One method to encrypt /home/phablet

Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory, I'd strongly suggest that only people who know their way around Linux via the command line do this…

This is easier to do if you have ssh access to the phone, to enable that use the UT Tweak Tool or do it using the command line, in this example $GITHUBUSERNAME is your GitHub username and it assumes your public SSH keys are available at this URL, you could also use adb to push your public keys to the phone:

android-gadget-service enable ssh
cd
mkdir .ssh
chmod 700 .ssh
cd .ssh
wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys
chmod 600 authorized_keys

You can then ssh to the phone as the phablet user.

Install cryptsetup, by remounting root read write (do not run apt-get upgrade — only install packages that are essential to you like this):

mount -o rw,remount /
apt-get update
apt-get install cryptsetup
mount -o ro,remount /

Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

sudo -i
cd /home
fallocate -l 2G phablet.img
cryptsetup luksFormat phablet.img
cryptsetup luksOpen phablet.img phablet
mkfs.ext4 /dev/mapper/phablet
mkdir /media/phablet
mount /dev/mapper/phablet /media/phablet
rsync -av /home/phablet/ /media/phablet/
umount /media/phablet/
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install install of the phone you might want to leave that where it is since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

sudo -i
cryptsetup luksOpen phablet.img phablet
e2fsck /dev/mapper/phablet 
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

@trainailleur thanks for you help with this and I'm glad it has been of use, I have updated the top post with your method to restart the display manager.

As I said in the top post, "I'd strongly suggest that only people who know their way around Linux via the command line do this…"

I have also added a e2fsck /dev/mapper/phablet line — if your phone goes flat or has to be forcibly power cycled it can result in some disk inconsistency so best check before mounting.

I don't have a SIM card in my Ubuntu Touch OnePlus One (in fact I have the mobile phone network modem switched off via /usr/share/ofono/scripts/disable-modem /ril_0), I only use WiFi and also have an encrypted Debian Stretch chroot on the phone (which also runs a SSH server) that I use for most things and I run all my terminal sessions in screen so that when there is the occasional display manager crash I don't lose them. I also make a lot of use of git and mosh and ansible (via Debian backports) — I don't like carrying a laptop around all the time but I like to be able to do emergency sysadmin work from anywhere and the Ubuntu Touch phone enables this.

I have terrible battery life when WiFi is on, I generally only have it on when it is plugged in or when doing something in an emergency, I use my LineageOS OnePlus 3 (without Gapps) as a hotspot and connect via that. When the WiFi is off I have excellent battery life, the phone might only drop 1% overnight even with multiple mosh sessions running in screen in the Debian chroot with Prevent app suspension enabled for the Terminal app via the UT Tweak Tool.

I have some old notes on some other tricks on a wiki, but I haven't updated that for a couple of years so much of it might be outdated.

@contraire I have been using Luks encrypted partitions on Ubuntu Touch for a few years and there are some notes on this here, I've just got a OpenPlus One (I did have a 8GB Nexus 4) and now I have space to setup a encrypted Debian Stretch chroot so I'm having a play with that...

@malditobastardo run sudo -i to become root.

I think that the tick on that page is a mistake, it isn't supported by the UBports Installer 0.4.18-beta as the output I pasted above shows and there is no oneplus2.json file in the installer-configs directory.

I have lost my OnePlus One device :loudly_crying_face: but have a old OnePlus2 that isn't being used for anything, so I'm interested in getting Ubuntu Touch running on it, but it is not supported by the installer:

info: Welcome to the UBports Installer version 0.4.18-beta!
info: device detected: OnePlus2
warn: The device OnePlus2 is not supported!
warn: setting udev rules failed
info: Good bye!

Can anyone point to some instructions for manually installing on this device?

@trainailleur thanks for you help with this and I'm glad it has been of use, I have updated the top post with your method to restart the display manager.

As I said in the top post, "I'd strongly suggest that only people who know their way around Linux via the command line do this…"

I have also added a e2fsck /dev/mapper/phablet line — if your phone goes flat or has to be forcibly power cycled it can result in some disk inconsistency so best check before mounting.

I don't have a SIM card in my Ubuntu Touch OnePlus One (in fact I have the mobile phone network modem switched off via /usr/share/ofono/scripts/disable-modem /ril_0), I only use WiFi and also have an encrypted Debian Stretch chroot on the phone (which also runs a SSH server) that I use for most things and I run all my terminal sessions in screen so that when there is the occasional display manager crash I don't lose them. I also make a lot of use of git and mosh and ansible (via Debian backports) — I don't like carrying a laptop around all the time but I like to be able to do emergency sysadmin work from anywhere and the Ubuntu Touch phone enables this.

I have terrible battery life when WiFi is on, I generally only have it on when it is plugged in or when doing something in an emergency, I use my LineageOS OnePlus 3 (without Gapps) as a hotspot and connect via that. When the WiFi is off I have excellent battery life, the phone might only drop 1% overnight even with multiple mosh sessions running in screen in the Debian chroot with Prevent app suspension enabled for the Terminal app via the UT Tweak Tool.

I have some old notes on some other tricks on a wiki, but I haven't updated that for a couple of years so much of it might be outdated.

@trainailleur I only have a OnePlus One at the moment and sometimes it takes a while for the display to come back up after a /etc/init.d/lightdm restart and yes it is easier doing it via SSH.

@malditobastardo run sudo -i to become root.

@malditobastardo run apt-get update first, it is in Xenial.

@flohack said in 16.04 OTA-5 kernel missing aes-xts-plain64 crypto ciphers on mako?:

Please open a ticket on the ubuntu-touch tracker.

Thanks, I have opened a issue on GitHub.

I just upgraded my Nexus 4 mako to OTA-6 and the and the lack of ciphers is unchanged.

Hi

I have been using cryptsetup to encrypt disks on Ubuntu Touch for some years without a problem, after each update I simple need to run the following to install cryptsetup again:

sudo -i
mount -o rw,remount /
apt-get update
apt-get install cryptsetup
mount -o ro,remount /

I have upgraded a OnePlusOne to 16.04 OTA-5 and decrypted disks without issues, however on a mako, I can no longer decrypt disks:

cryptsetup luksOpen phablet.img phablet
Enter passphrase for phablet.img: 
device-mapper: reload ioctl on  failed: No such file or directory
Failed to setup dm-crypt key mapping for device phablet.img.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).

Checking the kernel and ciphers (as suggested here) on the mako:

uname -a
 Linux ubuntu-phablet 3.4.0+ #4 SMP PREEMPT Wed Oct 10 19:51:07 UTC 2018 armv7l armv7l armv7l GNU/Linux
grep name.*aes /proc/crypto|cut -d : -f 2
 cbc(aes)
 aes

And on the OnePlusOne:

uname -a
 Linux ubuntu-phablet 3.4.0-Sultan-CAF #1 SMP PREEMPT Thu Oct 11 23:00:58 CEST 2018 armv7l armv7l armv7l GNU/Linux
grep name.*aes /proc/crypto|cut -d : -f 2
 __xts-aes-neonbs
 xts(aes)
 cbc(aes)
 rfc4309(ccm(aes))
 ccm(aes)
 authenc(hmac(sha1),cbc(aes))
 qcom-xts(aes)
 qcom-ctr(aes)
 qcom-cbc(aes)
 qcom-ecb(aes)
 aes
 xts(aes)
 ctr(aes)
 cbc(aes)
 __xts-aes-neonbs
 __ctr-aes-neonbs
 __cbc-aes-neonbs
 aes

So was a decision made to leave some crypto modules out of the mako kernel? Anyone know what happened here?

@flohack you might well be right, they do however seem to sell a lot of Debian gear, "Amount donated until today: 1,358.00 €".