For example, you might be selling the phone or handing it down and just want a simple way of not giving away any data along with the phone.
No matter the reason, you do want to ensure that wiping the phone does not occur accidentally!!
If you are concerned about a duress scenario then it’s not as if you will want the phone to prompt for confirmation: Do you really want to wipe all data on the phone?
Also, for instance one way would be to have PIN/PW plus one additional number, 0-9. Each number could be assigned an additional function. One could login with SW locks on all sensors on, another could send location to mum (provided HW lock is not on), third could open system without decrypting certain folders or drives, fourth could start voice recording and fifth could start video streaming or take a pic to your photographic random Twitter-feed. And so on.
Do you have a reason for wanting to do that surreptitiously? Otherwise all of that could be achieved by having 10 buttons on your main screen (the screen that is displayed after you unlock).
Where does surreptitiousness sit on the scale between negative and positive?
That was only one example of the implementation possibilities. With some of those actions it may be a benefit, with some it doesn’t matter that much. In some cases I’d imagine different user situations might alter that equation. Some actions may need to be executed before the GUI and system initialize, so that actions could not be prevented from happening (say, delete and overwrite x100 drive decryption keys). I don’t think we should set the limits on how a user wants to set that up - just make it possible to use more alternatives (such as some that I previously described with “Malform”).
I’m not personally a fan of duress codes that wipe data as a security measure for that threat. In some jurisdictions that would be considered evidence tampering and may cause you more grief. In the “rubber hose” threat model it would just cause you a different type of grief.
So I personally won’t be pushing for that kind of spycraft for the L5, but of course you are free to develop it yourself if you want it. Instead, I favor what I’ve described as “user personas” in this article as well as in a few places here in the forum whenever travel spycraft on the Librem 5 comes up.
To summarize, I think the safest approach is one that allows you to fully comply with customs/border agents or other officials, and not one that requires you to lie (you are not as good a liar as they are lie detectors), conceal, or smuggle something. So with user personas, before you travel you back up your home persona, and replace it with your “travel persona” or “border persona” that only has the data, accounts, and information you need while traveling. Then if someone compels you to turn over your phone, you can comply without putting anything at risk. Then when you get home (or get through a border checkpoint, or whatever the situation is) you can potentially (depending on your threat) restore a different persona from local or remote storage.
Just to add to this, we don’t have an automated way to swap user personas today, but due to the simplicity of Linux users and the fact that sensitive data and settings tend to live under your home directory, it would be easy to do this manually:
1. Use the GUI Backup app to back up your home directory somewhere (microSD card, network storage, etc.)
2. Erase the contents of /home/purism completely and reboot.
3. Start with no personal settings and set up your new travel persona with saved accounts/passwords/files/app settings you need.
4. Back that up as your travel persona, erase /home/purism again, and restore your original /home/purism persona.
5. To swap between personas, just erase/restore /home/purism.
If no one beats me to it, this seems like a relatively simple GUI project to script up with yad using deja dup behind the scenes, if I find some time.
Yes. You’d erase all the files (including hidden files that start with ‘.’) underneath /home/purism but leave /home/purism intact. I double-checked with others on the team and because all of the settings you set at first boot ultimately get stored there, it should just reset you back to your first boot state (at least in terms of user settings, any system-level apps or packages you installed previously would still be there).
[Edited to add] I should note that this is essentially what I’ve documented in my backup and restore article and perform each time I’ve migrated my settings and files from one Librem 5 phone to another. The main difference is I back up and restore a few additional things, like my openvpn configs from /etc and my user crontab, as well as restore any uninstalled apps (as I assume I’m starting from a blank, new image).
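The manual swap described in the posts above (back up, erase everything under /home/purism including dotfiles while keeping the directory itself, restore), sketched as shell functions. This is an added example, not part of the original posts and not Purism tooling; it uses plain tar instead of the GUI Backup app, and PERSONA_STORE is a hypothetical backup location that must live outside the home directory.

```shell
#!/bin/sh
# Added example: persona swap by archiving and clearing a home directory.
# PERSONA_HOME / PERSONA_STORE defaults are assumptions; override as needed.
PERSONA_HOME="${PERSONA_HOME:-/home/purism}"
PERSONA_STORE="${PERSONA_STORE:-/media/persona-backups}"  # hypothetical path

# Archive everything under the home directory (dotfiles included) as NAME.tar.
# Written to a temp name first so a failed backup never replaces a good one.
persona_save() {
    mkdir -p "$PERSONA_STORE" || return 1
    tar -C "$PERSONA_HOME" -cf "$PERSONA_STORE/$1.tar.tmp" . || return 1
    mv "$PERSONA_STORE/$1.tar.tmp" "$PERSONA_STORE/$1.tar"
}

# Delete all contents, hidden files too, but leave the directory in place.
persona_clear() {
    [ -d "$PERSONA_HOME" ] || return 1
    find "$PERSONA_HOME" -mindepth 1 -delete
}

# Replace the current contents with the saved persona NAME.
persona_restore() {
    archive="$PERSONA_STORE/$1.tar"
    # Refuse to erase anything unless the archive exists and tar can list it.
    tar -tf "$archive" >/dev/null 2>&1 || {
        echo "no usable archive: $archive" >&2
        return 1
    }
    persona_clear || return 1
    tar -C "$PERSONA_HOME" -xpf "$archive"
}

# Save the running persona as CURRENT, then switch to TARGET.
persona_swap() {
    persona_save "$1" && persona_restore "$2"
}
```

Reboot after a swap, as in the manual steps. The delete here is an ordinary unlink, so it does not securely erase flash storage.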
It looks as if shred is installed by default on the Librem 5. Tick. However there isn’t really any foolproof way of erasing content on a solid state device.
With switchable personae, what do you do about, for instance, email/call/chat connectivity and history, and contacts, which are things that would be of definite interest if your phone is being targeted at international borders? (And things you wouldn’t want to be without while traveling.)
All of that would be erased if you switched to a different persona. So you would set up the travel persona only with the contacts you need while traveling (perhaps hotels/restaurants/etc and people you are traveling with, credit card contact numbers and perhaps an emergency contact if you need it).
It really all depends on your threat. You’d travel with what you were willing to lose. We have a lot of folks that show up in our forum who have given themselves a threat model of an international spy, so those people should be well-acquainted with the idea of compartmentalizing identities and already have all of that set up ahead of time.
For everyone else, the prevalence of free online accounts these days means it’s relatively simple to create travel persona accounts on the various websites you’d need to access. So to take this all the way, you’d set up a travel webmail account somewhere trustworthy and use it for your travel arrangements. That’s a good practice in general anyway as if you start getting spammed on that account you can tear it down and start again.
It’s similar to telling people who want to contact you while traveling the new local # you will get with your prepaid SIM you buy on arrival (if you do that).
Other people may just be concerned with border crossings in their threat model, and not with losing their data once they are traveling within a region. In that case I suppose they could restore a persona from the Internet once they cross the border, then perform the same swap when they cross back.
You adapt the general principles in play to your particular threats.
Maybe one of the codes after the pin code could cause a direct short circuit of the Lithium ION battery. So BOOM! the phone catches on fire. After they put the fire out, all that’s left of your L5 is melted plastic, oozing toxic chemicals, and third degree burns on the guy who tried to get to your data. So the data isn’t the only thing that’s gone. The whole phone is gone. Then you tell the authorities “Wow, you just can’t trust those Samsung phones. I thought they solved those battery problems years ago”.
For the international spies among us … would another option be to mount something on the uSD card as /home/purism and that way persona equates to uSD card? You swap personas by swapping uSD cards.
So as you leave your house at the start of the mission, you take the specific required passport and the matching uSD card is inserted into the phone.
Downsides that I can see are:
a) if uSD card is borked then phone may become unusable, and
b) it is readily obvious that you have set it up this way (but I tend to think, as a hypothetical, that if “they” are taking that level of interest in you then you are probably stuffed already)
You mean another modem from Purism as part of the purchase? i.e. accessorizing?
Yes most definitely.
Modems are on the Purism shop already.
Each of three variants of the BM818 is US$49. I would suppose that you can buy as many of them as you want - if you have the spare cash!!
That however is a can of worms. If you mean change the IMEI by changing out the modem for another one, I would suppose that you can do that, as often as you want, using any modem that you have.
Don’t forget though that
a) the IMSI won’t change as you do that
b) the modem antenna may not be rated for doing this an unusually high number of times.