How secure is secondary profiles really?

someone1223

In another post, I noticed that the official GrapheneOS commented this:

"Secondary users can be put back at rest. For both the main user and secondary
users, encryption keys aren't available to the OS after unlock but they are in
non-OS memory."

I have some concerns about this. What does non-OS memory means, is it a part of
regular RAM or something directly managed by Titan? If I am forced to unlock my
primary profiles, does the secondary profiles will get decrypted, or even the
keys fetched?

This was my initial assumption: "Upon unlocking owner profile, only that
profile's key is fetched from Titan. This is used to load that profile and some
basic system info to RAM. If you unlock a secondary profile, that is also loaded
in the exact same way. Upon using end session, all memory used by that secondary
profile including the keys from Titan M is purged"

How correct is this?

raccoondad

someone1223

If I had to take a guess by what GrapheneOS meant, as someone who has not really read much documentation on how Pixel devices handle its encryption, the quote is stating "after first unlock, the encryption key for that user is stored in a segment of memory not accessible by GOS."

Which suggests a separate process thats mapped differently in memory handles encryption/decryption. That doesn't sound right but also doesn't sound wrong...will let someone else clarify that one

"If I am forced to unlock my primary profiles, does the secondary profiles will get decrypted, or even the keys fetched?", no, those are stored in the Titan M chip until authentication is confirmed by it. This requires your set password of course

"Upon using end session, all memory used by that secondary profile including the keys from Titan M is purged", as far as I understand, yes, this is the case. The owner can also be cleared with a reboot (however, unlocking the device again will reload the key)

GrapheneOS

someone1223 You're misinterpreting our explanation. We were explaining that the OS never has access to the disk encryption keys on the Pixel 6 and later but rather it's handled via what's called wrapped keys.

I have some concerns about this. What does non-OS memory means, is it a part of
regular RAM or something directly managed by Titan? If I am forced to unlock my
primary profiles, does the secondary profiles will get decrypted, or even the
keys fetched?

This is not how encryption works. You should read https://grapheneos.org/faq#encryption.

This was my initial assumption: "Upon unlocking owner profile, only that
profile's key is fetched from Titan. This is used to load that profile and some
basic system info to RAM. If you unlock a secondary profile, that is also loaded
in the exact same way. Upon using end session, all memory used by that secondary
profile including the keys from Titan M is purged"

The secure element never has access to the encryption keys. Please read https://grapheneos.org/faq#encryption.

someone1223

raccoondad as far as I understand, yes, this is the case.

I hope so, otherwise user profiles is basically useless from a privacy standpoint if you are forced to unlock the primary profile.

It's way harder to deny remembering the password of the main profile than some "Test" profile which you can claim was some random test one...

someone1223

GrapheneOS I tried reading but didn't fully understand it. What I could understand is each file has it's own key, secure element stores a token and not actual key, the key is derived at the unlock time.

So what happens to a global or profile key once it is derived? Does GOS keeps it in memory to derive other per file keys? If a profile key is leaked from RAM, only that profile's files can be extracted right? Also does "end session" deletes all keys in this process?

Dumdum

someone1223 does "end session" deletes all keys in this process?

https://grapheneos.org/faq#encryption

GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest.

missing-root

I think too that some things are not explained

is the owner profiles key required to get the secondary profiles key? I assume so
are owner and secondary profile keys stored in the same location? What about multiple secondary profiles?
How can the OS use a key without having access to it? Is the derivation done on the secure element and also the decryption?

raccoondad

missing-root

"is the owner profiles key required to get the secondary profiles key? I assume so", no, but to start the device up it requires some encrypted information from the Owner profile.

"are owner and secondary profile keys stored in the same location? What about multiple secondary profiles?", IDK what you mean by this specifically but tokens are stored in the Titan M chip. Once the key is derived its in memory.

"How can the OS use a key without having access to it? Is the derivation done on the secure element and also the decryption?", someone else will have to answer this one

Hat

I'm not sure to understand in the FAQ, if the user password to unlock the profile is stored on the phone. And if it's saved, where it is saved ?