[guardian-dev] Fwd: Re: Issue 2736 in cyanogenmod: support encrypted filesystem from boot

Nathan of Guardian nathan at guardianproject.info
Mon Jan 14 03:45:05 EST 2013


Interesting progress 


-------- Original Message --------
From: cyanogenmod at googlecode.com
Sent: Mon Jan 14 11:51:22 GMT+05:45 2013
To: nathanfreitas at gmail.com
Subject: Re: Issue 2736 in cyanogenmod: support encrypted filesystem from boot


Comment #20 on issue 2736 by Justin.M... at gmail.com: support encrypted  
filesystem from boot
http://code.google.com/p/cyanogenmod/issues/detail?id=2736

Please keep this issue current.  Though initially posted two years ago, on  
a recent, 2013, ROM update, Cyanogenmod 9.1 (ICS 4.0) to an HTC Sensation,  
encryption remains a sorely lacking feature.  For reference, Cyanogenmod 10  
(Jelly Bean) remains in beta for my device:   
http://www.cyanogenmod.org/devices/htc-sensation

Presently, encryption of /data with CM 9.1 requires a workaround (see  
comment 21):  http://code.google.com/p/cyanogenmod/issues/detail?id=5678

I have yet to see an application available for full partition encryption of  
the SD card.  I did look into the Guardian Project.  The binary available  
for download resulted in a segmentation fault on my device.  I am not  
presently at the point of taking the steps necessary to compile their  
source, nor should the majority of end users need to do so.

WhisperCore had been unavailable for me.

I approach Android encryption from a netbook computer running Fedora.  I've  
run with an AES encrypted /home partition for a number of years now.  In  
some regards, it's illuminating to compare the framework between the two  
systems.  The key to Android encryption does seem to be cryptsetup.  Not  
surprisingly, probably the same code base as Fedora's implementation of  
cryptsetup:

http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption
https://fedoraproject.org/wiki/Disk_Encryption_User_Guide

 From the above, you may glean examples of cryptsetup usage.  Again, the  
Guardian Project binary did not work for me.  However, I did come up with a  
viable solution:

LUKS Manager also supplies (a working) lm.cryptsetup.  From my  
understanding LUKS Manager renamed what would have been cryptsetup to  
lm.cryptsetup to avoid overwriting.  LUKS Manager however, focuses on  
encrypting a virtual folder, and as such, has a FAT32 file size imposed  
limitation of 4GB for the encrypted storage area.  Now that 64GB SD cards  
have become available, I find this solution less than ideal.  Again,  
lm.cryptsetup provided by LUKS Manager is required.   
https://play.google.com/store/apps/details?id=com.nemesis2.luksmanager&hl=en

I'd initially approached the idea from LUKS Manager's point of view -  
encrypting a .vol, and then accessing it via Linux.  What good would  
encryption do on portable media, if one can only access it thru the Android?

I then attempted the reverse - creating an encrypted partition under  
Fedora, and attempting to access it through the Android.  While I didn't  
stay with the stock FAT32 on my SD card, I did partition it in a way that  
doesn't seem too unfamiliar to those already working with custom ROMs.   
Clockwork Recovery offers partitioning an SD into 3 partitions, listed in  
order: FAT32, ext, swap.

For the sake of documentation & troubleshooting, I discovered I could mount  
the ext4 partition by an init script, 99sd-extinit, in /system/etc/init.d  
containing:

sync;
setprop lk.filesystem.ready 1;

remount rw
mkdir /mnt/sd-ext
mount -o rw,nosuid,nodev,noatime,nodiratime -t ext4 /dev/block/mmcblk1p2  
/mnt/sd-ext
ln -s /mnt/sd-ext /sd-ext
remount ro

Do note, your mmcblk device enumeration may differ.  Run "cat  
/sys/block/mmcblk${NUM}/device/type", where ${NUM} = 1 to 9.  Taken from  
simple2ext's script.


Having established how to mount an ext4 partition, I then, under Fedora,  
launched gnome-disks-utility aka palimpsest.  I deleted the ext partition,  
then recreated it, telling Fedora to encrypt it, and type as ext4.  For  
this example, we'll use, "ChangeMe" as the password supplied.

Referencing the unencrypted script, I discovered I could mount the encryted  
volume.  It's not pretty, to me, as it's lacking a way to prompt for user  
input, and a clean shutdown, but it works:

Again, /system/etc/init.d/ delete or change the previous script to  
99sd-extLUKSinit, and it contains the following:

#!/system/bin/sh

mount -o remount,rw rootfs /
mkdir /mnt/sd-ext
echo ChangeMe | lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sd-ext
mount -o rw -t ext4 /dev/mapper/sd-ext /mnt/sd-ext/
ln -s /mnt/sd-ext /sd-ext
mount -o remount,ro rootfs /

As mentioned, it needs some work yet, but it does mount the encrypted  
second partition of the SD card to /mnt/sd-ext.

-- 
You received this message because you starred the issue.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

Reply to this email to add a comment.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20130114/63b61e94/attachment.html>


More information about the Guardian-dev mailing list