Four Questions about OP3T Encryption - OnePlus 3 Questions & Answers

My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
I would like to modify my existing encryption settings, so I had a few questions:
1. Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
2. My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
3. I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
4. If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
Thanks,
¿GJ?

It is possible to remove encryption, but you will lose all data on the phone. You see, OxygenOS has this very annoying force encryption. It basically means that whenever you boot your phone and force encryption is on, it will automatically encrypt. What I usually do is go to Fastboot, then type "fastboot erase userdata", then I boot straight into TWRP and wipe every partition. After that I flash the ROM and encryption should be gone (no more boot password). If you have any more questions, be sure to ask.

1) It depends on the pattern/password/PIN you're using.
Android encryption is based on internal keys; do not consider it to be like dm-crypt or BitLocker, they are quite different.
2) I discourage it.
Without bootup authentication, recovery is fully accessible, anyone can access/transfer data or wipe device.
3) I've read nothing about that.
4) Encryption is upper to /data: the only way to remove it is doing fastboot format userdata via ADB.
To make decryption permanent, you have to unlock the bootloader, flash TWRP recovery, then install (at the same time) OxygenOS and Magisk.
Magisk will prevent the force encryption.
After first boot, you can remove Magisk.

Thanks, guys! Not the answers I hoped for, but good answers nonetheless.

Related

How do I change the encryption key?

Whenever I flash a new rom after a fullwipe, I still have to type in a pin to boot the phone. I think this is called "verified boot". This is also the pin I need in TWRP to decrypt data. So obviously this pin has been stored outside of data or system partitions and is used upon every new install/boot of a new rom to encrypt it immediately upon first boot.
So where is this encryption key stored and how do I delete it?
If this link helps you?
https://source.android.com/security/encryption/index.html
I have this exact problem, not sure how to resolve this issue but it seems my phone needs my pin even after wiping the phone.
I would love to fix this, if anybody has any tips that would be great, I am running a OnePlus 3 with root and twrp.
-thanks.
Go to fastboot, type fastboot format userdata. Or go to TWRP, Wipe, wipe data via the button. This should do the same. Beware that data and your internal storage will get wiped.
To disable the PIN you have to do this:
Settings > Security > Screen lock > type PIN > PIN
Then you will see Secure start-up (Require PIN to start device / No Thank you)

Magisk and encryption

I installed Resurrection Remix and I followed the process I will describe now:
I was on 8.7.5 developer.
Flash MIUI from Mi Flash Tool, just click on the option Clean All. Let it flash and boot up; after it boots, reboot to fastboot. Since you only did Clean All, it will not relock the BL.
Then flash TWRP in fastboot. Go to Wipe > Advanced > select everything (data, system, cache, dalvik, internal, vendor). And swipe right.
Now keep in mind: do not touch the format data option at all.
Now go to the reboot menu and reboot to recovery. After it boots back to recovery, transfer the ROM and other files, flash and reboot system, and you'll have a 100% encrypted device.
Flash the ROM
Flash GApps
After that process everything worked fine and the phone was encrypted. Almost instantly (5-10 secs) after I powered on the phone it asked for the password.
But I installed Magisk through TWRP, and since then it asks for the password when the phone has booted completely, and asks for the password just to unlock the lockscreen.
Inside settings it says the phone is encrypted, but my guess is that it isn't encrypted.
How can I fix that? What is wrong in the process I followed? What is the correct process?
Thank you!
I guess those steps were for LineageOS. For others, you have to format data to disable encryption.
I want to have encryption enabled.
I don't want encryption disabled.
What are you asking exactly?
If you go to
Settings - Security & Privacy - Encryption & Credentials - Under Encryption
Are you being offered the choice to encrypt the phone? If you're not, then it is already encrypted.
Is it requesting a password to boot and also to unlock the device?
If you need a password to boot, then you selected that as an option when setting up the password.
It can be removed by changing your password to swipe/none and setting up your password again.
If TWRP cannot decrypt the device, make sure you're using the latest.
Why didn't you post your query in RR thread?
I didn't post in RR because I tried AospExtended and the same thing happened.
Thank you very much for the solution you gave!! I disabled the screen lock, re-enabled it with a password, and now it asks for the password on boot and in TWRP.
Thank you again!

pin password required after reboot

Just unlocked my bootloader and flashed a ROM. Every time I reboot the phone it will ask you for a password first before it can boot.
I searched for it on Google and it said it's data encryption for new Android versions.
Is there any way to decrypt or to remove the password on every boot?
You enabled that when setting up your pin/password.
Change it back to none or swipe and setup your password again, and make sure required on boot is not selected!
You basically enabled encryption. Go into your custom recovery -> format data. I recommend flashing Magisk (so you disable forced encryption & dm verity) or you can flash lazy flasher (search for it on GitHub or Google).
If you do so your device gets formatted as well
Also, make sure to backup everything before formatting because everything will be deleted.

Device security after unlocking bootloader without encryption

Hello
About securing your device after having an unlocked bootloader. Using TWRP you can easily delete whatever lockscreen is installed by removing a few files from /data/system, the gatekeeper files and the three locksettings files.
You might as well not have a lockscreen at all if a potential phone thief has any idea what he's doing. How would you secure your device?
Encryption isn't possible on Lineage 14, and 15 still has too many bugs for me to consider using it. The only other option is staying stock and having a massively outdated Android security patch.
Are there any other security options I'm missing?
Install a stock recovery to avoid the easy deletion of files in TWRP.
But...as long as you have a LP or MM bootloader stack you can still boot a TWRP image by fastboot boot when having physical access. To avoid this you need the bootloader stack for N which is available only for h815 devices and denies fastboot boot commands. While fastboot flash is still available for flashing TWRP...
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
Even when you have encrypted your device your bootloader unlock will let a door open which can allow the modification of system files (which never gets encrypted). Means: I can place a malware in system, you will boot next time android and activate my malware after you have entered your pass for the decrypt.
So all the above can make things harder for an attacker while not impossible to break.
TLDR;
Once unlocked there is always a way to allow access. The warnings of the vendors are there for a reason
Sent from my LG-H815 using XDA Labs
Thanks! Very informative post. I think the risks of having an unlocked bootloader are acceptable if the phone's data can be encrypted.
I have tried encrypting on stock Nougat and then flashing LineageOS over it, however it resulted in the LineageOS installation not recognizing my pattern and refusing to boot past the boot prompt. Maybe deleting the keyguard files right after flashing? I will try this later.
So the next step was disabling the pattern altogether and then trying to use TWRP again, but then it asks for a password, which technically shouldn't exist since there isn't any lock on the screen.
Well, I've actually figured this one out: apparently Android defaults to "default_password". It almost seems too silly to be true, but it has to be something I guess. Will try flashing LOS later over an encrypted storage.
steadfasterX said:
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
I've actually tried this, encrypting from stock Nougat and flashing Lineage over it, except then Lineage refuses to boot, asking for a password instead. "default_password" doesn't work even though no actual password is set.
It seems to be dependent on what setting it was on stock Nougat, as it could also ask for a pattern which then won't be accepted.
I also cannot find any lockscreen or keyguard related files in /data/system after flashing stock Nougat. Are there any other options I could try? The device is decrypted in TWRP before rebooting, but afterwards the encryption activates making it no longer possible to enter the system.
Another bit of a strange/interesting thing. The only way out was to format data, thus removing encryption. I then restored a TWRP backup where encryption was enabled, deleted the lockscreen files, and upon booting the device appeared to be fully encrypted again. Is this a bug or something?

How to actually check if files are encrypted?

Hello everybody,
I started encryption on my Magisk rooted crDroid 6.13. I saw the encryption screen for maybe 15 seconds, then a black screen. I expected it to have failed, but I waited for about 30 minutes to see if anything would happen and then restarted the phone, being prepared to flash the rom again.
After restart it actually asked me for my password in the same way I would expect in any encrypted android and in the settings it claims to be encrypted. My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
Is there a way to check if my files are actually encrypted?
mxb93 said:
My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
Is there a way to check if my files are actually encrypted?
Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
So maybe, your phone was just registering that you had to enter a password to boot it up? (ie. encrypting the encryption key, not the actual data)
Is there a way for a user to tell if their Android device is encrypted or not?
There is a semi-relevant thread on SO https://stackoverflow.com/questions/12640708/check-if-android-filesystem-is-encrypted that explains how a developer would determine if full-disk encryption is
android.stackexchange.com
a1291762 said:
Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
That's exactly what I did, but after a new TWRP was released, which promised access to encrypted data, I wanted to encrypt again. So before I tried encrypting again, my data was definitely not encrypted.
I followed your link and tried those adb commands:
daisy:/ $ getprop ro.crypto.type
block
daisy:/ $ getprop ro.crypto.state
encrypted
It seems from there it's encrypted, but it's using block-mode instead of file based encryption. I would expect an android 10 rom to use file based encryption. I'm starting to think it might be better if I flash official again and then start the process of flashing crDroid etc again.
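
Added example (not part of the thread and not any poster's code): a shell helper that interprets the two properties queried above and, going one step further, the fs_mgr flags on the /data line of an fstab, which separate forced encryption (forceencrypt, forcefdeorfbe, fileencryption) from optional encryption (encryptable). The function names and the sample fstab line are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# classify_crypto STATE TYPE
#   STATE = value of ro.crypto.state, TYPE = value of ro.crypto.type
#   prints: unencrypted | fde | fbe | unknown
classify_crypto() {
    cstate=$1; ctype=$2
    case "$cstate" in
        unencrypted|unsupported) echo unencrypted; return 0 ;;
        encrypted) ;;
        *) echo unknown; return 0 ;;
    esac
    case "$ctype" in
        block) echo fde ;;      # full-disk encryption of the userdata block device
        file)  echo fbe ;;      # file-based encryption
        *)     echo unknown ;;  # encrypted, but the type is not reported
    esac
}

# userdata_policy: reads fstab text on stdin and prints how /data is configured:
#   forced | fbe | optional | none | no-userdata-entry
userdata_policy() {
    awk '
    $1 !~ /^#/ && $2 == "/data" {
        r = "none"
        n = split($5, flags, ",")
        for (i = 1; i <= n; i++) {
            split(flags[i], kv, "=")
            if (kv[1] == "forceencrypt" || kv[1] == "forcefdeorfbe") r = "forced"
            else if (kv[1] == "fileencryption") r = "fbe"
            else if (kv[1] == "encryptable") r = "optional"
        }
    }
    END { print (r == "" ? "no-userdata-entry" : r) }'
}

# Constructed sample line (fields: device, mount point, fs, mount flags, fs_mgr flags).
SAMPLE_FSTAB='/dev/block/bootdevice/by-name/userdata /data ext4 noatime,nosuid,nodev wait,check,forceencrypt=footer'

# On a device, pass the live values instead:
#   classify_crypto "$(getprop ro.crypto.state)" "$(getprop ro.crypto.type)"
echo "reported state: $(classify_crypto encrypted block)"
echo "fstab policy:   $(printf '%s\n' "$SAMPLE_FSTAB" | userdata_policy)"
```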
