Encryption and vpn



  • first time trying out Ubuntu touch and sorry if the questions been asked before but 2 things.
    Can I and how do I do full disk encryption ?
    vpn , trying to install wireguard but cant get curl to install (winch are needed for the scriptinstall) since it says not enough space in var cache. tried ovpn instead but unsure how to set it up manually , got the .ovpn file but not sure how to use it. azirevpn
    thanks
    Oh and I have a hammerhead , nexus 5



  • @TempUsername On a slightly different note could you please change your user name. That name can obviously be construed in an offensive way. We like to keep a clean and open to all forum and that user name is not helpful. Thank You for your understanding.



    1. No, full disk encryption is not supported yet, and it's not as simple as one might think.

    2. Apt is not supported on the rootfs, which is read-only for a reason. Unfortunately, I think ovpn files are not yet supported, so the certificates need to be manually split out and loaded manually, along with other settings, into the VPN settings UI.



  • @TempUsername for vpn look here: https://ubports.com/de_DE/blog/ubports-blog-1/post/using-vpn-in-ubuntu-touch-132
    maybe this will help you.



  • @TempUsername following my previous post I have changed your username to something less controversial. Please feel free to change it again bearing in mind my comments. Thank you in advance.



  • There is a very manual process for running an encrypted home directory pioneered by @chrisc and detailed here:

    One method to encrypt /home/phablet

    This is not a user friendly process, is not supported by the UBPorts developers, and will likely break and need to be manually fixed after any major OTA update, so do not try this unless you know your way around cryptsetup and filesystem mounts very well.



  • Hi
    sorry about the username , it is the name of a superhero in the comic "the boys" recomend a read 🙂

    So encryption is on hold then. looked at the guide and a bit of my depth there. So basically what is the safeguards in place if say a thief would just copy the phone with adb commands, the rootpassword? just a bit confused when mixing Linux and android for the first time 🙂

    will have a look at the vpn solution again
    thanks for replies



  • @TempUsername No problem feel free to change it as I said.



  • So tried the vpn guide above , but when I download the ovpn file from azirevpn I don't get a private key. so I tried first with the options certs plus password , didn't work. then password only , didn't work. contacted azire support to see if they can help, will post again if I get it to work





  • thanks , but still get "no valid vpn secrets"



  • @TempUsername then probably only Azire can help you, we'll see what they have to tell you



  • @Church said in Encryption and vpn:

    So encryption is on hold then. looked at the guide and a bit of my depth there. So basically what is the safeguards in place if say a thief would just copy the phone with adb commands, the rootpassword?

    Really, there can be no safeguards, because currently we cannot re-lock the bootloader, and even if we had full disk encryption, the key has to be stored on the same flash as the encrypted data. Given that, one could simply copy all data off, and then brute force the wrapped passphrase for the encryption key, to eventually decrypt. Until we can re-lock the bootloader and have recovery without adb, and ideally store the encryption key in the SoC's internal secure key storage rather than on flash, what we can do in UT in terms of physical security is fairly limited.



  • @dobey said in Encryption and vpn:

    Really, there can be no safeguards, because currently we cannot re-lock the bootloader, and even if we had full disk encryption, the key has to be stored on the same flash as the encrypted data. Given that, one could simply copy all data off, and then brute force the wrapped passphrase for the encryption key, to eventually decrypt. Until we can re-lock the bootloader and have recovery without adb, and ideally store the encryption key in the SoC's internal secure key storage rather than on flash, what we can do in UT in terms of physical security is fairly limited.

    This probably isn't the best thread for an in-depth discussion of encryption, but your ideas are interesting, so I'll reply here anyway.

    You propose a very strong solution, beyond what's employed in most Linux distributions (pseudo FDE in which at least the bootloader - and more often the entire boot partition - is left unencrypted). The security hardware in modern smartphones is, as you indicate, very sophisticated (ironic, given their typical role as privacy destroying, data vacuuming spyware devices), and it would be great for the OS to be able to take advantage of that sophisticated hardware. Given the prerequisites of being able to lock the bootloader and rewriting the recovery however, that seems only possible in a distant future.

    In the meantime, assuming a device is switched off, is not a long passphrase for the key a decent start as a safeguard? Imperfect and limited, true, but it raises the bar quite a lot for the attacker, though all means remain vulnerable to XKCD's drug/wrench or San Francisco's lock-up-until-cough-up methods.

    Regarding devices which are turned on when attacked, there are apps for Android which will shut off and/or wipe a device after N number of bad unlock attempts. On a SuSE box, I could script something to do this, but I'm not familiar with Ubuntu or Debian logon and screen-unlock security. (Something on my already long list of things to learn someday.) A running device not subjected to logon attempts would still be vulnerable to cryogenic attacks on the RAM, but again, that's a much higher bar than nothing at all.

    Considering how Ubuntu Touch is installed, how updates are deployed, and the need of existing devices to piggyback on lower-level guts, FDE is a much tougher nut to crack than simply encrypting those filesystems which can be mounted or remounted after boot. (You know this, I know, - and much more too - but I mention it for those who haven't given the matter much thought.)

    For these reasons - and likely others of which I remain ignorant - I don't expect to see FDE in Ubuntu Touch anytime soon. A supported way to encrypt /home or /home/phablet would be nice, but given the more immediate issues facing the developers, I don't plan to open a feature request. I'm happy with chrisc's workaround for a first step.


Log in to reply