Enable encryption as per design mock up

Bug #1464697 reported by Cris Dywan
This bug affects 47 people
Affects | Status | Importance | Assigned to | Milestone
Canonical System Image | Confirmed | Wishlist | Jamie Strandboge |
ubuntu-system-settings (Ubuntu) | Confirmed | Wishlist | Unassigned |

Bug Description

See the design mock up

https://wiki.ubuntu.com/SecurityAndPrivacySettings#Phone

There should be a way to enable encryption.

See also bug #1385406 and bug #1385013

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-system-settings (Ubuntu):
status: New → Confirmed
Marco (jermy-07)
summary: - Enable encryption as per design mock up
+ Enable full-device encryption as per design mock up

Jonas G. Drange (jonas-drange) wrote :

The fix for this bug is rather small for Ubuntu System Settings. Targeting canonical-devices-system-image since I am unsure in which component the majority of the work will take place.

summary: - Enable full-device encryption as per design mock up
+ Enable encryption as per design mock up

Sebastien Bacher (seb128) wrote :

Right, as the previous comment suggested, most of the work is not to "enable" encryption, but to have an encryption solution implemented that we can enable/disable then.

Changed in ubuntu-system-settings (Ubuntu):
importance: Undecided → Wishlist

Pat McGowan (pat-mcgowan) wrote :

This is not planned near term.

Changed in canonical-devices-system-image:
importance: Undecided → Wishlist
status: New → Confirmed
Changed in canonical-devices-system-image:
milestone: none → backlog
description: updated

Randall Ross (randall) wrote :

Hi, any updates on a timeframe for implementing this?

Until this lands, is there a workaround to at least encrypt personally identifiable information (PII)?

Thiago Martins (martinx) wrote :

I am also very interested in this!

Currently, I have a brand new iPhone and I'll not move to Ubuntu Phone until it comes with encryption by default.

This is VERY important.

Pat McGowan (pat-mcgowan) wrote :

There is no workaround. This is on the feature wishlist but no firm date yet, thanks for the feedback on priority.

Changed in canonical-devices-system-image:
assignee: nobody → Jamie Strandboge (jdstrand)

Joe Liau (joe) wrote :

This is essential, especially if it has plans to be a convergence device.

wayne (wayne-n) wrote :

Not having this is so 1990. This is a GIGANTIC part of the ubuntu phone sales pitch. I wish I was able to help more than just supporting this but hopefully this comment helps. Please encrypt!

Thiago Martins (martinx) wrote : Re: [Bug 1464697] Re: Enable encryption as per design mock up

This is a MUST to have, should be a priority.

Nevertheless, is it possible to enable encrypted home dir on Ubuntu Phone?
I would be happy with it.

Like: "adduser --encrypt-home me"

I don't mind, for now, to encrypt the entire device.

Matt Bruzek (mbruzek) wrote :

I too would like to see encryption on the tablet/phone. This is an important feature.

5a54a (5a54a) wrote :

Also like to upvote this request.

Was kind of shocked that full device encryption is not available on the BQ Aquaris M10 Ubuntu tablet (not even in the long run, see bug 1446893), as this has already been available for years in regular Ubuntu (and of course now also in iOS, Android, BlackBerry, etc.). Did not expect this not to be present. Renders the device currently quite useless as I'm not willing to put personal information (e-mail, photos, etc.) on an unencrypted device.

Will Atwood (skyflyer) wrote :

I agree. It is important to have mmcblk0p23 (/userdata) & mmcblk1 (sdcard) encryption as well as working OpenVPN capabilities for safety.

giovano iannotti (iannotti) wrote :

BQ M10 doesn't encrypt my data and isn't able to read my external HD (ext4, encrypted). I am considering returning it because of this BIG fail.

Robert (pv-ubuntuone) wrote :

I'm sure this has already been discussed, but perhaps if "most of the work is ... to have an encryption solution implemented that we can enable/disable" at will... then an appropriate solution would be to:

1. always encrypt the userdata partition
2. by default (or when the encryption option is disabled) the password is blank or well-known
3. when the option is enabled, we simply swap the insecure non-password for the user credentials à la cryptsetup luksAddKey and luksRemoveKey

This is similar to how new Nexus and iOS devices do it (though they do it with a hardware register), and has the benefit of clear-text bits "never hitting the platters" (so to speak).

The major downside (as I see it) is that you incur the crypto performance penalty even if the option is disabled, but this is partially offset by:

1. the fact that this setup *retroactively* protects the user data of someone who *later* decides it needs to be protected,
2. using the fastest cipher these little ARMs can push (e.g. salsa20 if they don't have AES acceleration), and
3. being able to somewhat reliably guess (or inexpensively test) if the luks password is blank, like using [keyslot-7] if it's blank or using a low/fixed iteration-count (which could be tested against)

Great work thus far, guys!
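
A minimal model of the key-slot swap proposed in Robert's comment above, added here as an illustration; it is not code from the bug report, Ubuntu, or cryptsetup. The header layout, the XOR wrapping (standing in for a real cipher), the passphrases and the iteration counts are all assumptions.

```python
import hashlib, hmac, os

DEFAULT_PASS = b"well-known"           # assumption: the public factory passphrase
DEFAULT_SLOT, DEFAULT_ITERS = 7, 1000  # fixed slot and cheap KDF for the default key
USER_ITERS = 200_000                   # slow KDF for the real user credential

def _kek(secret, salt, iters):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iters, dklen=32)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Header:
    """Toy LUKS-style header: one master key, wrapped once per key slot."""
    def __init__(self):
        master = os.urandom(32)        # encrypts the data; never changes afterwards
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kek(master, self.mk_salt, 1000)  # verifies a candidate key
        self.slots = {}
        self._add(DEFAULT_SLOT, DEFAULT_PASS, DEFAULT_ITERS, master)

    def _add(self, slot, passphrase, iters, master):
        salt = os.urandom(16)
        # XOR with the derived key stands in for the cipher a real key slot uses
        self.slots[slot] = (salt, iters, _xor(master, _kek(passphrase, salt, iters)))

    def unlock(self, passphrase, slot):
        """Return the master key if the passphrase opens the slot, else None."""
        if slot not in self.slots:
            return None
        salt, iters, wrapped = self.slots[slot]
        candidate = _xor(wrapped, _kek(passphrase, salt, iters))
        ok = hmac.compare_digest(_kek(candidate, self.mk_salt, 1000), self.mk_digest)
        return candidate if ok else None

    def is_protected(self):
        """The inexpensive test: does the default key still open its fixed slot?"""
        return self.unlock(DEFAULT_PASS, DEFAULT_SLOT) is None

    def enable_protection(self, user_pass):
        """Swap the default key for the user credential without touching the data."""
        master = self.unlock(DEFAULT_PASS, DEFAULT_SLOT)
        if master is None:
            raise ValueError("default key already removed")
        self._add(0, user_pass, USER_ITERS, master)  # the luksAddKey step
        del self.slots[DEFAULT_SLOT]                 # the luksRemoveKey step
```

Because the master key does not change, enabling protection needs no re-encryption, but a header copied while the well-known slot existed still yields that key. The swap therefore only protects devices whose storage was not imaged beforehand.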

Seth (seth-ciango) wrote :

Is anyone using an "unofficial" workaround at this time for the SD card?
