Decrypting Storage - Google Pixel XL Questions & Answers

I know on most devices I've owned you needed a non-encrypted kernel and I had to perform a format of data to remove encryption. I have seen a few posts in a couple of other threads but nothing I saw was definitive. Does anyone know if unencrypting the XL is even possible? If so, which kernel are you using?

I also have the same question. I just want to decrypt the data partition to avoid risk when I turn to TWRP and MultiROM in future.
So has anyone tried this? I cannot understand why I need Magisk here??
http://androiding.how/disable-verity-force-encryption-pixel-xl-decrypt/

Mike02z said:
I know on most devices I've owned you needed a non-encrypted kernel and I had to perform a format of data to remove encryption. I have seen a few posts in a couple of other threads but nothing I saw was definitive. Does anyone know if unencrypting the XL is even possible? If so, which kernel are you using?
Azlun said:
I also have the same question. I just want to decrypt the data partition to avoid risk when I turn to TWRP and MultiROM in future.
So has anyone tried this? I cannot understand why I need Magisk here??
http://androiding.how/disable-verity-force-encryption-pixel-xl-decrypt/
Notice in the attached that it states that TWRP plus SuperSU decrypts file based encryption.... https://www.xda-developers.com/supersu-updated-to-work-with-twrp-on-pixel-and-pixelxl/

cam30era said:
Notice in the attached that it states that TWRP plus SuperSU decrypts file based encryption.... https://www.xda-developers.com/supersu-updated-to-work-with-twrp-on-pixel-and-pixelxl/
" Dees_Troy to allow TWRP to decrypt the data partition involves modifying the same init binary " is NOT what I want according developer's
https://plus.google.com/+DeesTroy Pixel update 4 picture.
What I want is full device decryption permanently, while Android is running, not only in TWRP.
So I think that is maybe more than TWRP can do. I guess a special boot.img or a kernel patch zip is needed to reach what I need.

Mike02z said:
I know on most devices I've owned you needed a non-encrypted kernel and I had to perform a format of data to remove encryption. I have seen a few posts in a couple of other threads but nothing I saw was definitive. Does anyone know if unencrypting the XL is even possible? If so, which kernel are you using?
Decrypting your Pixel is possible. The process isn't much different than any previous Nexus. It differs due to the removal of the recovery partition, thus the recovery fstab is now in the kernel's ramdisk. So you must edit out forceencryption in both fstabs (fstab.marlin, fstab.recovery).
Fastboot format userdata, flash a modified kernel, done..
Haven't seen any custom kernels that remove the flag yet so I modified ElementalX.
http://forum.xda-developers.com/pix...oem-unlock-t3498287/post69733387#post69733387

blueyes said:
Decrypting your Pixel is possible. The process isn't much different than any previous Nexus. It differs due to the removal of the recovery partition, thus the recovery fstab is now in the kernel's ramdisk. So you must edit out forceencryption in both fstabs (fstab.marlin, fstab.recovery).
Fastboot format userdata, flash a modified kernel, done..
Haven't seen any custom kernels that remove the flag yet so I modified ElementalX.
http://forum.xda-developers.com/pix...oem-unlock-t3498287/post69733387#post69733387
I did use your modified Elemental kernel that was in the thread about the ability to show that your bootloader is unlocked.
Here is what I did...
Went into TWRP and did a format data from the wipe menu.
Flashed your kernel via USB SD dongle.
Rebooted.
Took about 5-8 minutes to boot but when I went into "Security" it still showed my phone was encrypted. I did this with every Nexus device I've owned but not sure what I'm doing wrong.

Mike02z said:
I did use your modified Elemental kernel that was in the thread about the ability to show that your bootloader is unlocked.
Here is what I did...
Went into TWRP and did a format data from the wipe menu.
Flashed your kernel via USB SD dongle.
Rebooted.
Took about 5-8 minutes to boot but when I went into "Security" it still showed my phone was encrypted. I did this with every Nexus device I've owned but not sure what I'm doing wrong.
Don't you need to format user data with fast boot to decrypt?
Sent from my Google Pixel XL using XDA Labs

Related

[Q] Clockworkmod and ICS-encryption

I found following article: "android.stackexchange.com/questions/19286/will-a-custom-recovery-work-with-an-encrypted-device"
According to this description, it should be possible to use the ICS encryption after partitioning the SDcard. Has anyone already tried it?
Article:
"Mount one partition on /sdcard so that it could be used by system & leave other one (Clockwork Mod can do mounting too)."
How can I do this?
Bump
Nobody tried it yet???
i think it's better u don't use encryption at all...
if u need encryption for security reasons, then u have to stay stock (bootloader locked, no root, no cwm, otherwise the encryption has no sense to be done).. in case u want to leave the encryption mode, u have to factory reset the phone
clockwork mod is not able to backup, restore or flash a zip on an encrypted rom (easy to search around to discover this, as i just did now)
Why do you think there is no point with encryption with unlocked bootloader and root?
To me it seems that's when it's most important, since it's then very easy to get to your data and the only way to protect them?
I am using Titanium Backup and send the backups encrypted to Dropbox, not that much work to wipe and flash ROMs. Kernels you can still flash, at least with Franco's app. The only downside is that you need a PC to wipe since you have to do it through fastboot.
andQlimax said:
i think it's better u don't use encryption at all...
if u need encryption for security reasons, then u have to stay stock (bootloader locked, no root, no cwm, otherwise the encryption has no sense to be done).. in case u want to leave the encryption mode, u have to factory reset the phone
clockwork mod is not able to backup, restore or flash a zip on an encrypted rom (easy to search around to discover this, as i just did now)
B1ny said:
Why do you think there is no point with encryption with unlocked bootloader and root?
To me it seems that's when it's most important, since it's then very easy to get to your data and the only way to protect them?
yes, in fact what i mean is that if u want to protect ur data more, then stay also with the bootloader locked etc (even if the encryption should be enough)
Have thought about also locking the bootloader since you have to wipe anyways, and need a PC. Will not be much more work/time. But is there really any need?
andQlimax said:
yes, in fact what i mean is that if u want to protect ur data more, then stay also with the bootloader locked etc (even if the encryption should be enough)
if u need encryption for security reasons, then u have to stay stock (bootloader locked, no root, no cwm, otherwise the encryption has no sense to be done).. in case u want to leave the encryption mode, u have to factory reset the phone
From my point of view I also think that encryption is very important for rooted devices. If you lose your phone, it's very easy to get your private data on the sdcard and app data (accounts,...). With an encrypted device, the data are safe and that's all I want.
clockwork mod is not able to backup, restore or flash a zip on an encrypted rom
Also if you create a separate partition - see article in my first post ???
I would also be interested if this was possible.
Reason being - my employer requires that my phone be encrypted and unrooted. I have been investigating a dual boot setup where I could boot my unrooted, encrypted, stock android image so that I can use it for corporate email and when I need root for something like tethering I could boot off the rooted image.
This way my corporate data would be encrypted and I would be adhering to company policy but I can also enjoy the flexibility of a rooted phone when I need it without wiping my phone every time I want to switch back and forth.
the /cache partition is the answer, i think
I found out that the stock recovery, as expected, also cannot access the /SDcard partition. However, it looks in the /cache partition for update.zip files when the phone is encrypted. I was able to copy the 4.0.4 update to the cache partition and load it from there. Seems like CWM just needs to be updated to have an option to look there for zip files and we should be able to load them up.
chhall said:
I found out that the stock recovery, as expected, also cannot access the /SDcard partition. However, it looks in the /cache partition for update.zip files when the phone is encrypted. I was able to copy the 4.0.4 update to the cache partition and load it from there. Seems like CWM just needs to be updated to have an option to look there for zip files and we should be able to load them up.
The problem is /cache is 100 MB, and some (most?) ROMs are way more than that.
So I don't think using /cache is a fix.
I'm not sure of how CWM mounts the external SD card, but if it uses /mnt/sdcard/external_sd then it's impossible to use the external SD card because it depends on the internal SD for the mount point.
If this isn't the case, then it should be possible to partition the external SD card... Is it?
That leaves us with the only possible solution: the partitioning of the internal SD card as mentioned in the link provided by OP.
Has anyone done this?
EDIT:
According to CM9's nightlies "known issues" list, encryption has already been solved and is working. I'm wondering how they fixed it.
bump
anybody knows the answer?
ghost shell said:
According to CM9's nightlies "known issues" list, encryption has already been solved and is working.
Could you give me a link to this?
There is a work around for flashing in CWM recovery by using the system ram as a temp file system.
You can use the dd command in adb to backup the entire current firmware and restore it in fast boot.
You can also use the backup and restore feature in ics to backup your sdcard contents and some apks.
There is a dev who is working on a full nandroid equivalent on an encrypted system. He is half way there. It requires cm recovery which has dmcrypt support.
http://forum.xda-developers.com/showpost.php?p=25635462&postcount=54
Check out the entire thread for other info for flashing custom roms via system ram.
ghost shell said:
bump
anybody knows the answer?
DanderMan said:
Could you give me a link to this?
http://teamhacksung.org/wiki/index.php/CyanogenMod9:GT-I9100:Nightly:Known_issues
Encryption used to be on the known issues, but not anymore. I don't know the status for the Nexus.
Also: http://forum.xda-developers.com/showpost.php?p=25515675&postcount=53
@bunklung
Thanks.
I'm still digesting the information.
The sad part is that even a normal factory reset doesn't allow removing encryption. If at least that would be possible it wouldn't be that bad.
EDIT2:
I've been reading and not even the ram trick would work with me because I can't get adbd running in CWM.
adb doesn't detect any device when the phone is in CWM-recovery mode.
Anyone found a way to revert to stock with cwm already installed for an encrypted phone?

Why disable encryption?

I have seen several posts referring to disabling encryption but not a reason why I should. I am rooted, running 6.0.1, and I skipped the decryption step during the root. My phone says it is encrypted. I haven't noticed any lag but I have only had my phone for 1.5 weeks. One would "assume" that having it encrypted would be better. So why would I want to disable it? Is there a cumulative effect that I don't know about?
Thank you.
If you don't want to and you want to leave it encrypted, go for it. An encrypted fs will have slower read/write speeds, and some people aren't worried about having their phone encrypted. You can always re-encrypt in security settings, just now you won't be forced to have it on.
For my personal device I never use encryption, without it devices are notably faster for me.
67p912 said:
I have seen several posts referring to disabling encryption but not a reason why I should. I am rooted, running 6.0.1, and I skipped the decryption step during the root. My phone says it is encrypted. I haven't noticed any lag but I have only had my phone for 1.5 weeks. One would "assume" that having it encrypted would be better. So why would I want to disable it? Is there a cumulative effect that I don't know about?
Thank you.
It's more convenient for flashing ROMs if it's decrypted. Because TWRP recovery can't see an encrypted partition, you can't download a ROM to your phone's storage and then flash it in recovery. It would be nice if we could have two data partitions, an encrypted one and an unencrypted one.
Jacquestrapp said:
It's more convenient for flashing ROMs if it's decrypted. Because TWRP recovery can't see an encrypted partition, you can't download a ROM to your phone's storage and then flash it in recovery. It would be nice if we could have two data partitions, an encrypted one and an unencrypted one.
TWRP has been able to 'see' encrypted storage for a while now.
Sent from my Nexus 5X using Tapatalk
PiousInquisitor said:
TWRP has been able to 'see' encrypted storage for a while now.
Is there some kind of trick to that, or some setting in TWRP that needs to be enabled? It didn't work for me the first time I tried it.
Jacquestrapp said:
Is there some kind of trick to that, or some setting in TWRP that needs to be enabled? It didn't work for me the first time I tried it.
It just works and has since November with TWRP version 2.8.7.2.
Sent from my Nexus 5X using Tapatalk
Regarding encryption, if I were to do a TWRP backup with 'encryption on', can I restore that backup on an 'encryption off' phone after?
My plan is to:
Nandroid backup with encryption on
Decrypt (which erases all user data)
Restore backup
How will this affect the backup since 1 has encryption on previously?
how to disable encryption?
cavalloz said:
how to disable encryption?
Code:
fastboot format userdata
^^^This will wipe your internal storage^^^
Edit: Need a modified kernel that doesn't force encryption.
How about a few more details on turning off encryption please.
Sent from my Nexus 5X using Tapatalk

TWRP unable to decrypt data

I have an unlocked bootloader and custom rooted rom. I was going to re-flash it since my battery life has not been great. I booted to recovery but am unable to decrypt /data with my boot up password. It does work after boot, however.
Only thing recently I did was change kernel with EX kernel manager. I am assuming this is what caused the issue. I changed back to stock kernel but still not able to decrypt.
I plan on wiping my phone and setting it up again with backups I made but would like to know how to prevent this in the future if possible.
Thanks
Just flash new recovery
#pnexusj# said:
Just flash new recovery
Yea, just saw that. Thanks!

[ROOT] SuperSU 2.74-2 With ForceEncrypt Set to Default

Update (May 20): Update to latest version 2.74-2
All versions after SuperSU 2.72 have force encrypt support built in. However, it will still disable force encryption by default; you have to set flags manually.
I only modified the default value of the force encrypt flag in the flashing script, so no need to worry that this might break things
If your OCD forces you to use the official version, please look here for instructions to set the flag manually by yourself.
Hi, many people have their hands on the HTC 10, and you may have found out that if you wipe data after rooting with SuperSU, your signal will be broken.
This is caused by the fact that by default, SuperSU's flashing script will change the data encryption flag from "forceencrypt" to "encryptable". If you wiped data after the flag is set to "encryptable", your data partition will be decrypted. In many cases, decrypted data is good, but on the HTC 10, for some unknown reason the signal will break with data decrypted.
More info here:
[PSA][MUST SEE] New HTC Policy : Things You Should Know Before Unlocking Bootloader
This issue has caught more attention after an S-OFF method is available. You're required to have root and wipe data after gaining S-OFF. The developer of the S-OFF tool has created a tutorial for this particular problem, you can find it here:
[Guide] Root (Optionally s-off) and Keep your radio working
I slightly modified the SuperSU flashing script, so now it won't change the encryption flag.
This zip will remain useful until we find a way to decrypt our data partition with working signal.
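How the flags named in this thread appear in an fstab, as an added example that is not part of any post and is not SuperSU's or any kernel's code: a small Python audit that reads the fs_mgr flags column and reports whether /data encryption is forced (forceencrypt), only allowed (encryptable), and whether any partition still carries verify. It serves both the fstab.marlin/fstab.recovery post earlier on the page and the forceencrypt/encryptable post above; the sample fstab text and device paths are constructed, and the five-column layout for both files is an assumption.

```python
"""Audit Android fstab files for the encryption and verity flags discussed above."""

# fs_mgr flags that make encryption of a partition mandatory on first boot.
# forcefdeorfbe and fileencryption are real fs_mgr flags not named on the page.
FORCING = ("forceencrypt", "forcefdeorfbe", "fileencryption")
# Flag that only allows encryption; the user has to enable it.
OPTIONAL = ("encryptable",)

# Constructed sample inputs (not taken from any real device image).
STOCK = """\
# <src>                      <mnt>    <type> <mnt_flags>            <fs_mgr_flags>
/dev/block/by-name/system    /system  ext4   ro,barrier=1           wait,verify
/dev/block/by-name/userdata  /data    ext4   noatime,nosuid,nodev   wait,check,forceencrypt=footer
"""
PATCHED = STOCK.replace("wait,verify", "wait").replace("forceencrypt=", "encryptable=")


def parse_fstab(text):
    """Return {mount_point: {flag: value}} for each 5-column fstab entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # no fs_mgr flags column, nothing to audit
        flags = {}
        for item in fields[4].split(","):
            name, _, value = item.partition("=")
            flags[name] = value
        table[fields[1]] = flags
    return table


def encryption_policy(flags):
    """Classify one entry's flags as 'forced', 'optional' or 'none'."""
    if any(name in flags for name in FORCING):
        return "forced"
    if any(name in flags for name in OPTIONAL):
        return "optional"
    return "none"


def audit(fstabs, mount="/data"):
    """fstabs maps file name -> fstab text; returns (report, findings)."""
    report, findings = {}, []
    for name, text in sorted(fstabs.items()):
        table = parse_fstab(text)
        policy = encryption_policy(table[mount]) if mount in table else "missing"
        verified = sorted(m for m, flags in table.items() if "verify" in flags)
        report[name] = {"policy": policy, "verified": verified}
        if policy != "forced":
            findings.append(f"{name}: {mount} encryption is not enforced ({policy})")
        if not verified:
            findings.append(f"{name}: no partition carries the verify flag")
    policies = {entry["policy"] for entry in report.values()}
    if len(policies) > 1:
        findings.append(f"{mount} policy differs between files: {sorted(policies)}")
    return report, findings


if __name__ == "__main__":
    # One fstab patched and the other left stock, so the two files disagree.
    _, problems = audit({"fstab.marlin": PATCHED, "fstab.recovery": STOCK})
    for problem in problems:
        print(problem)
```

Run against the fstabs unpacked from a boot image, an empty findings list means every file still forces encryption on /data and at least one partition is verified.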
Hi,
this works without problems, big thanks. Device is rooted now.
regards
starbase64
Big thanks. I wish I would have had this yesterday afternoon!
Now I just need to get a stock 1.21.617.3 image to start again with my US unlocked. If anyone has it, please let me know.
Is there a way to manually change the flag back to forceencrypt?
MNoisy said:
Big thanks. I wish I would have had this yesterday afternoon!
Now I just need to get a stock 1.21.617.3 image to start again with my US unlocked. If anyone has it, please let me know.
Is there a way to manually change the flag back to forceencrypt?
I have TWRP images for system_image and boot if you need them to fix broken signal as per @jcase. We're both 1.21.617.3
datafoo said:
I have TWRP images for system_image and boot if you need them to fix broken signal as per @jcase. We're both 1.21.617.3
Yes yes yes please! THANK YOU!
Where can I find them?
Nice buddy, will update the method used in my build, makes life a lot easier.
I had considered making similar modifications but you appear to have beaten me to it
topjohnwu said:
Hi, many people have their hands on the HTC 10, and you may have found out that if you wipe data after rooting with SuperSU, your signal will be broken.
This is caused by the fact that by default, SuperSU's flashing script will change the data encryption flag from "forceencrypt" to "encryptable". If you wiped data after the flag is set to "encryptable", your data partition will be decrypted. In many cases, decrypted data is good, but on the HTC 10, for some unknown reason the signal will break with data decrypted.
More info here:
[PSA][MUST SEE] New HTC Policy : Things You Should Know Before Unlocking Bootloader
This issue has caught more attention after an S-OFF method is available. You're required to have root and wipe data after gaining S-OFF. The developer of the S-OFF tool has created a tutorial for this particular problem, you can find it here:
[Guide] Root (Optionally s-off) and Keep your radio working
Here I come up with a more elegant solution. I slightly modified the SuperSU flashing script, so now it won't change the encryption flag, and also won't remove dm-verity.
NOTE: If your boot image is already modified, it will not reset the flag back to forceencrypt. You have to restore to the stock boot image, then flash this zip. The way I accomplished this is reverting a few modifications from the previous ramdisk, so the ramdisk itself has to be stock.
Devs can include this zip into their rom, so users can wipe their whole data with your rom installed.
This zip will be useful until we find a way to decrypt our data partition with working signal.
I would NOT use this zip to root the HTC 10, you really need to remove verity, this is going to cause many many many issues, it's going to softbrick a huge number of phones, anything from a lot of root apps, to restoring a twrp backup is going to trip dm-verity
SuperSU v2.72 has all of this built in via KEEPVERITY and KEEPFORCEENCRYPT flags. It's not publicly released yet but will be within a few days.
Chainfire said:
SuperSU v2.72 has all of this built in via KEEPVERITY and KEEPFORCEENCRYPT flags. It's not publicly released yet but will be within a few days.
Out of curiosity, where will we put those flags? /data/.supersu isn't an option, because /data is encrypted and unmountable, and /system/.supersu isn't an option if /system is read-only and we want to preserve dm-verity.
jcase said:
I would NOT use this zip to root the HTC 10, you really need to remove verity, this is going to cause many many many issues, it's going to softbrick a huge number of phones, anything from a lot of root apps, to restoring a twrp backup is going to trip dm-verity
My system is modified, but everything is working fine. I'm using this without a problem so I shared it.
Is it because my device is S-OFF? If this is the case, then I'll remove the link. Thanks for the kind reminder.
topjohnwu said:
My system is modified, but everything is working fine. I'm using this without a problem so I shared it.
Is it because my device is S-OFF? If this is the case, then I'll remove the link. Thanks for the kind reminder.
I'd have to look at the zip and test to see why. It could be that your particular firmware isn't actually enforcing dm-verity (I believe google mandates this on 6.0+), that HTC disables enforcing when s-off or the zip isn't properly enforcing verity.
Best advice is not to enforce verity on system if you are rooted.
What should (and did for my phone) happen if you have dm-verity enabled on system and a modified system is the phone shouldn't successfully boot.
Captain_Throwback said:
Out of curiosity, where will we put those flags? /data/.supersu isn't an option, because /data is encrypted and unmountable, and /system/.supersu isn't an option if /system is read-only and we want to preserve dm-verity.
I've added /cache/.supersu as location specifically for those devices with a TWRP that can't read encrypted /data.
Still, you can echo to /data/.supersu even if /data isn't mounted and that'll still work. It just will not persist between boots.
Custom ROM devs should put it in /system/.supersu, though, or set the variable in shell and export that variable (important!) before running the SuperSU ZIP.
Chainfire said:
I've added /cache/.supersu as location specifically for those devices with a TWRP that can't read encrypted /data.
Still, you can echo to /data/.supersu even if /data isn't mounted and that'll still work. It just will not persist between boots.
Custom ROM devs should put it in /system/.supersu, though, or set the variable in shell and export that variable (important!) before running the SuperSU ZIP.
Will that cause complications for users who wipe cache often?
Sorry everyone, didn't think much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
topjohnwu said:
Sorry everyone, didn't think much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
Will have a bash tonight mate
topjohnwu said:
Sorry everyone, didn't think much about the dm_verity.
Re-uploaded one with dm_verity removed.
Everyone should re-flash this zip if you've used the old one, thanks a lot.
@LeeDroid, could you please test if this works on your rom?
still no go on boot
LeeDroid said:
still no go on boot
Yeah... Just tested myself and it won't boot.
It's weird though, it can boot on my modified system
I might need more investigation, or just wait for Chainfire to release the new update.
Is it OK to use SYSTEMLESS with your current build?
Thanks
ah, perhaps encountered a blarf
you wanna stick with blarp ... he's much nicer
topjohnwu said:
Yeah... Just tested myself and it won't boot.
It's weird though, it can boot on my modified system
I might need more investigation, or just wait for Chainfire to release the new update.
Ahh, I know why.
I cannot separate the forceencrypt flag patch and verify flag by modifying the script.
We have to wait for Chainfire to release the new version, or we have to manually modify the boot image.

disable the encryption on stock rom 7.1.1

Hi, I unlocked and rooted my Nexus 5X with stock ROM 7.1.1.
I tried to disable the encryption of files by formatting the data partition, but if you check in the SECURITY settings, the phone is always encrypted.
What am I doing wrong? Thank you.
Decrypt Question
Are you flashing SuperSU to patch the kernel to remove forced encryption or flashing a custom kernel to remove it? If not, the stock kernel will re-encrypt upon boot.
I think that is normal, mine also shows encrypted currently with a stock kernel. Only time I need to decrypt is in TWRP, and instead of a password, I'm using a pattern.
TypNguy said:
I think that is normal, mine also shows encrypted currently with a stock kernel. Only time I need to decrypt is in TWRP, and instead of a password, I'm using a pattern.
That's probably not the kind of decryption he was looking for.
The correct answer has been given
thanks for the answers, but I still have the same problem.
I rooted, I installed the latest TWRP recovery, as well installed nexus ...
Then I formatted the DATA partition.
Start the well nexus (latest version) and under the heading Safety, the phone is still encrypted!
Is the kernel of Pure Nexus stock?
