Hello everybody,
I started encryption on my Magisk rooted crDroid 6.13. I saw the encryption screen for maybe 15 seconds, then a black screen. I expected it to have failed, but I waited for about 30 minutes to see if anything would happen and then restarted the phone, being prepared to flash the rom again.
After restart it actually asked me for my password in the same way I would expect in any encrypted android and in the settings it claims to be encrypted. My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
Is there a way to check if my files are actually encrypted?
mxb93 said:
My experience is, that it would need hours to fully encrypt the phone, but maybe it does it another way these days? I'm not fully convinced it actually encrypted all data.
Is there a way to check if my files are actually encrypted?
Click to expand...
Click to collapse
Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
So maybe, your phone was just registering that you had to enter a password to boot it up? (ie. encrypting the encryption key, not the actual data)
Is there a way for a user to tell if their Android device is encrypted or not?
There is a semi-relevant thread on SO https://stackoverflow.com/questions/12640708/check-if-android-filesystem-is-encrypted that explains how a developer would determine if full-disk encryption is
android.stackexchange.com
a1291762 said:
Unless you flashed an encryption disabler, the userdata partition is always encrypted, even if you have no password/etc.
Click to expand...
Click to collapse
That's exactly what i did, but after a new TWRP was released, which promised access to encrypted data, I wanted to encrypt again. So before I tried encrypting again, my data was definitly not encrypted.
I followed your link and tried those adb command:
daisy:/ $ getprop ro.crypto.type
block
daisy:/ $ getprop ro.crypto.state
encrypted
It seems from there it's encrypted, but it's using block-mode instead of file based encryption. I would expect an android 10 rom to use file based encryption. I'm starting to think it might be better if I flash official again and then start the process of flashing crDroid etc again.
Related
Hello,
I hope someone will be able to help with this, although it is very much a case of user error! I upgraded my G3 to Marshmallow using the steps detailed here:
http://forum.xda-developers.com/lg-g3/development/stock-d855-30b-images-kdz-flashables-t3282012
It all worked perfectly until I decided to encrypt the handset. The encryption process worked as expected, but as I always did on previous Android versions, I used the CryptFS Password app to change the encryption password. The app advised that it was unable to change the password and that I should run the command via shell, which I did and it seemed to work. The problem is, I changed it to an alphanumeric password and my lock screen is just a numeric PIN, so upon reboot it prompts me to enter the password to decrypt but only allows me to enter numbers.
So, I kicked myself for not changing the lockscreen from PIN to password before rebooting, but figured I could just wipe/reflash and start again. However, when I reflash, I still get prompted for the encryption password at boot. So I figured I'd just enter the password wrong 30 times and factory reset the device that way, except that doesn't work either. It says it's going to reset, reboots to recovery (TWRP 2.8.7.0) and says it has reset, but then boots back to the encryption screen again (which now advises that I am -5 of 30 attempts!!).
Flashing CM13 or 12 works fine. I have settled on CM12 at the moment because it seems to be a bit more stable, but I'd ideally like to get back to stock Marshmallow. Is this possible?
I have tried wiping all partitions and data from within TWRP, and formatting partitions, all to no avail.
Is there any way I can reinstall stock Marshmallow?
Trying flashing marshmellow KDZ and it should reset everything
Let me know how things go
TTib said:
Hello,
I hope someone will be able to help with this, although it is very much a case of user error! I upgraded my G3 to Marshmallow using the steps detailed here:
http://forum.xda-developers.com/lg-g3/development/stock-d855-30b-images-kdz-flashables-t3282012
It all worked perfectly until I decided to encrypt the handset. The encryption process worked as expected, but as I always did on previous Android versions, I used the CryptFS Password app to change the encryption password. The app advised that it was unable to change the password and that I should run the command via shell, which I did and it seemed to work. The problem is, I changed it to an alphanumeric password and my lock screen is just a numeric PIN, so upon reboot it prompts me to enter the password to decrypt but only allows me to enter numbers.
So, I kicked myself for not changing the lockscreen from PIN to password before rebooting, but figured I could just wipe/reflash and start again. However, when I reflash, I still get prompted for the encryption password at boot. So I figured I'd just enter the password wrong 30 times and factory reset the device that way, except that doesn't work either. It says it's going to reset, reboots to recovery (TWRP 2.8.7.0) and says it has reset, but then boots back to the encryption screen again (which now advises that I am -5 of 30 attempts!!).
Flashing CM13 or 12 works fine. I have settled on CM12 at the moment because it seems to be a bit more stable, but I'd ideally like to get back to stock Marshmallow. Is this possible?
I have tried wiping all partitions and data from within TWRP, and formatting partitions, all to no avail.
Is there any way I can reinstall stock Marshmallow?
Click to expand...
Click to collapse
try booting into twrp, go into command terminal, manually format data partition using command line, then reflash cm12 and wipe cache and dalvik (you may not need to reflash it but why not if you are going back to mm)
if your partitions are the same as mine this is the command you want to run.
mke2fs -T ext4 /dev/block/mmcblk0p44
make sure you don't format the wrong partition check that your variant has the same partition (grab an app called diskinfo and click on data partition then alter the last parameter to w/e ur data partition is)
mmcblk0p44 is the paramater you want to change if yours isn't identical. this should reset encryption as data is the partition that gets encrypted.
after all of this use a guide to install marshmallow (kdz or something)
(when i encrypted my data partition twrp could no longer mount the partition to format it, but if you use command land format it formats the partition without mounting it.)
i'm assuming this is your issue as well.
KronicSkillz said:
try booting into twrp, go into command terminal, manually format data partition using command line, then reflash cm12 and wipe cache and dalvik (you may not need to reflash it but why not if you are going back to mm)
if your partitions are the same as mine this is the command you want to run.
mke2fs -T ext4 /dev/block/mmcblk0p44
make sure you don't format the wrong partition check that your variant has the same partition (grab an app called diskinfo and click on data partition then alter the last parameter to w/e ur data partition is)
mmcblk0p44 is the paramater you want to change if yours isn't identical. this should reset encryption as data is the partition that gets encrypted.
after all of this use a guide to install marshmallow (kdz or something)
(when i encrypted my data partition twrp could no longer mount the partition to format it, but if you use command land format it formats the partition without mounting it.)
i'm assuming this is your issue as well.
Click to expand...
Click to collapse
Hi, thanks for the advice, I gave it a try last night. My /data partition was named /dev/block/mmcblk0p43 according to DiskInfo, so I made sure the partition was unmounted in TWRP and formatted it via the terminal following your instructions and then reflashed the MM zip from the original link and... still encrypted.
I haven't tried flashing the kdz yet, as I use Linux and I don't believe there is a way to flash kdz files using *nix. I'll have to wait until the weekend and I'll try and do it via a VM.
I don't understand how this encrypted partition is still even there. I have CM12 installed and working, it's showing the full amount of disk space available, I've done multiple wipes, formats and resets, yet the minute I put MM on it, the phone thinks it's encrypted again.
I do actually know the encryption key, is there any way I can unlock the phone via ADB or something similar?
Not sure if it's relevant, but my phone model is D855. I don't think I mentioned that before.
Thanks for the help, I really appreciate it!
TTib said:
Hi, thanks for the advice, I gave it a try last night. My /data partition was named /dev/block/mmcblk0p43 according to DiskInfo, so I made sure the partition was unmounted in TWRP and formatted it via the terminal following your instructions and then reflashed the MM zip from the original link and... still encrypted.
I haven't tried flashing the kdz yet, as I use Linux and I don't believe there is a way to flash kdz files using *nix. I'll have to wait until the weekend and I'll try and do it via a VM.
I don't understand how this encrypted partition is still even there. I have CM12 installed and working, it's showing the full amount of disk space available, I've done multiple wipes, formats and resets, yet the minute I put MM on it, the phone thinks it's encrypted again.
I do actually know the encryption key, is there any way I can unlock the phone via ADB or something similar?
Not sure if it's relevant, but my phone model is D855. I don't think I mentioned that before.
Thanks for the help, I really appreciate it!
Click to expand...
Click to collapse
very strange when i did that it got rid of my encrypted partition... i'm not sure what else to say except maybe see if someone will lend you a windows pc to do kdz flash.
KronicSkillz said:
very strange when i did that it got rid of my encrypted partition... i'm not sure what else to say except maybe see if someone will lend you a windows pc to do kdz flash.
Click to expand...
Click to collapse
I flashed the kdz via LGUP and... now the phone won't boot to anything except TWRP. Have tried restoring two previous nandroid backups, installing CM12 and MM, all install without reporting errors. LGUP detects it as an unknown device, so can't flash kdz again. Might have bricked this one. :crying:
Phew. Okay, solved! I followed the following guide to flash an old version of the stock firmware: http://www.androidrootz.com/2014/07/how-to-unroot-lg-g3-all-variants.html.
Then, I upgraded, rooted, flash TWRP and finally installed MM again and it seems to be back to normal ("Android is starting" screen as we speak. Fingers crossed!). Thanks to everyone who helped me out with this one!
Whenever I flash a new rom after a fullwipe, I still have to type in a pin to boot the phone. I think this is called "verified boot". This is also the pin I need in TWRP to decrypt data. So obviously this pin has been stored outside of data or system partitions and is used upon every new install/boot of a new rom to encrypt it immediately upon first boot.
So where is this encryption key stored and how do I delete it?
Lownita said:
Whenever I flash a new rom after a fullwipe, I still have to type in a pin to boot the phone. I think this is called "verified boot". This is also the pin I need in TWRP to decrypt data. So obviously this pin has been stored outside of data or system partitions and is used upon every new install/boot of a new rom to encrypt it immediately upon first boot.
So where is this encryption key stored and how do I delete it?
Click to expand...
Click to collapse
If this link helps you ?
https://source.android.com/security/encryption/index.html
I have this exact problem, not sure how to resolve this issue but it seems my phone needs my pin even after wiping the phone.
I would love to fix this, if anybody has any tips that would be great, I am running a OnePlus 3 with root and twrp.
-thanks.
DonaldKerabatsos said:
I have this exact problem, not sure how to resolve this issue but it seems my phone needs my pin even after wiping the phone.
I would love to fix this, if anybody has any tips that would be great, I am running a OnePlus 3 with root and twrp.
-thanks.
Click to expand...
Click to collapse
Go to fastboot, type fastboot format userdata. Or go to twrp, wipe, wipe data via the button. This should do the same. Beware that data and your internal storage will get wiped.
to disable the pin you have to do this:
setting>security>screen lock> type PIN> PIN
then you will see Secure start-up ( Require PIN to start device/ No Thank you)
My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
I would like to modify my existing encryption settings, so I had a few questions:
Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
Thanks,
¿GJ?
¿GotJazz? said:
My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
I would like to modify my existing encryption settings, so I had a few questions:
Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
Thanks,
¿GJ?
Click to expand...
Click to collapse
It is possible to remove encryption but you will lose all data on the phone. You see OxygenOS has this very annoying force encryption. It basically means whenever you boot you phone and force encryption is on it will automatically encrypt. What I usually do is go to Fastboot then type "fastboot erase userdata" then I boot straight into TWRP and wipe every partition. After that I flash the rom and encryption should be gone (no more boot password).. If you have any more questions be sure to ask.
¿GotJazz? said:
My work required that I encrypt my OP3T. I don't use my OP3T for work anymore.
I have read that it isn't possible to remove the encryption (If this isn't true, please let me know).
I would like to modify my existing encryption settings, so I had a few questions:
Can I change my current "strong" encryption password to a different password? It would be easier if my wife needs to get into it.
My OP3T is currently configured to require a password entry every time after rebooting. Can I turn this off?
I remember reading somewhere that I need to remove all fingerprint patterns before backing up the OP3T or I wouldn't be able to restore properly (which I always did before I encrypted my phone). Do I still need to do that before I backup my encrypted OP3T?
If I do a TWRP backup and then a wipe/restore (after entering the current password), can I remove the encryption, or will my phone still be encrypted?
Thanks,
¿GJ?
Click to expand...
Click to collapse
1) It depends by the pattern/password/PIN you're using.
Android encryption is based on internal keys, do not consider it like Dm-crypt or BitLocker, they are quite different.
2) I discourage it.
Without bootup authentication, recovery is fully accessible, anyone can access/transfer data or wipe device.
3) I've read nothing about that.
4) Encryption is upper to /data: the only way to remove it is doing fastboot format userdata via ADB.
To make decryption permanent, you've to unlock bootloader, flash TWRP recovery, then install (at the same time) OxygenOS and Magisk.
Magisk will prevent the force encryption.
After first boot, you can remove Magisk.
Thanks, guys! Not the answers I hoped for, but good answers nonetheless.
Hello
About securing your device after having an unlocked bootloader. Using TWRP you can easily delete whatever lockscreen is installed by removing a few files from /data/system, the gatekeeper files and the three locksettings files.
You might as well not have a lockscreen at all if a potential phone thief has any idea what he's doing. How would you secure your device?
Encryption isn't possible on Lineage 14, and 15 still has too many bugs for me to consider using it. The only other option is staying stock and having a massively outdated Android security patch.
Are there any other security options I'm missing?
a tiny ant said:
Hello
About securing your device after having an unlocked bootloader. Using TWRP you can easily delete whatever lockscreen is installed by removing a few files from /data/system, the gatekeeper files and the three locksettings files.
You might as well not have a lockscreen at all if a potential phone thief has any idea what he's doing. How would you secure your device?
Encryption isn't possible on Lineage 14, and 15 still has too many bugs for me to consider using it. The only other option is staying stock and having a massively outdated Android security patch.
Are there any other security options I'm missing?
Click to expand...
Click to collapse
Install a stock recovery to avoid the easy deletion of files in TWRP.
But...as long as you have a LP or MM bootloader stack you can still boot a TWRP image by fastboot boot when having physical access. To avoid this you need the bootloader stack for N which is available only for h815 devices and denies fastboot boot commands. While fastboot flash is still available for flashing TWRP...
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
Even when you have encrypted your device your bootloader unlock will let a door open which can allow the modification of system files (which never gets encrypted). Means: I can place a malware in system, you will boot next time android and activate my malware after you have entered your pass for the decrypt.
So all the above can make things harder for an attacker while not impossible to break.
TLDR;
Once unlocked there is always a way to allow access. The warnings of the vendors are there for a reason
Sent from my LG-H815 using XDA Labs
steadfasterX said:
Install a stock recovery to avoid the easy deletion of files in TWRP.
But...as long as you have a LP or MM bootloader stack you can still boot a TWRP image by fastboot boot when having physical access. To avoid this you need the bootloader stack for N which is available only for h815 devices and denies fastboot boot commands. While fastboot flash is still available for flashing TWRP...
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
Even when you have encrypted your device your bootloader unlock will let a door open which can allow the modification of system files (which never gets encrypted). Means: I can place a malware in system, you will boot next time android and activate my malware after you have entered your pass for the decrypt.
So all the above can make things harder for an attacker while not impossible to break.
TLDR;
Once unlocked there is always a way to allow access. The warnings of the vendors are there for a reason
Sent from my LG-H815 using XDA Labs
Click to expand...
Click to collapse
Thanks! Very informative post. I think the risks of having an unlocked bootloader are acceptable if the phones' data can be encrypted.
I have tried encrypting on stock Nougat and then flashing LineageOS over it, however it resulted in the LineageOS installation not recognizing my pattern and refusing to boot past the boot prompt. Maybe deleting the keyguard files right after flashing? I will try this later.
So the next step was disabling the pattern altogether and then trying to use TWRP again, but then it asks for a password, which technically shouldn't exist since there isn't any lock on the screen.
**Well I've actually figured this one out, apparently Android defaults to "default_password". It almost seems too silly to be true but it has to be something I guess. Will try flashing LOS later over an encrypted storage.
steadfasterX said:
Another option:
Install any ROM which has working encryption. Encrypt the device.
Flash the ROM of your choice over it. The issue we had in 14.1 was about enabling(!) encryption. The decrypt of a previous one worked fine. Just ensure that you do not use format data as that would remove encryption.
Click to expand...
Click to collapse
I've actually tried this, encrypting from stock Nougat and flashing Lineage over it, except then Lineage refuses to boot, asking for a password instead. "default_password" doesn't work even though no actual password is set.
It seems to be dependant on what setting it was on stock nougat, as it could also ask for a pattern which then won't be accepted.
I also cannot find any lockscreen or keyguard related files in /data/system after flashing stock Nougat. Are there any other options I could try? The device is decrypted in TWRP before rebooting, but afterwards the encryption activates making it no longer possible to enter the system.
Another bit of a strange/interesting thing. The only way out was to format data, thus removing encryption. I then restore a TWRP backup where encryption was enabled, deleted the lockscreen files and upon booting the device appeared to be fully encrypted again. Is this a bug or something?
Sadly my phone is corrupt and cant start anymore ... I want to use Newsflasher to rescue my Phone.
Before I want to use TWRP to make a backup. But I cannot enter TWRP.
As far as I understood TWRP cannot be installed on XZ2 compact, but it can be temporarily flashed (as I of course did to get my LineageOS Android 11).
But now when I flash it TWRP asks for a Password.
I just have my regular Screen Unlock Password - but if I type it in it tells me PASSWORD FAILED.
How can that be? Which other Password could it be? I dont know any ...
Obviously I would just remove the screen lock in Android. But it's corrupt x(
I want to do this before I have to do the wipe with Newflasher
If I ignore data encryption then it tells me when booting system that I have no OS installed ...
So then I will never be able to get my data back because encryption with password is still active and I cannot boot to turn it off?
And TWRP is bugged so it does not accept my real password? (How can that be omg ...)
Nothing can done now u have to flash flash a fastboot rom on your device without backup
That is
the_arxyn said:
Nothing can done now u have to flash flash a fastboot rom on your device without backup
Click to expand...
Click to collapse
That is what I was already thinking but yes let it be :/
I will use the old file that I used 2 years ago and also worked when I had to do the same.
For a strange reason it does not work when executing in the original created folder (by Xperifirm), but only if I push it on a external Hard Drive?
Otherwise it will tell FINISHED but it just took 3 seconds, which it will also do if it is played in any other folder ...
Anyways it asked me for a weird reason if I want to keep my userdata. I was thinking that there is no way to install a new OS but still keep the old data. I did it but then at the end of the Flashing it told the Sync did not work. I still booted up and it tells that it cant load the Android. So I dont know if this happened because I either left the user data intact or because that sync at the end did not work.
I'm just now scared to erase it when trying again, just in case that indeed I could safe my data.
So what is the story behind that *Erase User data Y / N*. Can I indeed keep my files this way?