Android 3+ has a nice feature -- device encryption. You can encrypt the contents of your device with a password, and after that this password must be entered during device boot, otherwise the data is permanently lost.
The bad thing is that this password is set to the screen lock PIN / password. So you either set a short password or PIN, that you can enter quickly each time you unlock your phone from sleep (but this provides weak encryption), or set a long password and have to type it 20-30 times during the day.
This stupid behavior may be fixed easily. Android provides a command-line tool called 'vdc', an interface to the Android Volume Manager. As written in "Notes on the implementation of encryption in Android 3.0" [1], it has a command, 'cryptfs changepw', that allows changing the encryption password. Of course this command must be executed as root.
vdc has some other commands related to encryption; one of them is 'cryptfs verifypw', which validates the supplied password.
I'm currently writing an application that will assist the user with changing the encryption password. This is my first public application for Android. You can find the source code on GitHub [2]. It is very simple, but maybe Android gurus here can find what to make better.
Comments and pull requests are welcome.
Thanks!
[1] http://source.android.com/tech/encryption/android_crypto_implementation.html
[2] https://github.com/kibab/encpasschanger
Updated 30.06.2012: Added APK file!
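The verify-then-change sequence from the post above, as an added shell example that is not part of the thread or the EncPassChanger source. It assumes vdc replies with a line like "200 0 0" (status 200, last field the return code, 0 meaning success); VDC_CMD and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the EncPassChanger source). Run as root on the device.
# Assumption: vdc answers with one line such as "200 0 0": 200 = command
# accepted, last field = cryptfs return code (0 = success).

# Hypothetical override so the logic can be exercised off-device with a stub.
VDC_CMD="${VDC_CMD:-vdc}"

# Succeed only if a vdc reply has status 200 and return code 0.
vdc_ok() {
    reply=$1
    status=${reply%% *}   # first space-separated field
    rc=${reply##* }       # last space-separated field
    case "$reply" in *" "*) ;; *) return 1 ;; esac   # need at least two fields
    [ "$status" = "200" ] && [ "$rc" = "0" ]
}

# Send one cryptfs subcommand and print the last line of the reply.
vdc_cryptfs() {
    $VDC_CMD cryptfs "$1" "$2" 2>/dev/null | tr -d '\r' | tail -n 1
}

# change_fde_password OLD NEW CONFIRM
# Return codes: 0 changed, 2 bad input, 3 OLD rejected, 4 change failed,
#               5 NEW does not verify afterwards.
change_fde_password() {
    old=$1; new=$2; confirm=$3
    if [ -z "$new" ] || [ "$new" != "$confirm" ]; then
        echo "new password empty or confirmation mismatch" >&2
        return 2
    fi
    # 1. Prove knowledge of the current password before touching anything.
    vdc_ok "$(vdc_cryptfs verifypw "$old")" || {
        echo "current encryption password rejected" >&2; return 3; }
    # 2. Ask vold to protect the disk key with the new password.
    vdc_ok "$(vdc_cryptfs changepw "$new")" || {
        echo "changepw failed" >&2; return 4; }
    # 3. Check the new password now, before the next boot depends on it.
    vdc_ok "$(vdc_cryptfs verifypw "$new")" || {
        echo "new password does not verify: do not reboot yet" >&2; return 5; }
    echo "encryption password changed; screen-lock PIN is untouched"
}
```

vdc takes the password as a command-line argument, so it is visible in the process list while the command runs.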
Kibab said:
Android 3+ has a nice feature -- device encryption. You can encrypt the contents of your device with a password, and after that this password must be entered during device boot, otherwise the data is permanently lost.
The bad thing is that this password is set to the screen lock PIN / password. So you either set a short password or PIN, that you can enter quickly each time you unlock your phone from sleep (but this provides weak encryption), or set a long password and have to type it 20-30 times during the day.
This stupid behavior may be fixed easily. Android provides a command-line tool called 'vdc', an interface to the Android Volume Manager. As written in "Notes on the implementation of encryption in Android 3.0" [1], it has a command, 'cryptfs changepw', that allows changing the encryption password. Of course this command must be executed as root.
vdc has some other commands related to encryption; one of them is 'cryptfs verifypw', which validates the supplied password.
I'm currently writing an application that will assist the user with changing the encryption password. This is my first public application for Android. You can find the source code on GitHub [2]. It is very simple, but maybe Android gurus here can find what to make better.
Comments and pull requests are welcome.
Thanks!
[1] http://source.android.com/tech/encryption/android_crypto_implementation.html
[2] https://github.com/kibab/encpasschanger
Sorry, I'm a noob
What will change visually?
Or screenshot?
Sent from my LT26i using XDA Premium HD app
Thank you for this. I wanted a more simple password for the unlock, but a longer more complicated password for the decryption. You should put it on the market and charge $.99USD (or equivalent in your currency) as it's quite useful. I'd buy it
Thank you!
Actually I have registered myself as Google Play Developer, now I'm waiting for approval. As soon as my registration is approved, I will update this thread
Although I'm going to make a free and donate versions, because I believe that will help to make Android better, and people who want to say "Thank you" will buy Donate version anyway
uDroid said:
Sorry, I'm a noob
What will change visually?
Or screenshot?
Sent from my LT26i using XDA Premium HD app
Nothing will change visually, hence no screenshot. What's important is that you may set a strong password for decrypting the internal storage, but keep using a simple password (or PIN) to unlock the screen.
P.S. I have verified that my app works on Jelly Bean too.
I have finally published an application on Google Play! Currently there is a free version, Donate version will come a bit later
The link is: https://play.google.com/store/apps/details?id=com.kibab.android.EncPassChanger
Enjoy!
Thanks for that app, that is also what annoyed me
Thanks for this. I've been trying to work out why encryption won't work on any ROM on my HOX (dies with unable to get size of block device cryptfs), and you have given me a good lead to investigate with vdc. Information on encryption in Android is sparse, and almost all threads here on XDA get no replies.
Thanks again.
I've been tempted to use device encryption recently, but there is a distinct lack of information about it, particularly on custom ROMs...
Might need to give it a go, just the lack of backup abilities might be an issue...
pulser_g2 said:
I've been tempted to use device encryption recently, but there is a distinct lack of information about it, particularly on custom ROMs...
Might need to give it a go, just the lack of backup abilities might be an issue...
I use CM10 on the Galaxy Nexus (maguro). Encrypted. Actually, only /data is encrypted. /system stays unencrypted. And this App works as described.
For Backup use TWRP. It asks for your password to decrypt storage.
You can then backup, restore, flash, install whole ROMs, wipe and what not.
>> I would like to see this app in Play Store <<
I should read before I post:
Kibab said:
I have finally published an application on Google Play! Currently there is a free version, Donate version will come a bit later
The link is: https://play.google.com/store/apps/details?id=com.kibab.android.EncPassChanger
Enjoy!
Thanks for that
btw. The encrypted /data partition lets you have two boot animations, one that is shown before code has been entered (the one in /system/media) and one after the correct code entry (the one in /data/local).
zurchpet said:
I use CM10 on the Galaxy Nexus (maguro). Encrypted. Actually, only /data is encrypted. /system stays unencrypted. And this App works as described.
For Backup use TWRP. It asks for your password to decrypt storage.
You can then backup, restore, flash, install whole ROMs, wipe and what not.
>> I would like to see this app in Play Store <<
btw. The encrypted /data partition lets you have two boot animations, one that is shown before code has been entered (the one in /system/media) and one after the correct code entry (the one in /data/local).
Hmm... I have i9100 (S2), so I would need to see about putting TWRP onto it...
Yeah, only data and SD are encrypted... Can TWRP cope with encrypted SD btw?
Great, it's easier than to change on command line
This should just be default android behavior
pulser_g2 said:
Hmm... I have i9100 (S2), so I would need to see about putting TWRP onto it...
Yeah, only data and SD are encrypted... Can TWRP cope with encrypted SD btw?
Yes, SD is encrypted too. And TWRP can only read from it after correct code entry. Don't know about the external SD though (since the Galaxy Nexus doesn't have one).
zurchpet said:
Yes, SD is encrypted too. And TWRP can only read from it after correct code entry. Don't know about the external SD though (since the Galaxy Nexus doesn't have one).
Wish I had a second phone, then I could just research this
Quite awesome. Now, can I use a strong password for encryption and then pattern lock for normal day to day use? That would be my ideal situation. I heart pattern lock!
Just trying to clarify how this works... so you keep your normal 'short' pin unlock code for unlocking the screen, but set a long code for decryption, and this code will only be requested once per boot, during bootup? Is this correct?
Thanks
How it works
Yes Sir. You are correct.
adrianblack said:
Quite awesome. Now, can I use a strong password for encryption and then pattern lock for normal day to day use? That would be my ideal situation. I heart pattern lock!
Unfortunately it's not possible to use pattern lock while using device encryption, Android forbids it. Patching Android framework will help, but this is completely another story and possible suggestion for ROM makers such as Cyanogenmod.
Is the 16 character Android limitation present, when using this tool? I currently use a 16 character device encryption/unlock pass phrase. I'd like to strengthen the device pass phrase some more.
I don't know if this is even possible during the device boot sequence, but being able to use a Yubikey with an OTG cable would be awesome!
RF
I tried to add my company email on my rooted S5 and got to the encryption step where it told me to charge my phone to 80% and plug in and that it could take an hour. I didn't do it, and backed out. It did make me create a pin although, I may have had the pin enabled from FoxFi requirement. Regardless. I just did the Xposed Framework and tried the disable exchange pin, and it wouldn't let me. So I tried to unlink my work account and reboot. It still held on to needing the Pin/Password. I'm not exactly sure what's going on with it right now, but currently, I do not have FoxFi installed or my work email linked, and all the lock screen options are greyed out except for password. So I tried to clear the credentials and it's greyed out (turned off by administrator, encryption policy or credential storage) too. I'm also not sure if my phone is encrypted or not, because the message under Security > Encrypt Device says "80% battery, takes an hour, and plug in" (as if it's not encrypted), but the Encrypt External SD Card below says "SD card encryption has been turned on / Selected options - full encryption".
I would just like to go back to normal, but I'm not sure how. I've also seen that if you factory reset the phone that the encryption isn't removed. Can someone help please? Thanks in advance.
how about http://forum.xda-developers.com/showthread.php?t=2784880 ? Will get you back to stock for sure....
Anyone else? This is what I'm actually trying to avoid, but will if I have to. Anyone with a suggestion that doesn't involve resetting my phone?
One last thing though, if I do end up odin-ing, do I need to do the optional repartition step in the instructions to make sure that all areas of my phone are decrypted?
Hi everyone,
A friend of mine got a second-hand tablet Samsung 500t from one of her relatives.
She set her password, but she forgot it after a while. She asked me to help her to sort the problem out but I don't know windows RT and I don't know exactly what to do. In addition, we don't have any cd or user's manual. I tried to reset and I launched the procedure which always ended up with this message:
"Insert your windows installation or recovery media to continue".
I don't know what to do now, and, unfortunately, she hasn't got any back up.
Can anyone help me? Thank you.
Is she using a local account or a Microsoft account? If the latter, you can just reset your password the same way you would if you forgot, say, your Hotmail password. Go to https://login.live.com and follow the "forgot password" steps.
If it's a local account, that's more awkward. There are various steps (short of a full wipe) that you can do, but if you don't know the Admin password then most of the non-wipe options require things like Linux liveCD (or live flashdrive) images and forcibly resetting the password.
GoodDayToDie said:
Is she using a local account or a Microsoft account? If the latter, you can just reset your password the same way you would if you forgot, say, your Hotmail password. Go to login.live and follow the "forgot password" steps.
If it's a local account, that's more awkward. There are various steps (short of a full wipe) that you can do, but if you don't know the Admin password then most of the non-wipe options require things like Linux liveCD (or live flashdrive) images and forcibly resetting the password.
She is using a local account. We asked her relative, the former owner, about a Microsoft account, but he didn't know and remember anything about that.
Can you explain more to me about using a Linux distro to reset the password on the tablet?
I have used a Linux live image many times, and I can manage it for easy tasks, but I have never used it to reset or to recover a password on a Windows OS.
Thank you, Bob.
If you boot a Linux live image - probably off a flashdrive, unless you have a handy USB optical drive - it can mount the internal NTFS file system and find Security Account Manager (SAM). There are tools that will modify a SAM file to overwrite the password for a user. It's also possible for some tools to brute-force the password, though this can take a long time, or to look it up in a "rainbow table" of pre-computed password hashes (won't work for really complex passwords, though). Forcibly resetting the password will cause you to lose any data encrypted with it, which may include things like passwords the OS was storing for you.
Some stuff that can be used to try and recover passwords (or reset them): http://smallvoid.com/article/winnt-password-recovery.html
There's a bunch of others out there too. Here's another link: http://www.mydigitallife.info/reset...trator-or-user-password-with-chntpw-in-linux/
GoodDayToDie said:
If you boot a Linux live image - probably off a flashdrive, unless you have a handy USB optical drive - it can mount the internal NTFS file system and find Security Account Manager (SAM). There are tools that will modify a SAM file to overwrite the password for a user. It's also possible for some tools to brute-force the password, though this can take a long time, or to look it up in a "rainbow table" of pre-computed password hashes (won't work for really complex passwords, though). Forcibly resetting the password will cause you to lose any data encrypted with it, which may include things like passwords the OS was storing for you.
Some stuff that can be used to try and recover passwords (or reset them):smallvoid
There's a bunch of others out there too. Here's another link: mydigitallife.info/reset-and-change-windows-nt2000-administrator-or-user-password-
Can I simply delete the SAM file? I don't think she cares to lose any data so much.
Ok. I was wondering how I can run the usb drive on a windows rt tablet. Is there a "boot device option" like on an ordinary pc/notebook?
Thanks again.
PS: By the way, where can I find an image of Windows 8 RT if I want to totally reset the tablet and install a clear OS?
Aw crap, I can't believe this but I forgot you were talking about an RT device. Forget everything I just said; Secure Boot won't allow it to run a Linux image even if you had an ARM-based one.
Deleting the entire SAM will render the device unbootable. It's not just user account logon details stored there; every account (including the various system ones) are there. On the other hand, if you can extract the SAM somehow, another computer will be able to edit it just fine even though it comes from RT; it's a registry hive and is architecture-independent.
Total reset is probably the easiest option, if she doesn't mind the risk of losing data. It requires a device-specific image though; there should be one (recovery partition) on the tablet, but if that was removed you'll need to find one for download or get Samsung to handle it for you. The Surface RT / 2 images are available here on XDA but I don't know about any of the Samsung tablets.
Go look on the support website (or call support) for instructions on performing a factory reset of the tablet under normal circumstances. That will work if the recovery partition wasn't removed.
GoodDayToDie said:
Aw crap, I can't believe this but I forgot you were talking about an RT device. Forget everything I just said; Secure Boot won't allow it to run a Linux image even if you had an ARM-based one.
Deleting the entire SAM will render the device unbootable. It's not just user account logon details stored there; every account (including the various system ones) are there. On the other hand, if you can extract the SAM somehow, another computer will be able to edit it just fine even though it comes from RT; it's a registry hive and is architecture-independent.
Total reset is probably the easiest option, if she doesn't mind the risk of losing data. It requires a device-specific image though; there should be one (recovery partition) on the tablet, but if that was removed you'll need to find one for download or get Samsung to handle it for you. The Surface RT / 2 images are available here on XDA but I don't know about any of the Samsung tablets.
Go look on the support website (or call support) for instructions on performing a factory reset of the tablet under normal circumstances. That will work if the recovery partition wasn't removed.
Ok, I understood.
Can I somehow install Windows 8.1 Pro x86 on this device? It has got an Intel Atom processor, after all.
I need drivers, though.
Thanks again.
Now you say it's a x86 device while earlier it was ARM (Windows RT). Make up your mind, it can't be both!
Amax said:
Now you say it's a x86 device while earlier it was ARM (Windows RT). Make up your mind, it can't be both!
...hmm actually I'm not sure. The tablet is not mine. I thought it had a Windows RT OS. But since you say that it can't be an x86 device with an RT OS at the same time...I need to find out what it really is. Thanks.
OK
I've finally found out what the OS is.
It's Windows 8 32-bit.
The complete name of the tablet is:
samsung ativ smart xe500t1c-a01it
More, I have it at my home now.
Can we continue the topic?
Thanks
Then the methods GoodDayToDie mentioned in post #4 should work
ok
I fixed it by using Lazesoft recovery.
Thanks
Lost password? All is not lost, even with the fact you cannot boot from a USB stick drive with a password reset tool on it. The answer is actually quite simple with local access to the device Windows 8 is installed on. As long as you can get into recovery by using the "hold volume up" and pushing "Power" button method. You then simply pick Advanced Recovery Options till you see Command Prompt in the menu and here's the link that'll take you the rest of the way below. What this does is replace Access Tools (for blind, etc) in Login Screen (lower left corner) with a Command Prompt window. Since it's in with the Root C drive, it makes it quite simple to merely change the password right there and be able to use it to log in immediately.
Thought your computer was safe from hackers locally? Think again (can only be run locally though, not remotely), but if you didn't have this option none of the free or pay4 password reset tools would work either. This is what they are actually doing and then they remove the Command Prompt window when done. Just like you will after using this very simple method. Or you need to use Windows Password Key to reset Samsung password.
Hey guys,
I haven't really come across these terms before.
What does being "encrypted" / "unencrypted" mean?
I know what the words mean but I'm not sure what people are referring when using these terms. Could you please briefly explain?
It means whether your /data partition is encrypted or not. By default, OEMs are forced to have encrypted partitions.
Nobody would be able to look at your data without your pattern or pin code. Even if they reset, they have to enter pattern.
In Settings > Security & Location > Encryption & Credentials it says, "Phone not encrypted".
I want to encrypt my phone to protect the data in case I lose the phone, but is it working? Any important things I should know?
My key concerns:
1. Will I still be able to do OTA updates of LineageOS microG after encrypting?
2. Will I be able to backup phone using TWRP?
3. Will I be able to restore backups with TWRP?
4. Can I decrypt backups using TWRP to get my data?
I found a bunch of old threads from 2014 and it sounded unstable to encrypt. I don't see newer threads though.
Thank you for any guidance you may be able to provide as I am a LineageOS noob (less than 1 month experience!).
Before this official TWRP update it was not working.
I encrypted my phone one month ago. When I downloaded and installed the OTA update, the decryption pattern was not recognized. I was damn sure about the correct pattern to unlock but it didn't work. I need to reset my phone to make it working.
I am not sure if it's working now after updates from both TWRP and LineageOS.
Please reply if anyone knows about the current situation.
[NOTE]: If you are a noob and trying to encrypt your phone, then keep a backup of your internal storage and all apps, SMS and contacts etc. because, after encryption, you cannot access files and appdata from internal storage.
[email protected] said:
I encrypted my phone one month ago. When I downloaded and installed the OTA update, the decryption pattern was not recognized. I was damn sure about the correct pattern to unlock but it didn't work. I need to reset my phone to make it working.
Thank you for this! Possibly saved me. I don't care about accessing my encrypted data through TWRP, but I do want to be able to do OTA. I also want my data protected if I lose my phone.
In the latest release of TWRP 3.4.0-0 there seems to have been lots of work done on encryption
Encryption
ext4Crypt Wrapped Key Update - Peter Cai
Fix upgrading encryption key if export fails - Peter Cai
Fix wrapped key support for devices without metadata partition - mauronofrio
Don't skip decryption when using block map file in order to write to /data in ORS - CaptainThrowback
FDE - Decrypt master key first - AndroidableDroid
vold_decrypt - set Android version and patch level automatically - CaptainThrowback
Set wrapped decrypt support by twrp flag - Peter Cai
Don't try wrapped support unless needed - mauronofrio
restore ext4 policy on /data/cache - Bigbiff
multiuser decryption - Noah Jacobson
FDE retry - AndroidableDroid
So, tell me about encryption. posted on Reddit --> This thread from 2 years ago on reddit has some phones working with encryption and some not working.
So who else is running full disk encryption on their LineageOS install? I guess I have to try it and pray next week.