Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content

encrypt sdcard so that it can be decrypted with appropriate keys on a PC?

Summary

using the sdcard as adoptable storage make it impossible to be read on another device, which is really problematic, I use sdcard for storing data that MUST be accessible from a PC (in case of phone crash... explosion.... fall from the 10th floor....)

Description

I want to be able to encrypt the sdcard and mount it in a way I can control the encryption keys (backup, password...) using standard linux ways : encryptfs, luks, veracrypt (I like the later since it allow me to access it on windows as well, and perform partial encryption, leaving for example a "contact-me.txt" file with contact information in case the sdcard is lost (dreaming that there are honnest people, but guess what, there are some... i got back my wallet with everything in it on a trip ;) )

Who will use this new feature?

everyone that want to keep the sdcard content private from people getting access to it, but find the android policy "it's me or nothing" stupid and think that a sdcard is a way to be able to get back the data when the phone is no more usable... imagine you break your phone, and it's not recoverable, but the sdcard is working, you can plug it on a computer, decrypt the content and get back all the precious files backuped on it, photos, video.... but the android adoptable storage way is not standard, the keys can't be backuped, not sure it's a format even readable by a linux computer... so I would like to have the phone prompt for a password at startup, mount a regular encrypted sdcard created on linux at a specific location or /e/os have some app like eds that allow to mount a veracrypt file volume using fuse.... or maybe just embed veracrypt on /e/os and create a gui to access it???

Why these users would like to use this feature?

because loosing data is the worst case in digital world.... people rely on cloud backup to get back data, but cloud is problematic, takes ages to retrieve, is highly environmental unfriendly (for a access you'll do 1 time in 10 years, a supercomputer has to run h24 7/7 365/365) you can break the phone, you can buy a new one, but the data on it is.... lost... and keeping the sdcard unencrypted is not an option, someone can steal the phone, and retrieve the precious backup....

Examples

  1. retrieve data after a phone break
  2. transfer file using the sdcard and use it in regular way
  3. keep safe from spying

Reflection

Mockups

1- embed veracrypt and create a gui that have privilege to mount this is the best case, the user can mount when he wants access, can even have encrypted file in encrypted file for the most sensitive information, can use file keys to make a password attack impossible.... this don't require a password at boot prompt, the user is not restricted to linux pc for recovery.... everything is perfect, should be the easiest integration (veracrypt is opensource, run on linux with dmmapper and fuse... both are already available on android...)

2- use standard linux encrypted file system at boot/sdcard/usb insert event, if the device is detected as a linux encrypted drive (encryptfs, luks....) prompt the user for a password and mount the device in /storage/* where * is label at first choice, uuid at second choice

Diagrams

Validation

1.1. using adb, check that veracrypt can be run at command line and can mount a veracrypt encrypted file storage (password only protection or with additional key files)

1.2 using adb, check that veracrypt can be run at command line and can mount a veracrypt encrypted storage (password only protection or with additional key files)

1.3 using the gui, check that user can provide a password and optionaly one or more keyfiles and that the gui can run the veracrypt binary and mount the encrypted storage (both file storage and device whole encryption)

2.1. plug a traditional linux encrypted device on the powered off device, boot, see if a prompt is displayed, enter the pass, check with file manager that a storage is available and test if it can be written

2.2. with phone powered, plug a sdcard or a usbkey encrypted using a linux traditional encryption, see if the pass is prompted, enter the pass, check if the storage is accessible

both for 1 and 2 : -unplug the storage, check if the data can be accessed on a pc with the right decryption information -redo the process 1- or 2- according to the choice taken, with wrong credentials, see that the data can't be accessed...