Android 3+ has a nice feature -- device encryption. You can encrypt the contents of your device with a password, and after that this password must be entered during device boot, otherwise the data is permanently lost.
The bad thing is that this password is set to the screen lock PIN / password. So you either set a short password or PIN, that you can enter quickly each time you unlock your phone from sleep (but this provides weak encryption), or set a long password and have to type it 20-30 times during the day.
This stupid behavior may be fixed easily. Android provides command-line tool called 'vdc', an interface to Android Volume Manager. As written in "Notes on the implementation of encryption in Android 3.0" [1], it has a command 'cryptfs changepw', that allows changing encryption password. Of course this command must be executed as root.
vdc has some other commands related to encryption, one of them is 'cryptfs verifypw', that allows to validate the supplied password.
I'm currently writing an application that will assist user with changing encryption password. This is my first public application for Android. You can find a source code on GitHub [2]. It is very simple, but maybe android gurus here may find what to make better.
Comments and pull requests are welcome
Thanks!
[1] http source.android.com/tech/encryption/android_crypto_implementation.html
[2] https github.com/kibab/encpasschanger
Updated 30.06.2012: Added APK file!
Kibab said:
Android 3+ has a nice feature -- device encryption. You can encrypt the contents of your device with a password, and after that this password must be entered during device boot, otherwise the data is permanently lost.
The bad thing is that this password is set to the screen lock PIN / password. So you either set a short password or PIN, that you can enter quickly each time you unlock your phone from sleep (but this provides weak encryption), or set a long password and have to type it 20-30 times during the day.
This stupid behavior may be fixed easily. Android provides command-line tool called 'vdc', an interface to Android Volume Manager. As written in "Notes on the implementation of encryption in Android 3.0" [1], it has a command 'cryptfs changepw', that allows changing encryption password. Of course this command must be executed as root.
vdc has some other commands related to encryption, one of them is 'cryptfs verifypw', that allows to validate the supplied password.
I'm currently writing an application that will assist user with changing encryption password. This is my first public application for Android. You can find a source code on GitHub [2]. It is very simple, but maybe android gurus here may find what to make better.
Comments and pull requests are welcome
Thanks!
[1] http source.android.com/tech/encryption/android_crypto_implementation.html
[2] https github.com/kibab/encpasschanger
Click to expand...
Click to collapse
Sorry im noob
What will change visualy?
Or screenshot?
Sent from my LT26i using XDA Premium HD app
Thank you for this. I wanted a more simple password for the unlock, but a longer more complicated password for the decryption. You should put it on the market and charge $.99USD (or equivalent in your currency) as it's quite useful. I'd buy it
Thank you!
Actually I have registered myself as Google Play Developer, now I'm waiting for approval. As soon as my registration is approved, I will update this thread
Although I'm going to make a free and donate versions, because I believe that will help to make Android better, and people who want to say "Thank you" will buy Donate version anyway
uDroid said:
Sorry im noob
What will change visualy?
Or screenshot?
Sent from my LT26i using XDA Premium HD app
Click to expand...
Click to collapse
Nothing will change visually, hence no screenshot. What's important is that you may set strong password for decrypting the internal storage, but keep using simple password (or PIN) to unlock the screen.
P.S. I have verified that my app works on Jelly Bean too.
I have finally published an application on Google Play! Currently there is a free version, Donate version will come a bit later
The link is: https:// play.google.com/store/apps/details?id=com.kibab.android.EncPassChanger
Enjoy!
Thanks for that app, that is also what annoyed me
Thanks for this. I've been trying to work out why encryption wont work on any ROM on my HOX (dies with unable to get size of block device cryptfs), and you have given me a good lead to investigate with vdc. Information on encryption in android is sparse, and almost all threads here on XDA get no replies.
Thanks again.
I've been tempted to use device encryption recently, but there is a distinct lack of information about it, particularly on custom ROMs...
Might need to give it a go, just the lack of backup abilities might be an issue...
pulser_g2 said:
I've been tempted to use device encryption recently, but there is a distinct lack of information about it, particularly on custom ROMs...
Might need to give it a go, just the lack of backup abilities might be an issue...
Click to expand...
Click to collapse
I use CM10 on the Galaxy Nexus (maguro). Encrypted. Actually, only /data is encrypted. /system stays unencrypted. And this App works as described.
For Backup use TWRP. It asks for your password to decrypt storage.
You can then backup, restore, flash, install whole ROMs, wipe and what not.
>> I would like to see this app in Play Store <<
I should read before I post:
Kibab said:
I have finally published an application on Google Play! Currently there is a free version, Donate version will come a bit later
The link is: https://play.google.com/store/apps/details?id=com.kibab.android.EncPassChanger
Enjoy!
Click to expand...
Click to collapse
Thanks for that
btw. The encrypted /data partition lets you have two boot animations, one that is shown before code has been entered (the one in /system/media) and one after the correct code entry (the one in /data/local).
zurchpet said:
I use CM10 on the Galaxy Nexus (maguro). Encrypted. Actually, only /data is encrypted. /system stays unencrypted. And this App works as described.
For Backup use TWRP. It asks for your password to decrypt storage.
You can then backup, restore, flash, install whole ROMs, wipe and what not.
>> I would like to see this app in Play Store <<
btw. The encrypted /data partition lets you have two boot animations, one that is shown before code has been entered (the one in /system/media) and one after the correct code entry (the one in /data/local).
Click to expand...
Click to collapse
Hmm... I have i9100 (S2), so I would need to see about putting TWRP onto it...
Yeah, only data and SD are encrypted... Can TWRP cope with encrypted SD btw?
Great, it's easier than to change on command line
This should just be default android behavior
pulser_g2 said:
Hmm... I have i9100 (S2), so I would need to see about putting TWRP onto it...
Yeah, only data and SD are encrypted... Can TWRP cope with encrypted SD btw?
Click to expand...
Click to collapse
Yes, SD is encrypted too. And TWRP can only read from it after correct code entry. Don't know about the external SD though (since the Galaxy Nexus doesn0t have one).
zurchpet said:
Yes, SD is encrypted too. And TWRP can only read from it after correct code entry. Don't know about the external SD though (since the Galaxy Nexus doesn0t have one).
Click to expand...
Click to collapse
Wish I had a second phone, then I could just research this
Quite awesome. Now, can I use a strong password for encryption and then pattern lock for normal day to day use? That would be my ideal situation. I heart pattern lock!
Just trying to clarify how this works... so you keep your normal 'short' pin unlock code for unlocking the screen, but set a long code for decryption, and this code will only be requested once per boot, during bootup? Is this correct?
Thanks
How it works
Yes Sir. You are correct.
adrianblack said:
Quite awesome. Now, can I use a strong password for encryption and then pattern lock for normal day to day use? That would be my ideal situation. I heart pattern lock!
Click to expand...
Click to collapse
Unfortunately it's not possible to use pattern lock while using device encryption, Android forbids it. Patching Android framework will help, but this is completely another story and possible suggestion for ROM makers such as Cyanogenmod.
Is the 16 character Android limitation present, when using this tool? I currently use a 16 character device encryption/unlock pass phrase. I'd like to strengthen the device pass phrase some more.
I don't know if this is even possible during the device boot sequence, but being able to use a Yubikey with an OTG cable would be awesome!
RF
It is my first post here so hello. Can you help me?
I broke my phone. Fortunately it was insured. However I haven't been doing backup for a while. Main board remains untouched and so I had been trying to recover my data before sending it to service. Phone was encrypted. I had little time that weak and get little confused with fastboot/odin. Thus, I decided to send it and reconciled with data lost. Phone back to me form service with flashed android 5.0.
I have no experience with android.
I am trying to recover my data. My idea is simple. If disc encryption master key (specifically crypto footer) is untouched I should be able to decrypt data partition (I am thinking about low level decryption, bit by bit) and then use some software to recover files (because directory table was overwritten) that where no overwrite when phone was flashed. Since I was not deleting my files often, the most recent files should be placed at the end of data partition. Whats is more I should be able to decrypt my sdcard which Is also encrypted.
What I determinated for this moment:
1. According to: source.android.com/security/encryption/#storing_the_encrypted_key every android 5.0 is encrypted with default password at first boot. However mine was no. Encryption flags are not set and data are available form TWPR level without decrypting.
2. Here is more how encryption works: (p. 263-266) books.google.pl/books?id=y11NBQAAQBAJ&pg=PA262&lpg=PA262&dq=android+disk+encryption+master+key&source=bl&ots=nUYyBSuT2G&sig=w77YZ9EJValOVoGhGXxbRMgwtmY&hl=pl&sa=X&ved=0ahUKEwi9qMzlgd3MAhUE_ywKHV0sAdwQ6AEISzAF#v=onepage&q=android%20disk%20encryption%20master%20key&f=false
I haven't read everything for now...
It says that crypto footer is written on either end of user data partition, file or dedicated partition. There is a chance that crypto footer remains untouched after flash. Can somebody check what is the the case on s5? I cant do this on my of because If I encrypt phone I erase previous crypto footer.
3. cmds: vdc cryptfs chengepw | checkpw returning -1 and no more and any valuable informations. I did not search in logs, there is noting in dmesg also.
Does anyone have ideas how to do this procedure? Check if master key is still there or any clues?
Thank you in advice
I put some data in secure storage with password but cannot able to access that data give me solution please
Rrbairar said:
I put some data in secure storage with password but cannot able to access that data give me solution please
Click to expand...
Click to collapse
With inbuilt file manager you easily can get there. But what rom did u use etc?
I can access that but i found nothing there? What you taking about rom is i don't have any idea
Rrbairar said:
I can access that but i found nothing there? What you taking about rom is i don't have any idea
Click to expand...
Click to collapse
Are you on stock rom or cm? What rom you have actually installed?
How to reset the password in secure storage in zuk z1
Hi All,
I forgot the password, which i have mentioned in my secure storage in zuk z1.. How to reset the password in secure storage... Please help me on this....
In Settings > Security & Location > Encryption & Credentials it says, "Phone not encrypted".
I want to encrypt my phone to protect the data in case I lose the phone, but is it working? Any important things I should know?
My key concerns:
1. Will I still be able to do OTA updates of LineageOS microG after encrypting?
2. Will I be able to backup phone using TWRP?
3. Will I be able to restore backups with TWRP?
4. Can I decrypt backups using TWRP to get my data?
I found a bunch of old threads from 2014 and it sounded unstable to encrypt. I don't see newer threads though.
Thank you for any guidance you may be able to provide as I am a LineageOS noob (less than 1 month experience!) .
Before this official TWRP update it was not working.
I encrypted my phone before one month ago. when i downloaded and installed the OTA update, the decryption pattern did not recognized. I was damn sure about the correct pattern to unlock but it didn't worked. I need to reset my phone to make it working.
I am not sure if its working now after updates from both TWRP and Lineage os.
please reply if any one know about current situation.
[NOTE]: If you are noob and trying to encrypt your phone, then keep backup of your internal storage and all apps, Sms and Contacts etc. because, after encryption, you can not access files and appdata from internal storage.
[email protected] said:
I encrypted my phone before one month ago. when i downloaded and installed the OTA update, the decryption pattern did not recognized. I was damn sure about the correct pattern to unlock but it didn't worked. I need to reset my phone to make it working.
Click to expand...
Click to collapse
Thank you for this! Possibly saved me. I don't care about accessing my encrypted data through TWRP, but I do want to be able to do OTA. I also want my data protected if I lose my phone.
In the latest release of TWRP 3.4.0-0 there seem to have done lots of work on encryption
Encryption
ext4Crypt Wrapped Key Update - Peter Cai
Fix upgrading encryption key if export fails - Peter Cai
Fix wrapped key support for devices without metadata partition - mauronofrio
Don't skip decryption when using block map file in order to write to /data in ORS - CaptainThrowback
FDE - Decrypt master key first - AndroidableDroid
vold_decrypt - set Android version and patch level automatically - CaptainThrowback
Set wrapped decrypt support by twrp flag - Peter Cai
Don't try wrapped support unless needed - mauronofrio
restore ext4 policy on /data/cache - Bigbiff
multiuser decryption - Noah Jacobson
FDE retry - AndroidableDroid
Click to expand...
Click to collapse
So, tell me about encryption. posted on Reddit --> This thread from 2 years ago on reddit has some phones working with encryption and some not working.
So who else is running full disk encryption on their LineageOS install? I guess I have to try it and pray next week.