First off, relevant Twitter post: https://twitter.com/laginimaineb/status/737051964857561093
posted by /u/sephr on reddit.com/r/android:
So basically, Full Disk Encryption is now much easier to bypass on many devices until this gets fixed. There are a few other things that rely on this, but FDE is the most important.
This is where your encryption key is stored. Your encryption key is itself encrypted by the password you enter to decrypt your device (your password decrypts a bigger more reliable password essentially), so if you don't have a very long and secure password, it is now easy to break FDE, as an attacker won't be limited by a limited number of password attempts.
Attackers can extract your key and brute force your password using it.
Related
Cryptfs Password Manager
Android device encryption password manager app. Lets you change the Android disk encryption password. Essentially the same as
Code:
# vdc cryptfs changepw <newpassword>
but easier to use and slightly more foolproof. Requires root access.
WARNING
If you forget the new password after you change it, you will not be able to boot the device. You will have to perform a factory reset, DELETING all your data. Make sure you take a full backup before using this tool, and REMEMBER THE PASSWORD. You have been warned, use at your own risk!
Why and how to use this
Android 3.0 (Honeycomb) introduced disk encryption and it has been available on all subsequent versions. It encrypts the data partition with a key protected by a user-selected password and requires entering the password in order to boot the device. However, Android uses the device unlock password or PIN as the device encryption password, and doesn't allow you to change them independently. This effectively forces you to use a simple password, since you have to enter it each time you unlock your device, usually dozens of times a day. This tool allows you to change the encryption password to a more secure one, without affecting the screen unlock password/PIN. To change the device encryption password simply:
- Enter the current password (initially the same as the unlock password/PIN)
- Enter and confirm the new password
- Hit 'Change password'
The changes take effect immediately, but you will only be required to enter the new password the next time you boot your device. Make sure you choose a good password, not based on a dictionary word, since automated tools can brute force a simple password in minutes. Above all, make sure you REMEMBER the new password.
If you change the device unlock password/PIN, the encryption password will be automatically changed as well. You need to use this tool again to change it back, if required.
Once Android adds an official way (system UI) to change the passwords independently, this tool will no longer be needed. Star this issue if you want this to happen:
code.google.com/p/android/issues/detail?id=29468
How to get it
The app is also available in the Google Play Store:
play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager
And source is on Github, Apache 2.0 licensed:
github.com/nelenkov/cryptfs-password-manager
Acknowledgments
Borrows some code from github.com/project-voodoo/ota-rootkeeper-app, under the WTFPL license
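The key hierarchy described above (a random disk key wrapped under a key derived from the password) and the reason a password change takes effect immediately, as an added example that is not code from the posts or from Cryptfs Password Manager. PBKDF2 and an XOR mask with an HMAC tag stand in for Android's real key derivation and cipher; the footer layout, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 50_000  # constructed demo value, not Android's real KDF cost


def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes of output: the first 32 mask the master key, the last 32 key the HMAC.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)


def wrap(master_key: bytes, password: str) -> dict:
    """Build a hypothetical 'crypto footer' holding the password-wrapped master key."""
    salt = secrets.token_bytes(16)
    k = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, k[:32]))  # toy stand-in for AES
    tag = hmac.new(k[32:], salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(footer: dict, password: str) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong."""
    k = _derive(password, footer["salt"])
    tag = hmac.new(k[32:], footer["salt"] + footer["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, footer["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(footer["wrapped"], k[:32]))


def change_password(footer: dict, old: str, new: str) -> dict:
    """Re-wrap the same master key; the encrypted data itself is never touched."""
    master_key = unwrap(footer, old)
    if master_key is None:
        raise ValueError("current password rejected; footer left unchanged")
    return wrap(master_key, new)


def demo() -> dict:
    master_key = secrets.token_bytes(32)   # random 256-bit disk key
    footer = wrap(master_key, "1234")      # initially wrapped under the unlock PIN
    rewrapped = change_password(footer, "1234", "correct horse battery staple")
    return {
        "same_disk_key": unwrap(rewrapped, "correct horse battery staple") == master_key,
        "old_pin_rejected": unwrap(rewrapped, "1234") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The 256-bit disk key never changes, so its protection is only as strong as the password that currently wraps it.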
CM13 encryption is a nightmare.
I've only used CM11 encryption before (use Cryptfs Password Manager to change encryption password).
I installed CM13 on a LG G2 D800. I believe it has hardware-backed storage.
I encrypted my phone using `vdc cryptfs enablecrypto inplace password` as a test. Curious to see what happened when I changed encryption methods, I switched to password encryption with password `password`.
After running `vdc cryptfs changepw password password password password2`, I was able to successfully decrypt with "password2" and unlock with "password". So I assumed the command would work... this assumption would prove my downfall.
I then reenabled pattern unlock. Interestingly, I was able to reboot without so much as a password prompt, despite being "encrypted". So I reentered the pattern, making sure to first enable boot-time pattern prompt. (Really! What's the point of encryption if it doesn't depend on user input?)
Still in pattern mode, I attempted to secure decryption while maintaining convenient unlock pattern. `vdc cryptfs changepw pattern password password password` or `pattern password password` or `password password password password` or `password password password`. I actually ran a long command a few times, then a short one repeatedly, then possibly the long one some more. Each time I ran it, I got `200 0 0`, which is supposed to indicate "no error".
Nonetheless, when I reboot, the phone still asks for the pattern (I had tried to add a decryption password), but rejects the unlock pattern I was using previously. It seems like the `changepw` commands did not enable the password, but merely corrupted the pattern.
How do I unlock encryption?
(repost https://www.reddit.com/r/cyanogenmo...3_lg_g2_pattern_encryption_bricked_after_vdc/ )
How did you get vdc cryptfs to work? I've tried adb shell and termux on the device and can't get the system to recognize either.. I've got busybox installed and am running as su, but can't get the command to take..
---------- Post added at 10:56 PM ---------- Previous post was at 10:46 PM ----------
cuhead528 said:
How did you get vdc cryptfs to work? I've tried adb shell and termux on the device and can't get the system to recognize either.. I've got busybox installed and am running as su, but can't get the command to take..
Figured this out - downloaded the cryptfs app from the playstore and then was able to use Termux to run the command.
Hi, I have a Huawei Y625-U51 (Dual-SIM) running stock Android 4.4.2/EMUI 2.3 Lite and I would like to encrypt the device, but there are no Encryption options in "Settings > Personal > Security". Is there a way to make these options available or otherwise carry out a system encryption (i.e. using adb)?
Here's the about info to the device:
Model: HUAWEI Y625-U51
Android: 4.4.2
Secpatch-Lvl: 2015-11-01
EMUI: EMUI 2.3 Lite
Kernel: 3.4.0
Build-Number: Y625-U51V100R001C577B108
I already tried carrying out a factory reset but that didn't bring up the encryption options.
I'm well-versed with Windows/Linux system hacks but new to Android, so please bear with me. Any help would be greatly appreciated. Thx.
Encrypt Huawei Y625 via rooting and shell commands
After reading up a few articles on different ways to start encryption from the command line in various Android versions, I decided to experiment and got lucky. Here's what I did (if you want to repeat these steps I suggest you attach your phone to the charging cable first. Also remember that this will likely void your warranty bla bla ) :
rooted the Huawei Y625 using kingoRoot
installed Android Terminal Emulator and ran it
Once inside the terminal I entered
Code:
su
setenforce 0
vdc cryptfs enablecrypto inplace <YourPasswordInCleartext>
(I'm not sure whether the 'setenforce' command that sets SELinux to permissive mode is actually necessary. However, this will only change runtime mode, so you needn't worry that it may persist over reboots).
The screen then immediately went blank. I had forgotten to attach the phone to the charging cable so I scrambled to find it and finally got the phone attached. But it looked pretty much dead now.
After nothing happened for another while, I pressed the start button. The screen remained blank but I got to hear the familiar boot melody. After a while (maybe 2 or 3 minutes) I pressed start again. This time, a message appeared "Wait while your phone is being encrypted" plus a slowly increasing percentage.
* When the encryption had finished, the phone booted up as usual, only this time the familiar melody and splash screen was interrupted by the message "Type password to decrypt storage"
Minor drawbacks:
The boot process is interrupted somewhat uglily in the middle of the melody and splash screen to ask for the encryption password
TouchPal's data transfer agreement pops up every time you start to enter the decryption password (presumably because the answer is written to the /data partition which is still encrypted and therefore not available yet at this point)
Bigger drawback:
There is no way to change the encryption password using the GUI. You have to run 'vdc cryptfs changepw <YourPasswordInCleartext>' from a shell (Result should be "200 0 0"). That's a bummer if you want to enable encryption for someone reliant on GUI apps.
One last note: this being Android 4.4.2 there is no way to encrypt the whole system. The method described above will encrypt the userdata partition (mounted as /data) only.
P.S.: Sorry for not sharing article and app links, but xda anti-spam settings prevented me as a new user from posting links. So sorry for the missing convenience, but I'm sure you'll be able to find the apps mentioned yourself and as for the articles - they were interesting but relating to wildly different Android versions with different command syntax, so you're probably better off just following the steps above anyway
Hello,
I remember when I set up A1 in firstboot, it asked if I want to be prompted with a password before booting Android, to which I said no.
So this in effect, must have encrypted with the default password on first boot. This lets the system boot, and core services started, if the device gets rebooted without my knowledge (so that I receive calls and SMS) VS, if it asks password before booting (uses my PIN as password instead of default password), the core services aren't available until I put my PIN in.
This issue was supposed to get solved through Nougat's FBE.
So my question is that, does Mi A1 use FBE, so that even if I had opted for my PIN as password before booting, I would not be blocked from using core services like phone and SMS, with OS waiting at PIN prompt?
Thanks.
As I have researched more, A1 does not support FBE.
Read this excellent writeup
In the above article, it shows how to convert to file based encryption. This option in the developer settings is missing from A1.
This is the first major disappointment with A1. Was shocked on system setup to see this. Didn't expect this from a phone expected to receive updates up to P.
ashjas said:
As I have researched more, A1 does not support FBE.
Read this excellent writeup
In the above article, it shows how to convert to file based encryption. This option in the developer settings is missing from A1.
Why do you think ? What encryption does it use ?
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders but more code is running at startup so you can in theory receive notifications and stuff for certain apps. I certainly don't need stuff running before I authenticate.
gradinaruvasile said:
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders but more code is running at startup so you can in theory receive notifications and stuff for certain apps. I certainly don't need stuff running before I authenticate.
So when the phone was set up in a way, where there was no password asked during (in the middle of) the boot process, how easy would it be for thieves to access data stored on an A1? And how much would it help them if bootloader was unlocked?
When you reboot the phone, and you do not have a FDE password set up, the phone still asks for a PIN after booting, with the text "Unlock for all features and data". This sounds like FBE to me.
- PIN is probably from the SIM card. My A1 never asked anything until i set up a password. But mine came with Android 7.1.1 so it is a possibility that some to come with later versions (that have FBE?)?
- FDE is usually enabled anyway on Android 7.1+ but it has a default password set ("default_password" AFAIR). So if you run TWRP for example, even without installing it, it will access your data because it knows this default password. If you specify a custom password the disk will not be unlocked without it.
- A locked bootloader brings additional security. The idea behind it is to have a verified boot chain - if someone gets hold of your phone to not be able to flash custom system apps on it.
The partitions are checksummed and verified via dm-verity. So at boot time any unauthorized alterations (done, say, with booted TWRP, installed Magisk and root then re-locked bootloader afterwards) will trigger a "System Destroyed" message.
The above will be all disabled if you unlock the bootloader and install TWRP. As for now TWRP (or any other loader) cannot ensure system consistency. It is possible to flash stuff on your device by restarting it and launching TWRP. If you have a strong encryption password set up your data partition will still be inaccessible to them but if you get your phone back and start it up the malware will start and do nasty stuff like siphoning all your data, passwords etc (because you can flash system apps that can see everything on the device).
After restart, it asked me for a PIN and then for SIM PIN, (even when draw pattern was my configured way for unlock). It never again asked me for PIN, only right after reboot. Why else would I be asked for a PIN only after reboot, if not because of FBE?
Hi,
I bought recently a oneplus 6t after four or five years using a nexus6. I am happy with it.
One question nonetheless : is there a possibility to change the encryption password ? Not to use the default password ? Which I do not know ....
On the Nexus 6 I could setup the encryption password to replace default_password - I was asked the chosen password early at boot before the login screen - but now one cannot use :
Code:
vdc cryptfs changepw password default_password <mypassword>
(No more possibility to use raw commands)
Regards
You aren't confusing FDE (full disk encryption) with FBE (file based encryption)? The 6T uses FBE, I'm not aware of a way to convert it to FDE.
Indeed I am confusing ..... What is disturbing me is the fact that there is an encryption password which I do not know ....
Regards