Issue #2004
Investigate and document if it's possible to open encrypted USERDATA with luks on a desktop computer
Start date: 02/20/2020
% Done: 0%
Updated by Denis 'GNUtoo' Carikli over 4 years ago
The idea is to understand if the encryption is done under the user control, or if it depends on nonfree software and keys that are tied to the device.
If the encryption is under user control (better), then:
- we need to make sure that users pick strong passphrases
- users can still back up their encrypted partition and access the content on their laptop/desktop computers, even if the device broke
- we need to warn users about the encryption fragility, and the fact that if they break their device, their data is lost.
- the encryption might be less trustworthy (though a bit more resistant to brute force).
Updated by Denis 'GNUtoo' Carikli over 4 years ago
After using the "encrypt device" feature and patching the recovery to get adb with AddingADBRootToAnImage, I did that:
$ adb pull /dev/block/platform/dw_mmc/by-name/USERDATA ./
/dev/block/platform/dw_mmc/by-name/USERDATA: 1 file pulled. 4.1 MB/s (12381585408 bytes in 2873.736s)
$ file USERDATA
USERDATA: data
$ cryptsetup luksDump USERDATA
Device USERDATA is not a valid LUKS device.
So it doesn't look very standard.
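The check above (dump the partition, then ask whether it carries a standard LUKS header that desktop cryptsetup could open) can be scripted so it runs against any image without loading it into cryptsetup. The following is an added example, not code from the issue or from Replicant; it parses the LUKS1 header fields and detects the LUKS2 magic, and the sample images it probes are constructed inline (the opaque blob stands in for the dumped USERDATA, which carries no LUKS magic).

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592  # phdr including the eight key-slot records


def probe_luks(image: bytes) -> dict:
    """Report whether the start of a partition image is a LUKS header
    that cryptsetup on a GNU/Linux desktop could open."""
    if len(image) < 8 or image[:6] != LUKS_MAGIC:
        return {"luks": False, "reason": "no LUKS magic at offset 0"}
    version = struct.unpack(">H", image[6:8])[0]
    if version == 1:
        if len(image) < LUKS1_HEADER_LEN:
            return {"luks": False, "reason": "truncated LUKS1 header"}
        # LUKS1 phdr: cipher name @8, cipher mode @40, hash spec @72 (32 bytes each),
        # then payload offset (sectors) and master key length as big-endian u32.
        cipher_name, cipher_mode, hash_spec = (
            image[o:o + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            for o in (8, 40, 72))
        payload_offset, key_bytes = struct.unpack(">II", image[104:112])
        return {"luks": True, "version": 1, "cipher": f"{cipher_name}-{cipher_mode}",
                "hash": hash_spec, "payload_offset_sectors": payload_offset,
                "key_bits": key_bytes * 8}
    if version == 2:
        # LUKS2 binary header: u64 header size follows the version field.
        hdr_size = struct.unpack(">Q", image[8:16])[0]
        return {"luks": True, "version": 2, "header_bytes": hdr_size}
    return {"luks": False, "reason": f"unknown LUKS version {version}"}


def make_luks1_header(cipher=b"aes", mode=b"xts-plain64", hash_spec=b"sha256",
                      payload_offset=4096, key_bytes=64) -> bytes:
    """Constructed sample: a LUKS1 phdr with the documented layout, for testing
    the probe only (digests and key slots are zeroed, so it is not openable)."""
    hdr = LUKS_MAGIC + struct.pack(">H", 1)
    hdr += cipher.ljust(32, b"\0") + mode.ljust(32, b"\0") + hash_spec.ljust(32, b"\0")
    hdr += struct.pack(">II", payload_offset, key_bytes)
    hdr += b"\0" * 20 + b"\0" * 32 + struct.pack(">I", 1000) + b"\0" * 40
    hdr += b"\0" * (48 * 8)  # eight inactive key slots
    return hdr


# Constructed stand-in for the dumped USERDATA: opaque bytes, no LUKS header.
OPAQUE_IMAGE = bytes(range(256)) * 8

if __name__ == "__main__":
    print(probe_luks(make_luks1_header()))
    print(probe_luks(OPAQUE_IMAGE))
```

On a real dump, read the first 4 KiB of the image file and pass it to probe_luks; a negative result means the container is not a plain LUKS volume, which is exactly what luksDump reported here.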
Updated by Denis 'GNUtoo' Carikli over 4 years ago
Once booted we have:
root@i9300:/ # cat /proc/mounts
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
none /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
tmpfs /mnt tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/memcg cgroup rw,relatime,memory 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,seclabel,nosuid,nodev,noatime,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p9 /system ext4 ro,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p10 /preload ext4 rw,seclabel,nosuid,nodev,noatime,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
tmpfs /storage tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc 0 0
/dev/fuse /mnt/runtime/default/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/read/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/write/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
Updated by Denis 'GNUtoo' Carikli over 4 years ago
<@GNUtoo> let's say a user starts using encryption, how hard is it to access the data with the password on another device?
<@GNUtoo> You need a Replicant compatible device? or a laptop running GNU/Linux is fine?
< dllud> Easy. Some recoveries, like TWRP, allow you to open it.
<@GNUtoo> ok
< dllud> I guess there should be some CLI tool to do the same.
Updated by Kurtis Hanna over 3 years ago
So if someone wants to open encrypted USERDATA on a desktop the only way currently to do that would be to emulate Replicant or AOSP or run Android-x86 and run TWRP using that?