12
Encryption while unattended: Lockdown Mode vs Off? (lemmy.nowsci.com)
submitted 3 weeks ago by fmstrat@lemmy.nowsci.com to c/askandroid
4 comments fedilink hide all child comments

So I have a debate in my head right now about how I should handle devices stored unattended in vehicles. The criteria:

  • Devices have new versions of Android
  • Pass phrases or many-digit pins are used
  • Biometric login is set up (but can't be used in Lockdown Mode)
  • Have Bitwarden installed with biometric auth for the vault
  • Has SSH keys on the device

I'm not worried about nation state attacks, but am considering the vector of a tech savy thief, and want to keep SSH keys and other device data secure. Assume they cannot be stored in a vault.

Is storing the phones on but in Lockdown mode enough, or should I turn them off completely? Off would be super annoying to wait for boot every time, but I'm not totally sure how KEK works for an encrypted device with biometrics set up but in Lockdown Mode where they are disabled.

you are viewing a single comment's thread
view the rest of the comments
[-] Natanael@slrpnk.net 9 points 3 weeks ago* (last edited 3 weeks ago)

Lockdown mode takes very expensive equipment to bypass

When you reboot, the user data encryption key is flushed from memory, and your unlock code is necessary to decrypt the KEK (key encryption key) held by the TPM / SE chip (which also applies rate limiting). All common attacks on unpowered devices are bruteforce with rate limit bypass.

In lockdown mode the KEK stays in memory so app state and user data is there, but the CPU is in a state which prevents access to it until unlocked with your code. There's a few more attacks possible, but most are completely blocked by the fact that USB data connectivity is also disabled in this state. You practically have to open up the device to pull data out.

Tldr no ordinary thief will even try.

The bigger risk is having it stolen while unlocked. Make sure you have revocation options ready for keys held on the device

[-] fmstrat@lemmy.nowsci.com 3 points 3 weeks ago

Thank you, this is what I expected, but wanted to be sure. I do have rotation plans in place, so covered there, too.

this post was submitted on 26 Dec 2024
12 points (92.9% liked)

Ask Android

2266 readers
1 users here now

A place to ask your questions and seek help related to your Android device and the Android ecosystem.

Whether you're looking for app recommendations, phone buying advice, or want to explore rooting and tutorials, this is the place for you!

Rules
  1. Be descriptive: Help us help you by providing as many details as you can.
  2. Be patient: You're getting free help from Internet strangers, so you may have to wait for an answer.
  3. Be helpful: If someone asks you for more information, tell us what you can. If someone asks you for a screenshot, please provide one!
  4. Be nice: Treat others with respect, even if you don't agree with their advice. Accordingly, you should expect others to be nice to you as well. Report intentionally rude answers.
  5. No piracy: Sharing or discussing pirated content is strictly prohibited. Do not ask others for a paid app or about how to acquire one.
  6. No affiliate/marketing links: Posting affiliate links is not allowed.
  7. No URL shorteners: These can hide the true location of the page and lead people to malicious places.
  8. No lockscreen bypasses: Please do not comment, link, or assist with bypassing lock screens or factory reset protection.
  9. No cross-posting: Please take the time to make a proper post instead of cross-posting.
Other Communities

founded 2 years ago
MODERATORS
ijeff
ladfrombrad