Urgent but simple-to-implement additions to encryption in SFOS

SFOS now has encrypted LUKS storage and supports pin-code / fingerprints to unlock.
But in some aspects it looks more like security theater than an OS designed with security in mind.
What has to be implemented:

  1. decouple LUKS storage pw (boot pw) from PIN - allow them to be different.
  2. double Power Button click should disable fingerprint scanner till after next PIN code unlock.

Reasons:

  1. decouple LUKS storage password (boot pw) from PIN - allow them to be different.
    Currently the PIN code acts as the password for the LUKS volume, and PIN codes are short numeric codes.
    In a situation where you lose access to your encrypted SFOS phone for some time, an opponent can boot it into recovery, dump the LUKS volume header (or the whole storage), and then brute-force your numeric PIN on a video card. So he will have your PIN to unlock the phone and storage in some ~30 minutes.
    You don’t even have to know that this happened, i.e. he can boot the phone into recovery, dump the LUKS header and return the phone; it will take 5 minutes tops.
    Then he can brute-force the PIN offline and unlock the phone secretly the next time he has access to it.
    And you wouldn’t even know it.

Solution: leave the PIN code only for runtime unlocking, and allow setting a different full-keyboard alphanumeric password for boot LUKS unlocking (when turning on).

  2. double Power Button click should disable fingerprint scanner till after next PIN code unlock.
    This is already implemented on iOS at least, because there are situations in some countries where you can be forced to apply your finger to the fingerprint scanner.
    So in such situations the ability to quickly “block” fingerprint unlocking is essential.
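As an added illustration of the first point (not part of the forum post, and not code from Jolla or SFOS), here is a small Python check that compares the keyspace of a numeric PIN with that of an alphanumeric passphrase and applies a simple policy for the boot (LUKS) secret: refuse purely numeric secrets and anything below a chosen entropy floor. The offline guess rate is a constructed placeholder, not a measurement of any real device or KDF setting; the "~30 minutes" figure above is the poster's own estimate and is not reproduced here.

```python
"""Added example: why a short numeric PIN is a weak LUKS passphrase.

Estimates the keyspace of a secret from the character classes it uses and
turns that into an exhaustive-search time at an assumed guess rate. Every
number here is illustrative; nothing is measured against a real device.
"""
import math
import string

# Constructed placeholder: offline guesses per second against the LUKS key
# derivation function. Replace with a figure measured on your own setup.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Character classes and their sizes, used to estimate the alphabet.
_CLASSES = (
    (set(string.digits), 10),
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.punctuation), 32),
)


def alphabet_size(secret: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    if not secret:
        return 0
    size = 0
    covered = set()
    for chars, n in _CLASSES:
        if any(c in chars for c in secret):
            size += n
            covered |= chars
    # Characters outside the known classes (e.g. non-ASCII) each add one
    # symbol: a conservative lower bound rather than a real estimate.
    extra = {c for c in secret if c not in covered}
    return size + len(extra)


def keyspace(secret: str) -> int:
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size(secret) ** len(secret)


def keyspace_bits(secret: str) -> float:
    """Keyspace expressed in bits (0 for an empty secret)."""
    return math.log2(keyspace(secret)) if secret else 0.0


def exhaustive_search_seconds(secret: str,
                              rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(secret) / rate


def acceptable_boot_secret(secret: str, min_bits: float = 60.0) -> bool:
    """Policy for the boot keyslot: no purely numeric secrets, and at least
    min_bits of keyspace. The runtime PIN is a separate, weaker secret."""
    if not secret or secret.isdigit():
        return False
    return keyspace_bits(secret) >= min_bits


if __name__ == "__main__":
    # Constructed sample secrets: a typical PIN and a 12-character passphrase.
    for label, s in (("6-digit PIN", "123456"),
                     ("12-char alphanumeric", "Sailfish2Tux")):
        print(f"{label:22s} keyspace~2^{keyspace_bits(s):.1f}  "
              f"exhaustive search~{exhaustive_search_seconds(s):.0f} s  "
              f"boot-slot OK: {acceptable_boot_secret(s)}")
```

The gap the script makes visible is the whole argument: a 6-digit PIN has about 2^20 candidates, a 12-character mixed-case alphanumeric passphrase about 2^71, so whatever the real guess rate turns out to be, the ratio between the two is roughly 2^51. Keeping the PIN for runtime unlocking while holding the LUKS keyslot to the stricter policy is exactly the decoupling requested above.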

How would you dump in recovery without knowing the PIN code?

fastboot boot <kernel> [ <ramdisk> [ <second> ] ] Download and boot kernel.

I think this post about easily decrypting your home directory is a good overview (I never tried it, don’t know if it works):

If it’s true, then Jolla strongly needs to consider adding the ability for either a separate boot passphrase, or allowing passphrases in addition to PINs. Either should be a very simple implementation.

Can you fastboot boot a random image with a locked bootloader?

Afaik, you cannot boot Sailfish with a locked bootloader, so it’s irrelevant if a locked bootloader prevents you from fastbooting random images… :wink: