Is it safe to use phone with Graphene OS for administrating servers?

whiteman808

I have a Graphene OS phone with installed both free software from Android and proprietary stuff that I trust less from Google Play. Some proprietary applications are just for convenience, some because life without them would be noticeably more difficult (apps for things like banking, paying invoices etc.) I assign only minimum necessary for application to work from permissions when I install new software.

My current workflow is Debian with only free software from main repo + non-free firmware and more pragmatic setup on my Google Pixel. I treat my Pixel as a second computer whose main purpose is to allow most important things quickly, so that all job needing more predictable and secure setup is done on computer with Debian

Is it a good idea to install from F-Droid and configure app like ConnectBot to manage my servers through SSH from my phone with Graphene OS? The reason I consider doing this is I don't always bring my laptop when I travel to places far away from where is my home. For SSH authentication I always use keys, not passwords and SSH server is behind WireGuard. I consider doing this SSH setup with separate key for phone of course

Regarding to threat model, I'm regular Linux enthusiast and person that is interested in free software, system administration, not high value target, activist etc.

Johnnyloans

whiteman808

The creator of GrapheneOS probably SSHed into machines using termux.

2020 march 18th:

I use Termux and also work on Android OS security ...

Source: https://github.com/termux/termux-app/issues/1072#issuecomment-473962352

You should be able to use a bluetooth or wired keyboard if available.

Chipper

I think it would be superior to your laptop, aside from the reduced screen size and absence of physical keyboard.
I've not used connectbot so can't speak to that.
I was set on this same use case using the built in terminal app a while back, I had issues with not being able to use the terminal app with the VPN kill switch enabled (its a VM on a separate subnet) though my understanding was I could have worked around that by running my own wireguard server.
I ultimately didn't go down that road as I decided I wanted to keep the server predominately air gapped as I have a compilation environment I spin up to compile certain apks I can't get securely without play store.

whiteman808

Do you think it's okay to use phone to manage my vps and raspberry pi 5 server for experimenting through account that is allowed to execute commands as root by sudo or is it better to restrict to forced commands on phone? How situation changes if I someday work and manage real not hobbyistic serious production stuff? Is doing it through phone with Graphene OS and account allowed to execute commands as root through sudo still a good practice?

Chipper

whiteman808 Graphene generally is more secure than a desktop operating system, of course no real critique can be given with such limited information.
If the account you are sshing into is root or has root via sudo etc, obviously that is less ideal than sshing into an account that doesnt..

whiteman808 Is doing it through phone with Graphene OS and account allowed to execute commands as root through sudo still a good practice?

This was never "good practise" of course you stand to loose nothing if your just messing around and learning and the convenience of being able to quickly edit config files change file permissions etc might easily outweigh "good practise" with zero stakes.
but you ideally want to structure it in away that this is not the normal every day user.

Johnnyloans

whiteman808

Find a trustworthy ssh app on the phone and you're good dude. Your phone is more secure than a desktop or laptop. Sudo users are fine to use.

If the production systems are owned by an employer then follow their rules concerning personal devices and access.

whiteman808

Graphene generally is more secure than a desktop operating system

So can I do safely most things I do usually on desktop? Is it safe to share password manager's database file encrypted with the same GnuPG key or master password between phone with Graphene OS and desktop system? Is it safe to use the same GnuPG keys both on desktop system and on phone with Graphene for encrypting and signing stuff?

Chipper

whiteman808 So can I do safely most things I do usually on desktop?

Most properly yes... I don't know how you run your phone, I don't know how you setup your desktops, I don't know your use cases or behaviour.. For most people the phone is properly more secure than the desktop.

whiteman808 Is it safe to share password manager's database file encrypted with the same GnuPG key or master password between phone with Graphene OS

I personally use unique keys for many activities but given my threat model I'm aware that is overkill, but I find it simple enough to implement and i like the idea of containing a breech via compartmentalization....