Filesystem encryption for Android


I have compiled a static version of cryptsetup for Android that can be used to create encrypted partitions/filesystems. I actually compiled it on my phone as that was easier than cross-compiling due to cryptsetup’s numerous dependencies. It seems to work fine on my rooted HTC G2 running CyanogenMod 7.0.0. Even though it’s a static binary it still has a few runtime libc dependencies so your mileage may vary.

You must have root and be comfortable using a command prompt to use this. You’re messing with the filesystem here so be careful and use at your own risk (keep backups).

This is mostly just an interim solution for my personal needs until Google gets their act together and adds system-wide encryption to Android. In these modern times I can’t believe anyone would even design a specification for devices like this without including encryption from the very beginning. But I digress…

Performance is adequate; I get about 8 MB/s when running the CPU at 1 GHz and using my slow class 4 SD card (the card is slightly faster than what the CPU can do at that clock). I’m not sure how much that could be improved with this hardware but it could certainly use a boost.

Check /proc/crypto to see which algorithms your kernel supports. I tested aes-plain with the stock Cyanogen kernel.
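
To see which driver the kernel would pick for an algorithm, and not just whether it is listed, this added example (not part of the original post) parses /proc/crypto entries and prints the highest-priority driver for a given name. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: which driver backs an algorithm listed in /proc/crypto?

# best_driver FILE NAME
# Prints "driver type priority" for the highest-priority entry whose name
# is exactly NAME; returns non-zero if FILE lists no such algorithm.
best_driver() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n"; best = -1 }   # one blank-line-separated entry per record
        {
            name = driver = kind = ""; prio = 0
            for (i = 1; i <= NF; i++) {
                p = index($i, ":")                # lines look like "key   : value"
                if (p == 0) continue
                key = substr($i, 1, p - 1); val = substr($i, p + 1)
                gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "name") name = val
                else if (key == "driver") driver = val
                else if (key == "type") kind = val
                else if (key == "priority") prio = val + 0
            }
            if (name == want && prio > best) { best = prio; out = driver " " kind " " prio }
        }
        END { if (best < 0) exit 1; print out }
    ' "$1"
}

# Constructed sample in /proc/crypto layout (not captured from a real device).
write_sample() {
    cat > "$1" <<'EOF'
name         : aes
driver       : aes-generic
priority     : 100
type         : cipher

name         : aes
driver       : aes-asm
priority     : 200
type         : cipher

name         : sha256
driver       : sha256-generic
priority     : 0
type         : shash
EOF
}

# Demo on the constructed sample; on a device run: best_driver /proc/crypto aes
f=${TMPDIR:-/tmp}/crypto.sample.$$; write_sample "$f"; best_driver "$f" aes; rm -f "$f"
```

A non-zero exit status means the name is not listed, so a script can stop before running luksFormat with a cipher the kernel cannot provide.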

I put cryptsetup in /system/xbin so it’s in the default path.

There is a lot of information out there on how to use cryptsetup, losetup, and the other commands I’m using here. Be sure you know what you’re doing before trying anything. To create an encrypted filesystem within a file (obviously modify the paths/filenames/size/etc for your needs):

dd if=/dev/zero of=container.dat seek=100000000 bs=1 count=1
losetup /dev/block/loop5 container.dat
cryptsetup --cipher=aes-plain luksFormat /dev/block/loop5
cryptsetup luksOpen /dev/block/loop5 dmc1
mkfs.ext2 /dev/mapper/dmc1

To mount that container later:

losetup /dev/block/loop5 container.dat
cryptsetup luksOpen /dev/block/loop5 dmc1
mount /dev/mapper/dmc1 /data/local/mnt/dmc1

To unmount the encrypted container:

umount /data/local/mnt/dmc1
cryptsetup remove dmc1
losetup -d /dev/block/loop5

There may be shortcuts for some of that if you’re using a more functional version of mount that understands LUKS volumes.

SHA256: b2f253a62fe0af064a53a40a636e7a07f9e462c79fd66c8cce5a1f22cdf0b2ee


3 responses to “Filesystem encryption for Android”

  1. I was never able to cross-compile it either. There is a link in the post above on how to cross-compile but it did not work for me. I found it was much easier to install Debian as a chroot environment on my phone and compile it from there. Unfortunately I don’t remember what instructions I followed for the chroot environment (try Google for “chroot debian arm phone”).
