Questions about encryption of an unlocked OP3 - OnePlus 3 Questions & Answers
Hey Guys,
When I got my OP3 I unlocked the bootloader right away and installed FreedomOS to get rid of the bloatware. As this is my first device, which comes with a locked bootloader and decryption, I have some questions about this topic. I was wondering that the encryption does not make any sense when you unlock your bootloader, because if somebody steals your phone, he can just enter twrp and access all your data. Then I flashed CM and after that TWRP was asking me to set a pin or pattern to lock my phone. Now I've to unlock my phone every time I want to enter the recovery or boot the system with a pattern, which is great, because now the encryption is not worthless anymore. Now I'm asking myself if this feature is somehow integrated into CM or was it just random that I found this feature? Is there any way to get this also with OOS installed? What things do I have to note to not accidentally make my phone unencryptable with the pattern? Is this even possible, maybe by flashing a new recovery or so?
Thanks in advance
Gerrit507 said:
Hey Guys,
When I got my OP3 I unlocked the bootloader right away and installed FreedomOS to get rid of the bloatware. As this is my first device, which comes with a locked bootloader and decryption, I have some questions about this topic. I was wondering that the encryption does not make any sense when you unlock your bootloader, because if somebody steals your phone, he can just enter twrp and access all your data. Then I flashed CM and after that TWRP was asking me to set a pin or pattern to lock my phone. Now I've to unlock my phone every time I want to enter the recovery or boot the system with a pattern, which is great, because now the encryption is not worthless anymore. Now I'm asking myself if this feature is somehow integrated into CM or was it just random that I found this feature? Is there any way to get this also with OOS installed? What things do I have to note to not accidentally make my phone unencryptable with the pattern? Is this even possible, maybe by flashing a new recovery or so?
Thanks in advance
If your phone is encrypted, TWRP has to prompt you to decrypt the /data partition before it can be mounted. This isn't a CM feature, it should act like this with any ROM if phone encryption is enabled. I've flashed most every rom and version of twrp in this forum and they all seem to work fine with the encryption enabled. I have not flashed multiboot yet as that requires your phone to be completely unencrypted. Not sure if that answers your question.
If security is your concern though, I would recommend switching to a passphrase instead of pattern for encryption unless your pattern is very long and complex. I recommend a passphrase of at least 16 characters.
kennonk said:
If your phone is encrypted, TWRP has to prompt you to decrypt the /data partition before it can be mounted. This isn't a CM feature, it should act like this with any ROM if phone encryption is enabled. I've flashed most every rom and version of twrp in this forum and they all seem to work fine with the encryption enabled. I have not flashed multiboot yet as that requires your phone to be completely unencrypted. Not sure if that answers your question.
If security is your concern though, I would recommend switching to a passphrase instead of pattern for encryption unless your pattern is very long and complex. I recommend a passphrase of at least 16 characters.
Ok I see, then I was getting something wrong there, thank you. The thing is FreedomOS stated that the phone is encrypted but I was never asked for the pattern by TWRP...
Gerrit507 said:
Ok I see, then I was getting something wrong there, thank you. The thing is FreedomOS stated that the phone is encrypted but I was never asked for the pattern by TWRP...
When you first booted up your stock phone and went through setup it asks if you want to secure the phone using pin/pattern/passphrase. I think that is where it is created then that key is written somewhere, not on the data or system partitions because it persists between wipes, and that is where TWRP and all future roms are authenticating you.
kennonk said:
When you first booted up your stock phone and went through setup it asks if you want to secure the phone using pin/pattern/passphrase. I think that is where it is created then that key is written somewhere, not on the data or system partitions because it persists between wipes, and that is where TWRP and all future roms are authenticating you.
Ok, I can not remember this... Then I guess the phone just stated it was encrypted and wasn't... And how can I change this pattern or unencrypt the phone?
Gerrit507 said:
Ok, I can not remember this... Then I guess the phone just stated it was encrypted and wasn't... And how can I change this pattern or unencrypt the phone?
Here is how to decrypt without losing data. http://forum.xda-developers.com/oneplus-3/how-to/unencrypt-oxygenos-loosing-data-t3412228
There is another article I think I saw it on the OnePlus forums about how to decrypt and wipe which will let you change the passphrase I think.
Basically if you decrypt, then flash Oxygen or Hydrogen without SuperSU it will force you to re-encrypt. At least that is my understanding as I haven't decrypted yet.
Good luck
kennonk said:
Here is how to decrypt without losing data. http://forum.xda-developers.com/oneplus-3/how-to/unencrypt-oxygenos-loosing-data-t3412228
There is another article I think I saw it on the OnePlus forums about how to decrypt and wipe which will let you change the passphrase I think.
Basically if you decrypt, then flash Oxygen or Hydrogen without SuperSU it will force you to re-encrypt. At least that is my understanding as I haven't decrypted yet.
Good luck
As far as I understood it, it's all about wiping userdata, which I did before flashing Freedom OS. This might explain why I had no encryption... Still strange that it did not prompt me again to set a new one...
edit: FreedomOS has supersu, but systemless... I also flashed supersu right after CM which is even more strange...
Gerrit507 said:
As far as I understood it, it's all about wiping userdata, which I did before flashing Freedom OS. This might explain why I had no encryption... Still strange that it did not prompt me again to set a new one...
Yeah I have wiped userdata and system and clean reflashed like 20-30 times in the last few weeks and I've never been prompted to recreate the initial passphrase I set for encryption.
kennonk said:
Yeah I have wiped userdata and system and clean reflashed like 20-30 times in the last few weeks and I've never been prompted to recreate the initial passphrase I set for encryption.
But I never had to decrypt in TWRP... It's mysterious. As far as I understand the guide he just wipes userdata and the encryption is gone... Is there somebody who knows for sure where the key is located actually?
edit: Seems like the encryption key is coupled to your password
When a user elects to change or remove their password in settings, the UI sends the command cryptfs changepw to vold, and vold re-encrypts the disk master key with the new password.
https://source.android.com/security/encryption/
I can confirm that. I changed my pattern and unlocked the phone with it at booting.
If I remove my password it still says "encrypted" in security but I don't have to enter any pattern at boot.
Mine says "Encrypted" under Settings > Security & Fingerprint > Encryption but I can boot into TWRP and browse the entire file system without ever entering my pin code.
dcdruck1117 said:
Mine says "Encrypted" under Settings > Security & Fingerprint > Encryption but I can boot into TWRP and browse the entire file system without ever entering my pin code.
Sounds like you have the same issue like I had. It seems to me like an issue in OOS.
This is awesome. I thought rooting and unlocking the bootloader to install custom ROMs would need the phone to be decrypted -- great, great news!
So without knowing the passphrase a possible attacker can't get to the data even when the bootloader is unlocked and OS rooted?
kanttii said:
This is awesome. I thought rooting and unlocking the bootloader to install custom ROMs would need the phone to be decrypted -- great, great news!
So without knowing the passphrase a possible attacker can't get to the data even when the bootloader is unlocked and OS rooted?
Yes, all your data is being decrypted after you enter the passphrase.
Does anyone have any idea how I can encrypt my phone if it already says Settings > Security & fingerprint > Encryption > Encrypt phone = "Encrypted"? It's clearly not actually encrypted because I do not have to enter any pin to boot or read data in TWRP.
dcdruck1117 said:
Does anyone have any idea how I can encrypt my phone if it already says Settings > Security & fingerprint > Encryption > Encrypt phone = "Encrypted"? It's clearly not actually encrypted because I do not have to enter any pin to boot or read data in TWRP.
Go to lock screen settings and set it up again. You will be prompted if you want to enter pin every reboot.
proag said:
Go to lock screen settings and set it up again. You will be prompted if you want to enter pin every reboot.
Hey, thanks! The "require PIN to start device" screen doesn't make any mention of encryption, so I was under the impression that it was far more basic and wasn't at all related to encryption. I tried it though and now TWRP does ask me to decrypt my data partition, so it does work. Thanks for the assist!
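The behaviour worked out in the posts above (the phone reports "Encrypted" yet TWRP mounts /data without asking, until a start-up PIN is set) follows from how the disk master key is wrapped, and the added Python sketch below models it. It is not code from the thread or from Android: the function names are hypothetical, the scrypt parameters are demo values, and the XOR/HMAC wrap is a stand-in for the AES wrap real devices use (which can also mix in a hardware-bound key); `default_password` is the value AOSP's full-disk encryption page documents for devices with no start-up credential.

```python
import hashlib
import hmac
import os

# Password AOSP documents for full-disk encryption when the user has not set
# a start-up credential ("Require PIN to start device" is off).
DEFAULT_PASSWORD = b"default_password"


def _derive(password, salt):
    """Password -> (encryption key, MAC key). Demo scrypt cost (assumption)."""
    k = hashlib.scrypt(password, salt=salt, n=2**12, r=8, p=1, dklen=64)
    return k[:32], k[32:]


def _pad(enc_key, length):
    # Stand-in cipher: pad derived from the key (real devices use AES).
    return hmac.new(enc_key, b"pad", hashlib.sha256).digest()[:length]


def wrap(master_key, password):
    """Build a footer holding the master key wrapped under `password`."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    pad = _pad(enc_key, len(master_key))
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(footer, password):
    """Return the master key, or None if the password is wrong."""
    enc_key, mac_key = _derive(password, footer["salt"])
    tag = hmac.new(mac_key, footer["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, footer["tag"]):
        return None
    pad = _pad(enc_key, len(footer["wrapped"]))
    return bytes(a ^ b for a, b in zip(footer["wrapped"], pad))


def create_volume():
    """First boot: random master key, wrapped under the default password."""
    master_key = os.urandom(16)
    return wrap(master_key, DEFAULT_PASSWORD), master_key


def change_password(footer, old, new):
    """Model of `cryptfs changepw`: re-wrap the same master key, data untouched."""
    master_key = unlock(footer, old)
    if master_key is None:
        raise ValueError("current password is wrong")
    return wrap(master_key, new)


def recovery_needs_prompt(footer):
    """A recovery tries the default password first; it prompts only if that fails."""
    return unlock(footer, DEFAULT_PASSWORD) is None


if __name__ == "__main__":
    footer, mk = create_volume()
    print("no start-up PIN, recovery prompts:", recovery_needs_prompt(footer))
    footer = change_password(footer, DEFAULT_PASSWORD, b"2580")  # constructed PIN
    print("start-up PIN set, recovery prompts:", recovery_needs_prompt(footer))
    print("same master key after change:", unlock(footer, b"2580") == mk)
    footer = change_password(footer, b"2580", DEFAULT_PASSWORD)  # PIN removed
    print("PIN removed, recovery prompts:", recovery_needs_prompt(footer))
```

In the first and last states the volume is encrypted on disk, but anything that can boot a recovery can unlock it, which is why the start-up credential matters on a device with an unlocked bootloader.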
been following this thread and i had a quick question - so it looks like if you unlock BL and run a custom ROM, you can still have the security of encryption, but does this ONLY apply to the USERDATA partition?
for example, could someone launch TWRP recovery on your phone and flash something into the SYSTEM partition without ever touching your userdata partition (ie, a keylogger or malware)?
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
dcdruck1117 said:
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
so system is never encrypted? i guess at that point the stock recovery stops you from flashing malware but TWRP won't
dcdruck1117 said:
It seems to me that only the data partition is encrypted, but someone correct me if I'm wrong. I looked at the Android full disk encryption page and I only see mentions of the data partition.
Your internal storage is mounted into your data partition actually. I think this means it's also encrypted.
2x4 said:
so system is never encrypted? i guess at that point the stock recovery stops you from flashing malware but TWRP won't
I see no reason behind encrypting system, it's used read-only anyway as long as you don't flash something to it.
edit: Ah I see now what you mean. But if you have stock recovery you can also simply flash twrp over it or flash something to system via adb... I don't know if it would even be possible technically to encrypt system. Anyway I think the only solution would be to lock the bootloader I think. I don't know what actually happens if you lock your bootloader again while on twrp and custom rom, might brick your device
Related
Be warned: Encrypting your device can be dangerous
Hello, As Google has decided to turn encryption on as a standard in the upcoming Android 5.0, I thought I would give it a test on my CosmicCM 5.4. I started the encryption and it prompts you for a passcode that will be used from now on, so far no problem. It started encrypting my device and it was running for some time (I left it alone for an hour) and reboots a couple of times. After it finished, the annoyance came. First you will have to type twice your password with a reboot, one time to decrypt your device the second time to enter your device. Be aware that performance can be slowed through encryption, and it can negatively impact battery life too. So I decided to go back. The Problem: Once encrypted, you can't decrypt it easily. When encrypting the phone android will tell you you can only decrypt it using a factory reset. Naturally you assume it's talking about the "Factory Data Reset" option found in Settings --> Backup and Reset and this works. Now I wanted to try a rom (TW 4.2.2 based) and see how this worked and after installing and booting. I got prompted to enter the decryption and of course this didn't work anymore as there is no data for the password. So I assumed you can wipe everything from your custom recovery mod (CWM, TWRP, or one of those). Wrong! You'll get beautiful "can't mount /data" messages and more. After some hard time I got everything working again, by flashing CosmicCM again. The phone booted all clean again without asking for encryption and when you check the menu it also mentioned encryption is deactivated. Trying the previous rom again just triggered the encryption again. So it seems that there is still somewhere a hidden encrypted protection that will be activated when I flash a different rom. So be warned and don't play with encrypting your device as you could brick it. Didn't have time to investigate further on how I can remove it completely, but my guess is I have to redo all the partitions.
I was on the same boat a month ago
akiratoriyama said:
I was on the same boat a month ago
I wish you told me sooner. Did you redo all the partitions to get the encryption completely removed?
RichyE said:
I wish you told me sooner. Did you redo all the partitions to get the encryption completely removed?
I think I had to wipe my data via Philz, CWM and stock to remove encryption.
akiratoriyama said:
I think I had to wipe my data via Philz, CWM and stock to remove encryption.
Thanks for the info, will try to flash stock this week and see if this helps
Can't decrypt phone
Hey guys, Just as I wanted to update to an Android M ROM I realized decrypting the phone somehow doesn't work. In Settings it says "Encrypted Phone Encrypted" but if I click it nothing happens. Here is a video for demonstration: https://youtu.be/cOFFZuckUU0 . In Recovery I can't mount any of the encrypted partitions yet when I restart my phone it doesn't ask for the decryption code and Android works like always. Any way to get the phone decrypted again? Thanks in advance! P.S.: After hours of research I couldn't find anything remotely similar to my issue. It doesn't even make sense that the phone decrypts itself without me putting in a code... P.P.S.: Oh and the issue appeared just a few days ago. Before that I could encrypt and decrypt my phone as often as I wanted to and android always asked for the code before booting.
Anyone?
.TanTien said:
Anyone?
You can't decrypt. You must make a full wipe. If you don't want to lose data use Titanium Backup or TWRP Manager with live backup. You can only turn off, not decrypt ! a sd card encryption
Root and Security / Prevent Flash Recovery / Prevents to Decrypt Data
Hello. I search for a way to hold my HTC 10 safe if someone should take my phone. Actually I am able to read all my data over the TWRP, doesn't matter if I use the safest security things, like the phone goes back to factory reset after too many wrong password tries. No one should be able to flash a recovery or take my data out, actually you just need to flash TWRP to decrypt the Data Partition. Is there any way to make my phone with root really safe? Does it affect something if the Option "Unlock OEM" in the Developer Settings is checked or not? Thank you
You have to go to Settings->Security->Screen lock. Here you select what you want (pattern, pin, password,..) and then enter your security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again. Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
CrazyCypher said:
You have to go to Settings->Security->Screen lock. Here you select what you want (pattern, pin, password,..) and then enter your security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again. Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
I guess though, if phone is stolen and you have twrp installed, you're in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
purple patch said:
I guess though, if phone is stolen and you have twrp installed, you're in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not be able to
CrazyCypher said:
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not be able to
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
purple patch said:
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone: http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE I get this window, but I have pattern..this is picture from web
CrazyCypher said:
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone: http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE I get this window, but I have pattern..this is picture from web
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
purple patch said:
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
Try to boot in TWRP... I am being asked to input pattern to decrypt data before I can enter TWRP... I wasn't always being asked, before I selected the setting in "Settings->Security->Screen lock" TWRP just said it decrypted data with default password... now that I enabled in "Settings->Security->Screen lock", also TWRP ask me to input before it can decrypt. ALSO be sure you have latest TWRP installed, previous version were not able to decrypt data no matter what setting you had.
CrazyCypher said:
You have to go to Settings->Security->Screen lock. Here you select what you want (pattern, pin, password,..) and then enter your security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again. Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
Thank you for this Information, if this is really safe it would be really nice. I will try it as soon as possible after i backed my device up. And it is still safe, doesn't matter which TWRP version (or maybe other recovery) you will flash? I like the idea to still use TWRP. Could it be still possible to have root with the stock recovery? USB Debugging is still off since i got my device and i flashed it already back to stock recovery for the OTA and again to TWRP, i never enabled USB Debugging, i think this option does not affect anything? Or do you mean i should disable "OEM Unlock" or what will happen if you set disable to this option?
Nobody who steals a phone is too interested in your data unless that is the sole reason why they took your phone.
Thank you, it seems like it works if you choose "Require pattern to start device". Actually i didn't try to flash, wipe, format or something else but i guess whatever you will do, its not possible to decrypt the internal storage again? @Android The Greek.. yes this is the reason for this thread, because if you took a rooted phone, i guess you always will be able to flash them so that you can use it again?.. If its not rooted, you should not be able to use this phone again if you choose this security.
I actually got another question. What is if someone does flash another backup to system and more, but just let "data" stay. Is the encryption still safe and all the keys stored in the "data" partition or its possible to get access to data?
A few questions about encryption
Since this is my first phone with encryption and fingerprint reader after my Nexus 5, I am a tad bit confused about the whole topic. So here are a few questions about it:
1. I currently have Resurrection Remix installed and in security settings it says my phone would be encrypted. If I click on this, nothing happens, so I guess I cannot change the encrypted state?
2. When I boot into TWRP, I am asked to decrypt data with my passkey, which I set up while OOS was still installed. So does this persist through system and data wipes? If so, how can I actually change this passphrase? Might be kind of similar to question 1.
3. What would be the right way to relock the bootloader without bricking the phone if this passphrase is not stored in data or system partition?
4. With every factory reset and flashing a new rom, does everything get encrypted with the passphrase I have setup before?
Does Encryption NEVER work in ROMS
So I kind of like the fact encryption is turned on automatically by Nextbit (and I did figure out how to get out of my encryption loop)
And I have tried to encrypt the disk with
-Pacman ROM
-Resurrection ROM
-Paranoid Android
and all of them bootloop and never actually boot up once you press "encrypt".... so is it impossible to encrypt once you have an unlocked bootloader and recovery installed?
I get it's detrimental to the whole process of flashing incessantly but still
Grrrrrrr Can sum1 confirm
tlxxxsracer said:
If you unlock the bootloader, that alone won't cause encryption issues. You have to flash a specific boot.img or zip that will disable encryption. Don't unencrypt and should be fine. Not sure why you'd want to encrypt if your BL is unlocked. Encryption only hurts performance
thanks for the reply
I wanted to encrypt my current ROM to just get the extra protection from theft or lost device. I really like the current ROM im using and dont need to flash anymore currently, so i would be fine locking it down with encryption
But i cant get ANY of the ROMS to encrypt like they normally do say compared to the G3
So there is a solution to this. Basically, when you encrypt the file system on one rom, even when you wipe the data certain things are still tied to the old file system. That's why when you go to encrypt the encryption fails, because the remnant stuff from the other rom is in the way. The solution is to completely reformat the data partition (using TWRP, select format data, or change the data file system to F2FS and then back to ext4.). This will clear the conflicts causing encryption to bootloop. However, this process will need to be repeated every single time you switch roms (updating a rom is fine).
I believe Cyanogenmod supports encryption, though I have never tried it.
yanowman said:
So I kind of like the fact encryption is turned on automatically by Nextbit (and I did figure out how to get out of my encryption loop)
And I have tried to encrypt the disk with
-Pacman ROM
-Resurrection ROM
-Paranoid Android
and all of them bootloop and never actually boot up once you press "encrypt".... so is it impossible to encrypt once you have an unlocked bootloader and recovery installed?
I get it's detrimental to the whole process of flashing incessantly but still
If you flashed the custom boot image, you CANNOT re encrypt your phone. Won't work.