-
-
Notifications
You must be signed in to change notification settings - Fork 39
Home
##What is this?
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.
This project is the port of LUKS to Android.
##Reference
- Linux Unified Key Setup: http://code.google.com/p/cryptsetup/
Credit and a big thanks to the original hackers on this effort
- AndroidVoid: https://androidvoid.wordpress.com/2009/09/30/android-encryption-using-cryptsetup-and-luks/
- sigkill1337: http://forum.xda-developers.com/showthread.php?t=866131
- set up the Android NDK on your computer
- install required software:
sudo apt-get install autoconf automake libtool autopoint git make patch - get the sources:
git clone git://github.com/guardianproject/LUKS.git cd LUKS/external-
make NDK_ROOT=/usr/local/android-ndk-r5(or change the path to where you put the folder) adb push sbin/cryptsetup.static /data/local/cryptsetup- For more info, read the README
Or you can download our binary: cryptsetup (right-click and download)
##Usage - Encrypted Mount
NexusOne/CM6.1 as root... creating a 50 megabyte "secretagentman.mp3" file on the sdcard to store our encrypted file system. The commands below can be issues via adb shell or terminal and require root permission. We are working on a GUI.
Comments from a reader below: /* nice instructions on the wiki, two things tho: “dd if=/dev/zero of=/mnt/sdcard/secretagentman.mp3 bs=1M count=50000000″ this creates a 50 TB file on the sdcard. you can see where this would be problematic and: “Change the permissions to root read only on the hidden file /mnt/sdcard/.temp.file” nice idea, sadly the sdcard is fat32, which doesn’t support unix-style permissions… */
- dd if=/dev/zero of=/mnt/sdcard/secretagentman.mp3 bs=1M count=50000000
- mknod /dev/loop0 b 7 0
- losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
- ./cryptsetup luksFormat -c aes-plain /dev/loop0
- ./cryptsetup luksOpen /dev/loop0 secretagentman
- ./cryptsetup status secretagentman
- mke2fs -O uninit_bg,resize_inode,extent,dir_index -L DroidCrypt0 -FF /dev/mapper/secretagentman
- mkdir /mnt/sdcard/secretagentman
- mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman
- mknod /dev/loop0 b 7 0
- losetup /dev/loop0 /mnt/sdcard/secretagentman.mp3
- ./cryptsetup luksOpen /dev/loop0 secretagentman
- mount /dev/mapper/secretagentman /mnt/sdcard/secretagentman
- umount /mnt/sdcard/secretagentman
- ./cryptsetup luksClose secretagentman
- First umount and close (see above)
- rm /mnt/sdcard/secretagentman.mp3
- Store the file and folder as hidden files: /mnt/sdcard/.temp.file and the mount point /mnt/sdcard/.temp
- Change the permissions to root read only on the hidden file /mnt/sdcard/.temp.file
Information taken from this thread: http://forum.xda-developers.com/showpost.php?p=11616180&postcount=12
/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 mtd@userdata /encrypted-data nosuid nodev
The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted
Create the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formated userdata partition.
The sdcard "/dev/block/mmcblk0p2" partition is formated with "cryptsetup luksFormat", I did this also on my computer, saves some time. And then copy everything from the old unencrypted sdcard.
Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy