No encryption for system and data

Bug #1446893 reported by lgd on 2015-04-21
356
This bug affects 24 people
Affects Status Importance Assigned to Milestone
Canonical System Image
Undecided
Unassigned

Bug Description

There is still no possibility for any full encryption of data partition or system of the BQ device. It could be ecryptfs, LUKS oder someday the new direct ext4 encryption (PDF: http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf ). I tried ecryptfs by writable image but ran into many problems like:

phablet@ubuntu-phablet:~$ sudo adduser --encrypt-home -gecos "" -uid 1007 -gid 1007
Adding user `test' ...
Adding new user `test' (1007) with group `clickpkg' ...
Creating home directory `/home/test' ...
Setting up encryption ...

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

Copying files from `/etc/skel' ...
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N]

The version of the last test was a little while ago:

phablet@ubuntu-phablet:~$ system-image-cli -i
current build number: 88
device name: generic_x86
channel: ubuntu-touch/vivid-proposed
last update: 2015-01-31 03:18:12
version version: 88
version ubuntu: 20150131
version device: 20150129
version custom: 20150131
phablet@ubuntu-phablet:~$

Maybe you get some encryption to work for us early adopters. We need no gui at the moment nor a official write-protected image without apt-get for this! But what we need: It should work. But how?

That would be very fine if you can help us to fix ecryptfs (passwd error) or to get another encryption to work. Tipps from Canonical developers, the security team and readers are very welcome too. Let's make a real and more secure alternative to other mobile systems. Let's encrypt. The sooner the better.

Greetings from Germany, lgd

lgd (lgd) on 2015-04-21
information type: Private Security → Public Security
lgd (lgd) wrote :

The new ext4 encryption since kernel 4.1 is a option to implement it for the home partition. It is simple for folders. But it needs an automated decryption with the login screen with the PIN or password question. And it needs a option in the first welcome dialog.

It would be great for a milestone for this Ubuntu Touch with base of Ubuntu 16.04 LTS. Or maybe for the first convergence device but I think for this it is to late to implement this kernel. At the end of this page are some examples for "ext4-crypt create folder" and so on:

http://blog.quarkslab.com/a-glimpse-of-ext4-filesystem-level-encryption.html

It is still early stuff but maybe in kernel 4.2 and so on it's better integrated. Please verify one way to encrypt in a future release of one of the development channels when kernel 4.1 and higher is integrated. So you could test it early and make it more stable for the stable channels or give users of development channels a choice. Maybe it is saver to integrate ecryptfs from the Ubuntu desktop edition for now?

But many power users of your phone have a need for a security solution in the next 6-9 months or so. It is standard in Android 5, too.

lgd (lgd) wrote :

And please give a option to encrypt the sdcard, too. Because there are fotos of documents and so on and the internal space is very low.

Pat McGowan (pat-mcgowan) wrote :

This is on the long term roadmap but will not happen very soon

Changed in canonical-devices-system-image:
status: New → Confirmed
Changed in canonical-devices-system-image:
milestone: none → backlog
Pat McGowan (pat-mcgowan) wrote :

duping to consolidate

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers