Encrypting data at rest?



  • In my opinion, encryption at rest is a minimal requirement for a phone. I know that the developers don't have a lot of time and a big wish list.

    I found this guide here:
    https://forums.ubports.com/topic/1012/one-method-to-encrypt-home-phablet/1

    The thread is very old. Have there been any new developments?



  • That thread still accurately represents the current state of affairs.



  • Encryption is still an iffy topic for things like Ubuntu Touch, for several reasons, some of which are solvable, and some which aren't:

    1. ecryptfs is deprecated upstream
    2. We don't have access to hardware backed key storage
    3. We don't have usable OSK in recovery
    4. We can't re-lock the bootloader


  • @dobey said in Encrypting data at rest?:

    Encryption is still an iffy topic for things like Ubuntu Touch, for several reasons, some of which are solvable, and some which aren't:

    1. ecryptfs is deprecated upstream
    2. We don't have access to hardware backed key storage
    3. We don't have usable OSK in recovery
    4. We can't re-lock the bootloader

    I agree with points 2, 3, and 4. Re. point 1, that is true, but fortunately cryptsetup and LUKS are not deprecated, and that's what a few of us I know who run encrypted home are using. It's an imperfect solution and probably not an effective barrier to a skilled attacker, but I feel reasonably comfortable it would stop most people who find or steal a phone from viewing the contents.

    Re. 3, PMOS has an OSK they can build into their initramfs, but I'm not sure it supports anything other than ASCII so without further development might not be a solution for many users even if it could be ported to UT and placed somewhere in both the boot process and recovery.

