One method to encrypt /home/phablet



  • Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory. I'd strongly suggest that only people who know their way around Linux via the command line do this…

    This is easier to do if you have ssh access to the phone. To enable that:

    android-gadget-service enable ssh
    cd
    mkdir .ssh
    chmod 700 .ssh
    cd .ssh
    wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys
    chmod 600 authorized_keys
    

    You can then ssh to the phone as the phablet user.

    Install cryptsetup, by remounting root read write and updating the /etc/apt/sources.list (changing ports.ubuntu.com/ubuntu-ports to old-releases.ubuntu.com/ubuntu):

    mount -o rw,remount /
    vi /etc/apt/sources.list
    :1,$s;ports.ubuntu.com/ubuntu-ports;old-releases.ubuntu.com/ubuntu;
    apt-get update
    apt-get install cryptsetup
    mount -o ro,remount /
    

    Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

    sudo -i
    cd /home
    fallocate -l 2G phablet.img
    cryptsetup luksFormat phablet.img
    cryptsetup luksOpen phablet.img phablet
    mkfs.ext4 /dev/mapper/phablet
    mkdir /media/phablet
    mount /dev/mapper/phablet /media/phablet
    rsync -av /home/phablet/ /media/phablet/
    umount /media/phablet/
    mount /dev/mapper/phablet /home/phablet
    /etc/init.d/lightdm restart
    

    If everything is OK you might then want to delete the extra copy of the data at /home/phablet. Or, if you have done this on an initial install of the phone, you might want to leave that where it is, since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

    sudo -i
    cryptsetup luksOpen /home/phablet.img phablet
    mount /dev/mapper/phablet /home/phablet
    /etc/init.d/lightdm restart
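
A guarded version of the unlock steps above, as an added example that is not part of the original post: it checks that the image carries a LUKS header and that /home/phablet is not already mounted before running the post's commands. The function names and the `unlock` argument are assumptions; the image path, mapper name and mount point come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): guarded unlock of the LUKS image.
IMG=/home/phablet.img    # image created in /home by the post's fallocate step
NAME=phablet             # device-mapper name used in the post
MNT=/home/phablet        # mount point used in the post

# Return 0 if file $1 begins with the LUKS magic bytes "LUKS" 0xBA 0xBE.
has_luks_magic() {
    [ -r "$1" ] || return 1
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Print the LUKS header version: big-endian 16-bit field at byte offset 6.
luks_version() {
    v=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -n "$v" ] && printf '%d\n' "0x$v"
}

# Return 0 if directory $2 appears as a mount point in mounts table $1.
is_mounted() {
    awk -v m="$2" '$2 == m { found = 1 } END { exit !found }' "$1"
}

# Open and mount the image, refusing to act on a non-LUKS file or to
# stack a second mount on top of an already-mounted home.
unlock_home() {
    has_luks_magic "$IMG" || { echo "$IMG: no LUKS header" >&2; return 1; }
    if is_mounted /proc/mounts "$MNT"; then
        echo "$MNT is already mounted" >&2
        return 0
    fi
    # Reuse an existing mapping if luksOpen was already run this boot.
    [ -e "/dev/mapper/$NAME" ] || cryptsetup luksOpen "$IMG" "$NAME" || return 1
    mount "/dev/mapper/$NAME" "$MNT" || return 1
    /etc/init.d/lightdm restart
}

# Run as root with the argument "unlock"; with no argument only the
# functions are defined.
if [ "${1:-}" = "unlock" ]; then
    unlock_home
fi
```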
    


  • @chrisc Thanks. I had been tinkering with this on one of my test devices, based on your old instructions ( https://ubuntu.webarch.uk/wiki/Encrypted_Home ). The restart of lightdm was the piece I was missing, so this post here is extremely helpful. I'll try this out when I get back home to my main test phone next week.

    Edit to add: I realize from looking at my earlier posts that I never thanked you for pointing me to your earlier instructions in a reply you wrote me about encryption here last autumn. My deepest apologies. I'd certainly not intended to be so rude, so all I can think is it slipped my mind. In any case, I was very grateful for that post, as I am for this post.



  • I've got several questions!

    Firstly, have you noticed much performance penalty for enabling encryption?

    And second... supposing that I did this, and later perform an OTA that wipes out the cryptsetup (and its dependencies)... is that going to make the phone unusable? If so, how could I fix it with a "real" computer, or safely test this situation?



  • @trainailleur no worries, glad to have helped :-)

    @Osndok I haven't used Ubuntu Touch without an encrypted partition so I don't have anything to compare with. Sometimes I do get rapid battery drain, the phone will go flat overnight, but that is very rare; most of the time it'll only lose 1% or 2% overnight when in airplane mode.

    I do find I have a rapid battery drain when using wifi, I don't know the reason for this. I have used the UT Tweak Tool to ensure that suspension is prevented for the Terminal App and I use mosh in screen in a Debian chroot for most things.

    The last OTA upgrade didn't remove cryptsetup, I'm not exactly sure why; in any case it is easy enough to reinstall it, and in any case, if need be, just copy the file with the encrypted filesystem to a Linux machine and decrypt it there.

