Encryption - LUKS / EDS / Cryptonite

spdqbr

Member
Dec 1, 2011
I recently upgraded from my S2, to the S4. I'm enjoying the snappiness, and as are we all, a bit disappointed by the locked down nature of it. One of the things I liked about my old phone was the ability to have an encrypted container for sensitive files. In particular, I was using LUKS Manager to mount encrypted folders and it worked perfectly. However the stock kernel on the S4 appears to lack the dm-crypt module, and I am therefore unable to use it on the new phone.

I've tried a few other things as well, including Cryptonite and EDS Lite (as well as the paid version), but ran into similar problems. With EDS paid version there is source available for the required kernel module, but it hasn't been built for the S4 yet, it seems.

I'm willing to get into some of the nitty gritty details, but I was wondering if anyone else had any success building dm-crypt or the eds module for the s4 yet. Or if anyone would have some resources that might be a good starting point so I could build them on my own.

Thanks!

(MJ7, rooted)

Edit:
After a bit more digging I found the LUKS Guardian project, which looks promising. (I can't post links yet, but google "android cryptsetup luksopen" and it should be the first result). Their binary is throwing a segfault when I try it, but I'll pull it down and play with it tonight at home to see if I can get anywhere.

I think our kernel may in fact have DM-CRYPT available, but for some reason it's simply not working. In LUKS when I attempt to mount a file, it thinks it successfully mounts (and creates a folder), but when I unmount, anything I copied over is still there. I find it telling though that it will only "mount" a file with the correct password. So the encryption may be working, while the mounting is not. I'm very comfortable in Linux so I'll poke around and see if there's anything I can glean from the terminal.

spdqbr

Member
Dec 1, 2011
One step closer, but not quite there yet. I SSH'd in and started playing with the LUKS Manager app and have come to the conclusion that it's really the mounting that is causing problems.

LUKS Manager creates a shell script over in /system/bin/luks. I pulled this off and looked over it a bit, and managed to run the pieces one by one until I came to failure. Essentially what is happening is it's using busybox to do the following:

mknod
losetup
/system/bin/lm.cryptsetup luksOpen # Yay, I don't need to compile LUKS Guardian!
mkdir ${mount_path}
chmod 777 ${mount_path} # THIS FAILS
mount the mapper to the mount path
chmod 777 ${mount_path} # THIS FAILS
chmod 777 -R ${mount_path} # THIS FAILS


So what you're left with is an encrypted volume which mounts just fine, but is only readable by root. Permissions on ${mount_path} are 700 and neither busybox chmod nor standard chmod will change them. I've also tried mounting the mapper with the busybox mount as well as the builtin. Same result. Further, it looks like I'm unable to (as root) chmod pretty much anything.

Frustrating, because I can clearly see that the data is there when I'm in a root terminal, but none of the apps can access it.

Anyone have any ideas on why I can't chmod? Or how to get mount to grant 777 in the first place?
 

k1mu

Senior Member
Apr 11, 2011
Virginia
Since you're on MJ7, it's probably SELinux doing that to you.
You might try using chmod 555 (read + execute) to see if that's allowed.
What is the mount point that you're trying to use? Perhaps that's also being blocked by SELinux.
 

spdqbr

Member
Dec 1, 2011
Thanks for the suggestions. I've poked around a bit at SELinux, but with no hope of disabling it I'm not sure if I'll make it through the last hurdle. I've tried a few different mount points and a few different chmod permissions to no avail. I *did* however have one breakthrough, but now I'm just flat out puzzled.

I mounted it via the luks script I mentioned earlier, and then did a busybox umount on it (leaving the mapper in place). I then checked the mount options for my external SD card, since both it and the LUKS volume are vfat. I remounted the mapper using

busybox mount /dev/mapper/test /storage/extSdCard/test -o rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,fmask=0002,dmask=0002,allow_utime=0020,iocharset=iso8859-1,shortname=mixed,utf8

This mounts the drive with user, group, and permissions all set exactly like other files on the external SD card. However ES File Explorer and all other apps show the mount point as simply empty. If I'm not on the command line, I can't see anything in it, which is utterly baffling to me.

From the terminal I can copy files out to another location (this is a LUKS volume I created on the old phone, so it already had data in it) and access them just fine via ES File Explorer and various text editors.

The data is there, it's decrypted, it's accessible through the command line, but all my apps simply refuse to acknowledge it.

Edit:
I'm not the only one experiencing this mounting phenomenon... https://groups.google.com/forum/#!topic/android-kernel/JeY_u-pHcxQ

Edit:
According to this, Android 4.2 made it so that application-created mount points are not globally accessible. They suggest a few workarounds which I have not yet had a chance to try. This certainly explains the problem though!
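The diagnosis above (the mount succeeds, but apps on Android 4.2+ live in a different mount namespace and never see it) can be checked directly rather than guessed at. The script below is an added example, not code from the thread or from LUKS Manager: it wraps the luksOpen/mount sequence with the vfat options quoted in the post, and compares the root shell's mount table with an app process's `/proc/<pid>/mounts`. The container path, mapper name and mount point are assumptions; the sample mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Open a LUKS container, mount it with the
# vfat ownership/permission options from the post, then check whether a given
# app process can see the mount point from its own mount namespace.

CONTAINER=/storage/extSdCard/secure.luks   # assumed path of the LUKS container file
MAPPER=test                                # dm-crypt mapping name used in the post
MOUNT_POINT=/storage/extSdCard/test        # mount point used in the post

# Options copied from the post: owner uid 1000, gid 1023, creation masks 0002 so
# the owning group can write, no setuid/devices/exec on the mounted tree.
VFAT_OPTS='rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,fmask=0002,dmask=0002,allow_utime=0020,iocharset=iso8859-1,shortname=mixed,utf8'

# Open and mount the container; must run as root. Not called at top level.
mount_luks_vfat() {
    loop=$(losetup -f) || return 1                    # first free loop device
    losetup "$loop" "$CONTAINER" || return 1
    cryptsetup luksOpen "$loop" "$MAPPER" || return 1 # prompts for the passphrase
    mkdir -p "$MOUNT_POINT"
    mount -t vfat -o "$VFAT_OPTS" "/dev/mapper/$MAPPER" "$MOUNT_POINT"
}

# Read a /proc/<pid>/mounts table on stdin; return 0 if $1 is a mount point in it.
# Field 2 of each line is the mount point.
mount_visible_in() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }'
}

# Compare this shell's view with the view of process $1 (an app's pid).
# Returns 0 if the app sees the mount, 1 if it is hidden by the app's namespace,
# 2 if the mount is not present even in this shell.
check_app_sees_mount() {
    app_pid=$1
    mount_visible_in "$MOUNT_POINT" < /proc/self/mounts || return 2
    mount_visible_in "$MOUNT_POINT" < "/proc/$app_pid/mounts" && return 0
    echo "pid $app_pid is in a different mount namespace; $MOUNT_POINT is hidden from it"
    return 1
}

# Constructed sample of what an app's /proc/<pid>/mounts might contain: the SD
# card is there, the dm-crypt mapping is not.
constructed_app_mounts() {
    printf '%s\n' \
        '/dev/block/vold/179:65 /storage/extSdCard vfat rw,nosuid,nodev,noexec 0 0' \
        'tmpfs /storage/emulated tmpfs rw,nosuid,nodev 0 0'
}
```

Run `check_app_sees_mount "$(pidof com.example.app)"` from the same root shell that ran `mount_luks_vfat` to see whether a specific app shares the mount namespace; a return of 1 confirms the namespace isolation described in the thread rather than a permissions problem.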