Skip to content
This repository has been archived by the owner on Jan 24, 2018. It is now read-only.
Yanhao Mo edited this page Sep 21, 2017 · 47 revisions

Warning

**At this time, this software should be treated as alpha software and used with a grain of paranoid salt. **

While the LUKS project itself has been put through the paces on Linux desktops and servers, we are still determining the right conditions for its secure use on Android. With the many combinations of closed hardware, proprietary basebands, multitudes of kernels, firmwares and other mods, it is fairly impossible to guarantee security for any user. That said, we feel this effort is a useful public step forward in providing an increased level of protection for file storage, and exploring the limits of what we can provide as after-market software developers building open-source tools.

You should also review the FAQ for CryptSetup, as it is both enlightening and empowering. ATTENTION: If you are going to read just one thing, make it the section on Backup and Data Recovery. By far the most questions on the cryptsetup mailing list are from people that just managed to somehow format or overwrite the start of their LUKS partitions. In most cases, there is nothing that can be done to help these poor souls recover their data. Make sure you understand the problem and limitations imposed by the LUKS security model BEFORE you face such a disaster!

What is this?

LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

This project is the port of LUKS to Android. We have built upon work from the greater Android/XDA community, and updated the build process to provide a clean Makefile for use with the latest Android Native Development Kit.

We also have provided a compiled binary for non-developers, and are working on a user friendly app that will users to create and mount encrypted stores on their internal or external memory. The app project source can be found here: https://github.com/guardianproject/LUKS/tree/master/app/LUKSApp

Reference

Credit and a big thanks to the original community hackers on this effort

Feedback from the Community

3/16: Some notes from Moxie Marlinspike via Twitter. We will be looking into these and updating the instructions here as appropriate:

  • "You need to recompile the kernel with support for secure dm-crypt modes and specify those at cryptsetup time."
  • "The trouble you're most likely going to have is with MTD on the data partition, although an MMC might fuck up as well."
  • "I think you're at minimum going to need a kernel recompile here, and you probably don't want to use loopback on all devices"

Build Steps

  • we build on Ubuntu/Maverick 10.10 i386, it might not work on other platforms
  • set up the Android NDK on your computer
  • install required software: sudo apt-get install autoconf automake libtool autopoint git make patch
  • get the sources: git clone git://github.com/guardianproject/LUKS.git
  • cd LUKS/external
  • make NDK_BASE=/usr/local/android-ndk-r5 (or change the path to where you put the folder)
  • adb push sbin/cryptsetup.static /data/local/cryptsetup
  • For more info, read the README

Or you can download our binary: cryptsetup (right-click and download)

##Usage - Encrypted Mount

For any CyanogenMOD (http://cyanogenmod.com) CM6.x device... creating a 50 megabyte "secretagentman.mp3" file on the sdcard to store our encrypted file system. The commands below can be issues via adb shell or terminal and require root permission.

First Time Setup

The "count=" variable below should create a 50MB file, but you might want to play around with the value on your system to see.

  1. dd if=/dev/zero of=/mnt/sdcard/secretagentman.mp3 bs=1048576 count=50
  2. mknod /dev/loop0 b 7 0
  3. losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
  4. ./cryptsetup luksFormat -c aes-plain /dev/loop0
  5. ./cryptsetup luksOpen /dev/loop0 secretagentman
  6. ./cryptsetup status secretagentman
  7. mke2fs -O uninit_bg,resize_inode,extent,dir_index -L DroidCrypt0 -FF /dev/mapper/secretagentman
  8. mkdir /mnt/sdcard/secretagentman
  9. mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman

Mount Existing

  1. mknod /dev/loop0 b 7 0
  2. losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
  3. ./cryptsetup luksOpen /dev/loop0 secretagentman
  4. mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman

To Unmount and close

  1. umount /mnt/sdcard/secretagentman
  2. ./cryptsetup luksClose secretagentman

To delete secured image

  1. First umount and close (see above)
  2. rm /mnt/sdcard/secretagentman.mp3

To access from Desktop

  1. Mount your SDCard via USB on your desktop machine
  2. Use a desktop version of cryptsetup, and follow the "Mount Existing" instructions from above, with step 2 updated to point to the desktop mount location of the "secretagentman.mp3"

Ways to improve security of file and mount directory

  • Store the file and folder as hidden files: /mnt/sdcard/.temp.file and the mount point /mnt/sdcard/.temp
  • Other ideas?

Encrypted Internal UserData Partition

WARNING: This is an advanced usage of LUKS and should only be attempted by experience developers and admins.

Information taken from this thread: http://forum.xda-developers.com/showpost.php?p=11616180&postcount=12

init.rc and boot app available at: https://github.com/guardianproject/LUKS/tree/master/app/boot

/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:

mount yaffs2 mtd@userdata /encrypted-data nosuid nodev

The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:

exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted

Create the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.

The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.

Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy

Clone this wiki locally