Are secondary unlock methods secured by the primary unlock?

DeletedUser225

I set a strong passphrase for my primary unlock and 2-factor fingerprint ( fingerprint + 6 character PIN ) on my OWNER profile.

Suppose the phone is rebooted and is in BFU state. If there is an exploit for the Titan chip that allows brute force, can my profile be accesed by bruteforcing the PIN from secondary unlock? Or is the fingerprint+pin encrypted with the primary unlock password and is inaccesible until the primary password is used at boot?

What about the security of the new private space feature? From what I understand it is basically a different profile so it has no connection to the main unlock password of the OWNER profile and there is no 2-factor fingerprint available. The scenario here will be different: If the phone is in a BFU state and the filesystem is extracted, can my fingerprint be converted to the required bits and used to decrypt data from the private space without the main unlock password?

In a nutshell, are the main and secondary unlock methods DISTINCT ways of accessing secrets in the secure element or is the secondary unlock encrypted with the main unlock?

Thanks

de0u

DeletedUser225 In a nutshell, are the main and secondary unlock methods DISTINCT ways of accessing secrets in the secure element or is the secondary unlock encrypted with the main unlock?

At present the only way to use the device to access a secondary profile is via the profile-switching UI, which isn't accessible until the owner profile is unlocked. But the encryption of each profile is independent, not chained through the owner profile's key material, so:

If an adversary extracts the encrypted data from the flash and brute-forces a secondary profile with a weak password, it will not be protected by the owner profile's password in any way, and
Google could change the boot process at some point so that any profile could unlock the device after boot.

So users wanting strong protection for a secondary profile must use a strong password for that profile.

de0u

DeletedUser225 Can a GrapheneOS developer chip in?

Personally I think it would be best if they could spend the time on development.

DeletedUser225 I set a strong passphrase for my primary unlock and 2-factor fingerprint ( fingerprint + 6 character PIN ) on my OWNER profile.

Suppose the phone is rebooted and is in BFU state. If there is an exploit for the Titan chip that allows brute force, can my profile be accesed by bruteforcing the PIN from secondary unlock? Or is the fingerprint+pin encrypted with the primary unlock password and is inaccesible until the primary password is used at boot?

User file data is not encrypted using screen-unlock credentials (source), so brute-forcing screen-unlock credentials would not enable decryption of user file data.

KleinesSinchen

To my knowledge secondary unlock methods (with or without 2FA) should never decrypt things and work only in BFU state: Unlock screen, but not decrypt data.

With auto-reboot on a low value there should be no method of cracking encryption when having a strong passphrase, even when fully cracking/bypassing the Titan chip (which hasn't happened on newer versions yet). The attacker must crack the passphrase, which is impossible (on technical level – not counting human weaknesses).

Private space is less isolated than a completely different profile. I don't think private space can be unlocked with fingerprint when data is at rest. Should be no different than other profiles. I'm not sure if private space data can be put at rest now without reboot. At least it is/was planned.

dc32f0cfe84def651e0e

https://discuss.grapheneos.org/d/12305-snooped-secondary-users-password-device-seized-when-turned-off/3

DeletedUser225

Thank you for your replies, but my main question regarding secondary unlock is left unanswered. Can a GrapheneOS developer chip in? Am I still dependent on the secure element if I use strong password + PIN/fingerprint? By only using a strong password I am safe from a secure element throttling bypass, but if my secondary unlock is just a PIN and/or fingerprint it would be trivial to crack my data even though I have a strong password...

GrapheneOS

DeletedUser225 The secondary unlock method is not relevant to the main disk encryption keys, only to secondary features like the hardware keystore which can be used to keep data at rest when the device is locked in the After First Unlock state which is rarely used by anything in practice.

DeletedUser225

GrapheneOS Thank you