GrapheneOS improvements to protection against data extraction since 2024

BBob545 · 2025-02-28T21:30:13+00:00

Should I still use a regular password for protection in addition to fingerprint with second factor PIN?

N1b · 2025-02-28T21:48:43+00:00

Thanks for your amazing contribution to security and privacy worldwide! I'm so happy and grateful you guys exist!

Ddhhdjbd · 2025-02-28T22:30:41+00:00

Thank you very much for your hard work
i feel personally safer and thank you for protecting journalist and activists world wide

GrapheneOS For example, we plan to add a toggle for essentially toggling off Device Encrypted data.

could someone please explain what this means? I mean as in toggle off that my data is getting decrypted automaticaly?

locked · 2025-02-28T23:01:26+00:00

Again the team always doing things others can't or just simply are not willing to.

blackrose · 2025-03-01T07:52:41+00:00

This project is amazing. The security and privacy community we are is so lucky to have this.

To all : please consider donation, even a few bucks, for supporting this essential and valuable work !

GrapheneOS · 2025-03-01T23:56:42+00:00

dhhdjbd

could someone please explain what this means? I mean as in toggle off that my data is getting decrypted automaticaly?

Data blocks and filenames for data in users is encrypted with per-user keys based on their primary lock method, which is the Credential Encrypted (CE) data. A small subset of data is stored globally outside of users including global device settings, installed packages and Wi-Fi networks. This allows the device to partially function after reboot in the Before First Unlock state. Apps can go out of the way to implement special Direct Boot support for a subset of their functionality and specifically store data in Device Encrypted (DE) storage to support this mode. For example, the GrapheneOS System Updater supports this to download/install OS updates in Before First Unlock state.

We plan to add a toggle for requesting the Owner PIN/password in early boot and using it for Device Encrypted data, largely making it the same as Owner Credential Encrypted data. The overall metadata blocks where the encrypted filenames are stored are also Device Encrypted, with the filesystem structure including file sizes.

Ggrayway2 · 2025-03-02T08:12:35+00:00

dhhdjbd useful link : https://blog.quarkslab.com/android-data-encryption-in-depth.html

Nn2gwtl · 2025-03-02T09:58:13+00:00

GrapheneOS For ARMv9 devices, we greatly improved our hardware memory tagging implementation in hardened_malloc, deployed it for the Linux kernel allocators and greatly expanded the use of PAC and BTI across the OS.

Would this be something you could port to Armv8 for the pixel 8 line?

NetRunner88 · 2025-03-02T10:07:22+00:00

n2gwtl

It is hardware dependant

fid02 · 2025-03-02T11:11:15+00:00

n2gwtl Would this be something you could port to Armv8 for the pixel 8 line?

Pixel 8 and Pixel 9 series of devices all support memory tagging.

GrapheneOS · 2025-03-02T20:37:25+00:00

n2gwtl 8th/9th generation Pixels are ARMv9 devices and have the optional hardware memory tagging feature (MTE). GrapheneOS began using hardware memory tagging on 8th generation Pixels shortly after they were released. It's still not deployed by other general purpose operating systems in production, let alone with a comparable implementation to ours.