• General
  • Privacy & Security of Graphene vs Linux?

I'm a two device person. My phone runs Graphene OS and my laptop runs Fedora Linux with LUKS full disk encryption.

I'm curious which device you would put more faith in from a security and privacy perspective. Ignore the fact that my phone has a SIM card from a tracking perspective; I'm purely interested in which device is safest.

As an example, if both of my devices were seized, would it be better to have a critical document on one as opposed to the other? Or what if I had deleted the document from both devices: is it more likely to be recoverable from one device over the other?

I'm asking both so I can make the most prudent decisions on what I store where and also because maybe it will be worth considering replacing my laptop with the new Pixel tablet down the road if Graphene is made available for it.

Any thoughts greatly appreciated.

    OldMan

    If both devices are turned off (I am not sure if it is enough for GOS to be in standby) when seized, both of them are safe. The encryption used is really strong and if your passphrases are strong too, there is no chance to break it.
    I know several cases where the authorities were not able to unlock Linux devices because they were encrypted with the on-board tool LUKS.
    And GOS makes it even better: after several failed attempts to unlock the device, there will be a delay. Take a look here:

    https://grapheneos.org/faq#encryption

    Standard delays for encryption key derivation enforced by the secure element:

    0 to 4 failed attempts: no delay
    5 failed attempts: 30 second delay
    6 to 9 failed attempts: no delay
    10 to 29 failed attempts: 30 second delay
    30 to 139 failed attempts: 30 × 2^⌊(n - 30) ÷ 10⌋ where n is the number of failed attempts. This means the delay doubles after every 10 attempts. There's a 30 second delay after 30 failed attempts, 60s after 40, 120s after 50, 240s after 60, 480s after 70, 960s after 80, 1920s after 90, 3840s after 100, 7680s after 110, 15360s after 120 and 30720s after 130
    140 or more failed attempts: 86400 second delay (1 day)

    So, a brute-force attack is really not a good option for the attackers.

    But always remember:

    https://xkcd.com/538/
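The schedule quoted above, turned into shell arithmetic so the cost of repeated wrong guesses can be worked out instead of eyeballed. This is an added example, not code from the GrapheneOS FAQ or from the poster; it assumes guesses are entered one after another through the normal unlock path, which is the only path the schedule governs, and the PIN length at the bottom is a constructed input.

```shell
#!/bin/sh
# Added example: the secure-element delay schedule from grapheneos.org/faq#encryption
# as a function, plus the cumulative waiting time it implies.

# Delay in seconds enforced after exactly $1 failed unlock attempts.
unlock_delay() {
    n=$1
    if [ "$n" -lt 5 ]; then echo 0
    elif [ "$n" -eq 5 ]; then echo 30
    elif [ "$n" -lt 10 ]; then echo 0
    elif [ "$n" -lt 30 ]; then echo 30
    elif [ "$n" -lt 140 ]; then
        # 30 * 2^floor((n - 30) / 10): the delay doubles every 10 attempts
        echo $(( 30 * (1 << ((n - 30) / 10)) ))
    else
        echo 86400   # one full day per attempt from the 140th failure onwards
    fi
}

# Total seconds spent waiting after failures 1..$1, i.e. the wall-clock time
# that must pass before attempt $1+1 can even be entered.
cumulative_delay() {
    total=0
    k=1
    while [ "$k" -le "$1" ]; do
        total=$(( total + $(unlock_delay "$k") ))
        k=$(( k + 1 ))
    done
    echo "$total"
}

# Days of enforced delay to try every code of a $1-digit numeric PIN in the
# worst case (the last guess is the right one): failures 140..10^$1-1 cost a
# day each, on top of the roughly one week that the first 139 failures cost.
days_to_exhaust_pin() {
    codes=1
    d=0
    while [ "$d" -lt "$1" ]; do codes=$(( codes * 10 )); d=$(( d + 1 )); done
    if [ "$codes" -le 140 ]; then echo 0; else echo $(( codes - 140 )); fi
}

# Constructed illustration: a 6-digit PIN.
printf 'delay after 139 failures: %s s (%s days)\n' \
    "$(cumulative_delay 139)" "$(( $(cumulative_delay 139) / 86400 ))"
printf 'days of delay to exhaust a 6-digit PIN: %s (%s years)\n' \
    "$(days_to_exhaust_pin 6)" "$(( $(days_to_exhaust_pin 6) / 365 ))"
```

The first 139 guesses cost about a week of delay in total; after that every guess costs a day, so even a six-digit PIN would take on the order of 2,700 years of enforced waiting to exhaust, which is what makes online guessing against the secure element impractical. The schedule says nothing about an attacker who can bypass the secure element, which is the scenario the encryption strength and passphrase quality mentioned above are for.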

    malatoi

      Phead
      Thanks Phead, that's an interesting read; it does make me lean towards Graphene without further info. I guess if I did end up replacing my laptop with the Pixel tablet then it would reduce the attack surface also.

      malatoi

      Referring to your xkcd link, in such a scenario let's say I had a document on one device that had recently been deleted. I'm forced to give up my keys to both devices. Is there more of a chance of recovery on one device over the other?

      When you're worried about someone recovering your deleted data, there's a lot that goes into it, for example wear leveling, etc. One of the best ways to make sure your data is at least way harder to recover, if not impossible, is to use something called the "TRIM" command. On an Android phone, this happens automatically every night when your phone is idle, or when you restart your phone if it hasn't happened in 3 days.

      If you're using a Linux computer, you need to check if this TRIM command is turned on and how often it's set to run.

      In Graphene OS, you can keep important documents in a separate profile. When you delete that profile, all the documents in it get deleted too and can't be recovered.

      OldMan GrapheneOS is "dummy secure". Means it protects you from YOURSELF.

      Desktop Linux security depends on how it's used and the competence of the user. Be a dummy and you'll have China and Russia invading it in no time and using it as a VPN endpoint and part of cryptocurrency botnets. Be smart though, and there's nothing to worry about.

        csis01 That is not correct. Aside from the fact that the approach of "just don't get infected!" doesn't work, has never worked, and will never work, GrapheneOS' security model isn't about "protecting you from yourself".

        GrapheneOS builds on AOSP's already strong security model and hardens security in many ways beyond that to make exploitation that much harder to occur.

        An example of the approach is detailed here, though that's not the full picture:

        https://grapheneos.org/features#exploit-protection

        It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

          I think @Vogelhaus adequately answered what OP was really asking about, which was about secure file deletion and disk encryption. Namely, GrapheneOS does it by default, and it can be set up on Linux.

          Of course, if you get your device seized while it's unlocked, there's not much disk encryption will do for you there...

          matchboxbananasynergy

          It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

          I share @csis01 's opinion on the importance of OPSEC—that is, the importance of making thoughtful decisions when operating a computer. GrapheneOS's strong exploit mitigations are not an excuse to make bad decisions. I would agree with you when you push back against misrepresenting Linux as secure, but @csis01 never said Linux was secure. @csis01 is saying that the only thing which impacts whether a user is exploited is the user's own decisions, which is an argument for every computer in the world, regardless of the operating system.

          This is observably false, because zero-click exploits exist. The user does not even have the opportunity to make a decision before their operating system has been exploited by an invisible calendar invitation. Nonetheless, I think @csis01 makes a good point about focusing on OPSEC even while trusting your operating system has your back.

            Equal2024 I agree with that, but you need to start with an essential baseline and go from there. Desktop operating systems with no access control, sandboxing, or any other modern security features feel antiquated in today's world.

            Can you use, say, Fedora Linux and never get infected or compromised? Probably. But that would be because the person using it is being extremely careful, or because no one tried, because compared to other systems, you'd be leaving yourself more or less wide open.

            Nothing is bulletproof, and that of course includes GrapheneOS. The project never claimed that it is. All it is is a secure baseline (AOSP) with significant hardening and security/privacy improvements that can significantly increase the effort/money required to compromise it. That still requires the person using it to remain vigilant.

              matchboxbananasynergy It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

              Translation: You aren't willing to accept that there are security minded and intelligent users. EVERYBODY in your opinion, is a moron who needs to be protected from themselves.

                Equal2024 zero-click exploits exist

                As an example, a "zero-click exploit" cannot exist in a system that is entirely disconnected from all networks and other devices and external data sources. Even DOS is secure, if you never connect a network or insert a potentially infected-with-something disk.

                csis01 That is not at all what I'm saying, but I'm not going to engage you further. I'd like to ask you to please at least try to assume good faith in others. It leads to much more productive conversations and less pointless arguments.

                OldMan
                On Linux, once an executable runs it has access to "everything", unless SELinux policies exist, which for the average Joe is not the case. On GrapheneOS this is not the case. This is relevant if we are talking about being hacked while the device is on.

                As far as I know, TRIM commands are never run on Linux automatically, which is another one of my gripes against Linux. You'd have to set a scheduler to run it (cron job). In Windows a TRIM command is sent every time any file is deleted.

                  User2288

                  On Linux, once an executable runs it has access to "everything", unless SELinux policies exist, which for the average Joe is not the case. On GrapheneOS this is not the case.

                  Could you expand a bit more on why Fedora's default SELinux policies are not adequate? And maybe about why SELinux is superior to AppArmor, which is used by default on Ubuntu.

                    User2288

                    As far as I know, TRIM commands are never run on Linux automatically, which is another one of my gripes against Linux. You'd have to set a scheduler to run it (cron job). In Windows a TRIM command is sent every time any file is deleted.

                    You can set up Continuous TRIM in Linux, too, quite easily: https://wiki.archlinux.org/title/Trim#Continuous_TRIM

                    The note explains some of the disadvantages of Continuous TRIM and why this is not the default.
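The check Vogelhaus recommended above (is TRIM on, and how often does it run?) and the continuous-versus-periodic choice in this post can be audited from the kernel and the config files directly. The script below is an added example, not from anyone in the thread or from the Arch wiki. It adds one point the thread does not mention that matters for the OP's LUKS laptop: dm-crypt drops discards unless it is told to forward them, so `fstrim` on the mapped device cannot reach the SSD until the `discard` option is in `/etc/crypttab` or `rd.luks.options=discard` is on the kernel command line. The `lsblk`, `fstab`, `crypttab` and `/proc/cmdline` formats it parses are real; the sample texts at the bottom are constructed so the parsers can be tried without root or an SSD.

```shell
#!/bin/sh
# Added example: audit the three conditions that must all hold before deleting
# a file on a LUKS-encrypted Linux laptop actually leads to the SSD discarding
# the blocks.
#   1. the drive advertises discard      (lsblk -D: non-zero DISC-GRAN)
#   2. dm-crypt forwards discards        ("discard" in /etc/crypttab, or
#                                         rd.luks.options=discard on the cmdline)
#   3. something issues TRIM             (fstrim.timer = periodic,
#                                         "discard" mount option = continuous)

# $1 = output of `lsblk -D -n -o NAME,DISC-GRAN,DISC-MAX`.
# Succeeds if any device reports a non-zero discard granularity.
lsblk_supports_discard() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $2 != "0B" && $2 != "0" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# $1 = contents of an fstab- or crypttab-style file, $2 = option to look for.
# Both formats keep their comma-separated options in the 4th field.
options_contain() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 !~ /^#/ && NF >= 4 {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# $1 = kernel command line; dracut's rd.luks.options=discard is the other way
# to let discards through dm-crypt at boot.
cmdline_allows_luks_discard() {
    printf '%s\n' "$1" | grep -q 'rd\.luks\.options=[^ ]*discard'
}

trim_audit() {
    if command -v lsblk >/dev/null 2>&1 &&
       lsblk_supports_discard "$(lsblk -D -n -o NAME,DISC-GRAN,DISC-MAX 2>/dev/null)"
    then echo "drive:      advertises discard"
    else echo "drive:      no discard support reported (TRIM would be a no-op)"
    fi

    if options_contain "$(cat /etc/crypttab 2>/dev/null)" discard ||
       cmdline_allows_luks_discard "$(cat /proc/cmdline 2>/dev/null)"
    then echo "dm-crypt:   forwards discards"
    else echo "dm-crypt:   blocks discards (fstrim cannot reach the SSD through LUKS)"
    fi

    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled fstrim.timer 2>/dev/null)
        echo "periodic:   fstrim.timer is ${state:-absent}"
    fi

    if options_contain "$(cat /etc/fstab 2>/dev/null)" discard
    then echo "continuous: discard mount option set"
    else echo "continuous: off (periodic fstrim is the usual default)"
    fi
    return 0
}

# Constructed samples (not from a real machine) to exercise the parsers.
SAMPLE_LSBLK='nvme0n1      512B    2T
nvme0n1p3    512B    2T'
SAMPLE_CRYPTTAB='luks-1234 UUID=1234 none discard'
SAMPLE_FSTAB='/dev/mapper/luks-1234 / btrfs subvol=root,compress=zstd:1 0 0'

lsblk_supports_discard "$SAMPLE_LSBLK" && echo "sample drive: discard supported"
options_contain "$SAMPLE_CRYPTTAB" discard && echo "sample crypttab: discards forwarded"
options_contain "$SAMPLE_FSTAB" discard || echo "sample fstab: relies on periodic TRIM"

trim_audit
```

Run it as-is to see the live audit for the machine it is on. On a SATA drive, `hdparm -I /dev/sdX | grep -i trim` additionally reports whether the firmware promises deterministic zeros after TRIM, which is the property that decides whether a trimmed block reads back as empty rather than merely being marked free.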

                      Equal2024 Could you expand a bit more on why Fedora's default SELinux policies are not adequate?

                      Well, to be honest, when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SELinux and AppArmor disabled by default (Mint, Pop!_OS, Manjaro, Zorin, etc.). Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah. Regardless, I can tell you that my education on the subject is very minimal at best. You might know more on the subject than me, and I'd be very happy to hear what you might have to say. I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled, either by a lack of good sources of information (too many pages with no good answers) or by heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day-long book just to be able to use SELinux or AppArmor in the command line.

                      What's SELinux on Fedora like? I don't know! And that's the problem. There is like no easy-to-find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me. With something like Android, it's clear; long-winded, but clear. And it's easy to find and read up on. Implemented perfectly out of the box with nothing else to do. Just learn to use it.

                      Equal2024 ...And [expand more] maybe about why SELinux is superior to AppArmor, which is used by default on Ubuntu.

                      Isn't AppArmor disabled in Ubuntu by default? I thought it was.

                      About their difference I can only quote one line that I heard while watching this YouTube video called "SE Linux for mere mortals" (which by the way I gave up on half way through), and that is:

                      AppArmor is path-based, whereas SELinux is more capable and versatile.

                      But I'm not opposed to AppArmor in any way. I'm happy to learn either and implement them on a system. The problem is it's a nightmare even to get started!

                      Now if you know anything about SELinux on Fedora I'm more than all ears to hear it.
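The questions in the post above (what does SELinux on Fedora do, how good is it out of the box, does it need anything else?) can be partly answered from the kernel's own interfaces rather than a book. The script below is an added example, not from anyone in the thread. It reads the active LSM list from `/sys/kernel/security/lsm` and the calling process's own label from `/proc/self/attr/current`, both real files with the formats shown in the comments, and reports whether the shell running it is actually confined. The one fact worth knowing going in: Fedora's default targeted policy gives interactive logins the `unconfined_t` type, so it confines system daemons while leaving the applications a user launches largely unrestricted by SELinux; that is the honest "out of the box" answer, and the script shows it for whichever machine it runs on. The label strings at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example: which mandatory-access-control LSM is active, and is the
# process running this script confined by it?

# $1 = contents of /sys/kernel/security/lsm, a comma-separated list such as
# "lockdown,capability,yama,selinux,bpf,landlock". Only one of the major MAC
# modules (selinux, apparmor, smack, tomoyo) can be active at a time.
active_mac() {
    case ",$1," in
        *,selinux,*)  echo selinux ;;
        *,apparmor,*) echo apparmor ;;
        *,smack,*)    echo smack ;;
        *,tomoyo,*)   echo tomoyo ;;
        *)            echo none ;;
    esac
}

# SELinux labels look like user:role:type[:range]; the type (3rd field) is
# what the policy rules are written against.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds if the label's type is anything other than unconfined_t. On a stock
# Fedora desktop a user shell is unconfined_u:unconfined_r:unconfined_t:..., so
# this fails there: the targeted policy is not restricting that shell.
selinux_confined() {
    case "$(selinux_type "$1")" in
        unconfined_t|"") return 1 ;;
        *)               return 0 ;;
    esac
}

# AppArmor writes either "unconfined" or "<profile> (enforce|complain)" into
# /proc/<pid>/attr/current.
apparmor_confined() {
    case "$1" in
        unconfined|"") return 1 ;;
        *)             return 0 ;;
    esac
}

mac_audit() {
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null)
    mac=$(active_mac "$lsm")
    echo "active MAC: $mac (lsm list: ${lsm:-unavailable})"
    # The attribute may carry a trailing NUL; strip it before comparing.
    label=$(tr -d '\0' < /proc/self/attr/current 2>/dev/null)
    case "$mac" in
        selinux)
            echo "mode: $(getenforce 2>/dev/null || echo unknown)"
            if selinux_confined "$label"
            then echo "this shell: confined as $label"
            else echo "this shell: NOT confined ($label); SELinux only governs daemons here"
            fi ;;
        apparmor)
            if apparmor_confined "$label"
            then echo "this shell: confined by profile '$label'"
            else echo "this shell: NOT confined; only profiled binaries are restricted"
            fi ;;
        *)
            echo "this shell: no MAC policy applies" ;;
    esac
    return 0
}

# Constructed sample labels, to show the two outcomes without needing Fedora.
SAMPLE_DAEMON='system_u:system_r:httpd_t:s0'
SAMPLE_LOGIN='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
selinux_confined "$SAMPLE_DAEMON" && echo "sample httpd: confined by type $(selinux_type "$SAMPLE_DAEMON")"
selinux_confined "$SAMPLE_LOGIN" || echo "sample login shell: unconfined"

mac_audit
```

`ps -eZ` lists the same label for every process, which is the quickest way to see how many of the programs you actually use run as `unconfined_t` (Fedora) or `unconfined` (Ubuntu) versus a real domain or profile.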

                        Equal2024 You can setup Continuous TRIM in Linux, too, quite easily: https://wiki.archlinux.org/title/Trim#Continuous_TRIM

                        The note explains some of the disadvantages of Continuous TRIM and why this is not the default.

                        A good post, thanks for this. But this is typical Linux. The fact that one has to worry about such low-level details and has to do it themselves is just the Linux story.

                        A more interesting question for me is, does having trim actually eliminate the possibility of data recovery from deleted sectors? On paper the answer seems a yes. But is that an answer one can trust? We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.

                          User2288

                          Well, to be honest, when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SELinux and AppArmor disabled by default (Mint, Pop!_OS, Manjaro, Zorin, etc.).

                          There are only really two "popular" types of distributions:

                          • Ubuntu-based (excluding Debian, but that's more of a server release)
                          • RPM-based (Fedora, RHEL, OpenSUSE, technically Qubes I guess)

                          Manjaro is an Arch-based distribution. I really wouldn't recommend using an Arch-based distribution like Manjaro or Garuda; only use mainline Arch Linux. EndeavourOS might be okay, but I don't see much reason to use it given Arch has an install script now. Manjaro in particular does not have a great security track record, but Garuda does some wacky stuff like build binaries for every PKGBUILD in the AUR and offers users an easy way to install those binaries with a graphical installer. Just use Arch if you want to use Arch.

                          OpenSUSE does enable SELinux by default, but does not include any policies.

                          Ubuntu has enabled AppArmor by default since 2007 and ships with more profiles in every release, according to the infamously outdated Ubuntu Wiki:

                          AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. AppArmor confinement in Ubuntu is application specific with profiles available for specific binaries. With each release, more and more profiles are shipped by default, with more planned.

                          Linux Mint is the only really popular Ubuntu-based distribution, and it also apparently enables AppArmor by default.

                          Whether profiles are included or not, I don't know.

                          Oh, and I think Manjaro implements AppArmor, but I still wouldn't recommend Manjaro...

                          Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah.

                          I'm an Arch user, and I have no idea about Fedora or SELinux. I've been considering switching to Fedora because it allows you to easily enable FDE, sets up SELinux, and generally does a bunch of security stuff that is annoying to do on another distribution out of the box. It's a rolling release like Arch which ships most packages without changes and doesn't have quite so many updates, so you're still getting regular patches. It doesn't have as many official packages, though. I'm not sold on Flatpaks yet but I'm sure they'll continue to improve. So long as NVIDIA implements a real free software driver and the last H.264 patent finally expires in 2028, the small usability issues will also be gone. Well, assuming AAC patents are gone by then, too...

                          So I think Fedora is a great experience for novice and advanced users alike with very sane defaults. I've tried it out on an old computer and it seems fine, but I found out it ships an older version of cURL which wasn't new enough to build my RSS feed reader. I dread to imagine what version of cURL is shipped with Ubuntu.

                          You might know more on the subject than me, and I'd be very happy to hear what you might have to say. I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled, either by a lack of good sources of information (too many pages with no good answers) or by heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day-long book just to be able to use SELinux or AppArmor in the command line.

                          This generally reflects my experience, although I will say I prefer doing most things in the terminal, and I do some system administration work on the side. I mostly couldn't be bothered with it and didn't bother implementing AppArmor or SELinux on my Arch installs. I also didn't bother with FDE for similar reasons. I would like to one day read a multi-day long book on the subject of SELinux...sometime, far into the future, on a lazy weekend.

                          AppArmor seems easy enough to get your head around to start with, from the little I did with it.

                          What's SELinux on Fedora like? I don't know! And that's the problem. There is like no easy-to-find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me. With something like Android, it's clear; long-winded, but clear. And it's easy to find and read up on. Implemented perfectly out of the box with nothing else to do. Just learn to use it.

                          I believe the Fedora implementation is meant to be similar to Android, in that it's meant to be perfect out of the box with nothing else to do. I'm afraid I can't help you there, since I still don't use Fedora as a daily driver. Maybe next year.

                          About their difference I can only quote one line that I heard while watching this YouTube video called "SE Linux for mere mortals" (which by the way I gave up on half way through)

                          Oh, hey, that's the same video I watched 5 minutes of a long time ago. Maybe one day. Probably right after I switch to Fedora...

                          A good post, thanks for this. But this is typical Linux. The fact that one has to worry about such low-level details and has to do it themselves is just the Linux story.

                          These disadvantages are actually to do with the TRIM standard and SATA itself. I don't imagine other operating systems have it any easier. From the Wikipedia page:

                          Faulty drive firmware that misreports support for queued TRIM or has critical bugs in its implementation has been linked to serious data corruption and/or serious bugs like frequent freezes in several devices, most notably Micron and Crucial's M500[75] and Samsung's 840 and 850 series.[76] The data corruption has been confirmed on the Linux operating system (the only OS with queued trim support as of 1 July 2015).

                          If your drive uses SATA 3.1+, you shouldn't need to worry about any of this. I assume most drive manufacturers have figured out how to make non-dodgy firmware by now...

                          I have no idea how Windows handles this.

                          We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.

                          Ditto.