# Device Encryption
AXP.OS will force-encrypt every device automatically on first boot. If you are about to port a new device to AXP.OS you should always try to get the latest supported encryption method available for your hardware.
These are the encryption methods and their state:

- Full Disk Encryption (FDE): not supported (neither by AXP.OS nor Android)
- File Based Encryption v1 (FBEv1): supported, always check if you can upgrade to FBEv2 though
- File Based Encryption v2 (FBEv2): supported, if possible: get it!
references:
- FBE encryption
- FBE metadata encryption
- FBE adoptable storage
- FBE hardware wrapped keys
- legacy FDE encryption
AXP.OS will not support FDE and so you have to move to FBE v1 or v2 first.
Every setting here must be compatible with and match the other subsections. That means kernel, fstab and device.mk depend on each other, and a conflicting configuration will break things.
AXP.OS prefers setting encryption parameters explicitly, i.e. even though `fileencryption=::v1` is (at the moment) identical to `fileencryption=aes-256-xts:aes-256-cts:v1`, AXP.OS prefers the latter. Not only does that make it perfectly clear what is in use, but defaults change in Android (as they will with the upcoming `aes-256-hctr2` default for `filenames_encryption_mode`).
## fstab

### FBEv1

reference commit: TBD

Choose the mount option that best matches your hardware, listed from low to high:

```
... /data ... fileencryption=aes-256-xts:aes-256-cts:v1
... /data ... fileencryption=aes-256-xts:aes-256-cts:v1+inlinecrypt_optimized
```

rare on FBEv1 - if any:

```
... /data ...,inlinecrypt ...,fileencryption=aes-256-xts:aes-256-cts:v1+inlinecrypt_optimized+wrappedkey_v0
... /data ...,inlinecrypt ...,fileencryption=aes-256-xts:aes-256-cts:v1+emmc_optimized+wrappedkey_v0
```
### FBEv2

reference commit: hotdog

Choose the mount option that best matches your hardware, listed from low to high:

```
... /data ... fileencryption=aes-256-xts:aes-256-cts:v2
... /data ... fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized
... /data ... fileencryption=aes-256-xts:aes-256-cts:v2+emmc_optimized
... /data ...,inlinecrypt ...,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized+wrappedkey_v0
... /data ...,inlinecrypt ...,fileencryption=aes-256-xts:aes-256-cts:v2+emmc_optimized+wrappedkey_v0
```

A14 (+ your kernel must have AES-HCTR2 implemented):

```
... /data ...,inlinecrypt ...,fileencryption=aes-256-xts:aes-256-hctr2:v2
```
## device.mk

reference commit: hotdog

full example:

```makefile
# FBEv2 (forces FBE v2 regardless of PRODUCT_SHIPPING_API_LEVEL)
PRODUCT_PROPERTY_OVERRIDES += \
    ro.crypto.volume.filenames_mode=aes-256-cts \
    ro.crypto.volume.metadata.method=dm-default-key \
    ro.crypto.dm_default_key.options_format.version=2

# adoptable storage
# remove inlinecrypt_optimized when not using inline encryption hardware
PRODUCT_PROPERTY_OVERRIDES += \
    ro.crypto.volume.options=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized \
    ro.crypto.volume.contents_mode=aes-256-xts \
    ro.crypto.volume.filenames_mode=aes-256-cts
```
## kernel

```
CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
CONFIG_CRYPTO_SHA2_ARM64_CE=y
```

If your device uses UFS-based storage:

```
CONFIG_SCSI_UFS_CRYPTO=y
```

OR if your device uses eMMC-based storage instead:

```
CONFIG_MMC_CRYPTO=y
```

If you will not be using inline encryption hardware, also set:

```
CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
```

The remaining symbols come in three variants, which differ in which filesystem-encryption symbols the kernel provides; use the one that applies to your kernel and FBE version:

```
CONFIG_EXT4_ENCRYPTION=y
CONFIG_F2FS_FS_ENCRYPTION=y
```

For Metadata encryption:

```
CONFIG_DM_CRYPT=y
```

```
CONFIG_EXT4_ENCRYPTION=y
CONFIG_F2FS_FS_ENCRYPTION=y
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
```

For Metadata encryption:

```
CONFIG_DM_DEFAULT_KEY=y
# CONFIG_DM_CRYPT is not set
```

```
# CONFIG_EXT4_ENCRYPTION is not set
# CONFIG_F2FS_FS_ENCRYPTION is not set
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
```

For Metadata encryption:

```
CONFIG_DM_DEFAULT_KEY=y
# CONFIG_DM_CRYPT is not set
```
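As an added example (not part of the AXP.OS wiki or code base), a small Python lint that cross-checks the three places above the way the compatibility requirement demands: the fstab `fileencryption=` option, the `ro.crypto.volume.*` properties in device.mk and the kernel defconfig. The sample fstab line, device.mk fragment and defconfig are constructed, and the checks encode only the pairings shown on this page (explicit cipher modes, v1/v2, `wrappedkey_v0` together with the `inlinecrypt` mount flag, the inline-crypt kernel symbols, `dm-default-key` needing `CONFIG_DM_DEFAULT_KEY`).

```python
import re
# Constructed sample inputs (not from a real device tree): FBEv2 /data with inline encryption hardware.
FSTAB = ("/dev/block/bootdevice/by-name/userdata /data f2fs noatime,nosuid,nodev,inlinecrypt "
         "latemount,wait,check,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,quota")
DEVICE_MK = """PRODUCT_PROPERTY_OVERRIDES += \\
    ro.crypto.volume.metadata.method=dm-default-key \\
    ro.crypto.dm_default_key.options_format.version=2 \\
    ro.crypto.volume.options=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized \\
    ro.crypto.volume.contents_mode=aes-256-xts \\
    ro.crypto.volume.filenames_mode=aes-256-cts
"""
DEFCONFIG = ("CONFIG_BLK_INLINE_ENCRYPTION=y\nCONFIG_FS_ENCRYPTION=y\n"
             "CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y\nCONFIG_DM_DEFAULT_KEY=y\n# CONFIG_DM_CRYPT is not set\n")

def parse_fileencryption(fstab_line):
    """Split fileencryption=<contents>:<filenames>:<version>+<flag>...; None when absent (FDE or none)."""
    m = re.search(r'fileencryption=([^,\s]*)', fstab_line)
    if not m:
        return None
    modes, _, flags = m.group(1).partition('+')
    contents, filenames, version = (modes.split(':') + ['', '', ''])[:3]
    return m.group(1), contents, filenames, version, set(filter(None, flags.split('+')))

def check_encryption(fstab_line, device_mk, defconfig):
    """Return findings where fstab, device.mk and kernel config disagree; [] means consistent."""
    fields = fstab_line.split()                     # src mnt_point type mnt_flags fs_mgr_flags
    mount_flags = set(fields[3].split(',')) if len(fields) > 4 else set()
    props = dict(re.findall(r'(ro\.crypto\.[\w.]+)=([^\s\\]+)', device_mk))
    cfg = set(re.findall(r'^(CONFIG_\w+)=y', defconfig, re.M))
    fbe = parse_fileencryption(fstab_line)
    if fbe is None:
        return ['/data has no fileencryption= option: FDE is not supported, move to FBE']
    raw, contents, filenames, version, flags = fbe
    out = []
    if not contents or not filenames:               # e.g. fileencryption=::v1 relies on Android defaults
        out.append('cipher modes left to the Android default; state them explicitly')
    if version not in ('v1', 'v2'):
        out.append(f'unknown FBE policy version {version!r}')
    if 'wrappedkey_v0' in flags and 'inlinecrypt' not in mount_flags:
        out.append('wrappedkey_v0 is only used together with the inlinecrypt mount flag')
    if 'inlinecrypt' in mount_flags:
        out += [f'inlinecrypt mount flag needs {s}=y' for s in
                ('CONFIG_BLK_INLINE_ENCRYPTION', 'CONFIG_FS_ENCRYPTION_INLINE_CRYPT') if s not in cfg]
    if (props.get('ro.crypto.volume.options', raw), props.get('ro.crypto.volume.contents_mode', contents),
            props.get('ro.crypto.volume.filenames_mode', filenames)) != (raw, contents, filenames):
        out.append('device.mk ro.crypto.volume.* properties differ from fstab fileencryption=')
    if props.get('ro.crypto.volume.metadata.method') == 'dm-default-key' and 'CONFIG_DM_DEFAULT_KEY' not in cfg:
        out.append('dm-default-key metadata encryption needs CONFIG_DM_DEFAULT_KEY=y')
    return out
```

Run `check_encryption(FSTAB, DEVICE_MK, DEFCONFIG)` against your own fstab line, device.mk and defconfig text; an empty list means the three agree on the pairings listed above.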