Minimal UI for LUKS encryption on the Wildfire

sigkill1337 · Dec 8, 2010

This is a basic gui I wrote to unlock my encrypted partitions during boot.
I'm running my /data and /sdcard partitions encrypted, and the "luksunlock" binary is launched from init.rc to read the password and unlock the encrypted partitions.

I have included my somewhat modified init.rc for those interested.
For more information about LUKS on Android see this blogpost, written by shawn (Seems I'm not allowed to have urls in the post, but Google for 'android luks' , first hit)

This works good on Wildfire, altough it should work fine on other phones as well. Just remember that you need to set up your partitions as in the luksunlock.c (or change the defines).

Dont forget to backup before you start playing around!
Good luck!

tusabe · Dec 13, 2010

Thanks! i'll give a try!

tusabe · Dec 15, 2010

Hi,

I tried to use your cryptsetup binary from your blog, but I have some issues that you'll sure have an answer:

I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after i put the luks password it says 'Command failed', no logs, no other output, even using the -v flag...

Any clue?

Thanks in advance!

PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod

Sympnotic · Dec 16, 2010

tusabe said:
Hi,

I tried to use your cryptsetup binary from your blog, but I have some issues that you'll sure have an answer:

I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after i put the luks password it says 'Command failed', no logs, no other output, even using the -v flag...

Any clue?

Thanks in advance!

PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod

CM6.1 for wildfire uses a 2.6.32 kernel (see HCDR.jacob's post about his custom kernel for more info)

sigkill1337 · Dec 17, 2010

tusabe said:
PS: the module dm-crypt is necessary for cryptsetup? could be this the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod

Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.

tusabe · Dec 20, 2010

sigkill1337 said:
Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.

Hi! Yeah, that's what I was afraid of.... ok, but the problem is that i'm running CM6.1 with 2.6.35.9 which has no dm-crypt module neither compiled in kernel... where can i find some kernel with this modules included? Is for an HTC Desire (@Sympnotic

)

Thanks in advance!

NathanFreitas · Dec 29, 2010

Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.

BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.

needto · Dec 30, 2010

wow! awesome work!!! Very exciting news. Gonna give this a go on my MyTouch Slide

sigkill1337 · Jan 6, 2011

NathanFreitas said:
Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.

BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.

Seems really nice. I like the secure phone concept.

NathanFreitas · Feb 3, 2011

New Makefile and wiki info up

_hc from the @guardianproject has a new build process up for Crypsetup/LUKS which includes a Makefile compatible with Android NDK r5.

We have new instructions up on our wiki, as well.

I cannot post links under this account, but you can find the info on github if you search "LUKS" or just under our guardianproject account.

Calavera1 · Feb 10, 2011

How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?

sigkill1337 · Feb 24, 2011

Calavera1 said:
How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?

Hi, sorry for the late answer,

/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 mtd@userdata /encrypted-data nosuid nodev

The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted

I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.

The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.

I did run in to one problem recently, my phone hung during boot, about 4 months after I started encrypting my phone.

Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being umounted properly. (I have had this on my to do list for a while hehe)

Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy

I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when i attach my usb cable (as it should do), so i can unlock it in ubuntu and copy images and files. Right now i have to take my memorycard out and put it into the computer.

I hope this post makes sense, it was written in haste =) Good luck!

Calavera1 · Feb 28, 2011

sigkill1337 said:
Hi, sorry for the late answer,

/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 mtd@userdata /encrypted-data nosuid nodev

The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted

I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.

The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.

I did run in to one problem recently, my phone hung during boot, about 4 months after I started encrypting my phone.

Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being umounted properly. (I have had this on my to do list for a while hehe)

Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy

I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when i attach my usb cable (as it should do), so i can unlock it in ubuntu and copy images and files. Right now i have to take my memorycard out and put it into the computer.

I hope this post makes sense, it was written in haste =) Good luck!

I figured most of that out without your post and tried it on my desire (I created the luks partitions with adb on the phone though, worked anyway

). Then I couldn't figure out where my regular init.rc is stored (I could only find the one used by Clockwork Recovery), and then I figured I already spent enough time, tried a reboot (which of course didn't work). Then I couldn't even get into recovery (probably because its init.rc tries to mount /data which doesn't work? I didn't investigate any further). Flashed my backup with fastboot and was stuck again with my un-encrypted pre-experiment state

Oddly enough, it was no problem to unlock my encrypted SD-card from my computer (running ubuntu) while in recovery (clockword has an option to present the sd card to a computer connected via usb). Maybe the booted system handles this differently than recovery though? I didn't get a chance to try, as I couldn't boot after my encryption attempt.

I will try again after my algorithm and data structure exam this friday and report back

krothold · May 6, 2011

Is anybody using the UI on another device than the Wildfire? Does it work?
How much is the performance drain when using an encrypted /data partition?

BryanYum · May 8, 2011

Amazing work!

lioks · May 31, 2011

Did anyone manage to make sigkill1337's luksunlock build from source ?

I would like to change the path of the data/sdcard partitions to match my device but I tried many ways using the NDK and I can't get it to compile properly.
Is there any way to do this ?
I have been trying for days, I am getting literaly insane !

@sigkill1337 : could you give me some pointers ? I would appreciate a lot.

krothold · May 31, 2011

mount manpage said:
The bind mounts.
Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
mount --bind olddir newdir
or shortoption
mount -B olddir newdir
or fstab entry is:
/olddir /newdir none bind

After this call the same contents is accessible in two places. One can also remount a single file (on a single file).

This call attaches only (part of) a single filesystem, not possible submounts. The entire file hierarchy including submounts is attached a second place using
mount --rbind olddir newdir
or shortoption
mount -R olddir newdir

Note that the filesystem mount options will remain the same as those on the original mount point, and cannot be changed by passing the -o option along with --bind/--rbind. The mount options can be changed by a separate remount command, for example:

mount --bind olddir newdir
mount -o remount,ro newdir

If nothing helps, you should always be able to bindmount it

lioks · May 31, 2011

I'd rather get sigkill1337's UI to compile...

Lots of nice security tweaks and settings could be done with a pre-boot GUI

Anyway, concerning encryption, I'll use the bind option for now, thanks for the tip.
But if anyone here could give me some pointers about compiling this stuff it would be great.

I managed to compile it by integrating luksunlock in Android source externals and main.mk but when I push it to my phone and modify init.rc to call it, it just does not work...

Other modifications are working (mount, mkdir, etc.) but the GUI won't show up

sigkill1337 · Jun 19, 2011

Sorry for the late reply.. But you could try running it from a shell when the phone is booted, just to verify that the binary starts (thats how I tested it without having to reboot my phone all the time)
My environment for building the source was setup using one of the tutorials online, nothing out of the ordinary

Im still running this on my phone, for almost 8 months now, I havent noticed that much in performance problems, the Wildfire was slow before i started using luks.
When i get a new phone (maybe SE Arc) i will be easier to see if performance is affected

krothold · Aug 18, 2011

There is an Issue for getting CM support for encrypted filesystems during boot:
Issue 2736: support encrypted filesystem from boot

If you want to get that feature, just "star" it, so it may get more attention.

Minimal UI for LUKS encryption on the Wildfire

Member

Attachments

New member

New member

Senior Member

Member

New member

New member

Member

Member

New member

New member

Member

New member

Member

Member

Member

Member

Member

Member

Member

Similar threads

Top Liked Posts