I regularly partake in outdoor activities in extrended trips overseas, so I always bring a 2nd phone in case my primary is damaged or lost (both are identical p9pros) . The problem is, it's a huge hassle to set up all my accounts and apps again on a new phone and I invariably end up losing messages and content that's trapped by the hardware-backed KeyStore.

I would like to clone my entire phone's state to a local backup on my laptop (which has remote encrypted backups), so that I can clone the entire phone's state to another device with the push of a button.

I realize I'll need to do a custom build of GrapheneOS. Has anyone already done this or can give me suggestions on what needs to be patched? I'm guessing the main thing is a software bypass for the Keystore. And of course making it a userdebug build, which I already do.

    12 days later

    What do you plan to do about the "hardware backed keystore"?

    • aw22 replied to this.

      secrec

      I want to replace it with Android's legacy software KeyStore.

        aw22 just to mention, attempting to bypass hardware security features is inherently insecure...obviously

            raccoondad
            Yes, I would sacrifice some security, but I'm willing to make that trade-off to get full backups.

              raccoondad That isn't necessarily "obvious". In theory it may make some sense, but in reality, hardware vulnerabilities are harder to address than software.

              There is also the flip side of security, which is the ability to control your own data, rather than dumping it into a black box and hoping for the best. Is it secure to make it impossible to recover data that you own?

                  secrec

                  "hardware vulnerabilities are harder to address than software."

                  Yes, but the Pixel security chip is better suited for securing encryption keys/signature checks than anything we have software wise right now. Its harder to address if some horrific exploit were to be revealed, but it is also harder to exploit in the first place. Even if one is found, all pixel series have a set time of software updates, while the security chips have very few security weaknesses.

                  "Is it secure to make it impossible to recover data that you own?"

                  Its not, since secure authentication would mean you are able to authenticate when correct conditions are given, however, it is possible to recover your data. You can simply unlock the phone and copy the files, the data isn't hard locked, its just only readable by the proper OS and is encrypted using the token from the security chip.

                  "There is also the flip side of security, which is the ability to control your own data"

                  This is more about usability, no? Wouldn't this imply its more secure in some way to not use encryption at all so if need be you could take out the flash and copy the data from there?

                  IDK much about what's public about the Titan M chip, but I don't think its a 'blackbox'...GOS seems to know how to use its API and its internal workings fairly well

                    There's an app I can't remember the name now (more apps exists probably) that allows backing up every single app you have. I've read reviews and people mentioned they used it even when changing ROMs. That should help although it's not full backup you're looking for. I'm about to use it as well and will let you guys know which one is it once I'll find it again.

                      Cdc any such app would require deep system level integration and/or root access. Any other app other than Seedvault won't be provided/supported and rooting is not recommended for it breaks security model and any rooting will wipe device anyway.

                      • Cdc replied to this.
                      • Cdc likes this.
                          6 days later

                          There's an app I can't remember the name now (more apps exists probably) that allows backing up every single app you have.

                          That's not going to work for any app that uses the KeyStore for protecting its data. Try backing up Signal. All of your message history will be lost because they're encrypted by the KeyStore, so the backup is useless if your phone is lost or destroyed.

                          • Cdc likes this.