Decryption of /home is implemented using systemd units and scripts that request password(s) via systemd-ask-password
Passwords can be entered through dedicated UI which is started during a boot. For that, keyboard is available (English chars, numbers, symbols).
Proof of concept has been reached with the full text password, either plain or piped through Android hardware bound key for signing, used to decrypt /home partition.
Solution should work for ports based on official devices approach (such as Sony Tama devices) and regular unofficial ports. Latter could just use loopback file for encrypting /home.
EDIT: in the original, it looks like the default is to build all the variants (Argon2i, Argon2d, and Argon2id are parametrized by:…) use Argon2d instead of Argon2i callargon2d_hash_rawinstead ofargon2i_hash_raw`
It is calling with -id option that should combine d and i after each other. As far as I understood, this is a recommended way of key derivation by argon2
Cool. I’m going to have to try this, but it probably makes more sense to get version 4.1 running on my second volla phone, or?. I also have an fp2 with 3.4 that might do.
Sadly, I still haven’t been able to flash 4.1 on the volla.
I am writing now startup wizard and settings app. It has started with support library which would be responsible for the actions. It would make sense to wait with trials until those are sorted. Then testing by myself, testing by you, and I hope someone can take time and review the code. After that, roll out
So, in this respect - you have few days to sort out Volla situation
We have just reached the state where all the initially planned functionality is ready. All packages involved in providing encryption solution as discussed above are tagged with their first release tags. I am planning to roll out this solution on Sony Tama port and I hope other devices will follow.
On the released version (4.2 SFOS, Tama port and I presume some others as well), LUKS2 is used with argon2 based keygen. However, this is insufficient. Don’t forget that our phone CPUs are way weaker than your PC CPU. So, number of iterations done by argon2 is smaller than would be needed to protect against attack on PC/server. Hence, in the community encryption, hardware backed key is used as a part of the key generation procedure. This essentially limits the attack to be performed on phone itself - it is just too time consuming to start guessing the key otherwise. As hardware key access can be limited, it makes brute force attack rather unattractive option - something we, as users, would prefer to have.
No, not yet. Official ports have LUKS password the same as your PIN. So, you cannot really do much with such setup. When asked on the community meeting regarding their LUKS alphanumeric passwords, Jolla developers replied that they don’t plan to use open-sourced solution, as it was developed here, and, instead, cruft something themself.
Now, I expect that they will have to drop this “brilliant” idea of having coupled LUKS password and PIN in that case. Which should allow to replace Jolla’s solution with this one if someone will want it. Hence, “not yet”. Let’s see whether such decoupling will happen with 4.4.
I’m still confused why I have two passcodes and I don’t know how to change either. I’d certainly like SF to stop asking for one. I’d guess the other linked to the encryption key is virtually impossible to change.
