Librem 5 LUKS Status

Yes, but why not just have a quick fix?
Right now, let the dev people solve the “touchscreen keyboard problem” and just focus on encrypting the / partition on a Librem 5 and using a USB-C keyboard (since they have USB-C support).
Wouldn't that be a quick fix, or am I missing something?
Can you use LUKS for / (or do you have to erase it)?

Come on people, let's make this work!

Because not being able to boot up your phone unless you are carrying a USB-C keyboard around with you is a no-go for most people? :slight_smile:
If you are willing to do that, you are probably also already able to manually encrypt and use / with LUKS (with a nice HOWTO), so that should always be possible.

Yes, if I have to choose between not having encryption and having encryption (but having to have a USB keyboard around when I boot), I would go for the encryption option.
It's a temporary fix, I understand that… But when they solve the problem with the touchscreen keyboard, it's probably a software fix, and then I can leave my home without a USB-C keyboard. :smiley:

OK, where can I find a HOWTO for this?

1 Like

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

It is not Debian-specific, so that might also be valuable to check out, but the Arch docs are mostly excellent.

Should be possible to modify this to better fit the L5 partitioning.

The size of the OpenPGP card on the Librem 5 is 2FF, which is the size of a miniSIM.
See: https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/

Hey!
Thanks for responding.

I agree with you that a mandatory keyboard and the like would not work but LUKS encryption on a linux mobile phone has been solved. I think postmarketOS did the heavy lifting here. I tested their solution and yah! It works.

Wiki/Docs: https://wiki.postmarketos.org/wiki/Osk-sdl
Blog post: https://postmarketos.org/blog/2017/09/03/100-days-of-postmarketos/#initramfs-is-full-of-new-features

It looks like they use a custom initramfs image that references resources on an unencrypted boot partition.

Thanks for all the great work you do for the community. :slight_smile:

4 Likes

Some progress on this topic:

2 Likes

Yes there has been some progress in this area.

As part of the work to get Full Disk Encryption, Osk-sdl has already been packaged for the Librem 5:

https://source.puri.sm/Librem5-apps/osk-sdl

But this is only a small step, our ultimate goal is not to just provide a live image that the user installs and it has LUKS support.

But an OEM-like experience with the OS, in which the user receives a device with the operating system already installed using Full Disk Encryption, but with no user created.
And all that the user has to do is run the first setup, create the user and replace the LUKS passphrase via the GNOME Initial Setup dialogs, and he is good to go.

Packaging Osk-sdl is one step in this direction, but to accomplish this second option, more work is required.

4 Likes

Isn’t this less secure?

All users would have the same key, or whatever it's called, just with different passphrases.
Or the key could have been extracted during setup before delivery to the customer.

Shouldn’t be an issue. No problem with randomizing keys/forcing the user to change the passphrase.

The very next sentence after your quote says the user will have to replace the LUKS password.

My question is just about the key. Not the passphrase.

To my knowledge the key is needed to decrypt the partition. The passphrase is just used to encrypt the key. And so the passphrase can be easily changed, without adapting the whole disk.

E.g. if you know the key you don’t need the current passphrase.

Yes, a challenging part (and a part we are working on now) is incorporating an encrypted image in such a way that each user has a unique key and not just a unique passphrase. There are a few different ways to do it, but it looks like the easiest way might be to just replace the master key and re-encrypt, which LUKS provides tools to accomplish. Another approach would be to script the process of creating a unique LUKS volume for each phone and copy files over instead of imaging and then modifying the default image.

Anyway, suffice to say it’s something we are aware of and are working on.

6 Likes
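The key-versus-passphrase distinction raised above, and the "replace the master key and re-encrypt" approach mentioned in the reply, can be shown in a small model. The following is an added example written for this thread, not Purism's code and not LUKS's real on-disk format: it uses stdlib PBKDF2 and an HMAC-SHA256 counter-mode keystream as a stand-in for the real ciphers (LUKS uses AES-XTS for data and a PBKDF/Argon2 for key slots), and the class and method names (`ToyLuksVolume`, `change_passphrase`, `reencrypt`) are my own. It shows that changing a passphrase only re-wraps the same volume key, so a key extracted from a shared factory image still decrypts the data until the volume is re-encrypted with a fresh key.

```python
"""Toy model of the LUKS key hierarchy (constructed example, not the LUKS format).

A random volume key encrypts the data. Each key slot stores the volume key
wrapped under a key derived from a passphrase, so:
  * changing a passphrase re-wraps the SAME volume key (cryptsetup luksChangeKey);
  * only re-encrypting with a NEW volume key (cryptsetup reencrypt) makes a
    previously extracted volume key useless.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # kept small for the demo; real LUKS2 defaults to Argon2id


def kdf(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit slot key from a passphrase and per-slot salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR with an HMAC-SHA256 counter-mode keystream (toy cipher, not AES-XTS)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyLuksVolume:
    """Hypothetical stand-in for a LUKS container: key slots + encrypted payload."""

    def __init__(self, passphrase: bytes) -> None:
        self.volume_key = os.urandom(32)          # the "master key" the thread talks about
        self.data_nonce = os.urandom(16)
        self.ciphertext = b""
        self.slots: Dict[int, Tuple[bytes, bytes, bytes]] = {}
        self.add_slot(0, passphrase)

    def add_slot(self, index: int, passphrase: bytes) -> None:
        """Wrap the volume key under a passphrase-derived key and store it with an HMAC tag."""
        salt = os.urandom(16)
        wrap_key = kdf(passphrase, salt)
        wrapped = keystream_xor(wrap_key, salt, self.volume_key)
        tag = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()
        self.slots[index] = (salt, wrapped, tag)

    def unlock(self, passphrase: bytes) -> Optional[bytes]:
        """Try every slot; return the unwrapped volume key on success, else None."""
        for salt, wrapped, tag in self.slots.values():
            wrap_key = kdf(passphrase, salt)
            expected = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                return keystream_xor(wrap_key, salt, wrapped)
        return None

    def write(self, plaintext: bytes) -> None:
        self.ciphertext = keystream_xor(self.volume_key, self.data_nonce, plaintext)

    def read_with_key(self, volume_key: bytes) -> bytes:
        """Decrypt the payload directly with a volume key, bypassing passphrases entirely."""
        return keystream_xor(volume_key, self.data_nonce, self.ciphertext)

    def change_passphrase(self, index: int, old: bytes, new: bytes) -> None:
        """Like luksChangeKey: proves the old passphrase, then re-wraps the unchanged volume key."""
        if self.unlock(old) is None:
            raise ValueError("old passphrase does not open any slot")
        self.add_slot(index, new)

    def reencrypt(self, passphrase: bytes) -> None:
        """Like cryptsetup reencrypt: decrypt, generate a fresh volume key, re-wrap, re-encrypt."""
        plaintext = self.read_with_key(self.volume_key)
        self.volume_key = os.urandom(32)
        self.data_nonce = os.urandom(16)
        self.slots = {}
        self.add_slot(0, passphrase)
        self.write(plaintext)


def demo() -> Dict[str, bool]:
    """Walk through the OEM-image scenario from the thread; returns the observed facts."""
    shipped = ToyLuksVolume(b"factory-default")   # same image on every phone (constructed)
    shipped.write(b"user files")
    extracted_key = shipped.unlock(b"factory-default")  # key a third party could have taken

    shipped.change_passphrase(0, b"factory-default", b"my-new-passphrase")
    key_after_change = shipped.unlock(b"my-new-passphrase")
    results = {
        "old_passphrase_rejected": shipped.unlock(b"factory-default") is None,
        "volume_key_unchanged_by_passphrase_change": key_after_change == extracted_key,
        "extracted_key_still_decrypts": shipped.read_with_key(extracted_key) == b"user files",
    }

    shipped.reencrypt(b"my-new-passphrase")
    results["volume_key_replaced_by_reencrypt"] = shipped.unlock(b"my-new-passphrase") != extracted_key
    results["extracted_key_now_useless"] = shipped.read_with_key(extracted_key) != b"user files"
    results["data_intact_after_reencrypt"] = shipped.read_with_key(shipped.volume_key) == b"user files"
    return results


if __name__ == "__main__":
    for fact, holds in demo().items():
        print(f"{fact}: {holds}")
```

The model deliberately separates `unlock` (passphrase → volume key) from `read_with_key` (volume key → data), because that separation is exactly why a shared image with a forced passphrase change is not enough: the per-device fix is a new volume key, which is what `reencrypt` models.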

As Byzantium for the Librem 5 is coming closer:
Is there an update regarding LUKS with an individual key?

Maybe also with support for the smartcard?

2 Likes

I think Byzantium will ship with LUKS by default at some point. Meanwhile I wrote this tutorial on how to manually enable and use LUKS encryption. It's not an ideal method yet, but good enough to test. It also shows with confidence that sooner or later it will work natively.

2 Likes

But there is still the issue left that it's not using unique keys, correct?

And no smartcard support for decrypting instead of the password.

That's correct, hence the “not ideal” method.
At the bottom of the tutorial I hint at two possible methods to generate our own keys, like using the Jumpdrive; it would be great if someone takes it forward from there. Otherwise I'm hoping Byzantium will bring native LUKS very soon!

I also wanted the smartcard feature and found a way to unlock LUKS with a smartcard on the PinePhone with Mobian. Although this is not PureOS, both are Debian distros and in general it should work with the Librem 5 too. I’ve modified the script from Purism to automate the configuration. Feel free to have a look at https://github.com/sam-m7/smartcard-luks-osk.

As I’ve only tested it on the PinePhone (I don’t have my Librem 5 yet) and you might need to add other kernel modules to the initramfs on a Librem 5, I wouldn’t recommend just executing it if you’re not OK with reinstalling the OS and losing all the data stored on the phone.

5 Likes

I just re-encrypted my LUKS partition and posted the steps in the Tutorial post.

3 Likes

I would assume that the following needs to be integrated in the initramfs for your smartcard-luks-osk script in one way or another:

That's a part from here:

1 Like