@dobey said in Encrypting data at rest?:
Encryption is still an iffy topic for things like Ubuntu Touch, for several reasons, some of which are solvable, and some which aren't:
1. ecryptfs is deprecated upstream
2. We don't have access to hardware backed key storage
3. We don't have usable OSK in recovery
4. We can't re-lock the bootloader
I agree with points 2, 3, and 4. Re. point 1, that is true, but fortunately cryptsetup and LUKS are not deprecated, and that's what a few of us I know who run encrypted home are using. It's an imperfect solution and probably not an effective barrier to a skilled attacker, but I feel reasonably comfortable it would stop most people who find or steal a phone from viewing the contents.
Re. 3, PMOS has an OSK they can build into their initramfs, but I'm not sure it supports anything other than ASCII, so without further development it might not be a solution for many users even if it could be ported to UT and placed somewhere in both the boot process and recovery.