Now, you can encrypt your device once only and still have the ability to backup/restore, upgrade or change to a different rom without losing encryption or re-encrypting your device. You can also get rid of screen lock pin/password, which is required by Google to have encryption.
As many of us may know, TWRP unlike CWM can deal with encrypted Data partition and internal storage. As such, if you encrypt your custom CM/AOSP based rom and subsequently enter recovery (TWRP only), you are asked for your password and then TWRP decrypts and mounts your encrypted Data, which allows you to upgrade the rom, install a different custom rom or backup your current rom while preserving encryption. What is interesting is that when you install a new rom (or reinstall the old one), you can get rid of screen lock password completely. In other words, your password is used only for encrypting/decrypting.
Now, a word of caution about short passwords. A 4-5 character pin/password defeats the purpose of encryption, since it takes about 4 minutes to break it. There are ways, however, to have separate passwords for encryption and screen lock or, as shown in this guide, get rid of screen lock password completely. Here is what you can do:
1. Have TWRP recovery (CWM does not work)
2. Encrypt your current data and internal storage (go to Security menu and choose encrypt; you will be forced to set encryption password, which will also be your screen lock password).
3. When you are done, turn the phone off and on to check that decryption/encryption works.
4. Next, install encryption password changer from fdroid:
https://f-droid.org/repository/browse/?fdfilter=encrypt&fdid=com.kibab.android.EncPassChanger or this one:
https://f-droid.org/repository/browse/?fdfilter=encrypt&fdid=org.nick.cryptfs.passwdmanager
5. Change your password to a strong and long one. Make a note of it, as if you forget it, you will have to reset your device in flashtool, meaning flashing stock et al, which is pain. You will only need your long password when you are turning your device on. You won't have to enter that or another password, when the device is running.
6. Next, you want to reinstall your current rom or install a new one. For that do:
7. Enter TWRP recovery, enter your password and your system/data/cards will be mounted. Reinstall your rom (install, not restore) or install a new one. Remember, the only thing you need in your new rom is TWRP recovery. Once you are done, reboot the device. You will have your new rom encrypted with no screen password. From that point and on, you can backup your rom (and do other things) that TWRP recovery allows.
Thanks for your guide.
I really tried to follow it to the end, but TWRP will not mount my internal storage. Neither with the original password nor after I changed it to a more complex one.
Unfortunately, I always end up with the "Password Failed, Please Try Again" error message.
Is there any way to make TWRP work with my encrypted internal storage?
Related
Many corporate IT security policies including mine at work are requiring that all devices used for work, i.e. BYOD, must be encrypted. I prefer my device to be rooted…and control my device to my liking. There’s a problem though… it’s not easy encrypting with root present. I set out on a mission to get it working.
There is very little information about encrypting Galaxy S6 devices (or any Galaxy for that matter) with root. I've tried numerous methods around the web and here on XDA but none worked with any of the current ROMs. I spent several days researching, investigating, and testing various methods before finding a solution that works.
Although not required, I started a fresh start—flashed the official Marshmallow stock ROM for my device (SM-G920i) and in the process wipe my device completely, including formatting the data partition and wiping the internal SD.
I previously had Lollipop installed with custom ROM. A nandroid was performed, ran TiBu then copied all the contents of the internal memory on my laptop prior to going to official stock. Can never be too careful.
The steps outlined below was tested on both ALEXIS ROM 5.0 and XtreStoLite 3.3.1 ROMs using the G920i unlocked variant. It may work on other international variants.
Flash stock Marshmallow ROM through Odin in ‘AP’ with AutoReboot and NAND Erase checked (from Odin v3.11.1 options)
Flash CF-AutoRoot via ODIN [let it auto-reboot when complete]
Flash TWRP 3.0.2-1 via ODIN [disable auto-reboot in ODIN options]
Reboot into TWRP recovery
Perform factory reset then format Data partition
Reboot TWRP recovery so that the Data partition is refreshed
Copy custom ROM and other flash files you’ll be using to /sdcard/ using ADB Push command. For example o adb push Rom.zip /sdcard/tools.
Flash custom ROM then reboot
Be patient—reboot will take about 5 minutes
Power off then boot into TWRP again to perform a factory reset and wipe Delvic cache
Reboot - wait patiently as boot will take several minutes
When the system finally boots up go through the first start wizard then go into setting to set up pin and fingerprints you wish to use
Encrypt phone -- this will take a while before it's complete. Be patient; the device will reboot several times, ask for password at boot-up then boot into the finally into the system.
The phone is now encrypted. Because we performed a factory reset, root and TWRP recovery were removed. We now have to flash CF-autoroot and TWRP recovery via Odin. Again, patience is required--it'll take about 5-10 minutes for the boot to complete.
Note that TWRP does not know how to decrypt Samsung encryption and therefore it can't read the /data/ partition. That partition will either have to be formatted before flashing a new ROM or removing encryption. Now I did not test removing the encryption, but I’d suggest that you have current backups of your device prior to performing that task.
I hope this helps anyone experiencing this issue.
Seems to me, that if they want the device encrypted, they would also prohibit root, it is a security risk.
So is there any chance to update an encrypted Rom via TWRP?
Good walkthrough.
I did also some research and i found on some other forums the opinion, that a full-disk-encryption on a rooted phone make not much sense,
where you can replace/install the custom recovery and decrpt the data with some adb commands? Is that true?
Confusing.
tefole said:
Good walkthrough.
I did also some research and i found on some other forums the opinion, that a full-disk-encryption on a rooted phone make not much sense,
where you can replace/install the custom recovery and decrpt the data with some adb commands? Is that true?
Confusing.
Click to expand...
Click to collapse
twrp do don't support samsung decryption, so encrypted data can be only deleted. but, if you enable reactivation lock, then, you can't flash in recovery, so stolen phone is like brick
BUT with custom rom (TyrannusRom and note 7 port) encrypted phone do not boot (boot loop), so there I finished my work with encryption
paulyz said:
twrp do don't support samsung decryption, so encrypted data can be only deleted. but, if you enable reactivation lock, then, you can't flash in recovery, so stolen phone is like brick
Click to expand...
Click to collapse
I see.
I believe, that i can live without the ability that TWRP doenst decrypt the /data and the /sdcard partition,
if I can run with a CFW, and if the phone is rooted and encrypted.
After i put the CFW on the phone, even I need TWRP anymore. Usually i try to dont change the CFW so frequently.
With reactivation look you mention the "OEM unlock" in the Android\developer settings I guess?
Is the flashing really locked, like brick, really? If you can't flash in recovery, but how to restore a stock firmware with odin? Isnt it the same?
I didnt get that
tefole said:
I see.
I believe, that i can live without the ability that TWRP doenst decrypt the /data and the /sdcard partition,
if I can run with a CFW, and if the phone is rooted and encrypted.
After i put the CFW on the phone, even I need TWRP anymore. Usually i try to dont change the CFW so frequently.
With reactivation look you mention the "OEM unlock" in the Android\developer settings I guess?
Is the flashing really locked, like brick, really? If you can't flash in recovery, but how to restore a stock firmware with odin? Isnt it the same?
I didnt get that
Click to expand...
Click to collapse
"Reactivation lock lets you use your Samsung account to prevent others from activating your device if it's ever lost or stolen. With Reactivation lock turned on, you will be required to enter your Samsung account credentials prior to performing a factory reset on the device. Your Samsung account login should be something you can easily remember."
when RL activated, you can't flash, you always get error.
One big problem, what after encryption you can't update ROM, change or update kernel and etc.
I see., thx for the infos.
I did some research as well. With activated RL you can go only in download mode and install stock with Odin.
But the phone is going to ask you for your samsung account credentials - anyway.
tefole said:
I see., thx for the infos.
I did some research as well. With activated RL you can go only in download mode and install stock with Odin.
But the phone is going to ask you for your samsung account credentials - anyway.
Click to expand...
Click to collapse
if you will find useful information, post, because, I very interested too, just do not have a lot time to play with this.
Hello.
Today I restarted the phone in TWRP to wipe cache. It did not accepted my password, although I remembered it correctly. I tried to enter the ROM, but it still didn't accept it. After many many tries, I succeeded in entering the rom. Googled about this and someone said
Simply boot into TWRP and enter your PIN (if you've set one) to decrypt the stroage. If you don't have TWRP (for whatever reason) you can do so via ADB too but ONLY if you've connected your phone to your PC beforehand and also accepted it's fingerprint on the phone itself.
Delete (or rename) the following files inside /data/system (note that probably not all of them exist for you, simply delete those you can find):
password.key
pattern.key
locksettings.db-wal
locksettings.db-shm
locksettings.db
Reboot the phone and (if you've set a PIN) enter it to decrypt the storage one more time. After that you can simply unlock your phone with a swipe.
Go into Settings > Security and set your preferred unlock method again, Android will ask you if you want to set a boot-time code too. Select whatever you want here, it's a nice security addition but can be annoying sometimes.
Enjoy your phone again!
Click to expand...
Click to collapse
I did that, but now when I enter the rom, it just shows the wallpaper with nothing on it. If I try to enter TWRP, it asks for a password and my old one does not work. I wanted to flash the rom via TWRP, but everything is encrypted. Tried installing the custom recovery to flash from the sd card, but the files or still encrypted.
What can I try next? I really really dont wan't to format everything, as I have lots of files and photos on the phone. Thanks!!
reneftw said:
Hello.
Today I restarted the phone in TWRP to wipe cache. It did not accepted my password, although I remembered it correctly. I tried to enter the ROM, but it still didn't accept it. After many many tries, I succeeded in entering the rom. Googled about this and someone said
I did that, but now when I enter the rom, it just shows the wallpaper with nothing on it. If I try to enter TWRP, it asks for a password and my old one does not work. I wanted to flash the rom via TWRP, but everything is encrypted. Tried installing the custom recovery to flash from the sd card, but the files or still encrypted.
What can I try next? I really really dont wan't to format everything, as I have lots of files and photos on the phone. Thanks!!
Click to expand...
Click to collapse
If you are able to get into the phone, then go in and remove your security, pin / password etc.
I'm hazarding a guest that you decrypted your device and now you're stuck like this ?
You may have to format data, not a wipe, a format.
Not sure if the OnePlus has a safe mode but that should enable you to get into the OS and make the needed changes in security then go to twrp and you should be good to go.
Are you able to see your data when connected to a computer? IE when your phone boots ? Get your data backed up.
Sent from my ONEPLUS A5000 using XDA-Developers Legacy app
This has been extremely frustrating but I can't get any password to work when I try to decrypt this in recovery when it prompts for the password.
Where I'm at now:
I did a FULL wipe of my phone (System, Data, Internal Storage).
I installed Lineage 15.1 and GApps (minimal install) and did just the bare minimum to get into the system when it started up (no Wifi, no Google account setup, etc). I then immediately Encrypted the phone without setting any Security pin/pw/etc. I rebooted into recovery and the default password (which I googled was 'default_password') didn't work.
I then wiped everything again and repeated above and redid the same procedure, but this time I set a PIN for security, and then encrypted the phone. Rebooted into recovery and tried the PIN to decrypt - no go.
I'm at a loss on how to make recovery useful with an encrypted /data partition. I'm required by my company to encrypt my phone if I wish to use it for company email, etc, but I also like to upgrade ROMs, kernals, Magisk etc as well. This a complete showstopper for me if I have to do a complete format everytime I wish to upgrade components of the ROM/kernel/etc.
Anyone have any suggestions on how to get this working?
I have a One Plus 6t international version rooted through Magisk. I was debloating some One Plus system apps this morning and removed something I shouldn't have.... now the reboot gets stuck on the loading screen, then boots into TWRP recovery. I'm trying to restore from backup but everything is encrypted and TWRP isn't asking me for a password to decrypt.
I don't have a pin or anything set on the phone at the moment
Tried the twrp decrypt <pin> command with the default password but it just says 'Failed to decrypt data'.
Anything I'm missing here or do I just to reformat and give up on the encrypted data?
devianaviator said:
I have a One Plus 6t international version rooted through Magisk. I was debloating some One Plus system apps this morning and removed something I shouldn't have.... now the reboot gets stuck on the loading screen, then boots into TWRP recovery. I'm trying to restore from backup but everything is encrypted and TWRP isn't asking me for a password to decrypt.
I don't have a pin or anything set on the phone at the moment
Tried the twrp decrypt <pin> command with the default password but it just says 'Failed to decrypt data'.
Anything I'm missing here or do I just to reformat and give up on the encrypted data?
Click to expand...
Click to collapse
Managed to decrypt the files by installing a different version of TWRP: https://forum.xda-developers.com/on...overy-unofficial-twrp-touch-recovery-t3861482
Turns out I did not bother to do any backups...
Can copy all of the pictures and documents out though which was what I was primarily after.
Hi
I was trying to flash xiaomi.eu (xiaomi.eu_multi_HMK20MI9T_V12.5.2.0.RFJCNXM_v12-11) custom rom to my Mi 9T device via TWRP recovery
I booted into recovery then I noticed TWRP isn't asking for a password for decryption
So dumb me ignored it and "Advance Wiped" all partitions except "Internal Memory" and flashed the rom from "USB OTG"
then problems started to appear
first the rom didn't boot and was stuck in a boot loop
so I wiped and reflashed the original "miui_DAVINCIGlobal_V12.1.4.0.RFJMIXM_e0ac13ed89_11.0" rom via TWRP from "USB OTG" to be able to back up my files and do a proper format/decrypt
but the internal storage is now still encrypted and cannot be accessed
I tried twrp decrypt command with all combinations of passwords pins pattern numbers that I used since first bought the phone but none of them worked
I know I should have backed up my files
Now I want to know how can decrypt /data/media/0 aka /sdcard aka Internal Memory and get my files
like mounting it in windows through some adb and other software and decrypting with known key combinations and passwords
or through twrp or whatever that maybe work
I really can't afford to lose my data AGAIN
yes, that wasn't my first time!!!!!
I promise if this gets right I devote the rest my life to the open-source community
excuse me for my bad English.
When flashing a custom ROM, or going back from, you HAVE to Format (not just Wipe) Data
(And you don't need to wipe System because new ROM will overwrite it anyway, and you better never wipe Persist and so)
Obviously, you must backup your photos, data, etc, before switching the ROM
Data on Internal memory is encrypted, and not by your unlock pin (unlock pin just serves to verify and read the key).
New ROM reinitializes the encryption key
Hence, AFAIK, you cannot decrypt anymore because you don't know the encryption key that was used for data on your Internal memory
Seems you have similar problem as I have
zgfg said:
When flashing a custom ROM, or going back from, you HAVE to Format (not just Wipe) Data
(And you don't need to wipe System because new ROM will overwrite it anyway, and you better never wipe Persist and so)
Obviously, you must backup your photos, data, etc, before switching the ROM
Data on Internal memory is encrypted, and not by your unlock pin (unlock pin just serves to verify and read the key).
New ROM reinitializes the encryption key
Hence, AFAIK, you cannot decrypt anymore because you don't know the encryption key that was used for data on your Internal memory
Click to expand...
Click to collapse
ok
a question
why the twrp was not asking for decryption in first place?
ehsan1326 said:
ok
a question
why the twrp was not asking for decryption in first place?
Click to expand...
Click to collapse
No idea - ask devs of your custom ROM how they implement encryption and what is the proper way to install the ROM