Is it possible to have storage encryption with a custom ROM? - Samsung Galaxy A40 Questions & Answers

As far as I can see, it appears that all custom roms disable encryption. I understand that twrp doesn't support decryption, but I would like to have it regardless.

Related

[Q] safely remove encryption

After receiving my beloved 1+2, I rooted it, installed TWRP and flashed Xposed. Then I encrypted the phone. After wanting to update the rom, I realized TWRP doesn't yet support encryption. I reflashed the stock recovery, which I found here. This didn't help either, no encryption supported.
How can you safely remove the encryption? Does anyone have a functioning setup with stock recovery and an encrypted device? Or is it possible to flash new firmware through fastboot leaving it encrypted?
I made my Htc M7 useless trying to remove its encryption, so I'm really careful on the 1+2...
Does really nobody know how to reverse this prominent feature in android???
A simple factory reset from the settings menu completely removed the encryption

Re-encrypt Data?

I'm rooted using Magisk and I'm using ElementalX kernel, I do not have TWRP installed as I want to get OTAs... my question is, can I re-encrypt my data without losing Magisk? I remember TWRP having problems decrypting the partition when I first tried to install Magisk/EX so, in case I lose Magisk, can I reinstall Magisk/EX in TWRP or FlashFire once I re-encrypt my device? (i.e. can TWRP decrypt "user encrypted" data partitions? and/or can Magisk run from an encrypted data partition?)
jhonyrod said:
I'm rooted using Magisk and I'm using ElementalX kernel, I do not have TWRP installed as I want to get OTAs... my question is, can I re-encrypt my data without losing Magisk? I remember TWRP having problems decrypting the partition when I first tried to install Magisk/EX so, in case I lose Magisk, can I reinstall Magisk/EX in TWRP or FlashFire once I re-encrypt my device? (i.e. can TWRP decrypt "user encrypted" data partitions? and/or can Magisk run from an encrypted data partition?)
You have a premise incorrect here... If you are not 100% stock, you CANNOT take an OTA, even if you have stock recovery... you have modified the kernel, ramdisk image (Magisk), and likely the system partition (if not, why did you bother to root?), so OTA updates will FAIL. Even with FlashFire there is less than a 50% success rate with this device when rooted.
Although I haven't tried in a long time, TWRP should handle encryption fine, as long as you know the password/PIN... I can't speak for ElementalX specifically, but it is a mainline kernel so I think it should be fine.
The point is that once you have unlocked the bootloader, your device security is pretty much zero... that is kind of a given, encryption helps safeguard your private information, but unlocked bootloader negates FRP and anyone could just fastboot TWRP, wipe and enjoy using your device. This is one of the reasons (of several) that I have stopped unlocking the bootloader and rooting anymore.
My question was mainly about Magisk and TWRP working with encrypted partitions.
About the security, I'm aware of the implications and I just want to keep my data safe, which is more important than the device itself.
As for the device modifications, AFAIK ElementalX uses the ramdisk just as Magisk does, it doesn't write anything to the kernel partition, also, I haven't modified /system at all; all possible modifications I've done have been through Magisk modules and Xposed (which I installed systemlessly of course). The main reason I rooted is indeed Xposed so I can use stuff like NeoPowerMenu, Whatsapp Extensions, ActivityForceNewTask, etc.
Given the fact that I've only modified the ramdisk so far, are you sure that I can't accept OTAs? (I know they'll break my current setup, but it should be easy to fix)
jhonyrod said:
My question was mainly about Magisk and TWRP working with encrypted partitions.
About the security, I'm aware of the implications and I just want to keep my data safe, which is more important than the device itself.
As for the device modifications, AFAIK ElementalX uses the ramdisk just as Magisk does, it doesn't write anything to the kernel partition, also, I haven't modified /system at all; all possible modifications I've done have been through Magisk modules and Xposed (which I installed systemlessly of course). The main reason I rooted is indeed Xposed so I can use stuff like NeoPowerMenu, Whatsapp Extensions, ActivityForceNewTask, etc.
Given the fact that I've only modified the ramdisk so far, are you sure that I can't accept OTAs? (I know they'll break my current setup, but it should be easy to fix)
Positive... 99% sure they will fail. And although Xposed may be installed systemless, its modules still modify /system.

File-based encryption

Hello, everybody.
As the title says, I would like to know if our device is capable of having file-based encryption, in order to have Direct Boot enabled in custom ROMs. This would be helpful in an encrypted device that had a random reboot.
Thanks in advance.
I don't know :'v

TWRP decryption on H870 = OK or not?

Hello, despite searching I couldn't find my answer. Is TWRP able to decrypt the h870 encrypted data partition (through pin, pattern, etc..)? Very important for me & I got a good deal on it that expires soon. Hope you can tell me, thanks!
goja said:
Hello, despite searching I couldn't find my answer. Is TWRP able to decrypt the h870 encrypted data partition (through pin, pattern, etc..)? Very important for me & I got a good deal on it that expires soon. Hope you can tell me, thanks!
Unpredictable. I would keep data decrypted if you like to play with custom roms and TWRP. If you do stock based only (Nougat, Oreo), then encryption will work fine with Magisk rooting. To backup data using TWRP though, OFFICIAL TWRP for H870 can decrypt data fine but UNOFFICIAL TWRP won't (needed to flash newest custom roms). Some people use both TWRP versions (official one at twrp.me to backup rom, and unofficial 3.2.3 to flash latest custom roms)
I see.. And what's the latest lineage/resurrection rom that's compatible with official twrp, how far does it go..?
PS: "then encryption will work fine with Magisk rooting" what?! we're talking about twrp decryption, what's with magisk..?
goja said:
I see.. And what's the latest lineage/resurrection rom that's compatible with official twrp, how far does it go..?
PS: "then encryption will work fine with Magisk rooting" what?! we're talking about twrp decryption, what's with magisk..?
You're correct. Not related. Just poor choice of words.

Questions about device security with an unlocked bootloader

I have some questions about device security running with an unlocked bootloader.
I am somewhat experienced and comfortable with flashing custom ROMs, mostly LineageOS,
and flashing back the original stock ROMs for Pixel and Samsung devices.
I have recently experimented with running LineageOS 20 (Android 13) on a Samsung Galaxy
Tab S5e with Magisk (and a few Magisk modules). Within several of the XDA forums, and also at
other web sites, it's recommended with custom ROMs the bootloader not be re-locked since
this can create problems.
I use my S5e for streaming videos, basic web browsing and other things. I don't do banking or
have anything I would consider a huge security risk. My intent is to understand what risks
exist with an unlocked bootloader so I can make more informed decisions what I should/should
not install.
With later versions of Android, including 13, the built in storage is encrypted by default.
If the device is powered off filesystems are at rest in an encrypted state so is it possible
for someone else to gain access to my data if they power on the device or flash
their own recovery and/or custom OS? If someone boots into recovery mode encrypted
filesystems should not be mounted and remain unavailable. I'm wanting to understand where
there are weaknesses that could be exploited to access data.
If the device is powered on and the OS has been screen unlocked the first time after boot
(so encrypted filesystems are mounted and available) is access to my data at increased risk,
assuming USB debugging is disabled?
Can apps be sideloaded in recovery mode that an attacker could use to gain access to data
in other ways even if encrypted filesystems have not been mounted?
Any other security issues to be aware of?
If risks I haven't considered are too great I can also go back to stock ROM, but would consider
ways of mitigating or reducing any risks with a custom ROM and unlocked bootloader.
Please let me know if there is a more appropriate place for this posting.
Thanks,
Rodney
Samsung encryption is not supported in TWRP recovery, but I have seen Samsung devices running LineageOS on AOSP encryption.
Of course on an unlocked bootloader an attacker can enable adb, inject scripts and gain root access easily. However, it still requires lock screen credentials for decrypting, so your personal data remains secured.
For some devices it's possible to set a user-settable root of trust; this would allow you to compile LineageOS with avb/dm-verity and re-lock the bootloader.
Thanks for the reply, would be great to figure out a way to be able to lock the bootloader with LineageOS.
I do notice the "OEM Unlocking" option does not exist in Developer Settings in LineageOS 20.
lol have fun!
How to properly ENABLE dm-verity and FEC for /system on Motorola X4 with LineageOS 17.1?
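
The threads above turn on two facts about a device: whether /data uses file-based or full-disk encryption, and whether the bootloader is locked with a stock or user-settable root of trust. The script below is an added example, not part of any post on this page; it reads `adb shell getprop` output and reports both, using Android's standard `ro.crypto.*` and `ro.boot.*` properties, with a constructed sample dump.

```shell
#!/bin/sh
# Added example: summarise storage-encryption and verified-boot state
# from `getprop` text. Real use:  adb shell getprop | audit_props

# Constructed sample: unlocked bootloader, custom ROM with FBE enabled.
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'

# prop_value NAME : read getprop text on stdin, print the value of NAME.
prop_value() {
    awk -v key="[$1]:" '$1 == key { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# audit_props : read a full getprop dump on stdin, print two summary lines.
audit_props() {
    dump=$(tr -d '\r')   # some adb builds emit CRLF line endings
    state=$(printf '%s\n' "$dump" | prop_value ro.crypto.state)
    ctype=$(printf '%s\n' "$dump" | prop_value ro.crypto.type)
    vb=$(printf '%s\n' "$dump" | prop_value ro.boot.verifiedbootstate)
    locked=$(printf '%s\n' "$dump" | prop_value ro.boot.flash.locked)

    case "$state:$ctype" in
        encrypted:file)  echo "storage: file-based encryption (Direct Boot capable)" ;;
        encrypted:block) echo "storage: full-disk encryption" ;;
        encrypted:*)     echo "storage: encrypted, type not reported" ;;
        *)               echo "storage: NOT encrypted" ;;
    esac

    # green = OEM key, yellow = user-settable root of trust, orange = unlocked.
    case "$locked:$vb" in
        1:green)      echo "boot: locked, OEM root of trust" ;;
        1:yellow)     echo "boot: locked, user-settable root of trust" ;;
        0:*|*:orange) echo "boot: unlocked, boot images are not verified" ;;
        *)            echo "boot: state unknown or verification failed" ;;
    esac
}

printf '%s\n' "$SAMPLE_UNLOCKED" | audit_props
```

Not every vendor sets all four properties; a missing one falls through to the "not reported" or "unknown" line rather than being guessed.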
