It just occured to me, that despite encrypting my device, I can boot into TWRP recovery and flash things to various partitions without entering a password.
Doesn't that essentially mean that the encryption key must be stored somewhere by TWRP in a clear (unencrypted) form?
If so, doesn't root basically render device encryption meaningless? Sure the average phone thief might not care to crack into it, but it would probably be trivial for anybody with a little technical knowledge and time on their hands. And police probably have a step-by-step process for cracking rooted devices.
Does root compromise encryption?
static416 said:
It just occured to me, that despite encrypting my device, I can boot into TWRP recovery and flash things to various partitions without entering a password.
Doesn't that essentially mean that the encryption key must be stored somewhere by TWRP in a clear (unencrypted) form?
If so, doesn't root basically render device encryption meaningless? Sure the average phone thief might not care to crack into it, but it would probably be trivial for anybody with a little technical knowledge and time on their hands. And police probably have a step-by-step process for cracking rooted devices.
Does root compromise encryption?
Click to expand...
Click to collapse
To answer your exact question, no, root doesn't compromise encryption. Root and TWRP are two separate things, you can have TWRP without root. However, TWRP does allow access to your data without requiring authorisation.
Doesn't "enable Password on Boot" in Settings/Security, force a password onto TWRP as well?
Sent from my Nexus 5X using Tapatalk
SlimSnoopOS said:
Doesn't "enable Password on Boot" in Settings/Security, force a password onto TWRP as well?
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
Yeah that's a good point, I don't use that feature as I find it annoying so I forgot about it.
SlimSnoopOS said:
Doesn't "enable Password on Boot" in Settings/Security, force a password onto TWRP as well?
Sent from my Nexus 5X using Tapatalk
Click to expand...
Click to collapse
The only way your data is truly encrypted (in my opinion) is doing just that.
Agent said:
The only way your data is truly encrypted (in my opinion) is doing just that.
Click to expand...
Click to collapse
Thanks so much! This is exactly what I was looking for.
I don't know why it didn't occur to me earlier. I'm glad I don't have to choose between security and usability (root, TWRP, etc).
i was thinking about this today actually, because my phone has no encryption (both system and userdata).
However, with purenexus rom and cerberus if your phone is ON when it's stolen, you can essentially prevent someone from booting into recovery since the normal power menu is not available, and pressing and holding the power button for 10 secs just reboots the phone into OS again which is locked. Also, the USB defaults to charging, so data is inaccessible.
is there a way boot into recovery in a situation such as this?
2x4 said:
i was thinking about this today actually, because my phone has no encryption (both system and userdata).
However, with purenexus rom and cerberus if your phone is ON when it's stolen, you can essentially prevent someone from booting into recovery since the normal power menu is not available, and pressing and holding the power button for 10 secs just reboots the phone into OS again which is locked. Also, the USB defaults to charging, so data is inaccessible.
is there a way boot into recovery in a situation such as this?
Click to expand...
Click to collapse
They can hold Power and volume down to boot right into bootloader (and subsequently recovery) from lockscreen. I did this last night since restoring my TWRP 3.0 backup locked me out of my 5X lol
Edit: just want to be clear, I do not have Cerberus. idk if it blocks the above combo as well
SlimSnoopOS said:
They can hold Power and volume down to boot right into bootloader (and subsequently recovery) from lockscreen. I did this last night since restoring my TWRP 3.0 backup locked me out of my 5X lol
Edit: just want to be clear, I do not have Cerberus. idk if it blocks the above combo as well
Click to expand...
Click to collapse
You're right, that way definitely works. And I'm not sure that it it can block that tbh
2x4 said:
You're right, that way definitely works. And I'm not sure that it it can block that tbh
Click to expand...
Click to collapse
Keep in mind that when your data is encrypted and a boot password is used, they may can get into the bootloader, but they can not get inside your system. They will have to wipe it to get anything on it that will work.
Agent said:
Keep in mind that when your data is encrypted and a boot password is used, they may can get into the bootloader, but they can not get inside your system. They will have to wipe it to get anything on it that will work.
Click to expand...
Click to collapse
Thanks for the clarification. Is there any way to get the boot password feature without encrypting my data?
Related
I pulled my Nexus 7 out of my bag this morning and the screen is asking me to put in my password to decrypt storage. I never encrypted my tablet so I have no password and it was working fine last night. Does anyone have any advice on what I can do?
Connect to your PC see if you can back up your important files, somehow I doubt you'll be able to do this but try anyway.
If you have a backup recovery image then you can at least go back (Providing you are rooted and have a backup available!)
Never used encryption myself, I don't expect you'll get past this because if you do what's the point of encryption if its easily bypassed?
Good luck anyway, I feel a wipe/ format is on the cards.
Hopefully some of the other xda users may have some other suggestions
Thanks. do you know how to wipe/format it from this point. I don't have anything too terribly important at this point on the device, but I would love to be able to use it again.
TimmyUK said:
Connect to your PC see if you can back up your important files, somehow I doubt you'll be able to do this but try anyway.
If you have a backup recovery image then you can at least go back (Providing you are rooted and have a backup available!)
Never used encryption myself, I don't expect you'll get past this because if you do what's the point of encryption if its easily bypassed?
Good luck anyway, I feel a wipe/ format is on the cards.
Hopefully some of the other xda users may have some other suggestions
Click to expand...
Click to collapse
Should be power and volume button down when starting the tablet in order to access the recovery menu.
http://support.google.com/nexus/bin/answer.py?hl=en&answer=2668187
Sent from my Nexus 7 using xda app-developers app
I've read that some people like to install twrp, root, etc. and then re lock the bootloader. Is there any benefits to doing that? And is there a way to unlock/lock without wiping every time you unlock again?
It's better to relock it as if your phone is lost or stolen unlocking it ends up wiping the phone. Your data is safer.
[hfm] said:
It's better to relock it as if your phone is lost or stolen unlocking it ends up wiping the phone. Your data is safer.
Click to expand...
Click to collapse
Can you still flash roms with the bootloader locked?
kingmikel said:
Can you still flash roms with the bootloader locked?
Click to expand...
Click to collapse
No, you can't if bootloader is locked, first thing is to unlock the bootloader.
yangqi said:
No, you can't if bootloader is locked, first thing is to unlock the bootloader.
Click to expand...
Click to collapse
which wipes your data.
640k said:
which wipes your data.
Click to expand...
Click to collapse
Which kind of forces you into a clean wipe each time you flash. Like you should.
Besides, with Nandroid + titanium backups = not a big deal. You can always go back to where you were before flash or restore apps after.
Is there even a working TWRP for the N6P yet?!
With these new bootloaders, on a locked status, can you temp boot into an external recovery?
Re-locking your bootloader can be risky. If you're on a custom rom and rooted, if something goes wrong, and you can't boot into Android, you could be stuck in a loop and have to either re-flash the rom in recovery (hopefully custom recovery) or wipe and re-flash stock via fastboot. Alternatively, you could experience the same issues using a custom kernel on stock for root. Basically, with the new verity checks and security framework, at this point with the phone being so new, you're better off sticking with it locked or unlocked and keeping it that way for optimal use.
TWRP should add a password function.
It won't unlock features until you enter a password. This protects the phone even with an unlocked bootloader.
kibmikey1 said:
Re-locking your bootloader can be risky. If you're on a custom rom and rooted, if something goes wrong, and you can't boot into Android, you could be stuck in a loop and have to either re-flash the rom in recovery (hopefully custom recovery) or wipe and re-flash stock via fastboot. Alternatively, you could experience the same issues using a custom kernel on stock for root. Basically, with the new verity checks and security framework, at this point with the phone being so new, you're better off sticking with it locked or unlocked and keeping it that way for optimal use.
Click to expand...
Click to collapse
I hadn't thought it of it that way! Good point, and thanks for the advice!
Elnrik said:
Which kind of forces you into a clean wipe each time you flash. Like you should.
Click to expand...
Click to collapse
I agree that clean wipes are the way to go, but it wipes everything including pictures, media, anything you might want to flash. You have to move everything to a pc, and then move it back which can be a hassle.
yangqi said:
No, you can't if bootloader is locked, first thing is to unlock the bootloader.
Click to expand...
Click to collapse
What I meant is, if I unlock the bootloader and install twrp, can I re lock the bootloader and have twrp continue to work and be able to wipe, flash, etc.
tech_head said:
TWRP should add a password function.
It won't unlock features until you enter a password. This protects the phone even with an unlocked bootloader.
Click to expand...
Click to collapse
This times a million!!
tech_head said:
TWRP should add a password function.
It won't unlock features until you enter a password. This protects the phone even with an unlocked bootloader.
Click to expand...
Click to collapse
This won't effectively do anything. TWRP is just the recovery component. As long as your bootloader is unlocked, a thief can just boot into the bootloader and overwrite your recovery with his own (a new TWRP without a password, CWM, stock, etc).
Pbrah said:
This won't effectively do anything. TWRP is just the recovery component. As long as your bootloader is unlocked, a thief can just boot into the bootloader and overwrite your recovery with his own (a new TWRP without a password, CWM, stock, etc).
Click to expand...
Click to collapse
When did the average pickpocketer, street mugger or armed robber become an expert Android developer? Chances are, the thug who steals your phone never heard of XDA anyways
I say keep your bootloader unlocked and stop overestimating **** Dastardly's IQ :silly:
hudsoncouto said:
When did the average pickpocketer, street mugger or armed robber become an expert Android developer?
Click to expand...
Click to collapse
Never. I was just pointing out the flaw in the belief that putting a password on TWRP will somehow stop a determined thief from accessing your data.
Elnrik said:
Which kind of forces you into a clean wipe each time you flash. Like you should.
Besides, with Nandroid + titanium backups = not a big deal. You can always go back to where you were before flash or restore apps after.
Click to expand...
Click to collapse
Your Nandroid would get wiped also, though.
Sent from my Nexus 6P using Tapatalk
jackdubl said:
Your Nandroid would get wiped also, though.
Sent from my Nexus 6P using Tapatalk
Click to expand...
Click to collapse
Nope. Why would someone store backups on the device they are backing up? That's just crazy talk. :silly:
http://amzn.com/B00Q4U7LIO
Of course, I'm going to have to get something like this to replace it. Hopefully something comes along which will fit on my key ring.
Edit: Or This or That.
Elnrik said:
Nope. Why would someone store backups on the device they are backing up? That's just crazy talk. :silly:
http://amzn.com/B00Q4U7LIO
Of course, I'm going to have to get something like this to replace it. Hopefully something comes along which will fit on my key ring.
Edit: Or This or That.
Click to expand...
Click to collapse
.
Or this may be mo betta.
http://forum.xda-developers.com/nexus-6p/accessories/mini-microsd-reader-redux-type-c-t3235374
Born<ICs said:
.
Or this may be mo betta.
http://forum.xda-developers.com/nexus-6p/accessories/mini-microsd-reader-redux-type-c-t3235374
Click to expand...
Click to collapse
Looks interesting. Might have to just do this though. http://www.ncixus.com/products/?sku=115950
Elnrik said:
Looks interesting. Might have to just do this though. http://www.ncixus.com/products/?sku=115950
Click to expand...
Click to collapse
.
Nah, Kickstarter one looks better and only $11 bucks. Plugs have lots of faster cards lying around.
tech_head said:
TWRP should add a password function.
It won't unlock features until you enter a password. This protects the phone even with an unlocked bootloader.
Click to expand...
Click to collapse
I also would like it, but here it says why they don't want to add this function: https://twrp.me/faq/securetwrp.html.
There are a trwp skin that adds a simple password protection. but I have never proved it.
In an effort to keep this chatter out of other threads, here is the info that you seek. I didn't discover this process @DespairFactor and Bryant (not sure of his XDA handle) get the credit.
First you need to go through the Google set up and Skip everything except, the unlock Theft Protection. It will then ask you if you want to add the Google account and you say no. If at any point you say yes to something or add a pin / fingerprint it will encrypt. Then you need to reboot to the bootloader and run, fastboot format userdata then, Boot and Skip through the set up again. As long as you do not add a pin / password or a google account you will stay un-encrypted. This will work on the stock boot.img.
Reserved
Any advantage of doing it? In theory it should work faster, but is it visible?
Hola
And further to @DforDesign's question, I take it that having a decrypted device helps with existing TRWP and available custom kernel installations? I haven't reviewed the Development sub-forums yet as I am still awaiting my device.
Thanks for the guide.
If you do stay unencrypted, isn't all we can do for now is just edit the build prop? Anything else? I thought magisk would still bootloop
DforDesign said:
Any advantage of doing it? In theory it should work faster, but is it visible?
Click to expand...
Click to collapse
Depends on if you talk to people that wear tin foil hats, that also gives you your answer.
so after the setup, can you add your google account, fingerprint/pin later?
xryousukex said:
so after the setup, can you add your google account, fingerprint/pin later?
Click to expand...
Click to collapse
Then you will lose twrp after doing that process. It will be encrypted.
Let me make sure I'm understanding this.
I already set up my 2 XL with pin and fingerprint, so now it's encrypted making seeing root file tree impossible (like sdcard, download folder).
If I reset my device, and say NO to everything requiring pin or fingerprint on the device, I can set it up normally and still have access to the root file tree?
So long as I don't password, pin, fingerprint protect the device, I'll continue to have access to these files, right?
But this also means no google account activity (Gmail, contacts , photos, etc) right?
Yes for now, that's exactly what that means, at least for now until TWRP , or AOSP recovery is update and worked on to work with our device.
Az Biker said:
Let me make sure I'm understanding this.
I already set up my 2 XL with pin and fingerprint, so now it's encrypted making seeing root file tree impossible (like sdcard, download folder).
If I reset my device, and say NO to everything requiring pin or fingerprint on the device, I can set it up normally and still have access to the root file tree?
So long as I don't password, pin, fingerprint protect the device, I'll continue to have access to these files, right?
But this also means no google account activity (Gmail, contacts , photos, etc) right?
Click to expand...
Click to collapse
You understand correctly. The only thing I'm not sure about is whether or not a factory reset will be enough. We used format userdata in fastboot to achieve it. It may be a good test to see if simply linking a Google account will trip encryption.
I can add my google account as long as i dont set a pin or fingerprinter my phone's internal storage is visible via TWRP with no issues.
Let me add something we discovered. It seems to be on the pin/pattern setup only. I think you can do everything else to stay decrypted in twrp. Now might thought was to setup everything they way you want without pin/pattern and you can then backup. Then save that backup on a PC. After that you lock your device via pin/pattern. If for some reason something screws up instead of setting everything up again. Just factory reset and skip everything and place backup on SD card then boot twrp and try to restore. Someone want to test this theory lol????
Sent from my Nexus 6 using Tapatalk
bryantjopplin said:
Let me add something we discovered. It seems to be on the pin/pattern setup only. I think you can do everything else to stay decrypted in twrp. Now might thought was to setup everything they way you want without pin/pattern and you can then backup. Then save that backup on a PC. After that you lock your device via pin/pattern. If for some reason something screws up instead of setting everything up again. Just factory reset and skip everything and place backup on SD card then boot twrp and try to restore. Someone want to test this theory lol????
Sent from my Nexus 6 using Tapatalk
Click to expand...
Click to collapse
Thanks for confirming
Great! Thanks. I can't use TWRP on the Nov patch but I have a question... I'm now using a permissive kernel. Can I simply wipe userdata to unencrypt? Can you confirm? Is the command fastboot format userdata?
Thanks in advance!
Mike02z said:
Great! Thanks. I can't use TWRP on the Nov patch but I have a question... I'm now using a permissive kernel. Can I simply wipe userdata to unencrypt? Can you confirm? Is the command fastboot format userdata?
Thanks in advance!
Click to expand...
Click to collapse
Yes, but twrp is still not functional
bryantjopplin said:
Yes, but twrp is still not functional
Click to expand...
Click to collapse
Thanks. I didn't realize we needed twrp. I was thinking we could just use fastboot erase userdata in leu of twrp.
Can't you just factory reset and then flash Magisk before re-setting up your phone? I thought Magisk disabled force encrypt by default.
Mike02z said:
Thanks. I didn't realize we needed twrp. I was thinking we could just use fastboot erase userdata in leu of twrp.
Click to expand...
Click to collapse
No you can, I thought you were thinking format userdata would fix twrp. Sorry
TheSt33v said:
Can't you just factory reset and then flash Magisk before re-setting up your phone? I thought Magisk disabled force encrypt by default.
Click to expand...
Click to collapse
Tried it, no luck. Removed my Google account, reset phone, did not log into my Google account and did not set up any PIN or password and it's still encrypted. I'll try fastboot erase userdata and cache and see if that works.
Hi so I just rooted my op6t yesterday after having it for a couple weeks and I did everything fine and installed a couple root apps. I later discovered custom kernels and wanted to flash one. I went into twrp and all the folders were weird names and the same thing shows on my computer when I plug the phone in. After looking it up my phone is encrypted. I never clicked anything that said to encrypted my phone and it wasn't encrypted before. In Android it says it's encrypted and now I have to reset it to unencrypt it? I'm ok with that but that's a little annoying. Some people said something about a bug in twrp that has to do with encryption but I'm confused why my phone just did that. I restored apps and settings with Google backup which I ran right before I rooted the phone and restored right after I rooted it. Does anyone know what caused it to encrypt itself and how I can prevent it from doing it again? Thanks.
Sounds like you need to do a lot more reading before you attempt to modify your phone. The phone comes encrypted from the factory. There are plenty of topics about this exact issue. Also, if you had read anything in this thread then you would see that decryption in TWRP was fixed a while ago. (https://forum.xda-developers.com/on...overy-unofficial-twrp-touch-recovery-t3861482)
are you sure you had encryption disabled before? my 6t was encrypted from the beginning. I installed root with twrp by using ADB sideload and I never used the file explorer from twrp itself.
if encryption was off, this happened on my old Nexus 6 sometimes too after installing a custom kernel. it was every time really annoying that I got force encrypted even when the kernel builder stated that it does not...
OnkeIM said:
are you sure you had encryption disabled before? my 6t was encrypted from the beginning. I installed root with twrp by using ADB sideload and I never used the file explorer from twrp itself.
if encryption was off, this happened on my old Nexus 6 sometimes too after installing a custom kernel. it was every time really annoying that I got force encrypted even when the kernel builder stated that it does not...
Click to expand...
Click to collapse
Maybe it was encrypted from the factory. I could access files through my computer though. Should I reset the phone and flash twrp again then turn off encryption in Android settings? I'm a bit new to this so I'm not entirely sure. I just followed the guide on xda for rooting and unlocking the 6t bootloader.
Skyline3499 said:
Maybe it was encrypted from the factory. I could access files through my computer though. Should I reset the phone and flash twrp again then turn off encryption in Android settings? I'm a bit new to this so I'm not entirely sure. I just followed the guide on xda for rooting and unlocking the 6t bootloader.
Click to expand...
Click to collapse
You should still be able to access files from the computer.
The phone should work fine.
It's just that the version of TWRP you have does not support encryption.
tech_head said:
You should still be able to access files from the computer.
The phone should work fine.
It's just that the version of TWRP you have does not support encryption.
Click to expand...
Click to collapse
I think it does though I tried the decrypt command in twrp terminal but it failed. It wants a password and I tried my pin which didn't work.
Skyline3499 said:
I think it does though I tried the decrypt command in twrp terminal but it failed. It wants a password and I tried my pin which didn't work.
Click to expand...
Click to collapse
That version of TWRP does not support decryption.
GO back and flash the stock boot image.
Temp boot TWRP.
install Magisk and move on.
yerger said:
Sounds like you need to do a lot more reading before you attempt to modify your phone. The phone comes encrypted from the factory. There are plenty of topics about this exact issue. Also, if you had read anything in this thread then you would see that decryption in TWRP was fixed a while ago. (https://forum.xda-developers.com/on...overy-unofficial-twrp-touch-recovery-t3861482)
Click to expand...
Click to collapse
Ok, thanks, that twrp version worked with the encryption and everything if fine now.
Well, decryption actually. I would love to disable encryption entirely like on the OP6, but apparently that's not possible due to the fingerprint or something. It's so frustrating. I load OOS then Havoc (or ASOIP, maybe others) and everything seems fine until i try to flash something in TWRP only to find it won't accept my pattern, pin, fingerprint etc. Anyone seen this?
You have to clean flash an April security patch build, add your password/pin etc., then dirty flash to May and it will work
The other day it did that to me but when I skipped the pattern my files still showed up as normal. I'm using TWRP 3.3.0-2
king_david43 said:
The other day it did that to me but when I skipped the pattern my files still showed up as normal. I'm using TWRP 3.3.0-2
Click to expand...
Click to collapse
ZeroKool76 said:
You have to clean flash an April security patch build, add your password/pin etc., then dirty flash to May and it will work
Click to expand...
Click to collapse
Hmm, i swear i think i tried that a couple times. :latest release, no beta.
I'm very familiar with wiping the data partition to create a fresh decrypt one. I think i just need a no-forced encrypt zip like on OP6. Unfortunately i think that screws up login attempts because of the fingerprint being proprietary. If someone knows a way or is working on it, you'd be my hero.
jaysonic88 said:
Hmm, i swear i think i tried that a couple times. :latest release, no beta.
I'm very familiar with wiping the data partition to create a fresh decrypt one. I think i just need a no-forced encrypt zip like on OP6. Unfortunately i think that screws up login attempts because of the fingerprint being proprietary. If someone knows a way or is working on it, you'd be my hero.
Click to expand...
Click to collapse
Have you tried to format data instead of wiping? Some ROMs like treskmod require this for successful decryption.
reppi said:
Have you tried to format data instead of wiping? Some ROMs like treskmod require this for successful decryption.
Click to expand...
Click to collapse
Sorry, yes that's what i mean. I indeed do completely format the data partition where it prompts and requires "yes" to do so. The odd thing is it DOES decrypt it just sometimes encrypts again and then locks me out. I do tend to reinstall twrp and root more than is probably required (to get safetynet passed). Is there some rule i need to follow or something i need to do during each flash to prevent this?
Thanks by the way for everyone's input.
jaysonic88 said:
Sorry, yes that's what i mean. I indeed do completely format the data partition where it prompts and requires "yes" to do so. The odd thing is it DOES decrypt it just sometimes encrypts again and then locks me out. I do tend to reinstall twrp and root more than is probably required (to get safetynet passed). Is there some rule i need to follow or something i need to do during each flash to prevent this?
Thanks by the way for everyone's input.
Click to expand...
Click to collapse
Ok, i think i found the issue. According to the guy who wrote the unofffical TWRP 3.3.02 it's a bug in the code. He sent the info including the lines of code that were causing the problem to teamwin.
https://forum.xda-developers.com/showpost.php?p=79515334&postcount=2559