UBports Forum

One method to encrypt /home/phablet

    • chrisc, 2 Mar 2018, 14:01 (edited 2 Sept 2019, 11:30)

      Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory. I'd strongly suggest that only people who know their way around Linux via the command line do this…

      This is easier to do if you have ssh access to the phone; to enable that, use the UT Tweak Tool or do it using the command line. In this example $GITHUBUSERNAME is your GitHub username and it assumes your public SSH keys are available at this URL; you could also use adb to push your public keys to the phone:

      android-gadget-service enable ssh      # start the ssh daemon on the phone
      cd
      mkdir .ssh
      chmod 700 .ssh                         # sshd ignores keys in a group/world-readable directory
      cd .ssh
      wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys   # fetch your public keys from GitHub
      chmod 600 authorized_keys
      

      You can then ssh to the phone as the phablet user.

      Install cryptsetup, by remounting root read write (do not run apt-get upgrade — only install packages that are essential to you like this):

      # run these as root (sudo -i); the root filesystem is mounted read-only by default
      mount -o rw,remount /
      apt-get update
      apt-get install cryptsetup     # LUKS/dm-crypt userspace tools
      mount -o ro,remount /          # put root back to read-only
      

      Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

      sudo -i
      cd /home
      fallocate -l 2G phablet.img                  # backing file; must be big enough for everything in /home/phablet
      cryptsetup luksFormat phablet.img            # sets the LUKS passphrase and wipes the file's contents
      cryptsetup luksOpen phablet.img phablet      # decrypted view appears at /dev/mapper/phablet
      mkfs.ext4 /dev/mapper/phablet
      mkdir /media/phablet
      mount /dev/mapper/phablet /media/phablet
      rsync -av /home/phablet/ /media/phablet/     # copy the existing home into the encrypted volume
      umount /media/phablet/
      mount /dev/mapper/phablet /home/phablet      # mount over the plaintext home; the original stays underneath
      cd /tmp                                      # nohup needs a writable cwd for nohup.out
      nohup /etc/init.d/lightdm force-reload       # restart the display manager so the session uses the new home
      

      If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install of the phone you might want to leave that where it is, since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

      sudo -i
      cryptsetup luksOpen phablet.img phablet      # prompts for the LUKS passphrase
      e2fsck /dev/mapper/phablet                   # check the filesystem before mounting (unclean shutdowns are common)
      mount /dev/mapper/phablet /home/phablet
      cd /tmp
      nohup /etc/init.d/lightdm force-reload
      
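      After the procedure above, a practitioner would want to confirm that the running session's home is really the dm-crypt view and not the plaintext directory underneath it, and whether the CPU has hardware AES (which affects the speed and battery figures discussed later in the thread). The following POSIX shell checks are an added example, not code from the post; they assume the mapping name phablet and mountpoint /home/phablet used in the commands above, and the sample /proc/mounts and /proc/cpuinfo files are constructed so the checks can be tried off the phone.

```shell
#!/bin/sh
# Added example (not from the forum post): post-setup checks for a LUKS-on-loop-file
# home. Assumes mapping "phablet" on /home/phablet as in the commands above; file
# paths are parameters so the checks can be exercised offline.

# Return 0 if mountpoint $2 is served by device $3 according to a /proc/mounts-style
# file $1. The last entry for a mountpoint wins, which is the one that matters once
# the encrypted volume is mounted over the plaintext directory.
mounted_from() {
    awk -v mp="$2" -v dev="$3" '
        $2 == mp { found = ($1 == dev) }
        END      { exit !found }' "$1"
}

# Return 0 if the cpuinfo file $1 lists "aes" under Features (ARM) or flags (x86),
# i.e. the CPU can accelerate the AES cipher LUKS uses by default.
has_hw_aes() {
    grep -Eq '^(Features|flags)[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"
}

# Print a short report; returns 1 when /home/phablet is not on the dm-crypt device.
# $1 = mounts file (default /proc/mounts), $2 = cpuinfo file (default /proc/cpuinfo)
check_encrypted_home() {
    mounts=${1:-/proc/mounts}
    cpuinfo=${2:-/proc/cpuinfo}
    rc=0
    if mounted_from "$mounts" /home/phablet /dev/mapper/phablet; then
        echo "OK: /home/phablet is served by /dev/mapper/phablet"
    else
        echo "WARNING: /home/phablet is not on /dev/mapper/phablet; the session is using the plaintext copy"
        rc=1
    fi
    if has_hw_aes "$cpuinfo"; then
        echo "CPU advertises hardware AES"
    else
        echo "no hardware AES: expect slower I/O and higher battery use under load"
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real device) so the checks run anywhere.
SAMPLES=$(mktemp -d)
printf '%s\n' \
    '/dev/mmcblk0p23 /home ext4 rw,relatime 0 0' \
    '/dev/mapper/phablet /home/phablet ext4 rw,relatime,data=ordered 0 0' > "$SAMPLES/mounts.luks"
printf '%s\n' '/dev/mmcblk0p23 /home ext4 rw,relatime 0 0' > "$SAMPLES/mounts.plain"
printf 'Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt\n' > "$SAMPLES/cpuinfo.noaes"
printf 'Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n' > "$SAMPLES/cpuinfo.aes"

check_encrypted_home "$SAMPLES/mounts.luks" "$SAMPLES/cpuinfo.aes"
```

On the phone, call check_encrypted_home with no arguments after the lightdm restart; a WARNING means the plaintext /home/phablet is still the one in use.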
      • trainailleur @chrisc, 4 Mar 2018, 02:24 (edited 3 Apr 2018, 02:35)

        @chrisc Thanks. I had been tinkering with this on one of my test devices, based on your old instructions ( https://ubuntu.webarch.uk/wiki/Encrypted_Home ). The restart of lightdm was the piece I was missing, so this post here is extremely helpful. I'll try this out when I get back home to my main test phone next week.

        Edit to add: I realize from looking at my earlier posts that I never thanked you for pointing me to your earlier instructions in a reply you wrote me about encryption here last autumn. My deepest apologies. I'd certainly not intended to be so rude, so all I can think is it slipped my mind. In any case, I was very grateful for that post, as I am for this post.

        • Osndok, 8 Mar 2018, 22:42

          I've got several questions!

          Firstly, have you noticed much performance penalty for enabling encryption?

          And second... supposing that I did this, and later perform an OTA that wipes out the cryptsetup (and its dependencies)... is that going to make the phone unusable? if so, how could I fix it with a "real" computer, or safely test this situation?

          • chrisc @trainailleur, 18 Mar 2018, 15:49

            @trainailleur no worries, glad to have helped 🙂

            @Osndok I haven't used Ubuntu Touch without an encrypted partition so I don't have anything to compare with. Sometimes I do get rapid battery drain, the phone will go flat overnight, but that is very rare; most of the time it'll only lose 1% or 2% overnight when in airplane mode.

            I do find I have a rapid battery drain when using wifi; I don't know the reason for this. I have used the UT Tweak Tool to ensure that suspension is prevented for the Terminal App and I use mosh in screen in a Debian chroot for most things.

            The last OTA upgrade didn't remove cryptsetup, I'm not exactly sure why. In any case it is easy enough to reinstall it, and if need be, just copy the file with the encrypted filesystem to a Linux machine and decrypt it there.

            • haveaniceday, 1 Oct 2018, 23:42

              Regarding speed
              Some time ago I tested this on a BQ Aquaris 4.5 (krillin) and got the following results:
              simple write 10 Mb/s, ecryptfs 7.5 Mb/s, luks 6.3 Mb/s
              IIRC it was with 500mb of random data in /home/phablet. The BQ 4.5 does not have hardware AES acceleration, which means slow and energy-consuming encryption.
              Note: you can check if your device has hw aes with grep aes /proc/cpuinfo - it should be listed under 'Features'.

              Regarding Usability / Stability
              For some months I used the folders ~/Pictures, ~/Videos, ~/Downloads and ~/Documents with ecryptfs. Let me put it this way: my phone didn't crash more than it did before. It wasn't really stable before UBports' OTA-1. But taking photos, downloading files etc. all worked out fine. Really annoying was that after each crash, I needed to enter the passphrase again.
              I did not observe any change in energy consumption in standby, probably because then there is not much file access.

              Future
              A good option would be showing a dialog at boot time that asks for entering the passphrase. Like the first-time installer that asks you for the timezone etc.
              Going forward it would be reasonable to look into what TPM capabilities our supported phones have. A good direction would be composite keys between securely stored secrets in the phone and the user's notoriously low-entropy passphrase.

              I'd like to continue testing. My new M10 FHD seems to have aes cpu instructions, we'll see how that goes.

              • dobey, 2 Oct 2018, 17:59

                FWIW, ecryptfs is deprecated.

                • doniks @dobey, 2 Oct 2018, 18:01

                  @dobey oh. Wasn't that the Ubuntu method to encrypt your home folder? What do they use now?

                  • dobey @doniks, 2 Oct 2018, 18:04

                    @doniks I'm not sure, but I think the 18.04 installer does not have home directory encryption, only full disk/partition encryption with luks.

                    • haveaniceday, 2 Oct 2018, 19:29

                      Recommending full disk encryption is a good choice in my opinion. The default installer gives options, e.g. Ext4 encryption.

                      • ernest, 2 Oct 2018, 22:07

                        FYI : https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/1756840

                        • trainailleur, 8 Jan 2019, 00:55 (edited 1 Aug 2019, 00:58)

                          @chrisc As I recall I had this working last spring or summer. Returning to it on a Nexus 5 today (following upgrade to the RC for OTA-7), the lightdm restart is only working for me if called by a root shell over ssh from another machine, not from a sudo -i in the built-in terminal, which kills lightdm and gives me a black screen without lightdm ever coming up again.

                          I tried ssh-ing to localhost and running the commands from sudo -i in that ssh session, but that too does not result in lightdm coming back. I also tried using "stop" followed by a sleep and a "start" thereafter, but again, lightdm does not return.

                          Have you encountered this on any of your devices? Any idea what could be causing it, or what to try as a workaround?

                          • malditobastardo, 4 Feb 2019, 18:13

                            Hi, any news about this workaround? I would like to try it on my Nexus 5

                            • trainailleur @malditobastardo, 5 Feb 2019, 18:31

                              @malditobastardo

                              I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

                              Have you given it a try on your Nexus? Worst case is you have to make a hard shutdown, so it's not especially invasive if it fails, and I'd be interested to know if it's only happening to me (in which case I could conclude I'm probably deviating from the instructions in some way).

                              • trainailleur @trainailleur, 5 Feb 2019, 20:05 (edited 2 May 2019, 20:16)

                                @trainailleur said in One method to encrypt /home/phablet:

                                I haven't had much time to diagnose the failures on my devices (hammerhead and bacon). When I next have time to look at it, I'll try collecting the lightdm logs over ssh after a failed attempt at restarting lightdm locally.

                                Decided to do some quick testing while I was thinking about it. Logs in /var/log/lightdm aren't telling me much.

                                What I did get to work was:

                                sudo -i
                                cd /tmp
                                nohup /etc/init.d/lightdm force-reload
                                

                                Without nohup, lightdm will die but not restart unless I'm logged in via ssh over wifi.

                                The purpose of cd-ing to /tmp is to get to a writable filesystem, else nohup will fail.

                                Restart did not prove as reliable as force-reload, and also I sometimes lost wifi when it did work.

                                Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

                                • trainailleur @trainailleur, 5 Feb 2019, 20:55 (edited 2 May 2019, 21:00)

                                  @trainailleur said in One method to encrypt /home/phablet:

                                  Now that I have the lightdm restart piece cracked, I can take another stab at this. (Unfortunately blanked both test devices since the last time I tried encrypted home so have to redo the cryptsetup piece.)

                                  Got it working using @chrisc's instructions, with the exception that the apt sources do not need to be changed if you are on xenial.

                                  Many thanks to @chrisc for the instructions and guidance and to all the developers of Ubuntu Touch (both Canonical and UBPorts) for developing and maintaining commonality with a standard OS so we can relatively easily manipulate it for our needs in this fashion.

                                  Encryption of some sort was a prerequisite of my using UT for anything more than basic testing. I'm not under any illusions about the ultimate security of a four year old phone with closed source drivers and an unlocked bootloader, but I'm also not expecting any adversary stronger than the average phone thief. With LUKS-encrypted home, I'm now sufficiently comfortable that my personal data will be protected in the event of a device loss or theft that I can start to use Ubuntu Touch for real outside the house.

                                  • malditobastardo @trainailleur, 8 Feb 2019, 12:50

                                    @trainailleur Hello sir, I am trying to install cryptsetup after a clean install (devel) but I can't get to install cryptsetup using the xenial sources:

                                    phablet@ubuntu-phablet:~$ apt-get install cryptsetup
                                    Reading package lists... Done
                                    Building dependency tree
                                    Reading state information... Done
                                    Package cryptsetup is not available, but is referred to by another package.
                                    This may mean that the package is missing, has been obsoleted, or
                                    is only available from another source
                                    However the following packages replace it:
                                    bash-completion

                                    W: Not using locking for read only lock file /var/lib/dpkg/lock-frontend
                                    W: Not using locking for read only lock file /var/lib/dpkg/lock
                                    E: Package 'cryptsetup' has no installation candidate

                                    Any hint about why this is happening? Thank you in advance

                                    • advocatux @malditobastardo, 8 Feb 2019, 13:03

                                      @malditobastardo check that you have the correct entries in your sources.list and do an apt update before trying to install that package

                                      • chrisc @malditobastardo, 8 Feb 2019, 13:04

                                        @malditobastardo run apt-get update first, it is in Xenial.

                                        • malditobastardo @chrisc, 8 Feb 2019, 13:30 (edited 2 Aug 2019, 13:37)

                                          @chrisc Hello Sir, thank you for your answer.

                                          I just realized that I am getting tons of errors when trying to do apt-get update:

                                          ( Could not open file /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_xenial-updates_main_source_Sources.xz - open (13: Permission denied) [IP: 91.189.88.150 80])
                                          Similar to this.

                                          Maybe it is a UBports server issue?
                                          @advocatux

                                          and this:

                                          "phablet@ubuntu-phablet:~$ sudo mount -o rw,remount /
                                          [sudo] password for phablet:
                                          phablet@ubuntu-phablet:~$ apt-get update
                                          Reading package lists... Done
                                          W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
                                          E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
                                          E: Unable to lock directory /var/lib/apt/lists/
                                          W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
                                          W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)"

                                          Ok I needed "sudo", is that normal??? (installing cryptsetup)

                                          • chrisc @malditobastardo, 8 Feb 2019, 14:01

                                            @malditobastardo run sudo -i to become root.
