Automatically mount *encrypted* sd-card

I would like to automatically mount an encrypted SD-card. I followed this guide: README.md · master · olf / _Guide_ Creating partitions on SD-card - optionally encrypted · GitLab
I can’t get it to work. I think there is a problem with:
cryptsetup luksFormat.
Because whatever I do, I’m asked for a known password. Never in the procedure does the software ask me for a password. When I make Luks happen in another way, my phone says “Not allowed to unlock memory card”.

Thanks in advance.

Duplicate of Mount luks encrypted SD-Card automatically - #3 by carmenfdezb

Thank you kindly for the referral. If I understand correctly, support from Jolla is an absolute requirement. I hope you will get good cooperation soon.

No, only time & motivation is required from anyone willing to contribute.

I hope you will get good cooperation soon.

LOL! With whom?

Neither Jolla nor anyone else seems to be willing to put any effort into this, so why should I?

I absolutely agree with you that manual mounting is useless. Making regular backups to sd-card is very important. Backups are unencrypted. That doesn’t meet my expectations.
Keep up the good work, please!

1 Like

Hi

Running on 4.4.0.72 - I could not make it work; worse, the system no longer recognized my SD card, and I had to restore the luks headers. I must admit I learnt a bit around luks and cryptsetup these past days …

Could you indicate some path to follow to start and help?
I imagine something around understanding

  • systemd
  • udev
  • policies

Regards
Dominique

@ddelamarre and @jolla4ever,

I am sorry for coming across so grumpy here, because you both were kind and did not demand anything. Specifically @ddelamarre offering his support (and assuming @carmenfdezb would also be willing to test) lets me consider picking this up again. Additionally this has become the main reason why I am using outdated SailfishOS releases on my production phones, as Jolla seems to have addressed many of the flaws of 3.4.0 and the early 4.x.y releases (a time when I had the impression that every new release was even buggier than its predecessor).

@ddelamarre, I remember having the latest release of crypto-sdcard working nicely on SailfishOS 4.0.1, when plugging in an external USB-stick (or any other USB attached mass storage device) with LUKS volume(s) on it after SailfishOS has booted. Using a USB-attached storage device (can be almost any old USB-stick with a USB-C / µUSB to USB-A adapter (cable)) is the most convenient way to test, because observing the auto-mounting to succeed or fail is just a matter of re-plugging, in contrast to rebooting with an SD-card as DUT. And the current work-item of auto-mounting when booting can be tested with a USB-stick and an SD-card alike.

I am planning to pick this up again in the upcoming weeks where I stopped 1,5 years ago: With one of my testing phones on SFOS 4.0.1. When I have that working, I plan to start upgrading SFOS and check if crypto-sdcard is still working on every subsequent release (currently 4.1.0, 4.2.0, 4.3.0 and 4.4.0).

AFAIR, the remaining issue on 4.0.1 was that unlocking LUKS volumes happened “too early” in the boot process, thus failing. But it should happen as early as possible in order not to slow down the boot process and the timing was fine on SFOS < 4. Systemd allows for thorough analysis of the startup process (“bootchart”) and dependency chains (forward and reverse) of units. One has to find the culprit, i.e., the specific unit which has to run before the unlocking for it to succeed.

As a first step it would be helpful to know if SFOS 4.4.0 still behaves like SFOS 4.0.1 when using USB-attached storage.

And, please let us move this conversation to GitHub, because any further discussion is misplaced at FSO, as it solely deals with crypto-sdcard. You may continue in the old thread there, i.e., issue #115.

2 Likes

You probably need /etc/polkit-1/localauthority/50-local.d/69-cryptosd.pkla. Do you currently have crypto-sdcard installed?

Thank you so much! Of course, you can count on me for testing, I hope to be helpful :slight_smile:

1 Like

Hi

I uninstalled it for the moment and restored the luksHeader.
I will try again later today and let you know.
It is also possible I missed something in the guidelines, redoing it will possibly show me what …
[ Attempts moved to https://github.com/Olf0/crypto-sdcard/issues/248 ]

Regards
Dominique

2 Likes

  1. You are using a completely outdated guide, see footer of that outdated guide or jolla4ever’s first message in this thread here.
  2. Please do continue to document your tries in a new issue at crypto-sdcard. You are flooding this thread with stuff which is not of interest for anybody else, hence please refrain from doing so here or in the corresponding issue report at GitHub.
  3. First do read the source files and corresponding issue report at GitHub, many things are documented there and might become obvious to you.
  4. You first need to understand how crypto-sdcard works conceptually. Yes, manually executing the actions it performs is a valid approach. It might be easier to start doing that with mount-sdcard on an unencrypted partition or volume.
  5. You need to look at and use the code for SFOS 4, which is in the SFOS 4 branch. (Oh, really. :roll_eyes:)
  6. Please go slow, try your things and ask specifically what you do not understand. Here you posed a single question " AM I on the right way ?": I cannot tell, this write-up is too convoluted to be understood quickly. My time is scarce and limited.
  7. Read thoroughly and try to understand what you read, before you start writing messages, otherwise your and the reader’s time is consumed senselessly.
  8. Do test with USB-attached mass storage, as I already told you. Do check first, if this is still working when “hot-plugging” (as it did under SFOS 4.0.1), as I already suggested!

Thanks!

Hi

thanks for your answer.
I will follow your advice.

Regards
Dominique

@jolla4ever & @ddelamarre,

your reports (the original one and the last one) have one common issue: The lack of any specific information. To me they only state “it does not work”, that is why I initially answered “I know”.

Especially numbers are important: Exact SFOS version, crypto-sdcard version, specific steps in the setup guide etc., but also the exact and full commands tried, plus all commands issued (i.e., the complete flow). Basically I have no idea what you both used or try to address.

This is why I can answer statements like this only with “I don’t know what you were doing, but obviously you did something wrong”:

@all (@jolla4ever, @ric9k, @carmenfdezb, @ddelamarre), concurrently to trying to resolve this once more personally, I think a proper feature request should be written, which asks Jolla to unlock any encrypted partition on SD-Card when SailfishOS boots as they do with the /home volume (using the same password). As the topic is complex and most of us are not native English speakers, plus a proper feature request has to be well phrased and technically precise, I strongly suggest drafting that feature request here, using the information in this thread and from “Mount luks encrypted SD-Card automatically - #4 by olf”, “Automount encrypted sdcard with key file - together.jolla.com” (from 2019, “tracked by Jolla”), “Locking/unlocking encrypted SD card - together.jolla.com” (from 2018, the oldest I found, because SFOS 3.3.0 introduced the encryption of /home), “Unlock encrypted device and sd card together - together.jolla.com” (basically asking what we should ask for, again), plus naming these references.

Then we can perform a mutual quality assurance until we deem it to be ready to be posted in a new thread.

Whoever wants to start, please do first copy Jolla’s bug report / feature request form here and start to copy existing text fragments from these references to it (especially the last one above, it is a good starting point). Additionally put a list of these references at the end of the report.

P.S.: Actually I would like to use this thread only for that and then conclude it.

I sidestepped udev completely and created a semi-flexible solution involving two systemd services:

To whom it may concern.

@ohnonot, please do not double-post (Mount luks encrypted SD-Card automatically - #11 by ohnonot), instead decide for either place and link from the other to it.