Is second user profile encrypted also by first user?

OldMan

I have a passphrase for the main user profile.

I am thinking of setting up a second user that I mainly use day to day that I will encrypt with a pin.

My question is if my phone is taken when turned off can the second user be decrypted with only the pin I set up for it? Or does the passphrase of the main user have to be cracked first?

If it can be decrypted with only the pin then obviously this sort of set up isn't going to make sense against a sophisticated adversary.

[deleted]

OldMan I am also interested in the answer to this, I posted the same question a few days ago and got no response

matchboxbananasynergy

@[deleted] Sorry if we missed a thread.

Hi @OldMan. If you reboot your phone, you will notice that you cannot switch to another secondary profile until you first unlock the owner profile using your credentials first. No attempt to unlock your other profiles can be made without owner being unlocked (meaning with the phone is in BFU or Before First Unlock state).

DeletedUser115

matchboxbananasynergy Thanks, this makes sense. I suppose what is interesting to know which of the following statements is true:
1) Titan M2 won't release encryption key for secondary profiles until the owner profile is unlocked, or/and
2) The encryption key for secondary user profiles is derived from both the profile PIN/passphrase AND the PIN/passphrase of the owner profile.

The practical significance of this is should one who decides not to trust Titan M create strong passphrases for all profiles or just the Owner.

[deleted]

matchboxbananasynergy Totally understand didn't mean anything by it.

DeletedUser115 Exactly what I'm wanting to know as well.

OldMan

matchboxbananasynergy

Thanks, I understand that is the case when using the phone.

What I was trying to ask was if a state actor had the phone and used whatever magical devices they have is the second user's profile stored within the owner the profile (and therefore always protected by the owner's passphrase) or would they potentially be able to access the second user without the owner's passphrase?

I just need to make sure I don't misunderstand anything here.

spiral

OldMan

Great question, I'm also interested to know this

[deleted]

Anyone have any information about this?

matchboxbananasynergy

Hey everyone. Circling back to this after having a chat with the team to be able to provide a correct response.

Separate profiles should be treated separately when it comes to their lock method. If you want to protect a profile, you should use an unlock method for it that is according to your threat model.

While it is true that currently Owner has to be unlocked before attempts on secondary user profiles can be made, it isn't out of the question for AOSP to change that behavior in the future if they regard it as a limitation, which they likely do (from a UX standpoint and considering the fact that multiple users are meant to be used by individual people, having to have the owner present before you can unlock your own profile after a reboot isn't great).

I hope that helps!

mhall

matchboxbananasynergy

It's great to hear they may considering changing this, because I got 99% of the way to have a limited "child" user, and now I realized that the admin user needs to login every time the device restarts which defeats that entire usecase of the other user having the ability to use their phone

Do you know if there is a feature request to change this or any workarounds?

My only worry is that even if I could login as the child user on boot, I doubt SMS will work without the admin also being logged in in the background

John_1984_666

So for now, using strong passphrase on owner and also main profile adds a good layer of security