Skip to content
This repository has been archived by the owner on Jan 24, 2018. It is now read-only.
nathanfreitas edited this page Mar 16, 2011 · 47 revisions

##What is this?

LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

This project is the port of LUKS to Android. We have built upon work from the greater Android/XDA community, and updated the build process to provide a clean Makefile for use with the latest Android Native Development Kit. We also have provided a compiled binary for non-developers, and are working on a user friendly app that will users to create and mount encrypted stores on their internal or external memory.

##Reference

Credit and a big thanks to the original community hackers on this effort

Build Steps

  • set up the Android NDK on your computer
  • install required software: sudo apt-get install autoconf automake libtool autopoint git make patch
  • get the sources: git clone git://github.com/guardianproject/LUKS.git
  • cd LUKS/external
  • make NDK_ROOT=/usr/local/android-ndk-r5 (or change the path to where you put the folder)
  • adb push sbin/cryptsetup.static /data/local/cryptsetup
  • For more info, read the README

Or you can download our binary: cryptsetup (right-click and download)

##Usage - Encrypted Mount

For any CyanogenMOD (http://cyanogenmod.com) CM6.x device... creating a 50 megabyte "secretagentman.mp3" file on the sdcard to store our encrypted file system. The commands below can be issues via adb shell or terminal and require root permission. We are working on a GUI.

First Time Setup

The "count=" variable below should create a 50MB file, but you might want to play around with the value on your system to see.

  1. dd if=/dev/zero of=/mnt/sdcard/secretagentman.mp3 bs=1M count=500000
  2. mknod /dev/loop0 b 7 0
  3. losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
  4. ./cryptsetup luksFormat -c aes-plain /dev/loop0
  5. ./cryptsetup luksOpen /dev/loop0 secretagentman
  6. ./cryptsetup status secretagentman
  7. mke2fs -O uninit_bg,resize_inode,extent,dir_index -L DroidCrypt0 -FF /dev/mapper/secretagentman
  8. mkdir /mnt/sdcard/secretagentman
  9. mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman

Mount Existing

  1. mknod /dev/loop0 b 7 0
  2. losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
  3. ./cryptsetup luksOpen /dev/loop0 secretagentman
  4. mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman

To Unmount and close

  1. umount /mnt/sdcard/secretagentman
  2. ./cryptsetup luksClose secretagentman

To delete secured image

  1. First umount and close (see above)
  2. rm /mnt/sdcard/secretagentman.mp3

To access from Desktop

  1. Mount your SDCard via USB on your desktop machine
  2. Use a desktop version of cryptsetup, and follow the "Mount Existing" instructions from above, with step 2 updated to point to the desktop mount location of the "secretagentman.mp3"

Ways to improve security of file and mount directory

  • Store the file and folder as hidden files: /mnt/sdcard/.temp.file and the mount point /mnt/sdcard/.temp
  • Other ideas?

Encrypted Device

Information taken from this thread: http://forum.xda-developers.com/showpost.php?p=11616180&postcount=12

/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:

mount yaffs2 mtd@userdata /encrypted-data nosuid nodev

The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:

exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted

Create the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.

The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.

Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy

Clone this wiki locally