The original plan for TEE- or SE-backed encryption for key storage didn't work out. Namely, when decrypting there is always a check for some data properties at the end of the decryption operation. So I cannot use nested decryption for rate limiting of a brute force attack.
However, it is possible to use an approach based on the Android disk encryption pipeline. Namely, process the user-provided password using scrypt and salt and then, instead of using it to encrypt/decrypt, just sign it with some hardware-backed key. Interestingly, there is a key property MIN_SECONDS_BETWEEN_OPS which can be used for limiting the number of tries per second. As a result, the whole scheme is way easier and no nested encryption is needed:
- scrypt the user-provided password with salt → result K1, 32 bytes
- sign K1 with a hardware-backed RSA key → result K2, 256 bytes
- scrypt K2 with salt to get 32 bytes → result K3, 32 bytes
- use K3 as the LUKS password
I composed an Android tool based on the available AOSP tools and libraries used for encryption (regular and disk). Project at GitHub: rinigus/hwcrypt: Encryption using hardware backed keys.
Now I will have to write the integration with SFOS.
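The three-stage derivation from the post, as an added worked example; this is not code from the post or from rinigus/hwcrypt. Everything "hardware" here is simulated so it runs anywhere: the signing key is a toy 1024-bit RSA key held inside a Python object (so K2 is 128 bytes rather than the 256 of a real 2048-bit key), padding is assumed to be PKCS#1 v1.5 (a deterministic scheme is required, since an RSA-PSS signature changes on every call and K2 would never be stable), the rate limit is a stand-in for MIN_SECONDS_BETWEEN_OPS driven by a fake clock, the error name is borrowed from keymaster's error codes, and the same salt is assumed for both scrypt steps. Salt, passwords and scrypt cost are constructed for the demo. The last function plays an attacker who can run code on the device but not extract the key, and shows that each guess costs one gated signing operation, so guessing speed is bounded by the key's rate limit rather than by how fast scrypt runs.

```python
"""Models K1 = scrypt(pw) -> K2 = sign_hw(K1) -> K3 = scrypt(K2) and the
MIN_SECONDS_BETWEEN_OPS throttle. Example code, not hwcrypt's own."""
import hashlib
import random

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # demo cost; raise N for real use
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class FakeClock:
    """Deterministic clock so the rate limit is exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with rng-chosen bases (toy key generation only)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(cand, rng):
            return cand


class HardwareBackedKey:
    """Stand-in for a Keymaster RSA key: the private exponent never leaves this
    object and sign() refuses calls spaced closer than min_seconds_between_ops.
    A real key lives in the TEE/SE and Keymaster enforces the limit, not Python."""
    def __init__(self, clock, min_seconds_between_ops, bits=1024, seed=1):
        rng = random.Random(seed)   # seeded only so the demo is reproducible
        e = 65537
        while True:
            p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:   # e is prime, so this means gcd(e, phi) == 1
                break
        self.n, self.e, self._d = p * q, e, pow(e, -1, phi)
        self.k = (self.n.bit_length() + 7) // 8   # signature length in bytes
        self._clock, self.min_seconds = clock, min_seconds_between_ops
        self._last_op, self.ops = None, 0

    def _emsa(self, data):
        """EMSA-PKCS1-v1_5: deterministic, which the scheme depends on."""
        t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
        return b"\x00\x01" + b"\xff" * (self.k - len(t) - 3) + b"\x00" + t

    def sign(self, data):
        now = self._clock.now()
        if self._last_op is not None and now - self._last_op < self.min_seconds:
            raise PermissionError("KEY_RATE_LIMIT_EXCEEDED")   # name as in keymaster
        self._last_op, self.ops = now, self.ops + 1
        m = int.from_bytes(self._emsa(data), "big")
        return pow(m, self._d, self.n).to_bytes(self.k, "big")

    def verify(self, data, sig):
        s = int.from_bytes(sig, "big")
        return s < self.n and pow(s, self.e, self.n).to_bytes(self.k, "big") == self._emsa(data)


def _kdf(data, salt):
    return hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def derive_luks_key(password, salt, hwkey):
    """K1 -> K2 -> K3 as in the post. Raises PermissionError when the key is throttled."""
    k1 = _kdf(password, salt)        # 32 bytes
    k2 = hwkey.sign(k1)              # hwkey.k bytes (256 for a 2048-bit key)
    return _kdf(k2, salt)            # K3, 32 bytes, the LUKS passphrase


def online_guess(candidates, salt, hwkey, clock, target):
    """Attacker tries candidates as fast as the key allows; every attempt needs one
    signing op, so the wall-clock cost is len(candidates) * min_seconds.
    Returns (matching password or None, total hardware ops, simulated seconds)."""
    start = clock.now()
    for cand in candidates:
        k1 = _kdf(cand, salt)
        while True:
            try:
                k2 = hwkey.sign(k1)
                break
            except PermissionError:
                clock.advance(hwkey.min_seconds)   # nothing to do but wait
        if _kdf(k2, salt) == target:
            return cand, hwkey.ops, clock.now() - start
    return None, hwkey.ops, clock.now() - start


if __name__ == "__main__":
    clock = FakeClock()
    key = HardwareBackedKey(clock, min_seconds_between_ops=5)
    salt = b"constructed salt"   # constructed demo values
    target = derive_luks_key(b"correct horse", salt, key)
    hit, ops, secs = online_guess([b"123456", b"password", b"correct horse"], salt, key, clock, target)
    print(f"recovered {hit!r} after {ops} hardware ops and {secs:.0f} simulated seconds")
```

The point of the simulation is the attacker function: offline, scrypt alone costs milliseconds per guess and parallelises, but with K2 gated behind the device key each guess costs one signing op, so three guesses take 15 simulated seconds at MIN_SECONDS_BETWEEN_OPS=5 no matter how much CPU the attacker has. The determinism check in sign() is the one property to confirm against the real key: if the keystore applies PSS padding, K2 differs every call and K3 will never match.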