One method to encrypt /home/phablet

Hi, I'm posting this here in case anyone else wants to encrypt their /home/phablet directory, I'd strongly suggest that only people who know their way around Linux via the command line do this…

This is easier to do if you have ssh access to the phone, to enable that use the UT Tweak Tool or do it using the command line, in this example $GITHUBUSERNAME is your GitHub username and it assumes your public SSH keys are available at this URL, you could also use adb to push your public keys to the phone:

android-gadget-service enable ssh
cd
mkdir .ssh
chmod 700 .ssh
cd .ssh
wget https://github.com/$GITHUBUSERNAME.keys -O authorized_keys
chmod 600 authorized_keys

You can then ssh to the phone as the phablet user.

Install cryptsetup, by remounting root read write (do not run apt-get upgrade — only install packages that are essential to you like this):

mount -o rw,remount /
apt-get update
apt-get install cryptsetup
mount -o ro,remount /

Create a 2G disk, encrypt it, format it, mount it, rsync data to it, unmount and remount it and restart the display manager:

sudo -i
cd /home
fallocate -l 2G phablet.img
cryptsetup luksFormat phablet.img
cryptsetup luksOpen phablet.img phablet
mkfs.ext4 /dev/mapper/phablet
mkdir /media/phablet
mount /dev/mapper/phablet /media/phablet
rsync -av /home/phablet/ /media/phablet/
umount /media/phablet/
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

If everything is OK you might then want to delete the extra copy of the data at /home/phablet, or if you have done this on an initial install install of the phone you might want to leave that where it is since the phone will then appear to have no data on it when booted and your data will only appear after you have decrypted and mounted the disk:

sudo -i
cryptsetup luksOpen phablet.img phablet
e2fsck /dev/mapper/phablet 
mount /dev/mapper/phablet /home/phablet
cd /tmp
nohup /etc/init.d/lightdm force-reload

@trainailleur thanks for you help with this and I'm glad it has been of use, I have updated the top post with your method to restart the display manager.

As I said in the top post, "I'd strongly suggest that only people who know their way around Linux via the command line do this…"

I have also added a e2fsck /dev/mapper/phablet line — if your phone goes flat or has to be forcibly power cycled it can result in some disk inconsistency so best check before mounting.

I don't have a SIM card in my Ubuntu Touch OnePlus One (in fact I have the mobile phone network modem switched off via /usr/share/ofono/scripts/disable-modem /ril_0), I only use WiFi and also have an encrypted Debian Stretch chroot on the phone (which also runs a SSH server) that I use for most things and I run all my terminal sessions in screen so that when there is the occasional display manager crash I don't lose them. I also make a lot of use of git and mosh and ansible (via Debian backports) — I don't like carrying a laptop around all the time but I like to be able to do emergency sysadmin work from anywhere and the Ubuntu Touch phone enables this.

I have terrible battery life when WiFi is on, I generally only have it on when it is plugged in or when doing something in an emergency, I use my LineageOS OnePlus 3 (without Gapps) as a hotspot and connect via that. When the WiFi is off I have excellent battery life, the phone might only drop 1% overnight even with multiple mosh sessions running in screen in the Debian chroot with Prevent app suspension enabled for the Terminal app via the UT Tweak Tool.

I have some old notes on some other tricks on a wiki, but I haven't updated that for a couple of years so much of it might be outdated.

@contraire I have been using Luks encrypted partitions on Ubuntu Touch for a few years and there are some notes on this here, I've just got a OpenPlus One (I did have a 8GB Nexus 4) and now I have space to setup a encrypted Debian Stretch chroot so I'm having a play with that...

@malditobastardo run sudo -i to become root.