• GeneralSolved
  • Automatic Closing of Profile Sessions for Data Security?

As according to the GrapheneOS documentation, any data stored in user profiles can be put to rest and encrypted, even when the device is still running, by simply ending that user profile's session.
However, I want it to be configured so that whenever I leave a user profile, whether to the lock screen or by switching to a different profile, it automatically & forcibly ends the previous user profile's session.
This would ensure that any sensitive data stored in that profile stays at rest and encrypted whenever possible, without relying on any further user input, since I may occasionally forget to end that profile's session myself.
Is this a possibility? Or is this already what happens when I toggle off "Allow running in background" in a user profile's settings?

  • [deleted]

It sounds as though what you're hoping for is already implemented according to the documentation that you read and quoted in your post.

    [deleted]
    Not really.
    Yes, user profile data can be encrypted, but the docs seem to imply that the session must be ended manually by the user for the data to be put back to rest.

    GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest.

    To clarify, what I'm looking for is for user profiles to be automatically ended whenever they're not unlocked and being actively used.
    Otherwise, if a user goes back to the owner profile and forgets to end that user profile session, then whatever important data in that user profile is going to continue sitting around unencrypted for some extended length of time, vulnerable if the phone is ever seized or stolen, and thus rendering any user profile encryption meaningless.

    • zzz replied to this.

      ironwindow

      I think the current best alternative and typical recommendation seen on this forum would be to set up auto-reboot under

      Settings -> Security -> Auto reboot

      Every time your phone reboots, all profiles will be put back at rest.

      Its not as convenient as other requested features might be, but it's real in the here & now, and should get the job done.

      Isn't the "allow running in background" toggle found in a profile's settings exactly what you're looking for?

        • [deleted]

        • Edited

        spring-onion Sounds like he wants it to be ended when it goes to the lock screen which that wouldn't do. That only ends it if you switch to another owner profile manually.

          [deleted] in my experience, by activating the "allow running in background" option all tasks and this profile are closed, no active services related to this profile are shown in the service monitor of the main profile.

          As mentioned by others above, user profiles now have a toggle for allowing or disallowing a profile to run in the background.

          When that is disabled (so, not allowed to run in the background), the moment you switch from your user profile to another one, the profile goes back to rest and all of its data is encrypted. It essentially functions as an always-on "End Session" option.

          Keep in mind that if you're in the Owner profile and disable the setting to allow a profile to run in the background, the moment you disable that setting, the user profile you did it for is also immediately put back to rest.

          End Session is still quite useful for profiles for which you don't want to always put back to rest, so you get that control, but if there are profiles for which you always want switching to a different one to mean it is encrypted at rest, that's the option for you.