Android Device Encryption
Finally, Android 3 introduced the Device Encryption feature which is implemented ineffectually: The device PIN is linked to the encryption password:
- A short pin renders the encryption useless but the device useable
- A strong password renders the device unuseable (because it needs to be entered any time the device is used!)
It is inconceivable why Google implemented the protection in such a bad, even unuseable way.
Even worse, some phones (at least the Samsung Galaxy S3 from AT&T (I747)) do not even allow PINs but require a full-blown pass phrase. Even the greatest security enthusiast won't accept entering a 10-character password everytime when the device is turned on.
Fortunately, there is a hack to decouple the PIN with the encryption password. It requires root and a terminal emulator such as ConnectBot. This text setups the device as follows:
- Use a PIN code to protect the device while it is running. I use a 4-digit PIN code
- A secure, alpha numeric passphrase for encryption (super-secure-long-password) which is resistant against brute force attacks and only needs to be entered during device boot.
Setting up encryption
First, set the Pin which should be used for the device. In my case, it was not possible to enable device encryption at all because it required an alpha numeric password. The device can be encrypted manually using the following command:
su vdc cryptfs enablecrypto inplace super-secure-long-password
Changing the PIN
It is not possible to change the PIN any more in the settings because everything except the alpha numeric password is greyed out. The solution is Tasker together with Secure Settings:
Create a task "ChangePin", add an Action "Plugin", "Secure Settings" and choose "Password/Pin" under "Dev Admin Actions" as Action. Choose "Enabled", "Pin Code" and enter the new Pin code, then run the task.
This action will also change the encryption password to the weak PIN, so proceed to the next section.
Changing the encryption password
The encryption password can be changed with the following command:
su vdc cryptfs changepw super-secure-long-password
Using a custom ROM / recovery with encryption
For whatever reason, nearly noone (and not even Android hackers) seem to use the encryption (FDE). Otherwise there is no reason why it would not work flawlessly with custom ROMs and within recovery.
With adb, /data (and /sdcard) can be mounted:
setprop ro.crypto.state encrypted vdc cryptfs checkpw 'your passphrase here' mount /dev/block/dm-0 /data
After that, nandroid backups can be performed, data can be pulled from the device etc.
CAUTION: At least in Cyanogenmod I find that Android does not accept the password in the regular boot any longer if it was mounted once this way! (but it can be mounted in recovery as often as needed).
UPDATE: YEAH, TWRP2 supports encryption! :-) http://teamw.in/project/twrp2
UPDATE 2: Unfortunately TWRP2 is not that reliable. I again faced the problem that twrp2 (188.8.131.52) did not accept the encryption password I set before, but it was accepted by Android 4.3 (d2att/I747 stock firmware)
M0rt15 meinte …
<comment date="2014-02-21T06:05:40Z" name="M0rt15"> I keep getting errors on running /system/bin/setprop, any ideas what it means?
CANNOT LINK EXECUTABLE: cannot locate symbol "__strlen_chk" referenced by "/system/bin/setprop" </comment>
Niki meinte …
<comment date="2014-02-21T06:08:24Z" name="Niki"> Maybe your ld is not set up properly or so (e.g. missing environment variables).
As stated in my update, I would STRONGLY urge you to take TWRP2!
Ninety-9 meinte …
<comment date="2014-12-01T19:54:46Z" name="Ninety-9"> Worked Perfect! Galaxy S4 Kitkat.
I had already encrypted the device earlier and I was sick of the fact that I either needed a super-short startup password, or a super-long screen wake password.
With the device already encrypted before I read your post, I used Tasker and SS to set the new pin, and yes, it changed both the unlock and encryption code simultaneously. Then I ran the SU code within the Terminal Emulator and voila, I was able to change the encryption password without modifying the unlock pin.
Very happy with your method. Others suggested using python code and other overly complicated methods. I guess it helps that I already had SU, Tasker, Secure Settings, and Terminal Emulator installed, by coincidence, really. </comment>
Ninety-9 meinte …
<comment date="2014-12-02T18:44:29Z" name="Ninety-9"> OH, I DO HAVE A WARNING!!! DO NOT EXCEED 16 CHARACTERS!!!!
"vdc cryptfs changepw" will gladly accept as many characters as you wish to enter. And why not? If I only have to enter this password on boot up, let's make it 20 or more!
Well, turns out that when you go to reboot your phone, Android only allows you enter a string of 16 characters. It would seem that my encryption is tied to a 17-character string and the phone is limited to a text box which only allows 16. I will probably have to Factory Reset. </comment>
Niki meinte …
<comment date="2014-12-02T19:06:42Z" name="Niki"> Ninety-9, thanks for this info! </comment>