Share this page!

GrapheneOS Profile picture
Twitter logo
25 Dec, 6 tweets, 2 min read
There's a new section in the GrapheneOS FAQ covering disk encryption:

grapheneos.org/faq#encryption

Other than GrapheneOS allowing ending user sessions and raising the padding size, this also applies to AOSP on devices with a secure element offering Weaver like the Pixel 2 and later.
This covers the baseline disk encryption.

Apps can use the hardware keystore API to provide another layer of encryption with options like setting keys to be only available when unlocked. Can also be mixed with their own encryption.

See github.com/mollyim/mollyi… for an example.
Before the Titan M introduced with the Pixel 3, the Pixel 2 used an off-the-shelf NXP security chip to implement Weaver. The implementation is open source:

android.googlesource.com/platform/exter…

It would be easy for other devices to implement. However, it's not mandatory so they don't bother.
The NXP security chip on the Pixel 2 and the Titan M on later devices also use insider attack resistance:

android-developers.googleblog.com/2018/05/inside…

An attacker with the signing keys for the secure element firmware and the OS cannot update the firmware without authenticating as the owner profile.
Weaver is how a strong level of security is provided for the vast majority of users not using a strong passphrase as their lock method.

A random 6-digit PIN becomes quite hard to bypass when dealing with a secure element with insider attack resistance allowing 1 attempt per day.
User profiles are isolated workspaces with their own disk encryption keys. Consider using them!

Using a secondary user as your main profile is one of our recommendations for high risk users. That way, you can still boot up and use the device without decrypting your main profile.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with GrapheneOS

GrapheneOS Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @GrapheneOS

GrapheneOS Profile picture
25 Nov
GrapheneOS isn't going to be including Google services in the base OS: grapheneos.org/#never-google-….

This doesn't mean it won't be possible to use apps depending on Play services on GrapheneOS. It means it shouldn't be deeply integrated into the OS as a cross-user, privileged app.
We're going to support installing a Google compatibility layer within a user profile as a regular app. The OS will include minimal support for this in a way that does not compromise the security model. It won't have special privileges other than masquerading as Play services.
We plan to add support for using a GrapheneOS release of microG this way. In the longer term, we also plan to offer a more minimal compatibility layer implemented by pretending that Google services are offline. Both will be options you can choose to install in a specific profile.
Read 4 tweets
GrapheneOS Profile picture
3 Apr 19
@_copperj @grufwub @CopperheadOS No, this is the direct continuation of the original project by the original development team. The project was started before Copperhead was founded and long before it was incorporated. People can confirm this for themselves by looking at the code, dates and published documents.
@_copperj @grufwub @CopperheadOS You agreed to support this open source project by building a business around it while explicitly agreeing that it would remain as an independent entity from the business without Copperhead directly owning or controlling it. You went back on your word and betrayed the project.
@_copperj @grufwub @CopperheadOS You hijacked the infrastructure and prevented the previous incarnation of the project from ever being able to release a legitimate update again. You stole the donations sent to support the development team and siphoned off the revenue earned based on leeching off the project.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @GrapheneOS has new unrolls!

Check out other threads from @GrapheneOS!

Read all threads by @GrapheneOS