Cryptfs Password Manager
Android device encryption password manager app. Lets you change the Android disk encryption password. Essentially the same as
Code:
# vdc cryptfs changepw <newpassword>
but easier to use and slightly more foolproof. Requires root access.
WARNING
If you forget the new password after you change it, you will not be able to boot the device. You will have to perform a factory reset, DELETING all your data. Make sure you take a full backup before using this tool, and REMEMBER THE PASSWORD. You have been warned, use at your own risk!
Why and how to use this
Android 3.0 (Honeycomb) introduced disk encryption and it has been available on all subsequent versions. It encrypts the data partition with a key protected by a user-selected password and requires entering the password in order to boot the device. However, Android uses the device unlock password or PIN as the device encryption password, and doesn't allow you to change them independently. This effectively forces you to use a simple password, since you have to enter it each time you unlock your device, usually dozens of times a day. This tool allows you to change the encryption password to a more secure one, without affecting the screen unlock password/PIN. To change the device encryption password simply:
Enter the current password (initially the same as the unlock password/PIN)
Enter and confirm the new password
Hit 'Change password'
The changes take effect immediately, but you will only be required to enter the new password the next time you boot your device. Make sure you choose a good password, not based on a dictionary word, since automated tools can brute force a simple password in minutes. Above all, make sure you REMEMBER the new password.
If you change the device unlock password/PIN, the encryption password will be automatically changed as well. You need to use this tool again to change it back, if required.
Once Android adds an official way (system UI) to change the passwords independently, this tool will no longer be needed. Star this issue if you want this to happen:
code.google.com/p/android/issues/detail?id=29468
How to get it
The app is also available in the Google Play Store:
play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager
And source is on Github, Apache 2.0 licensed:
github.com/nelenkov/cryptfs-password-manager
Acknowledgments
Borrows some code from github.com/project-voodoo/ota-rootkeeper-app, under the WTFPL license
Hey guys, so I have my company CEO's phone, which is a Note 3 on Verizon. I pushed out an ActiveSync policy yesterday which has the following settings:
* Require Password
* Enable password recovery
* Allow simple password
* Minimum password length: 4
* Time without user input before the password must be re-entered: 2 minutes
He stated that he didn't put a password in... ಠ_ಠ - So I tried to put him back on the old policy. I tried the recovery password that I found in Exchange using `Get-ActiveSyncDeviceStatistics -Mailbox:"jbrown" -ShowRecoveryPassword:$true`, but that password does not work.
Is there any way to reset the passcode without wiping the device?
Also if you have any suggestions on 3rd party apps to not have this happen in the future on other devices, I'd greatly appreciate it.
Thanks,
MC
CM13 encryption is a nightmare.
I've only used CM11 encryption before (use Cryptfs Password Manager to change encryption password).
I installed CM13 on a LG G2 D800. I believe it has hardware-backed storage.
I encrypted my phone using `vdc cryptfs enablecrypto inplace password` as a test. Curious to see what happened when I changed encryption methods, I switched to password encryption with password `password`.
After running `vdc cryptfs changepw password password password password2`, I was able to successfully decrypt with "password2" and unlock with "password". So I assumed the command would work... this assumption would prove my downfall.
I then reenabled pattern unlock. Interestingly, I was able to reboot without so much as a password prompt, despite being "encrypted". So I reentered the pattern, making sure to first enable boot-time pattern prompt. (Really! What's the point of encryption if it doesn't depend on user input?)
Still in pattern mode, I attempted to secure decryption while maintaining a convenient unlock pattern: `vdc cryptfs changepw pattern password password password`, or `pattern password password`, or `password password password password`, or `password password password`. I actually ran a long command a few times, then a short one repeatedly, then possibly the long one some more. Each time I ran it, I got `200 0 0`, which is supposed to indicate "no error".
Nonetheless, when I reboot, the phone still asks for the pattern (I had tried to add a decryption password), but rejects the unlock pattern I was using previously. It seems like the `changepw` commands did not enable the password, but merely corrupted the pattern.
How do I unlock encryption?
(repost https://www.reddit.com/r/cyanogenmo...3_lg_g2_pattern_encryption_bricked_after_vdc/ )
How did you get vdc cryptfs to work? I've tried adb shell and termux on the device and can't get the system to recognize either.. I've got busybox installed and am running as su, but can't get the command to take..
cuhead528 said:
How did you get vdc cryptfs to work? I've tried adb shell and termux on the device and can't get the system to recognize either.. I've got busybox installed and am running as su, but can't get the command to take..
Figured this out - downloaded the cryptfs app from the playstore and then was able to use Termux to run the command.
First off, relevant Twitter post: https://twitter.com/laginimaineb/status/737051964857561093
posted by /u/sephr on reddit.com/r/android:
So basically, Full Disk Encryption is now much easier to bypass on many devices until this gets fixed. There are a few other things that rely on this, but FDE is the most important.
This is where your encryption key is stored. Your encryption key is itself encrypted by the password you enter to decrypt your device (your password decrypts a bigger more reliable password essentially), so if you don't have a very long and secure password, it is now easy to break FDE, as an attacker won't be limited by a limited number of password attempts.
Attackers can extract your key and brute force your password using it.
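The README above describes changing the disk encryption password without touching the encrypted /data partition, and sephr's post explains why that is possible: the disk key is itself encrypted under the boot password. The following constructed Python model (added here; not Cryptfs Password Manager's or Android's code, using an HMAC-based wrap in place of Android's AES and an iteration count of its own) shows a footer being created, re-wrapped the way `changepw` does, and rejecting a wrong password.

```python
"""Toy model of an Android FDE crypto footer and of 'changepw' re-wrapping.
Constructed example, not Cryptfs Password Manager's or Android's code. The wrap
is an HMAC keystream plus HMAC tag (stdlib only); Android used AES with a PBKDF2
key in early versions and scrypt later."""
import hashlib, hmac, os

KDF_ITERATIONS = 50_000   # assumed cost; Android 3.x-4.3 used 2000 PBKDF2 rounds
MASTER_KEY_LEN = 16       # 128-bit disk master key, as in Android FDE

def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key (KEK). The salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)

def _keystream(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()[:MASTER_KEY_LEN]

def wrap(master_key: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC the master key under the KEK: nonce(16) || ct(16) || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(blob: bytes, kek: bytes) -> bytes:
    """Check the tag, then recover the master key; ValueError means wrong password."""
    nonce, ct, tag = blob[:16], blob[16:32], blob[32:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password: footer tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce)))

def make_footer(password: str) -> dict:
    """First encryption: fresh random master key and salt, key wrapped under the password."""
    salt = os.urandom(16)
    master = os.urandom(MASTER_KEY_LEN)
    return {"salt": salt, "wrapped": wrap(master, derive_kek(password, salt))}

def unlock(footer: dict, password: str) -> bytes:
    """Boot-time unlock: return the master key that decrypts /data, or raise ValueError."""
    return unwrap(footer["wrapped"], derive_kek(password, footer["salt"]))

def changepw(footer: dict, old_pw: str, new_pw: str) -> dict:
    """What 'vdc cryptfs changepw' does in spirit: unwrap with the old password and
    re-wrap the *same* master key with the new one. /data itself is never rewritten,
    which is why the change takes effect immediately."""
    master = unlock(footer, old_pw)            # fails loudly if old_pw is wrong
    kek = derive_kek(new_pw, footer["salt"])   # salt kept; only the wrapped blob changes
    return {"salt": footer["salt"], "wrapped": wrap(master, kek)}
```

Once the hardware-bound step sephr describes is gone, an attacker holding the footer can run `derive_kek` offline at any rate, which is why the password length matters more than the KDF cost alone.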
Hello,
I remember when I set up the A1 at first boot, it asked if I wanted to be prompted for a password before booting Android, to which I said no.
So this, in effect, must have encrypted with the default password on first boot. This lets the system boot and core services start if the device gets rebooted without my knowledge (so that I receive calls and SMS), vs. if it asks for a password before booting (uses my PIN as the password instead of the default password), the core services aren't available until I put my PIN in.
This issue was supposed to get solved through Nougat's FBE.
So my question is: does the Mi A1 use FBE, so that even if I had opted for my PIN as the password before booting, I would not be blocked from using core services like phone and SMS with the OS waiting at the PIN prompt?
Thanks.
As I have researched more, the A1 does not support FBE.
Read this excellent write-up.
In the above article, it shows how to convert to file-based encryption. This option in the developer settings is missing from the A1.
This is the first major disappointment with the A1. I was shocked on system setup to see this. Didn't expect this from a phone expected to receive updates up to P.
ashjas said:
As I have researched more, the A1 does not support FBE.
Read this excellent write-up.
In the above article, it shows how to convert to file-based encryption. This option in the developer settings is missing from the A1.
Why do you think so? What encryption does it use?
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders, but more code is running at startup, so you can in theory receive notifications and such for certain apps. I certainly don't need stuff running before I authenticate.
gradinaruvasile said:
It uses FDE. This can be seen when you reboot the device - the black background and basic keyboard. This is FDE.
FBE would boot the device in an intermediary state with wallpaper, full keyboard.
Now if you ask me FDE seems a bit more secure - you can be sure that everything on the device's data partition is encrypted and the only available function is emergency call.
FBE encrypts certain folders, but more code is running at startup, so you can in theory receive notifications and such for certain apps. I certainly don't need stuff running before I authenticate.
So when the phone was set up in a way where no password was asked during (in the middle of) the boot process, how easy would it be for thieves to access data stored on an A1? And how much would it help them if the bootloader was unlocked?
When you reboot the phone and you do not have an FDE password set up, the phone still asks for a PIN after booting, with the text "Unlock for all features and data". This sounds like FBE to me.
- The PIN is probably from the SIM card. My A1 never asked anything until I set up a password. But mine came with Android 7.1.1, so it is a possibility that some come with later versions (that have FBE?).
- FDE is usually enabled anyway on Android 7.1+, but it has a default password set ("default_password" AFAIR). So if you run TWRP, for example, even without installing it, it will access your data because it knows this default password. If you specify a custom password the disk will not be unlocked without it.
- A locked bootloader brings additional security. The idea behind it is to have a verified boot chain - if someone gets hold of your phone, they are not able to flash custom system apps on it.
The partitions are checksummed and verified via dm-verity. So at boot time any unauthorized alterations (done, say, with booted TWRP, installed Magisk and root, then re-locked bootloader afterwards) will trigger a "System Destroyed" message.
The above will all be disabled if you unlock the bootloader and install TWRP. As for now TWRP (or any other loader) cannot ensure system consistency. It is possible to flash stuff on your device by restarting it and launching TWRP. If you have a strong encryption password set up, your data partition will still be inaccessible to them, but if you get your phone back and start it up the malware will start and do nasty stuff like siphoning all your data, passwords etc. (because you can flash system apps that can see everything on the device).
After restart, it asked me for a PIN and then for SIM PIN, (even when draw pattern was my configured way for unlock). It never again asked me for PIN, only right after reboot. Why else would I be asked for a PIN only after reboot, if not because of FBE?