One method to encrypt /home/phablet

chrisc · 2 Mar 2018, 14:01

Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory, I'd strongly suggest that only people who know their way around Linux via the command line do this…

This is easier to do if you have ssh access to the phone, to enable that use the UT Tweak Tool or do it using the command line, in this example $GITHUBUSERNAME is your GitHub username and it assumes your public SSH keys are available at this URL, you could also use adb to push your public keys to the phone:

android-gadget-service enable ssh
cd
mkdir .ssh
chmod 700 .ssh
cd .ssh
wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys
chmod 600 authorized_keys

You can then ssh to the phone as the phablet user.

Install cryptsetup, by remounting root read write (do not run apt-get upgrade — only install packages that are essential to you like this):

mount -o rw,remount /
apt-get update
apt-get install cryptsetup
mount -o ro,remount /

Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

sudo -i
cd /home
fallocate -l 2G phablet.img
cryptsetup luksFormat phablet.img
cryptsetup luksOpen phablet.img phablet
mkfs.ext4 /dev/mapper/phablet
mkdir /media/phablet
mount /dev/mapper/phablet /media/phablet
rsync -av /home/phablet/ /media/phablet/
umount /media/phablet/
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install install of the phone you might want to leave that where it is since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

sudo -i
cryptsetup luksOpen phablet.img phablet
e2fsck /dev/mapper/phablet 
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

trainailleur · 3 Apr 2018, 02:35

@chrisc Thanks. I had been tinkering with this on one of my test devices, based on your old instructions ( https://ubuntu.webarch.uk/wiki/Encrypted_Home ). The restart of lightdm was the piece I was missing, so this post here is extremely helpful. I'll try this out when I get back home to my main test phone next week.

Edit to add: I realize from looking at my earlier posts that I never thanked you for pointing me to your earlier instructions in a reply you wrote me about encryption here last autumn. My deepest apologies. I'd certainly not intended to be so rude, so all I can think is it slipped my mind. In any case, I was very grateful for that post, as I am for this post.

Osndok · 8 Mar 2018, 22:42

I've got several questions!

Firstly, have you noticed much performance penalty for enabling encryption?

And second... supposing that I did this, and later perform an OTA that wipes out the cryptsetup (and its dependencies)... is that going to make the phone unusable? if so, how could I fix it with a "real" computer, or safely test this situation?

chrisc · 18 Mar 2018, 15:49

@trainailleur no worries, glad to have helped

@Osndok I haven't used Ubuntu Touch without an encrypted partition so I don't have anything to compare with, sometime I do get rapid battery drain, the phone will go flat over night, but that is very rare, most the time it'll only lose 1% or 2% overnight when in airplane mode.

I do find I have a rapid battery drain when using wifi, I don't know the reason for this. I have used the UT Tweak Tool to ensure that suspension is prevented for the Terminal App and I use mosh in screen in a Debian chroot for most things.

The last OTA upgrade didn't remove cryptsetup, I'm not exactly sure why, in any case it is easy enough to reinstall it, in any case, if need be, just copy the file with the encrypted filesystem to a Linux machine and decrypt it there.

haveaniceday · 1 Oct 2018, 23:42

Regarding speed
Some time ago I tested this on a BQ Aquaris 4.5 (krillin) and got the following results:
simple write 10 Mb/s, ecryptfs 7.5 Mb/s, luks 6.3 Mb/s
IIRC it was with 500mb of random data in /home/phablet. The BQ 4.5 does not have hardware AES acceleration, which means slow and energy-consuming encryption.
Note: you can check if your device has hw aes with grep aes /proc/cpuinfo - it should be listed under 'Features'.

Regarding Usability / Stability
For some month I used the folders ~/Pictures, ~/Videos, ~/Downloads and ~/Documents with ecryptfs. Let it put me this way: my phone didn't crash more than it did before. It wasn't really stable before ubports' OTA-1. But taking photos, downloading files etc. all worked out fine. Really annoying was that after each crash, I needed to enter the passphrase again.
I did not observed change in energy consumption in standby, probably because then there is not much file access.

Future
A good option would be showing a dialog at boot time that asks for entering the passphrase. Like the first-time installer that asks you for the timezone etc.
Going forward it would be reasonable to look into what TPM capabilities our supported phones have. A good direction would be composite keys between securely stored secrets in the phone and the user's notoriously low-entropy passphrase.

I'd like to continue testing. My new M10 FHD seems to have aes cpu instructions, we'll see how that goes.

dobey · 2 Oct 2018, 17:59

FWIW, ecryptfs is deprecated.

doniks · 2 Oct 2018, 18:01

@dobey oh. Wasn't that the Ubuntu method to encrypt your home folder? what do they use now?

dobey · 2 Oct 2018, 18:04

@doniks I'm not sure, but I think the 18.04 installer does not have home directory encryption, only full disk/partition encryption with luks.

haveaniceday · 2 Oct 2018, 19:29

Recommending full disk encryption is a good choice in my opinion. The default installer gives options, e.g. Ext4 encryption.

ernest · 2 Oct 2018, 22:07

FYI : https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/1756840

trainailleur · 1 Aug 2019, 00:58

@chrisc As I recall I had this working last spring or summer. Returning to it on a Nexus 5 today (following upgrade to the RC for OTA-7), the lightdm restart is only working for me if called by a root shell over ssh from another machine, not from a sudo -i in the built in terminal, which kills lightdm and gives me a black screen without lightdm ever coming up again.

I tried ssh-ing to localhost and running the commands from sudo -i in that ssh session, but that too does not result in lightdm coming back. I also tried using "stop" followed by a sleep and a "start" thereafter, but again, lightdm does not return.

Have you encountered this on any of your devices? Any idea what could be causing it, or what to try as a workaround?

malditobastardo · 4 Feb 2019, 18:13

Hi any news about this workaround? i would like to try it on my nexus 5

trainailleur · 5 Feb 2019, 18:31

@malditobastardo

I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

Have you given it a try on your Nexus? Worst case is you have to make a hard shutdown, so it's not especially invasive if it fails, and I'd be interested to know if it's only happening to me (in which case I could conclude I'm probably deviating from the instructions in some way).

trainailleur · 2 May 2019, 20:16

@trainailleur said in One method to encrypt /home/phablet:

I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

Decided to do some quick testing while I was thinking about it. Logs in /var/log/lightdm aren't telling me much.

What I did get to work was:

sudo -i
cd /tmp
nohup /etc/init.d/lightdm force-reload

Without nohup, lightdm will die but not restart unless I'm logged in via ssh over wifi.

The purpose of cd-ing to /tmp is to get to a writable filesystem, else nohup will fail.

Restart did not prove as reliable as force-reload, and also I sometimes lost wifi when it did work.

Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

trainailleur · 2 May 2019, 21:00

@trainailleur said in One method to encrypt /home/phablet:

Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

Got it working using @chrisc's instructions, with the exception that the apt sources do not need to be changed if you are on xenial.

Many thanks to @chrisc for the instructions and guidance and to all the developers of Ubuntu Touch (both Canonical and UBPorts) for developing and maintaining commonality with a standard OS so we can relatively easily manipulate it for our needs in this fashion.

Encryption of some sort was a prerequisite of my using UT for anything more than basic testing. I'm not under any illusions about the ultimate security of a four year old phone with closed source drivers and an unlocked bootloader, but I'm also not expecting any adversary stronger than the average phone thief. With LUKS-encrypted home, I'm now sufficiently comfortable that my personal data will be protected in the event of a device loss or theft that I can start to use Ubuntu Touch for real outside the house.

malditobastardo · 8 Feb 2019, 12:50

@trainailleur Hello sir, I am trying to to install cryptsetup after a clean install (devel) but I can't get to install cryptsetup using the xenial sources:

phablet@ubuntu-phablet:~$ apt-get install cryptsetup
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package cryptsetup is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
bash-completion

W: Not using locking for read only lock file /var/lib/dpkg/lock-frontend
W: Not using locking for read only lock file /var/lib/dpkg/lock
E: Package 'cryptsetup' has no installation candidate

Any hint about why this is happening? Thank you in advance

advocatux · 8 Feb 2019, 13:03

@malditobastardo check that you have the correct entries in your sources.list and do an apt update before trying to install that package

chrisc · 8 Feb 2019, 13:04

@malditobastardo run apt-get update first, it is in Xenial.

malditobastardo · 2 Aug 2019, 13:37

@chrisc Hello Sir, thank you for your answer.

I just realized that I am getting tons of errors when trying to do apt-get update

( Could not open file /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_xenial-updates_main_source_Sources.xz - open (13: Permission denied) [IP: 91.189.88.150 80])
Similar lo this.

Maybe is a ubports server issue?
@advocatux

and this:

"phablet@ubuntu-phablet:~$ sudo mount -o rw,remount /
[sudo] password for phablet:
phablet@ubuntu-phablet:~$ apt-get update
Reading package lists... Done
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)"

Ok I needed "sudo", is that normal??? (installing cryptsetup)

chrisc · 8 Feb 2019, 14:01

@malditobastardo run sudo -i to become root.