Issue #2004

open

Investigate and document if it's possible to open encrypted USERDATA with luks on a desktop computer

Added by Denis 'GNUtoo' Carikli about 4 years ago. Updated about 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Website and wiki content
Target version:
Start date: 02/20/2020
Due date:
% Done: 0%
Estimated time:
Resolution:
Device:
Grant:
Type of work:

#1

Updated by Denis 'GNUtoo' Carikli about 4 years ago

The idea is to understand if the encryption is done under the user's control, or if it depends on nonfree software and keys that are tied to the device.

If the encryption is under user control (better), then:
  • we need to make sure that users pick strong passphrases
  • users can still back up their encrypted partition and access the content on their laptop/desktop computers, even if the device breaks
If not:
  • We need to warn users about the encryption's fragility, and the fact that if they break their device, their data is lost.
  • The encryption might be less trustworthy (though a bit more resistant to brute force).
#2

Updated by Denis 'GNUtoo' Carikli about 4 years ago

After using the "encrypt device" feature and patching the recovery to get adb with AddingADBRootToAnImage, I did that:

$ adb pull /dev/block/platform/dw_mmc/by-name/USERDATA ./
/dev/block/platform/dw_mmc/by-name/USERDATA: 1 file pulled. 4.1 MB/s (12381585408 bytes in 2873.736s)
$ file USERDATA
USERDATA: data
$ cryptsetup luksDump USERDATA
Device USERDATA is not a valid LUKS device.

So it doesn't look very standard.
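
What `cryptsetup luksDump` is checking above is the 6-byte `LUKS\xba\xbe` magic at the start of the image; `file` reporting plain `data` means it found no known signature either. The script below is an added example (not part of the issue or of Replicant's tooling) that does the same check by hand and, when the image is not LUKS, looks for the Android FDE crypto footer used by AOSP's vold (`CRYPT_MNT_MAGIC` from `cryptfs.h`). The footer location is an assumption: it is only at the tail of the partition when the device's fstab uses `encryptable=footer`; other devices keep it in a separate partition or file. The two sample images are constructed in the script, not dumps from a device, and only the head and tail of a real image are read so a multi-GB pull like the one above is not loaded into memory.

```python
import struct
import sys

# Magic values (not from the issue above): the header magic shared by LUKS1 and LUKS2,
# and CRYPT_MNT_MAGIC from AOSP vold's cryptfs.h, which marks an Android FDE crypto footer.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_SIZE = 592          # sizeof(struct luks_phdr) for LUKS1
ANDROID_FDE_MAGIC = 0xD0B5B1C4   # stored little-endian at the start of the footer
FOOTER_SIZE = 0x4000             # assumption: footer in the last 16 KiB (fstab "encryptable=footer")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def identify_image(head: bytes, tail: bytes) -> dict:
    """Classify a raw partition image from its first bytes and its last FOOTER_SIZE bytes."""
    if head[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", head[6:8])[0]
        result = {"format": "LUKS", "version": version}
        if version == 1 and len(head) >= LUKS1_HEADER_SIZE:
            # LUKS1 on-disk header layout (struct luks_phdr); integers are big-endian.
            result.update({
                "cipher": _cstr(head[8:40]),
                "mode": _cstr(head[40:72]),
                "hash": _cstr(head[72:104]),
                "payload_offset_sectors": struct.unpack(">I", head[104:108])[0],
                "key_bytes": struct.unpack(">I", head[108:112])[0],
                "uuid": _cstr(head[168:208]),
            })
        return result
    # Not LUKS: look for the Android FDE crypto footer at the tail of the image.
    if len(tail) >= 8:
        magic, major, minor = struct.unpack("<IHH", tail[:8])
        if magic == ANDROID_FDE_MAGIC:
            return {"format": "android-fde-footer", "version": f"{major}.{minor}"}
    return {"format": "unknown"}


def identify_bytes(data: bytes) -> dict:
    """Convenience wrapper for an image already held in memory."""
    return identify_image(data[:LUKS1_HEADER_SIZE], data[-FOOTER_SIZE:])


def identify_file(path: str) -> dict:
    """Read only the head and the tail of a (possibly multi-GB) image file."""
    with open(path, "rb") as f:
        head = f.read(LUKS1_HEADER_SIZE)
        f.seek(0, 2)
        size = f.tell()
        f.seek(max(0, size - FOOTER_SIZE))
        tail = f.read(FOOTER_SIZE)
    return identify_image(head, tail)


def sample_luks1_image() -> bytes:
    """Constructed sample: a minimal LUKS1 header followed by zeros (not a usable volume)."""
    hdr = (LUKS_MAGIC + struct.pack(">H", 1)
           + b"aes".ljust(32, b"\x00") + b"xts-plain64".ljust(32, b"\x00")
           + b"sha256".ljust(32, b"\x00")
           + struct.pack(">I", 4096) + struct.pack(">I", 64)      # payload offset, key bytes
           + bytes(20) + bytes(32) + struct.pack(">I", 1000)      # MK digest, salt, iterations
           + b"00000000-0000-0000-0000-000000000000".ljust(40, b"\x00")
           + bytes(8 * 48))                                       # eight empty key slots
    assert len(hdr) == LUKS1_HEADER_SIZE
    return hdr.ljust(64 * 1024, b"\x00")


def sample_fde_image() -> bytes:
    """Constructed sample: zeros with an Android-style crypto footer in the last 16 KiB."""
    footer = struct.pack("<IHH", ANDROID_FDE_MAGIC, 1, 3).ljust(FOOTER_SIZE, b"\x00")
    return bytes(64 * 1024) + footer


if __name__ == "__main__":
    # Usage: python identify_userdata.py USERDATA   (falls back to the constructed LUKS1 sample)
    print(identify_file(sys.argv[1]) if len(sys.argv) > 1 else identify_bytes(sample_luks1_image()))
```

A LUKS hit means the header carries everything a GNU/Linux box needs (cipher, key-derivation parameters, key slots) and the partition can be opened with the passphrase alone, which is the "under user control" case from comment #1. A footer hit means the on-disk key is wrapped by vold's own scheme, and whether a desktop can unwrap it with just the passphrase is exactly what still has to be verified; an "unknown" result, as with the dump above, means neither signature is where this script expects it.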

#3

Updated by Denis 'GNUtoo' Carikli about 4 years ago

Once booted we have:

root@i9300:/ # cat /proc/mounts
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
none /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
tmpfs /mnt tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/memcg cgroup rw,relatime,memory 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,seclabel,nosuid,nodev,noatime,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p9 /system ext4 ro,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p10 /preload ext4 rw,seclabel,nosuid,nodev,noatime,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
tmpfs /storage tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc 0 0
/dev/fuse /mnt/runtime/default/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/read/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/write/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
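
The detail worth pulling out of that listing is that `/data` is the only mount backed by a device-mapper node (`/dev/block/dm-0`) rather than an `mmcblk0pN` partition: the filesystem itself is plain ext4, and the encryption sits underneath it at the block layer, which is how dm-crypt (and LUKS on a desktop) are arranged. The parser below is an added example, not code from the issue or from Replicant; its sample input is a subset of the `/proc/mounts` lines from the comment above, and it reports which mountpoints are dm-backed so the same check can be run against a dump from another device or build.

```python
import re

# Sample input: a subset of the /proc/mounts lines quoted in the comment above.
SAMPLE_MOUNTS = """\
/dev/block/mmcblk0p3 /efs ext4 rw,seclabel,nosuid,nodev,noatime,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p9 /system ext4 ro,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
"""

# Device-mapper nodes appear as /dev/block/dm-N on Android and /dev/dm-N on a desktop.
DM_NODE = re.compile(r"^/dev/(?:block/)?dm-(\d+)$")


def parse_mounts(text: str) -> list:
    """Parse /proc/mounts lines into dicts (device, mountpoint, fstype, options).

    /proc/mounts escapes spaces in paths as \\040, so splitting on whitespace is safe.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = fields[:4]
        entries.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": options.split(","),
        })
    return entries


def device_mapper_mounts(entries: list) -> list:
    """Mounts whose backing device is a device-mapper node (dm-N)."""
    return [e for e in entries if DM_NODE.match(e["device"])]


def encryption_report(text: str) -> dict:
    """Map each dm-backed mountpoint to its dm minor number, filesystem type and ro/rw state."""
    report = {}
    for e in device_mapper_mounts(parse_mounts(text)):
        minor = int(DM_NODE.match(e["device"]).group(1))
        report[e["mountpoint"]] = {
            "dm_minor": minor,
            "fstype": e["fstype"],
            "read_only": "ro" in e["options"],
        }
    return report


if __name__ == "__main__":
    for mountpoint, info in encryption_report(SAMPLE_MOUNTS).items():
        print(f"{mountpoint}: dm-{info['dm_minor']} ({info['fstype']}, ro={info['read_only']})")
```

Seeing a dm node only tells you the layer, not the key handling: `dmsetup table` (where the device ships it) would show the target type and cipher spec of `dm-0`, but whether the key fed into that mapping was derived from the passphrase alone or also from device-bound secrets is what the issue still needs to answer.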

#4

Updated by Denis 'GNUtoo' Carikli about 4 years ago

<@GNUtoo> let's say a user starts using encryption, how hard is it to access the data with the password on another device?
<@GNUtoo> You need a Replicant compatible device? or a laptop running GNU/Linux is fine?
< dllud> Easy. Some recoveries, like TWRP, allow you to open it.
<@GNUtoo> ok
< dllud> I guess there should be some CLI tool to do the same.
#5

Updated by Kurtis Hanna about 3 years ago

So if someone wants to open encrypted USERDATA on a desktop, the only way currently to do that would be to emulate Replicant or AOSP, or run Android-x86 and run TWRP using that?
