DeviceEncryption » History » Version 1
Denis 'GNUtoo' Carikli, 11/09/2020 06:16 PM
Move from UsageNotes
h1. DeviceEncryption

h2. Device Encryption
Limitations:

* On Replicant 6.0, the encryption scheme is specific to Android. Because of that, if the device breaks, recovering the data from its storage is more complicated than with a standard scheme, even when you have the passphrase.
* Replicant doesn't have protections against "Evil maid attacks":https://en.wikipedia.org/wiki/Evil_maid_attack: someone with physical access to the device can tamper with its unencrypted parts (see the "Full encryption" section below).
h3. Full encryption

While that Android feature is called "Device encryption", it doesn't encrypt everything.

For instance, on a Galaxy SIII, enabling "Device encryption" only encrypts the USERDATA partition.

As the encrypted partition has to be opened, and the user needs to type a password for that, some code has to run before it is opened in order to prompt the user for the password and unlock the partition. That code cannot come from within the encrypted partition, so it, and everything it needs in order to boot, has to stay unencrypted.

This is why "full disk encryption" or "device encryption" schemes often have parts that are unencrypted.
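To see concretely which volumes "Encrypt phone" covers on a given device, read the device's fstab: Android's fs_mgr only sets up dm-crypt for volumes flagged @encryptable=@ (or @forceencrypt=@), and every other line stays plaintext. The following Python script is an added example, not Replicant's code, that parses such an fstab and reports the status of each mount point. The fstab it embeds is a constructed sample in fs_mgr format with made-up block device paths, modelled on the single-encrypted-partition layout described above for the Galaxy SIII.

```python
"""Report which mount points of an Android fstab are covered by device encryption.

Added example (not Replicant's or Android's own code). SAMPLE_FSTAB is a
constructed fstab in fs_mgr format; the block device paths are invented.
"""

SAMPLE_FSTAB = """\
# <src>                                      <mnt_point> <type> <mnt_flags>          <fs_mgr_flags>
/dev/block/platform/example/by-name/BOOT     /boot       emmc   defaults             defaults
/dev/block/platform/example/by-name/SYSTEM   /system     ext4   ro,noatime           wait
/dev/block/platform/example/by-name/CACHE    /cache      ext4   noatime,nosuid,nodev wait,check
/dev/block/platform/example/by-name/USERDATA /data       ext4   noatime,nosuid,nodev wait,check,encryptable=footer
"""


def parse_fstab(text):
    """Return a list of (mount_point, [fs_mgr flags]) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; fs_mgr would reject it as well
        _src, mnt_point, _fstype, _mnt_flags, fs_mgr_flags = fields[:5]
        entries.append((mnt_point, fs_mgr_flags.split(",")))
    return entries


def encryption_status(text):
    """Map mount point -> status string derived from the fs_mgr flags.

    Only a volume carrying `encryptable=<footer>` (opt-in via "Encrypt phone")
    or `forceencrypt=<footer>` (always on) gets the dm-crypt layer; the value
    names where the crypto footer holding the wrapped key is stored.
    Everything else is readable by anyone who can dump the flash.
    """
    status = {}
    for mnt_point, flags in parse_fstab(text):
        state = "plaintext"
        for flag in flags:
            name, _, value = flag.partition("=")
            if name == "encryptable":
                state = f"encrypted after opt-in (key footer: {value})"
            elif name == "forceencrypt":
                state = f"encrypted unconditionally (key footer: {value})"
        status[mnt_point] = state
    return status


def plaintext_mounts(text):
    """Mount points that stay unencrypted: where boot-time code must live,
    and what an attacker with physical access can read or modify."""
    return sorted(m for m, s in encryption_status(text).items() if s == "plaintext")


if __name__ == "__main__":
    for mnt, state in encryption_status(SAMPLE_FSTAB).items():
        print(f"{mnt:10} {state}")
    print("unencrypted:", ", ".join(plaintext_mounts(SAMPLE_FSTAB)))
```

Run against the real fstab pulled from a device's boot ramdisk, the @plaintext@ entries are exactly the parts that remain exposed without the passphrase.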
h3. Setting a device encryption password separate from the lockscreen password

By default on Android, the encryption password is the same as the lockscreen password. As users tend to use a simple PIN, password or pattern for the lockscreen, the encryption can then be easily circumvented with a "brute-force attack":https://en.wikipedia.org/wiki/Brute-force_attack on that short secret.

Replicant allows setting an encryption password that is not tied to the lockscreen:
# Encrypt your device (in the settings: *Security* -> *Encrypt phone*)
# After the phone has rebooted and the encryption is set up, select *Change encryption password* in the *Security* menu of the settings
# Choose a strong passphrase. You will only have to enter this passphrase once, when the device boots. The section below elaborates on how to choose a strong passphrase.
# Reboot the device and verify that the encryption works properly by entering the previously chosen passphrase

If a separate encryption password is in place and a PIN or password is set for the lockscreen, another security measure is active: after five unsuccessful attempts to unlock the screen, the device reboots and the attacker is faced with the much stronger encryption passphrase. This makes brute-force attacks on the lockscreen much harder.
h3. Choosing a strong passphrase

Android's device encryption is built on dm-crypt, the same Linux kernel mechanism that cryptsetup uses, so most or all of the "Cryptsetup FAQ":https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions also applies to Replicant.

That FAQ has a "Security Aspects":https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#5-security-aspects section that details the cost of breaking a passphrase as a function of its entropy, in a table like this one:

|_. Passphrase entropy |_. Cost to break |
| 50 bit | EUR/USD 600k |
| 55 bit | EUR/USD 20M |
| 70 bit | EUR/USD 600B |
| 75 bit | EUR/USD 20T |

Be sure to look at the FAQ for potentially more up to date figures and the details that go with them (every additional bit of entropy doubles the attacker's work, which is why the cost grows by about 32x per 5 bits in the table).

As for calculating the passphrase entropy, tools like KeePassXC (which is available in Parabola) have a password generator that is able to estimate the entropy. At the time of writing, in KeePassXC, this can be found in @Tools->Password generator@.
h3. Real example of a bad password

For instance, using @Replicant@ as a password is a very bad idea for several reasons:
* Casual attackers who know that the device is running Replicant can simply try various variations on "Replicant" by hand. They will most probably find it.
* Attackers can easily copy the encrypted partition and try entries from dictionaries offline. That will probably find it very fast too.
* Slightly more sophisticated attackers have optimized dictionaries that try variations on common words, driven by accurate statistical models. That will probably find it very fast too.
* Even plain brute-force finds it far too easily: it is too short and not random enough. Using KeePassXC to calculate the entropy gives 15.32 bits. That is about 20452 tries on average (1/2 * 2^(bits of entropy in the passphrase), according to the cryptsetup FAQ). So even with a slow computer that only does one try per second, it takes only about 5h40 to find it.
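The arithmetic behind the cost table, the PIN-versus-passphrase comparison of the previous section and the @Replicant@ example above, worked through in an added Python example (not code from the Replicant wiki, KeePassXC or cryptsetup). It assumes the FAQ's EUR/USD 600k figure for 50 bits and extrapolates by doubling per bit; the 15.32-bit value is the KeePassXC estimate quoted above; the word list, mangling rules and suffixes are a tiny constructed stand-in for the dictionaries a real cracker uses.

```python
"""Passphrase strength arithmetic in the style of the cryptsetup FAQ.

Added example (not Replicant's, KeePassXC's or cryptsetup's code). The cost
at 50 bits is the FAQ figure quoted on the page; WORD_LIST, LEET and SUFFIXES
are a constructed miniature of real cracking dictionaries and rule sets.
"""
import math
import string

FAQ_COST_AT_50_BITS = 600_000  # EUR/USD, cryptsetup FAQ "Security Aspects" table


def charset_bits(passphrase):
    """Entropy if the string were uniformly random over the character classes
    it uses. This is what naive strength meters report and it badly overstates
    human-chosen passwords: it gives "Replicant" ~51 bits, KeePassXC 15.32."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def pin_bits(digits):
    """A numeric lockscreen PIN of the given length."""
    return digits * math.log2(10)


def diceware_bits(words, list_size=7776):
    """Words drawn uniformly from a list (7776 = a six-dice Diceware list)."""
    return words * math.log2(list_size)


def expected_tries(bits):
    """Average guesses before success: half the keyspace, as in the FAQ."""
    return 2 ** bits / 2


def seconds_to_break(bits, guesses_per_second):
    return expected_tries(bits) / guesses_per_second


def cost_to_break(bits):
    """Extrapolate the FAQ's 50-bit figure: every extra bit doubles the work."""
    return FAQ_COST_AT_50_BITS * 2 ** (bits - 50)


# --- a rule-based dictionary attack, the kind that finds "Replicant" quickly ---
WORD_LIST = ["password", "android", "replicant", "galaxy", "samsung", "secret"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "2020"]


def mangle(word):
    """Candidates a cracker tries for one base word: case variants and l33t
    substitutions, each followed by a short digit/punctuation suffix."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper(),
                                word.translate(LEET),
                                word.capitalize().translate(LEET)]))
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target):
    """Return (found, guesses). A real attack runs every guess through the key
    derivation and tests it against the copied encrypted partition; comparing
    plaintext keeps the example self-contained, the guess count is the same."""
    guesses = 0
    for word in WORD_LIST:
        for candidate in mangle(word):
            guesses += 1
            if candidate == target:
                return True, guesses
    return False, guesses


if __name__ == "__main__":
    for label, bits in [("4-digit PIN", pin_bits(4)),
                        ('"Replicant" per KeePassXC', 15.32),
                        ('"Replicant" naive charset bound', charset_bits("Replicant")),
                        ("6 Diceware words", diceware_bits(6))]:
        print(f"{label:33} {bits:6.2f} bits  ~{expected_tries(bits):.3g} tries  "
              f"~{seconds_to_break(bits, 1e9) / 86400:.3g} days at 1e9/s  "
              f"cost ~{cost_to_break(bits):.3g} EUR")
    print("dictionary attack on 'Replicant':", dictionary_attack("Replicant"))
```

Two things the numbers make visible: a 4-digit PIN (about 13 bits) is weaker than even the 15.32-bit estimate for @Replicant@, which is why the separate encryption passphrase matters; and six random Diceware words land above the 75-bit row of the table, while the naive charset bound for @Replicant@ would wrongly place it near the 50-bit row.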
h3. Other tips

* Do not turn the default keyboard (LatinIME) into a non-system app if you use encryption: the passphrase prompt at boot runs before the encrypted storage is opened, so a keyboard that lives in the encrypted USERDATA partition is not available yet and you will be unable to enter the password.