Mounting encrypted state files externally


James Heather

Jan 13, 2022, 3:27:04 PM
to chromium-os-dev
Is there any documentation on how to read (ideally live mount) the encrypted files that appear in the state partition? I'd like to be able to read (ideally write) these files from an external Linux box (not crostini).

Thanks for all the help.

James

Mike Frysinger

Jan 13, 2022, 3:44:01 PM
to James Heather, chromium-os-dev
fundamentally, no, we specifically designed the system so you can't do that.  well, not "you" as in "the owner", but as in "malicious or state actor who wants to steal your data".

we cover this a bit here:
https://dev.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data

the stateful partition in particular is encrypted with the system key in the TPM.  if you aren't in dev mode already, it's not possible to access that.
-mike

--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev

James Heather

Jan 13, 2022, 4:23:11 PM
to Mike Frysinger, chromium-os-dev
Hmm, thank you. Is it not possible to mimic what CrOS does to get the TPM to decrypt the key, though, if I know the Gaia and password of the user? It looks as though the private RSA key is stored in the TPM, and irretrievable, but it should be possible to get the TPM to do the decryption: this is what CrOS does, after all.

Mike Frysinger

Jan 13, 2022, 4:28:06 PM
to James Heather, chromium-os-dev
you need the TPM, you need the inputs to the TPM (the user's creds), and you need the ability to run arbitrary code against the TPM.

you said you're on an external Linux box, so you don't have the TPM.  the user's creds won't help.
-mike

James Heather

Jan 13, 2022, 4:30:11 PM
to Mike Frysinger, chromium-os-dev
Ah yeah, sorry, I meant external to Chrome, but on the same device, booting into Linux on the same machine. So the TPM will still be there.

Mike Frysinger

Jan 13, 2022, 4:32:49 PM
to James Heather, chromium-os-dev
if you're in dev mode and can send arbitrary requests to the TPM and have the input creds, it's prob possible.
i don't think we have any documentation though (internal or external), so you're prob on your own atm to figure out the series of commands.
-mike