night, but that is very rare, most the time it'll only lose 1% or 2% overnight when in airplane mode.

    I do find I have a rapid battery drain when using wifi, I don't know the reason for this. I have used the UT Tweak Tool to ensure that suspension is prevented for the Terminal App and I use mosh in screen in a Debian chroot for most things.

    The last OTA upgrade didn't remove cryptsetup, I'm not exactly sure why, in any case it is easy enough to reinstall it, in any case, if need be, just copy the file with the encrypted filesystem to a Linux machine and decrypt it there.

  • Regarding speed
    Some time ago I tested this on a BQ Aquaris 4.5 (krillin) and got the following results:
    simple write 10 Mb/s, ecryptfs 7.5 Mb/s, luks 6.3 Mb/s
    IIRC it was with 500mb of random data in /home/phablet. The BQ 4.5 does not have hardware AES acceleration, which means slow and energy-consuming encryption.
    Note: you can check if your device has hw aes with grep aes /proc/cpuinfo - it should be listed under 'Features'.

    Regarding Usability / Stability
    For some month I used the folders ~/Pictures, ~/Videos, ~/Downloads and ~/Documents with ecryptfs. Let it put me this way: my phone didn't crash more than it did before. It wasn't really stable before ubports' OTA-1. But taking photos, downloading files etc. all worked out fine. Really annoying was that after each crash, I needed to enter the passphrase again.
    I did not observed change in energy consumption in standby, probably because then there is not much file access.

    A good option would be showing a dialog at boot time that asks for entering the passphrase. Like the first-time installer that asks you for the timezone etc.
    Going forward it would be reasonable to look into what TPM capabilities our supported phones have. A good direction would be composite keys between securely stored secrets in the phone and the user's notoriously low-entropy passphrase.

    I'd like to continue testing. My new M10 FHD seems to have aes cpu instructions, we'll see how that goes.

  • FWIW, ecryptfs is deprecated.

  • @dobey oh. Wasn't that the Ubuntu method to encrypt your home folder? what do they use now?

  • @doniks I'm not sure, but I think the 18.04 installer does not have home directory encryption, only full disk/partition encryption with luks.

  • Recommending full disk encryption is a good choice in my opinion. The default installer gives options, e.g. Ext4 encryption.

  • @chrisc As I recall I had this working last spring or summer. Returning to it on a Nexus 5 today (following upgrade to the RC for OTA-7), the lightdm restart is only working for me if called by a root shell over ssh from another machine, not from a sudo -i in the built in terminal, which kills lightdm and gives me a black screen without lightdm ever coming up again.

    I tried ssh-ing to localhost and running the commands from sudo -i in that ssh session, but that too does not result in lightdm coming back. I also tried using "stop" followed by a sleep and a "start" thereafter, but again, lightdm does not return.

    Have you encountered this on any of your devices? Any idea what could be causing it, or what to try as a workaround?

  • Hi any news about this workaround? i would like to try it on my nexus 5

  • @malditobastardo

    I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

    Have you given it a try on your Nexus? Worst case is you have to make a hard shutdown, so it's not especially invasive if it fails, and I'd be interested to know if it's only happening to me (in which case I could conclude I'm probably deviating from the instructions in some way).

  • @trainailleur said in One method to encrypt /home/phablet:

    I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

    Decided to do some quick testing while I was thinking about it. Logs in /var/log/lightdm aren't telling me much.

    What I did get to work was:

    sudo -i
    cd /tmp
    nohup /etc/init.d/lightdm force-reload

    Without nohup, lightdm will die but not restart unless I'm logged in via ssh over wifi.

    The purpose of cd-ing to /tmp is to get to a writable filesystem, else nohup will fail.

    Restart did not prove as reliable as force-reload, and also I sometimes lost wifi when it did work.

    Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

  • @trainailleur said in One method to encrypt /home/phablet:

    Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

    Got it working using @chrisc's instructions, with the exception that the apt sources do not need to be changed if you are on xenial.

    Many thanks to @chrisc for the instructions and guidance and to all the developers of Ubuntu Touch (both Canonical and UBPorts) for developing and maintaining commonality with a standard OS so we can relatively easily manipulate it for our needs in this fashion.

    Encryption of some sort was a prerequisite of my using UT for anything more than basic testing. I'm not under any illusions about the ultimate security of a four year old phone with closed source drivers and an unlocked bootloader, but I'm also not expecting any adversary stronger than the average phone thief. With LUKS-encrypted home, I'm now sufficiently comfortable that my personal data will be protected in the event of a device loss or theft that I can start to use Ubuntu Touch for real outside the house.

  • @trainailleur Hello sir, I am trying to to install cryptsetup after a clean install (devel) but I can't get to install cryptsetup using the xenial sources:

    phablet@ubuntu-phablet:~$ apt-get install cryptsetup
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Package cryptsetup is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    However the following packages replace it:

    W: Not using locking for read only lock file /var/lib/dpkg/lock-frontend
    W: Not using locking for read only lock file /var/lib/dpkg/lock
    E: Package 'cryptsetup' has no installation candidate

    Any hint about why this is happening? Thank you in advance

  • @malditobastardo check that you have the correct entries in your sources.list and do an apt update before trying to install that package

  • @malditobastardo run apt-get update first, it is in Xenial.

  • @chrisc Hello Sir, thank you for your answer.

    I just realized that I am getting tons of errors when trying to do apt-get update

    ( Could not open file /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_xenial-updates_main_source_Sources.xz - open (13: Permission denied) [IP: 80])
    Similar lo this.

    Maybe is a ubports server issue?

    and this:

    "phablet@ubuntu-phablet:~$ sudo mount -o rw,remount /
    [sudo] password for phablet:
    phablet@ubuntu-phablet:~$ apt-get update
    Reading package lists... Done
    W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
    E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
    E: Unable to lock directory /var/lib/apt/lists/
    W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
    W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)"

    Ok I needed "sudo", is that normal??? (installing cryptsetup)

  • @malditobastardo run sudo -i to become root.

Log in to reply