One method to encrypt /home/phablet



  • Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory, I'd strongly suggest that only people who know their way around Linux via the command line do this…

    This is easier to do if you have ssh access to the phone, to enable that:

    android-gadget-service enable ssh
    cd
    mkdir .ssh
    chmod 700 .ssh
    cd .ssh
    wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys
    chmod 600 authorized_keys
    

    You can then ssh to the phone as the phablet user.

    Install cryptsetup, by remounting root read write and updating the /etc/apt/sources.list (changing ports.ubuntu.com/ubuntu-ports to old-releases.ubuntu.com/ubuntu):

    mount -o rw,remount /
    vi /etc/apt/sources.list
    :1,$s;ports.ubuntu.com/ubuntu-ports;old-releases.ubuntu.com/ubuntu;
    apt-get update
    apt-get install cryptsetup
    mount -o ro,remount /
    

    Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

    sudo -i
    cd /home
    fallocate -l 2G phablet.img
    cryptsetup luksFormat phablet.img
    cryptsetup luksOpen phablet.img phablet
    mkfs.ext4 /dev/mapper/phablet
    mkdir /media/phablet
    mount /dev/mapper/phablet /media/phablet
    rsync -av /home/phablet/ /media/phablet/
    umount /media/phablet/
    mount /dev/mapper/phablet /home/phablet
    /etc/init.d/lightdm restart
    

    If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install install of the phone you might want to leave that where it is since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

    sudo -i
    cryptsetup luksOpen phablet.img phablet
    mount /dev/mapper/phablet /home/phablet
    /etc/init.d/lightdm restart
    


  • @chrisc Thanks. I had been tinkering with this on one of my test devices, based on your old instructions ( https://ubuntu.webarch.uk/wiki/Encrypted_Home ). The restart of lightdm was the piece I was missing, so this post here is extremely helpful. I'll try this out when I get back home to my main test phone next week.

    Edit to add: I realize from looking at my earlier posts that I never thanked you for pointing me to your earlier instructions in a reply you wrote me about encryption here last autumn. My deepest apologies. I'd certainly not intended to be so rude, so all I can think is it slipped my mind. In any case, I was very grateful for that post, as I am for this post.



  • I've got several questions!

    Firstly, have you noticed much performance penalty for enabling encryption?

    And second... supposing that I did this, and later perform an OTA that wipes out the cryptsetup (and its dependencies)... is that going to make the phone unusable? if so, how could I fix it with a "real" computer, or safely test this situation?



  • @trainailleur no worries, glad to have helped :-)

    @Osndok I haven't used Ubuntu Touch without an encrypted partition so I don't have anything to compare with, sometime I do get rapid battery drain, the phone will go flat over night, but that is very rare, most the time it'll only lose 1% or 2% overnight when in airplane mode.

    I do find I have a rapid battery drain when using wifi, I don't know the reason for this. I have used the UT Tweak Tool to ensure that suspension is prevented for the Terminal App and I use mosh in screen in a Debian chroot for most things.

    The last OTA upgrade didn't remove cryptsetup, I'm not exactly sure why, in any case it is easy enough to reinstall it, in any case, if need be, just copy the file with the encrypted filesystem to a Linux machine and decrypt it there.



  • Regarding speed
    Some time ago I tested this on a BQ Aquaris 4.5 (krillin) and got the following results:
    simple write 10 Mb/s, ecryptfs 7.5 Mb/s, luks 6.3 Mb/s
    IIRC it was with 500mb of random data in /home/phablet. The BQ 4.5 does not have hardware AES acceleration, which means slow and energy-consuming encryption.
    Note: you can check if your device has hw aes with grep aes /proc/cpuinfo - it should be listed under 'Features'.

    Regarding Usability / Stability
    For some month I used the folders ~/Pictures, ~/Videos, ~/Downloads and ~/Documents with ecryptfs. Let it put me this way: my phone didn't crash more than it did before. It wasn't really stable before ubports' OTA-1. But taking photos, downloading files etc. all worked out fine. Really annoying was that after each crash, I needed to enter the passphrase again.
    I did not observed change in energy consumption in standby, probably because then there is not much file access.

    Future
    A good option would be showing a dialog at boot time that asks for entering the passphrase. Like the first-time installer that asks you for the timezone etc.
    Going forward it would be reasonable to look into what TPM capabilities our supported phones have. A good direction would be composite keys between securely stored secrets in the phone and the user's notoriously low-entropy passphrase.

    I'd like to continue testing. My new M10 FHD seems to have aes cpu instructions, we'll see how that goes.



  • FWIW, ecryptfs is deprecated.



  • @dobey oh. Wasn't that the Ubuntu method to encrypt your home folder? what do they use now?



  • @doniks I'm not sure, but I think the 18.04 installer does not have home directory encryption, only full disk/partition encryption with luks.



  • Recommending full disk encryption is a good choice in my opinion. The default installer gives options, e.g. Ext4 encryption.




Log in to reply
 

Looks like your connection to UBports Forum was lost, please wait while we try to reconnect.