Git Product home page Git Product logo

crypto-sdcard's Introduction

crypto-sdcard (regular edition)

Configuration files for unlocking and mounting encrypted SD-cards, using udev, udisks2, polkit and systemd

Preface

Note that for devices, which need to load Qualcomm's qcrypto kernel module in order to support modern cryptographic schemes as e.g. XTS (plus it is faster and more energy efficient), a separate "qcrypto edition" is provided. Only SailfishOS on the Jolla 1 (sbj) is known to provide the qcrypto.ko, hence currently it is the only device supported by the "qcrypto edition".
Thus for all other devices (i.e., on those where find /lib/modules/ -name qcrypto.ko yields nothing), this regular edition shall be used.

Extensively tested with systemd 225 (which includes udev), udisks2 2.7.5 and polkit 0.104 (e.g., SailfishOS since version 2.2.0, which provides aforementioned software) and newer versions.
Built RPMs are available in the release section and for easy installation under SailfishOS at OpenRepos.

The necessary steps to prepare an SD-card (or any other removable storage) are described at GitLab (original version at Together.Jolla.com).
Note that the "key"-files reside unencrypted on fixed, internal mass storage, as mobile devices usually have only a single user, who unlocks the whole device.
Thus crypto-sdcard solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).

Features

  • These configuration files do not alter, replace or delete any extant files.
  • Support of encrypted partitions and whole devices.
  • Support for (µ)SD-cards and USB-attached storage (if supported by device hardware and Operating System).
  • Support for Cryptsetup LUKS and Cryptsetup "plain".
    • Note that SailfishOS just recently (with v3.0.3) switched to Cryptsetup 2, and so did most (desktop) Linux distributions. For interoperability with extant Linux installations and commonality with SailfishOS before v3.0.3, which provide Cryptsetup 1.x (therefore only support LUKSv1 headers), the "partitioning guide" (originally at TJC) aims at creating LUKSv1 headers.
    • As Cryptsetup LUKS reads the cryptography parameters from the LUKS header and Cryptsetup 2 supports both v1 and v2 headers, crypto-sdcard shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
    • For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), crypto-sdcard has to provide the cryptography parameters and uses "-h sha1 -s 256 -c aes-xts-plain" by default. While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in /etc/systemd/system/[email protected].
    • Since crypto-sdcard 1.3.4, the parsing of "key"-files in "plain" mode is enhanced.
      This change requires to convert extant "key"-files for "plain" mode.
      New "plain" "containers" shall be created slightly differently now, in order to take advantage of this enhancement.
  • Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after udisks2.service has started.
  • Unmount before udisks2.service begins stopping, hence achieving a clean unmount.
  • Also do not use SailfishOS' udisksctl-user script for unmounting (because it cannot work at the time ExecStop is executed), which is installed and used by SailfishOS since its release 3.2.1, and was also used by crypto-sdcard versions 1.1-1 to 1.3.1-5; see details here.
  • Since v1.3.4, overhauled in v1.5.1: Use Systemd EnvironmentFiles, allowing administrators to easily set options.
  • Ensure, that AlienDalvik (specifically alien-service-manager.service) begins starting after mounting succeeded, to allow for android_storage on SD-card.
    Even more importantly (i.e., also relevant for devices without "android_storage on SD-card") this also ensures, that unmounting occurs only after AlienDalvik has completely stopped.
    Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
  • Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks2.service; after both succeeded, all mount operations are also started concurrently.

Version history

This is a coarse changelog covering the most relevant changes for each minor release. The detailed changes of each point release are denoted on the releases page.

  • Planned for v2.0 and later
    The "key"-file path and names are ultimately settled on (please rename your "key"-files accordingly):
    • For Cryptsetup LUKS: /etc/amount-enc/<UUID>
    • For Cryptsetup "plain": /etc/amount-enc/<device-name>
    • A specific <UUID> can be obtained by executing blkid -c /dev/null -s UUID -o value /dev/<device-name> with e.g. mmcblk1p2 as <device-name>.
  • v1.7
    Completely re-wrote the Polkit rule file. Also document the awkward Polkit configuration file format situation in On-Poklkit.md.
    Introduce units for manual mounting (and implicit, automatic unlocking / opening of a "crypto container"), which work in "rescue" (Systemd's single user) target / mode: mnt-cryptosd-luks@<UUID>.service and mnt-cryptosd-plain@<device-name>.service
  • v1.6
    Refactor and vastly enhance the Udev rule file.
  • v1.5
    Re-establish support for SailfishOS 2.2.0 to 3.2.0 in order to bring recently introduced features to older SailfishOS releases.
    Change license from MIT to LGPL-2.1-only.
  • v1.4
    Reintegrated the "sbj edition"'s git repository into this one as branch qcrypto.
    Enhance the parsing of "key"-files in "plain" mode. This change requires to convert extant "key"-files for "plain" mode, see details. New "plain" partitions shall be created slightly differently now, in order to take advantage of this enhancement.
  • v1.3
    Mounting is now restricted to users, who belong to the Unix-group media_rw, which is the case for the user nemo since some SailfishOS release before v3.2.1 and after v2.2.1 (unable to assess which one), or the defaultuser on freshly installed devices (since SailfishOS 3.4.0).
    Significantly altered versioning scheme, git tags naming and archive file (tarball) names, again: This time to accommodate for multiple release variants per version in order to serve different SailfishOS releases from one repository easily. For details see the document "Release version format, RPM dependencies and Git workflow".
  • v1.2
    Significantly altered versioning scheme, git tags naming and archive file names. For details see the release information.
  • v1.1
    Following the changes in SFOS-next to allow any interactive user (i.e., not just nemo) to mount an SD-card. Hence v1.1 requires at least SailfishOS 3.2.1.
    Note that mounting is still restricted to users, who belong to the Unix-group system, in contrast to e.g., mount-sdcard.
  • v1.0
    Due to another round of significant spec-file changes (completely removed SalifishOS dependencies and all %post scriptlets), increasing the version number again.
  • v0.6
    A few small, but significant enhancements (since v0.5-5) are finally reflected in another version number increase.
    "Key"-file path and names are now:
    • For Cryptsetup LUKS: /etc/crypto-sdcard/crypto_luks_<UUID>.key (since v0.3)
    • For Cryptsetup "plain": /etc/crypto-sdcard/crypto_plain_<device-name>.key (since v0.5-7)
    • A specific <UUID> can be obtained by executing blkid -s UUID -o value /dev/<device-name> with e.g. mmcblk1p2 as <device-name>.
  • v0.5
    Although the installed configuration files are unaltered since v0.4-3, the spec-file ("RPM packaging") changes have been significant, so it ultimately earns an increased version number.
  • v0.4
    Optimise configuration file names.
    Provide RPM spec file.
  • v0.3
    Switch to a UUID-based "key"-file naming scheme for LUKS partitions to allow for swapping encrypted SD-cards easily and moved "key"-files into a directory. Missed to properly implement this change for "plain" partitions, as they have no UUID!
    Hence the "key"-file path and names have changed again (please rename your "key"-files accordingly):
    • For Cryptsetup LUKS: /etc/crypto-sdcard/crypto_luks_<UUID>.key
    • For Cryptsetup "plain": /etc/crypto-sdcard/crypto_plain_.key
  • v0.2
    Fix automatic mounting of DM-Crypt "plain" partitions.
    "Key"-file path and names are altered (please rename your "key"-files accordingly):
    • For Cryptsetup LUKS: /etc/crypto_luks_<device>.key, e.g. /etc/crypto_luks_mmcblk1p2.key
    • For Cryptsetup "plain": /etc/crypto_plain_<device>.key, e.g. /etc/crypto_plain_mmcblk1p2.key
  • v0.1
    Initial check-in of the last version at TJC.
    "Key"-file path and names are /etc/<device>.key, e.g. /etc/mmcblk1p2.key

crypto-sdcard's People

Contributors

olf0 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

00mjk

crypto-sdcard's Issues

not working anymore on Xperia X with SailfishOS 3.4

Now I'm stuck with:

systemd[1]: mount-cryptosd-luks@crypto_luks_<UUID>.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Mount LUKS encrypted SD-card (crypto_luks_<UUID>) with udisks.
udisksctl-user[1695]: Error mounting /dev/dm-2: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation
udisksctl-user[1695]: Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address

EDIT: found solution for last problem:

  • As my nemo user wasn't in the group system (anymore?) I changed the line in polkit rule to

     Identity=unix-group:sailfish-system

It's working again now. I have no idea if this is a problem which is specific to my phone or a general problem, coz I found no report about it.

Crypto-sdcard does not work on 4.4.0.72 / Sony Xperia 10 II

Hi

here are my attempts, a bit in disorder so far - moved from https://forum.sailfishos.org/t/automatically-mount-encrypted-sd-card/12023/10

[EDIT]
check the file, it is same as the one install by the package.
I retry the instructions in case I missed something.

[EDIT 2] I have run

[root@Xperia10II-DualSIM etc]# systemctl enable cryptosd-luks@
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
   instance name specified.

continue looking at that until I am too tired and restore the luksHeader and mount it by hand 😀

[EDIT 3] I understand it is supposed to be activated by udevd (case 3) and is a template unit (case 4) looking at udev.
Progressing : generate escaped service name

/usr/bin/systemd-escape [email protected] %E{a203bea7-6722-431c-a423-f4f742052c6b}

When trying to start it

[root@Xperia10II-DualSIM system]# systemctl start cryptosd-luks@\x25E\x7ba203bea7\x2d6722\x2d431c\x2da423\x2df4f742052c6b\x7d.service 
A dependency job for cryptosd-luks@x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.service failed. See 'journalctl -xe' for details.

Pertinent details - I hope -

févr. 02 21:49:22 Xperia10II-DualSIM systemd[1]: selinux: Unknown class service
févr. 02 21:49:22 Xperia10II-DualSIM systemd[1]: selinux: Unknown class service
févr. 02 21:49:22 Xperia10II-DualSIM systemd[1]: dev-disk-by\x2duuid-x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.device is not active.
févr. 02 21:49:22 Xperia10II-DualSIM systemd[1]: Dependency failed for Open /dev/disk/by-uuid/x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d per cryptsetup.
-- Subject: L'unité (unit) cryptosd-luks@x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.service a échoué
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- L'unité (unit) cryptosd-luks@x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.service a échoué, avec le résultat RESULT.
févr. 02 21:49:22 Xperia10II-DualSIM systemd[1]: cryptosd-luks@x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.service: Job cryptosd-luks@x25Ex7ba203bea7x2d6722x2d431cx2da423x2df4f742052c6bx7d.service/start failed with result 'dependency'.

I conclude from the fact I did not find any mention to crypto that it might have not fired.
I need to find what dependency issue that may be.

[EDIT 4]
Looking at dependencies that I can't find

  • cryptsetup-pre.target but I find a target named cryptsetup.target
  • dev-disk-by\x2duuid-%i.device - it seems the syntax has changed -
    Apparently related
sys-devices-platform-soc-4784000.sdhci-mmc_host-mmc1-mmc1:aaaa-block-mmcblk1-mmcblk1p1.device                            loaded active plugged /sys/devices/platform/soc/
sys-devices-platform-soc-4784000.sdhci-mmc_host-mmc1-mmc1:aaaa-block-mmcblk1.device                                      loaded active plugged /sys/devices/platform/soc/

Stopping for tonight.
I mount my SD by hand, I try at least.
I will continue tomorrow, @olf , AM I on the right way ?

[EDIT 5]
progressing in understanding ... but slowly.
I umounted m SD card and LuksClose the partition then retried starting the crypto-luks service

Feb 03 16:43:20 Xperia10II-DualSIM systemd[1]: dev-disk-by\x2duuid-a203bea7x2d6722x2d431cx2da423x2df4f742052c6b.device is not active.
Feb 03 16:43:20 Xperia10II-DualSIM systemd[1]: Dependency failed for Open /dev/disk/by-uuid/a203bea7x2d6722x2d431cx2da423x2df4f742052c6b per cryptsetup.
-- Subject: Unit cryptosd-luks@a203bea7x2d6722x2d431cx2da423x2df4f742052c6b.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit cryptosd-luks@a203bea7x2d6722x2d431cx2da423x2df4f742052c6b.service has failed.
-- 
-- The result is RESULT.
Feb 03 16:43:20 Xperia10II-DualSIM systemd[1]: cryptosd-luks@a203bea7x2d6722x2d431cx2da423x2df4f742052c6b.service: Job cryptosd-luks@a203bea7x2d6722x2d431cx2da423x2df4f742052c6

I try to understand why the device is said not active.

Now what I do not get well - still learning -

/usr/lib/udev/rules.d/60-persistent-storage.rules does not exist on my phone
a file with same name exists as /lib/udev/rules.d/60-persistent-storage.rules.

At the moment : I try and read to understand how the device is detected and fields filled-in.

fails on SailfishOS 4.0

In journalctl I find:

systemd[1]: dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device: Job dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device/start failed with result 'timeout'.
systemd[1]: cryptosd-luks@crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.service: Job cryptosd-luks@crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.service/start failed with result 'dependenc
systemd[1]: Dependency failed for Open DM-Crypt LUKS on SD-card crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.
systemd[1]: Timed out waiting for device dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device.
systemd[1]: dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device: Job dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device/start timed out.

also I found this:

# systemctl --all --full -t device |grep luks
dev-crypto_luks_cc05650d\x2d0126\x2d4bc8\x2db8e5\x2da1fe25606f6f.device                                                                               loaded active   plugged /dev/crypto_luks_cc05650d-0126-4bc8-b8e5-a1fe25606f6f                                                         
dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device                                                                                   loaded inactive dead    dev-crypto_luks_cc05650dx2d0126x2d4bc8x2db8e5x2da1fe25606f6f.device                                           
dev-disk-by\x2did-dm\x2dname\x2dluks\x2d3f058b38\x2d3100\x2d4fe8\x2da88e\x2dc5d9a8d3bfc7.device                                                       loaded active   plugged /dev/disk/by-id/dm-name-luks-3f058b38-3100-4fe8-a88e-c5d9a8d3bfc7                                             
dev-disk-by\x2did-dm\x2duuid\x2dCRYPT\x2dLUKS1\x2d3f058b3831004fe8a88ec5d9a8d3bfc7\x2dluks\x2d3f058b38\x2d3100\x2d4fe8\x2da88e\x2dc5d9a8d3bfc7.device loaded active   plugged /dev/disk/by-id/dm-uuid-CRYPT-LUKS1-3f058b3831004fe8a88ec5d9a8d3bfc7-luks-3f058b38-3100-4fe8-a88e-c5d9a8d3bfc7
dev-mapper-luks\x2d3f058b38\x2d3100\x2d4fe8\x2da88e\x2dc5d9a8d3bfc7.device                                                                            loaded active   plugged /dev/mapper/luks-3f058b38-3100-4fe8-a88e-c5d9a8d3bfc7

my conclusion is, there is sth wrong in the udev-rule creating the [email protected]. Maybe the char escaping in newer systemd has changed.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.