this post was submitted on 31 May 2024
397 points (97.8% liked)
Technology
59087 readers
3244 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The main purpose of this is actually security. Because when the device is in BFU (before first unlock) state, it's much harder to gain access to the data (without the correct unlock credentials). During the reboot, the encryption keys are wiped from RAM, making it essentially impossible to access the device, since brute-force unlock attempts are prohibited by Weaver API, which is enforced by the Titan M2 hardware security module. You can read more about this at https://grapheneos.org/faq#encryption
I will give that a read. I have been unintentionally using this feature, anytime I expect I won't use the GOS pixel for a bit I restart it, I've also found it disables biometrics as a security measure. Cool stuff.
It doesn't intentionally disable biometrics. Disabling biometrics is just a logical consequence of wiping the encryption keys from RAM. Your data is encrypted with your password as the key (not exactly, it first goes through a key derivation function, but the PIN/password is the entry point for the KDF). Your biometric information can't decrypt your data, as your data is not encrypted with your biometric information as the key. When using biometrics, the encryption key is kept in RAM, and the biometric data is only validated by the OS. No actual decryption occurs here. The data on your phone is only being decrypted during the first unlock after a reboot. That's why security states are grouped into BFU (before first unlock) and AFU (after first unlock).
Thank you for your in depth explanation, hope your comments help many others on top of myself.