Device encryption, automatic decryption?

Andorid

Hi there, some years back with stock Android devices I can remember I had to give the PIN/password twice. First for decrypting the device and then again to unlock the lock screen.
Now with GOS the device starts automatically up to the lock screen, with the lockscreen PIN being the only protection. This means, the data partition gets devrypted automatically.

Is there any way in GOS to get the old Android behaviour to require PIN/password to decrypt the data partition?

GrapheneOS

Andorid There are per-user encryption keys and sensitive data is stored in the Owner user. Android doesn't currently provide the option of an early boot passphrase anymore but it would be entirely possible to implement. It would be difficult to maintain and potentially quite problematic if the encryption format or implementation ever changes significantly for existing devices, which is why we avoid implementing those kinds of features right now. We would need significantly more resources to be able to take those kinds of risks.

treequell

Android now uses an enhanced form of filesystem-based encryption:

The data partition stores all of the persistent state for the operating system. Full disk encryption is implemented via filesystem-based encryption with metadata encryption. All data, file names and other metadata is always stored encrypted. This is often referred to as file-based encryption but it makes more sense to call it filesystem-based encryption. It's implemented by the Linux kernel as part of the ext4 / f2fs implementation rather than running a block-based encryption layer. The advantage of filesystem-based encryption is the ability to use fine-grained keys rather than a single global key that's always in memory once the device is booted.

https://grapheneos.org/faq#encryption

Andorid

GrapheneOS
Right, I forgot, encryption changed from block to file based encryption. When I think about it, would a dedicated PIN/passphrase for decrypting user land after booting add additional security at all.... i think it´s hardly feasable in a smartphone to extract chips to mount "offline" brute force attacks...

GrapheneLover

GrapheneOS Would absolutely love for this to be added. I honestly think it's very crucial to this project to have it. How much do you think you would need to add it and maintain it?

raccoondad

Andorid With Pixel devices, extracting the chip is only one part. You also need to extract the Titan chip and get the key off of there. You can't brute force a key like a password, so you need the key stored on the Titan

raccoondad

GrapheneLover Why would it be crucial? It adds pretty much no security benefits compared to file system based encryption. Android doesn't have the feature anymore, it probably won't ever be added

GrapheneLover

raccoondad At least what I can remember about it is this: When it was the password on boot full disk encrypted as in where it needed the passphrase on boot it was impossible for exploits such as the lock screen bypass because it never got to the point of the lockscreen, now with the file based encryption it loads all the way to the lock screen and the lock screen has been bypassed before by exploits or coding laziness. This is at least what I can recall on the matter. Let me know if that's not correct?

raccoondad

GrapheneLover "lock screen bypass because it never got to the point of the lockscreen"

This also applys to the BFU state.

Imagine you are a WWII solider, I give you the battle plan in a note encrypted with the enigma machine. The note however i stored inside of a locked box.

The only way to read the battle plan is to use your key (for GOS/android that would be the random 256 bit AES key stored in the Titan) with the note. But in order to get the note you need to open the box with another key.

Now imagine that same scenario, but instead of the note being stored in a box, its just handed to you. You still can't read it without using the key in the engima machine, but its not locked in the box.

This is a loose analogy, it may be more accurate to say in full disk encryption that the note itself is in plaintext inside the locked box but I think that would have some concepts lost in translation. Regardless, the pin screen what 'unlocks' the data, its an input for the Titan chip. That Titan chip then releases the AES key based on if its correct or not (based on its own calculation in chip away from the CPU) to the operating system so it can actually decrypt the data.

If a pincode bypass was found and done on a device in BFU it would fail to start because the operating system doesn't have the AES key from the Titan chip.

This is why wiping takes less than a few seconds on Pixel devices. The data isn't destroyed, the key is. NIST considers this as secure as deleting the data itself.

GrapheneLover

raccoondad Thanks for the explanation. Would it not be better to have this type of setup though:

Boot passphrase like in the old Android days which is a different passphrase than the screen unlock passphrase, then after the Boot passphrase is successful it continues and goes to the new file based encryption method which is the screen unlock passphrase which would be different than the boot passphrase. Would this not be more secure than what is used now for the extreme high risk users or would it not add any benefit? As it needs two different encryption passphrases. Thanks for your knowledge in this matter.

r3tr0

GrapheneLover No, but it definitely increase the hassle to remember yet another unique password, which you can set to every single profile on your device. I think this would be a step backwards for most user and may lead to bad security habits(fatigue). I experienced this in the past with disk encryption passphrases in combination of user passwords with a high entropy. TPMs, secure elements and security keys were a Hugh benefit.

Additionally this will be complicate things with your automatic updates and automatic reboot which IMHO outway the this feature request. This will also put extra work to the team, whom already have to prioritize how they use there developer capacities.

raccoondad

r3tr0 I would also like to mention 256+256 bit AES encryption is about as good as 256 bit encryption with current methods of bruteforcing. Double layer encryption with no real change to the key processing method isn't more secure. The security was already established at the first layer