Encryption of user data

Jolla Care -

 

 

CONTENTS:
1. Introduction to encryption in Sailfish OS
1.1. Security code
2. Encryption - an extension to Device lock
3. How to enable the encryption
   3.1. Preparations
   3.2. Activation from Settings
4. Can I choose not to use the encryption?
5. Status of encryption
6. Boot-up of an encrypted phone
Further reading



1. Introduction to encryption in Sailfish OS

This article describes how encryption [1] works on Sailfish 3.3.0 release and onwards.

  • The 1st revision of Sailfish encryption was released at the end of 2019 [Sailfish OS 3.2.0]. The 2nd revision will be released in the 1st quarter of 2020 [Sailfish OS 3.3.0].
  • Sailfish encryption is based on LUKS [2][3]. LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions but also provides secure management of multiple user passwords [3].
  • The data is encrypted with the 256-bit AES encryption algorithm.
  • Sailfish encryption (and this help article) cover the data in the home directory (i.e.,/home ). It contains all user data.
  • The encryption service is present in every Sailfish OS device by default (in the device models it was added to). It works in the background even when not explicitly activated.
  • Encryption of user data is available on all Xperia devices from Sailfish OS version 3.3.0 onwards.
  • NOTE: Encryption of memory cards (SD cards) is a separate feature. It is explained in this help article. There is a dedicated unlocking phrase for this feature.

 



1.1. Security code

The security code of Sailfish OS is used both for unlocking the Device lock and for unlocking the encryption of user data.

The security code can contain numeric characters {0, 1, 2, 3,... 9} only (Sailfish OS 3.3.0). The minimum length of the code is 5 digits but we recommend a considerably longer code. The maximum is 42.

 



2. Encryption - an extension to Device lock

Encryption of user data in Sailfish OS is to some extent bundled with the Device lock and Security code of Sailfish OS. One could think of encryption as an extension of the Device lock.

The user data is in the encrypted state when the device is off. It remains encrypted until the correct Security code is entered when starting up the device. The acceptance of the Security code unlocks the data for use. The unencrypted data is then available for the apps as long as the device is up and running.

Even if the encryption had not been activated, it works in the background using some default arrangements.

If you want to learn more about how the encryption works, please get familiar with LUKS [2][3].

 



3. How to enable the encryption

On Sailfish OS 3.2.1, encryption is made available for Xperia 10 devices. The only way to activate the encryption here is to reflash the Xperia 10 phone (i.e., install OS v. 3.2.1 to it).

On Sailfish OS 3.3.0, encryption is available for all Xperia models that Sailfish OS has been ported to.

 

NOTE: Once you have activated the encryption, you cannot deactivate it anymore.



3.1. Preparations

You can obtain this feature to your device in one of the following ways:

  1. Reflash Sailfish OS 3.3.0 to the device. Encryption is activated during the first startup.
  2. Update Sailfish OS 3.3.0 to the device over-the-air and turn encryption on in Settings > Encryption.

NOTE: Even in the 2nd case above, the data in the device storage will be wiped out [*]. Please be sure that you create a backup [**] to your memory card, or rather, copy your valuable data to a computer before starting the encryption.

[*] If the amount of data is low then the process may be able to return your data back to its original location after the encryption is complete. DO NOT trust on this being possible! Make a backup to a memory card or copy to a computer.
[**] Please read our help article on backing up data, in particular, pay attention to chapter 1.1 listing data items that are not backed up.

 



3.2. Activation from Settings

If you have reflashed OS release 3.3.0 (or later) to your device then the encryption of user data is in effect already. 

The six pictures below show how the process of encrypting a device goes if the feature was obtained by an OS update.  Running through the initial device startup between the 5th and 6th pictures is not shown, though.

We recommend keeping the device connected to a battery charger throughout the following steps!

This is how it goes:

  1. Open Settings > Encryption
  2. Read the disclaimer. If ok, tap Encrypt.
  3. Read the instructions carefully. If you have not copied the data in the device to external storage (memory card, computer, cloud service), stop here, and back it up now. Once done, start this process again from step #1.
  4. Tap Accept at the top right corner.
  5. Enter your existing Security code or create one for yourself.
  6. Initial startup ("startup wizard") starts with "Encrypting user data, please wait"
    NOTE: this step will take several minutes to complete.
  7. Further steps of the initial startup are traversed.
    NOTE: this may also take time, please wait patiently.

You will need to type your Security code during the process, or if not set previously, set it up now. It is crucial to make the code long.

NOTE:  Please make sure that you memorise the Security code. An encrypted and device-locked Sailfish phone cannot be unlocked without the correct Security code - the only remaining option would be to reflash the device (i.e., install Sailfish OS again to it), which deletes all data, applications and accounts.

 

Screenshot_20200124_002.png  Screenshot_20200124_003.png  Screenshot_20200124_004.png

Screenshot_20200124_005.png  Encrypting......2.jpg  Screenshot_20200124_007.png

 

The picture below shows how the Device lock menu page looks like after enabling the encryption via the Settings > Encryption menu. Note that it is not possible to disable the Device lock anymore as the item "Use security code" has been removed. Changing the code is still possible.

DevLockWhenEncryptionActive.png

 



4. Can I choose not to use the encryption?

The intention is to keep the data in the phones safe. Therefore the encryption gets pre-installed to all devices (*) when flashing Sailfish OS to them. It can be kept running in the background, though, by not setting the Security code (during the initial startup, or later in the Device lock menu). In this way, encryption stays invisible and should not bother any user.

(*) There is no plan to add encryption to the old devices like Jolla Phone, Jolla C or Jolla Tablet, though.

After taking a Sailfish OS update over-the-air, you can refrain from turning the encryption on in "Settings > Encryption" also in the case of having previously enabled the Device lock. In other words, you can keep using your device (and device lock) without the encryption.

Once the encryption has been activated, it cannot be removed.  The factory reset does not remove it (unless the reset reverts an old enough OS version to the device). A reflashed device will get it back in the initial startup of the device (unless you flashed an old enough OS version to the device).

 

 



5. Status of encryption

Menu page "Settings > Encryption" has brief information about the status of this feature in your phone, the encryption standard used and the size of data protected.

Encr-info-when-enabled.png   

 



6. Boot-up of an encrypted phone

A Sailfish phone with encrypted user data traverses the following steps while booting up.

Case A: SIM/PIN query/queries are enabled

If the phone has one or two SIM cards inserted and the SIM/PIN query of at least one card has been turned on in "Settings > PIN code", then the phone starts up via the following steps:

  1. Bootloader reminder appears
  2. Sony logo appears
  3. Security code dialogue for unlocking the encryption appears. The code must be typed - fingerprint recognition is not possible.
  4. Another security code dialogue appears. This is to unlock the touch screen (device lock). Fingerprint recognition can be used.
  5. SIM/PIN code dialog(s) appear.
  6. The device completes the boot-up to the Home screen and is ready to be used, i.e. the touch screen can be used.

Case B: SIM/PIN query/queries are disabled

If the phone has no SIM cards inserted or if the SIM/PIN query of all inserted cards has been turned off in "Settings > PIN code", then the phone starts up via the following steps:

  1. Bootloader reminder appears.
  2. Sony logo appears.
  3. Security code dialogue for unlocking the encryption appears. The code must be typed - fingerprint recognition is not possible.
  4. The device completes the boot-up to the Lock screen. The 2nd security code dialogue appears only when you try to use the phone. Fingerprint recognition works here.



Further reading

[1] Encryption is the process of encoding a message or information in such a way that only authorised parties can access it, and those who are not authorised, cannot. 
Source: https://en.wikipedia.org/wiki/Encryption

[2] Linux Unified Key Setup (LUKS)
Source: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

[3] LUKS: Disk Encryption
Source: https://guardianproject.info/fi/archive/luks/ 

 

 

 

Have more questions? Submit a request
Powered by Zendesk