Android Device Encryption
Finally, Android 3 introduced the Device Encryption feature which is implemented ineffectually: The device PIN is linked to the encryption password:
- A short pin renders the encryption useless but the device useable
- A strong password renders the device unuseable (because it needs to be entered any time the device is used!)
It is inconceivable why Google implemented the protection in such a bad, even unuseable way.
Even worse, some phones (at least the Samsung Galaxy S3 from AT&T (I747)) do not even allow PINs but require a full-blown pass phrase. Even the greatest security enthusiast won't accept entering a 10-character password everytime when the device is turned on.
Fortunately, there is a hack to decouple the PIN with the encryption password. It requires root and a terminal emulator such as ConnectBot. This text setups the device as follows:
- Use a PIN code to protect the device while it is running. I use a 4-digit PIN code
- A secure, alpha numeric passphrase for encryption (super-secure-long-password) which is resistant against brute force attacks and only needs to be entered during device boot.
Setting up encryption
First, set the Pin which should be used for the device. In my case, it was not possible to enable device encryption at all because it required an alpha numeric password. The device can be encrypted manually using the following command:
su vdc cryptfs enablecrypto inplace super-secure-long-password
Changing the PIN
It is not possible to change the PIN any more in the settings because everything except the alpha numeric password is greyed out. The solution is Tasker together with Secure Settings:
Create a task "ChangePin", add an Action "Plugin", "Secure Settings" and choose "Password/Pin" under "Dev Admin Actions" as Action. Choose "Enabled", "Pin Code" and enter the new Pin code, then run the task.
This action will also change the encryption password to the weak PIN, so proceed to the next section.
Changing the encryption password
The encryption password can be changed with the following command:
su vdc cryptfs changepw super-secure-long-password
Using a custom ROM / recovery with encryption
For whatever reason, nearly noone (and not even Android hackers) seem to use the encryption (FDE). Otherwise there is no reason why it would not work flawlessly with custom ROMs and within recovery.
With adb, /data (and /sdcard) can be mounted:
setprop ro.crypto.state encrypted vdc cryptfs checkpw 'your passphrase here' mount /dev/block/dm-0 /data
After that, nandroid backups can be performed, data can be pulled from the device etc.
CAUTION: At least in Cyanogenmod I find that Android does not accept the password in the regular boot any longer if it was mounted once this way! (but it can be mounted in recovery as often as needed).