Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
plop12345 said:
Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Got it working with the stock ROM in the meantime. Just don't use TWRP to flash Magisk. Keep the stock recovery, use Magisk Manager to patch boot.img (check tar format in settings), then flash back via Odin, boot and factory reset. Done.
No luck with any custom ROM yet. Desperately looking for help. Would also pay quite a bit to have someone skilled looking into this. I don't want to keep the Korean ROM of my N950N
Nick216ohio said:
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and loses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
plop12345 said:
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and loses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% shortcoming.
Jammol said:
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% shortcoming.
Ah crap, didn't even think of that issue
Anyway, at least to me a phone without reliable encryption is not usable as a daily driver. I wonder why this gets so little attention. I have spent some days now trying to resolve this, but there is not much information out there or I'm not capable of digging it up.
I couldn't even find a clear statement, what it actually is that prevents TWRP to mount encrypted /data on modern Samsung phones.
I know they do their own SOC based hardware encryption, but what is it that TWRP can't get? Does the trusted zone not release the key if a custom binary boots? I'd really like to understand a bit more on how this actually works.
Thanks
Figured it out: https://forum.xda-developers.com/galaxy-note-8/how-to/guide-how-to-root-device-encryption-t3742493
Related
Has anyone worked out a way of encrypting your note and still be able to run a custom ROM? The warning about this on the safestrap thread has been up for a long time (since KitKat?) and I was hoping that someone might have made some headway into this...
If not, how do I re-root post encryption? I don't even really know what limitations to expect after this process either.
Any help, advice, links, karma loans, anything really would be appreciated!
Cheers
brisinger08 said:
Has anyone worked out a way of encrypting your note and still be able to run a custom ROM? The warning about this on the safestrap thread has been up for a long time (since KitKat?) and I was hoping that someone might have made some headway into this...
If not, how do I re-root post encryption? I don't even really know what limitations to expect after this process either.
Any help, advice, links, karma loans, anything really would be appreciated!
Cheers
This is what worked for me...
I just flashed my NC2 backup to stock slot, uninstalled safestrap, busybox, unrooted with supersu and rebooted. I ran "quick encryption" with no problems (I didn't try full device) and towelroot worked as usual. Full root access probably defeats the purpose of encryption but that wasn't my call
Boot screen is clean, no custom triangle and I did not run triangleaway
As we know, Google is going to pre-enable data encryption on Android L, and we already have it as an optional extra security.
So before anyone rushes to enable it to feel more secure, let's first learn about it.
This option is available in Security.
If you enable it, you have to enter a password/PIN (compulsory).
80% minimum battery + plugged in for charging is necessary.
Once the encryption starts, it will take about 15 minutes to complete the process.
Once it's complete, it will automatically reboot the phone. Booting will be in 2 stages. In the first stage it will ask for the password/PIN to decrypt the phone/phone storage,
and then the second boot process will be the normal one.
And now comes the warning part.
Once you encrypt the data, you have to decrypt it on every boot and you can't disable this. You have to factory reset the phone to remove this.
And here at XDA we flash mods and zips etc. almost every day/week.
So if you encrypt your phone and then you flash anything via bootloader, IT WILL FORMAT EVERYTHING (including internal storage, basically a factory reset).
So if you are an advanced user with custom ROM/recovery etc., I suggest you first do a complete backup if you really want to try the data encryption.
So I hope this information will be helpful for those who are unaware and don't know what can happen, and I suggest you read about it before you enable it.
For most of us, we already know that encryption causes issues, always. Maybe not immediately, but always at some point.
It's the new people that go "oh encryption, sounds good, must use", when they don't have any data that's actually important enough to justify the need for encryption.
Lethargy said:
For most of us, we already know that encryption causes issues, always. Maybe not immediately, but always at some point.
It's the new people that go "oh encryption, sounds good, must use", when they don't have any data that's actually important enough to justify the need for encryption.
That's why I created a new thread specially for those who are inexperienced.
Not everyone is born a developer/pro.
Everyone learns by making mistakes,
and our job is to help them at XDA.
IMO this is what XDA is for in the first place.
I'll rely on custom ROMs as always, that certainly have it disabled by default.
I think it's insane Google would try to force this on us. Shame on them.
How does android L handle staying unlocked in trusted areas if encryption is enabled?
Despite the warning, we will see how the encryption will work in Android L. It might not be the same process as described from Kitkat/JB of encryption.
Who knows if the process of encryption will be changed in Android L, so that you don't have to do each step to encrypt/decrypt and the flashing/modding issues.
I see many bricks coming from this as well, from unknowing flashers.
inferol said:
Despite the warning, we will see how the encryption will work in Android L. It might not be the same process as described from Kitkat/JB of encryption.
Who knows if the process of encryption will be changed in Android L, so that you don't have to do each step to encrypt/decrypt and the flashing/modding issues.
Probably they are going to change the way it works, because they haven't updated it since it first came out with ICS.
The inability to use pattern lock is enough to turn me off Android encryption. All the other problems just makes it a no brainer.
Maybe they have overcome these issues and thus made it default...
I find no sense in making some hectic procedure as default
wow. wonder who will have access to the encryption keys.. or more likely supplied the encryption technique in the first place?
cough... nsa, feds, gchq, etc...... cough
don't believe the security services fake crying about encryption... just a fairy story to pacify the sheep
meangreenie said:
wow. wonder who will have access to the encryption keys.. or more likely supplied the encryption technique in the first place?
cough... nsa, feds, gchq, etc...... cough
don't believe the security services fake crying about encryption... just a fairy story to pacify the sheep
When NSA forced TrueCrypt to hand over their keys, they essentially and purposely updated their product to be broken to ensure no one used it. Wonder what Google would do?
Sent from my Nexus 5 using Tapatalk
Wakamatsu said:
The inability to use pattern lock is enough to turn me off Android encryption. All the other problems just makes it a no brainer.
You can't do it out of the box, but you can make it work fairly easy with twrp and a backup. The quick version is:
before encryption, setup your pattern lock, do a nandroid backup in twrp. Reboot, change to a PIN/password to allow encryption, perform encryption process. Boot back into twrp, it will prompt you to enter your pin/password, since it can decrypt and then function inside of the encrypted volume (and therefore restore an unencrypted backup inside of the encrypted envelope in essence). Restore your backup that has pattern unlock and reboot. It should prompt you for your strong pin/password on each initial boot, but once booted, it will use your pattern unlock. Downside is you can't change your pattern after that, so pick what you want the first time. You can change your pin/password if you want, I use EncPassChanger myself. I also use bootunlocker to relock the bootloader after I'm done, just have to make sure to unlock before flashing any updates.
I use this process on both my N5 and 2013 N7.
rootSU said:
When NSA forced TrueCrypt to hand over their keys, they essentially and purposely updated their product to be broken to ensure no one used it. Wonder what Google would do?
Sent from my Nexus 5 using Tapatalk
Source for this?
markassbuster said:
Source for this?
Action speaks louder than words sometimes all u need is to observe
markassbuster said:
Source for this?
They can't really openly say that but the industry "knows".
But the opening paragraph of this page hints at it.
http://truecrypt.sourceforge.net
rootSU said:
They can't really openly say that but the industry "knows".
But the opening paragraph of this page hints at it.
http://truecrypt.sourceforge.net
AH OK thanks. I thought there was some recent, concrete news about what went down.
Thing is, now what will we gotta do to still be able to flash zips with encrypted device? XD
So I recently encrypted my phone....because I read it only encrypts the data partition...so if I wanted to update my CM11 version (m9 to m10 for example) I wouldn't be able to?
I should have read into it more I guess...
edit: TWRP saved my ass. Just looked at it and it decrypts the data partition.
I encrypted my phone, but now wish I hadn't. I'm pretty sure it is the cause of some small issues I have had flashing different ROMs.
fml :crying:
I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption...and what the whole thing was about. Well I'm curious, are these custom ROM's built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off...it was actually on.
So I'm confused.
Thanks.
Some ROMs do not force encryption. They can still be encrypted. It depends on the kernel. You will need to perform a wipe to unencrypt
stevew84 said:
I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption...and what the whole thing was about. Well I'm curious, are these custom ROM's built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off...it was actually on.
So I'm confused.
Thanks.
It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
cam30era said:
It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
I've also read about long "encrypting now" screens during first boot of fresh ROM's, I've never seen those.
Encryption depends on the kernel or more accurately the fstab, so it depends what kernel is supplied with the ROM or which kernel you plan on flashing with the ROM.
There are 2 types of ROM. Stock based and AOSP based. I find it hard to believe any AOSP ROM dev would turn on force encryption, but with a stock ROM, it could be on or off - depending. Read each thread to find out.
All ROMs and kernels are encryption enabled by the way. Turning off force encryption only prevents first boot from encrypting your data partition. You can still turn on encryption yourself in settings and if you're already encrypted, turning off force encryption will not unencrypt your data, so it will still be on. Once force encryption has been turned off, you must then format /userdata to remove encryption
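The fstab dependence described in the post above can be checked directly. This is an added example, not part of the thread or of any ROM's tooling; it assumes the Android fs_mgr flag names `forceencrypt=` and `encryptable=` (not named in the thread), and the sample fstab lines are constructed.

```shell
#!/bin/sh
# Added example: report what an Android fstab says first boot will do to /data.
# fs_mgr line layout: <src> <mount_point> <type> <mnt_flags> <fs_mgr_flags>
# forceencrypt= / encryptable= are fs_mgr flags (assumed; not named in the thread).

data_encryption_policy() {
    # $1: path to an fstab file extracted from a ROM or boot image
    awk '
        /^[ \t]*#/ || NF < 5 { next }          # skip comments and incomplete lines
        $2 == "/data" {
            found = 1
            policy = "none"                    # no encryption flag at all
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++) {
                if (flags[i] ~ /^forceencrypt=/)
                    policy = "forced"          # first boot encrypts /data
                else if (flags[i] ~ /^encryptable=/ && policy != "forced")
                    policy = "optional"        # user may enable it in Settings
            }
            print policy
            exit
        }
        END { if (!found) print "no-data-entry" }
    ' "$1"
}

sample_fstab() {
    # $1: fs_mgr flags for the /data line, $2: output path (constructed sample)
    cat > "$2" <<EOF
# constructed sample fstab, not taken from any real device
/dev/block/by-name/system    /system  ext4  ro,barrier=1             wait
/dev/block/by-name/userdata  /data    ext4  rw,nosuid,nodev,noatime  $1
EOF
}

SAMPLE_DIR=$(mktemp -d)
sample_fstab "wait,check,forceencrypt=footer" "$SAMPLE_DIR/fstab.forced"
sample_fstab "wait,check,encryptable=footer"  "$SAMPLE_DIR/fstab.optional"
sample_fstab "wait,check"                     "$SAMPLE_DIR/fstab.none"

for f in "$SAMPLE_DIR"/fstab.*; do
    printf '%s: %s\n' "${f##*/}" "$(data_encryption_policy "$f")"
done
```

The fstab only describes what first boot will do. Whether a running device is currently encrypted is reported separately by `getprop ro.crypto.state`, which is why an already-encrypted phone stays encrypted after flashing a kernel with force encryption turned off.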
stevew84 said:
I've also read about long "encrypting now" screens during first boot of fresh ROM's, I've never seen those.
Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
cam30era said:
Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
stevew84 said:
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
It says in my post
Encryption will stay on unless you completely wipe the device and have a kernel installed that doesn't force you to encrypt. So you'll never see an option for decrypting your device. This comes with a huge warning that ANYTHING on the internal storage will be lost, that goes for the ROM and your files, including your ROM zip files for flashing. If you want to decrypt the device I suggest you first practice by flashing a ROM that you copy into your phone while in recovery so you know you can do it.
Guide: http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
This will get you to a clean slate, make sure you test MTP (file transfer over usb from computer) in recovery and verify that you can move files over to your device in recovery. You should already have a custom recovery installed such as TWRP. If you are considering disabling make sure you know exactly what is going on first, it's not as straightforward as it seems. Good luck
stevew84 said:
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
If you are on stock, rooted, or a non-CM12 based ROM, one way is to go here > http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
Remember, after flashing the boot.img, you need to "fastboot format userdata" to unencrypt. This will wipe your SDcard.
rootSU said:
It says in my post
Sorry, I didn't see you posted.
Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
stevew84 said:
Sorry, I didn't see you posted.
Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
Because you were already encrypted.
stevew84 said:
I don't know the pros/cons of having it that way, or not.
Pros for encryption;
- security. This is pretty obvious, if somebody hostile gets their hands on your phone, your data will not be obtained by them.
Cons;
- performance and battery life. There is indication in AOSP that google *intends* to activate hardware crypto, but as of yet, have not. That means that the crypto function is done on your main CPU, which is (a) not as fast as the hwcrypto block, and (b) takes up valuable CPU cycles from other software that is running, and (c) anything that uses CPU heavily will consume battery.
Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
rootSU said:
Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
That isn't a con of encryption. That's a con of using broken software to perform your backup.
doitright said:
That isn't a con of encryption. That's a con of using broken software to perform your backup.
The con of encrypting data is that it may not always be decrypt-able. Regardless of the root cause being Android, Windows, Linux or "broken software". If doing something to your data leads to it being useless via whatever means, then there is a negative effect of doing that something to your data
Hello all.
I always keep a pass code on my phone and use smart devices and locations to keep it unlocked in trusted places. I am thinking of turning on encryption to keep the data secure if the phone is ever truly lost.
I am running CF's rom on an unlocked bootloader. If I backup in TWRP and store that backup on my PC, what would be the best method of restoring it if I find the encryption to be too much of a burden?
Also, is the recovery partition encrypted when this is done? If so, how would I actually factory reset to remove the encryption before a restore?
Thanks!
I'm not an expert on using encryption on an unlocked bootloader, but from what little I've read and tried, it can be tricky. I am also using CF's rom, and whenever I try to encrypt the device, the screen goes black and won't respond until I hold down the power button for a pretty long time. I've read that you need to be on a 100% stock rom if you want to encrypt the device, and then after that you can modify it as you please. The recovery partition is not encrypted. That's about all I know.
I have always had my device encrypted. I can't recall a single issue. BL unlocked. CF 1.2.7.
Wynnded said:
I have always had my device encrypted. I can't recall a single issue. BL unlocked. CF 1.2.7.
Had you encrypted before installing the rom then?
Coronado is dead said:
Had you encrypted before installing the rom then?
I don't recall precisely, but I strongly suspect so.
I was bored, so I reflashed the stock rom and encrypted the phone. Took only a few minutes. I don't really see what the point is though, since it doesn't ask for a password at boot like it's supposed to.
Also, as long as you have TWRP installed, anyone who is even slightly knowledgeable can have 100% access to all of your files, no password required.
TheSt33v said:
I was bored, so I reflashed the stock rom and encrypted the phone. Took only a few minutes. I don't really see what the point is though, since it doesn't ask for a password at boot like it's supposed to.
Also, as long as you have TWRP installed, anyone who is even slightly knowledgeable can have 100% access to all of your files, no password required.
Interesting....mine requires a PW at boot....
Additionally, I have to type my PW when booting into TWRP.
Wynnded said:
Interesting....mine requires a PW at boot....
Additionally, I have to type my PW when booting into TWRP.
Oops. I figured it out. No lock screen password, no boot password.
It appears you have had success where others have not. Were you successful in having TWRP decrypt your data, in order to load CF's ROM?
I've downgraded to 4.4.4 stock, encrypted the phone, loaded TWRP through ADB, and cannot get TWRP to decrypt, no matter the password I use.
Any help would be appreciated.
can you give downgraded 4.4.4 file for my turbo
P_6 said:
It appears you have had success where others have not. Were you successful in having TWRP decrypt your data, in order to load CF's ROM?
I've downgraded to 4.4.4 stock, encrypted the phone, loaded TWRP through ADB, and cannot get TWRP to decrypt, no matter the password I use.
Any help would be appreciated.
Yes, I was. See this thread for details: http://forum.xda-developers.com/droid-turbo/help/cm-encryption-t3263971/page3
---------- Post added at 10:43 AM ---------- Previous post was at 10:42 AM ----------
fidi7861 said:
can you give downgraded 4.4.4 file for my turbo
http://rootjunkysdl.com/getdownload.php?file=Droid Turbo/Firmware/VRZ_XT1254_SU2-12_12_CFC.xml.zip
I thought that while encrypting my phone, the result would be that my data is preserved, just encrypted. So I went through the encryption process only to find that all my data is wiped, so that I have to restore everything from backups, as far as I have them.
Did I overlook something, or is this a bug? I have LineageOS 14.1, installed yesterday, official.
Found that after a reboot, the data was again gone. (after I spent considerable time setting the phone up yet again), now factory reset, running unencrypted, until I know what has been going wrong here. Sigh. Custom roms and encryption continue to be a toxic mix for me.
yahya69 said:
Found that after a reboot, the data was again gone. (after I spent considerable time setting the phone up yet again), now factory reset, running unencrypted, until I know what has been going wrong here. Sigh. Custom roms and encryption continue to be a toxic mix for me.
When I first started playing around with encryption (Samsung Note 3) I discovered that to get encryption to work properly I had to format /data (you lose everything, including internal shared storage) and that it worked better on stock ROM rather than custom ROMs.
Sent from my OnePlus3T using XDA Labs
BillGoss said:
When I first started playing around with encryption (Samsung Note 3) I discovered that to get encryption to work properly I had to format /data (you lose everything, including internal shared storage) and that it worked better on stock ROM rather than custom ROMs.
Sent from my OnePlus3T using XDA Labs
which I kind of accepted after learning it the hard way, but the problem was that after encrypting the device, all data was wiped each time the phone was rebooted, so something is buggy here.
yahya69 said:
which I kind of accepted after learning it the hard way, but the problem was that after encrypting the device, all data was wiped each time the phone was rebooted, so something is buggy here.
I resolve this problem using latest official twrp.
dimon2242 said:
I resolve this problem using latest official twrp.
How did you? (What version of TWRP did you install) After all, it is not TWRP that does the encryption, or is it? So I don't see how this could be the cause.
With TWRP, I had the additional issue that it kept asking me for a password to mount /data, but it wouldn't accept the PIN that I had set in Android. I have no idea what other password it might want.
Oh, well, there is just too much fumbling in the dark in this whole mobile devices business. I have been a Linux user for some 20 years, and there, if things go wrong, you can actually view what is happening. On android, this is so much more difficult, even with logcat.
yahya69 said:
How did you? (What version of TWRP did you install) After all, it is not TWRP that does the encryption, or is it? So I don't see how this could be the cause.
With TWRP, I had the additional issue that it kept asking me for a password to mount /data, but it wouldn't accept the PIN that I had set in Android. I have no idea what other password it might want.
Oh, well, there is just too much fumbling in the dark in this whole mobile devices business. I have been a Linux user for some 20 years, and there, if things go wrong, you can actually view what is happening. On android, this is so much more difficult, even with logcat.
Have you tried default_password as the password in TWRP?
Also, if you can actually log into your system normally, then you can set the password again and require it on boot.
BillGoss said:
Have you tried default_password as the password in TWRP?
What "default password"? You mean, literally typing "default_password"? No I did not. What would that have done?
After all, again, it required a password for the /data partition, hence a password with whom it is encrypted. But I had used no password other than the PIN. And again, I can't see how my problem of data disappearing on each boot would be caused by TWRP.
Also, if you can actually log into your system normally, then you can set the password again and require it on boot.
Again, what password do you have in mind? The PIN? Yes, the system asked for the PIN at boot, but nonetheless, all data was wiped on each boot.
For the time being, I run the system without encryption, because I have had enough of setting it up again and again anew (had to do this three or four times.)
Again, it looks like this is a bug. Because after initially encrypting the phone, my data should still have been there. But it was gone. The phone was now encrypted, but there was nothing on it. That's something that I am pretty sure is not supposed to happen.
just had the same using Samsung S5 Duos with latest lineage-os (20180427): this is a cluster-f**k, I cannot believe it. I advocate using Lineage-OS wherever I go. Of course, it's my fault, I did trust Lineage-OS too much so I didn't think of backing-up. I didn't believe something like this could happen.
chaos_prevails said:
I did trust Lineage-OS too much so I didn't think of backing-up. I didn't believe something like this could happen.
You probably already realize this, at this point. But there is no such thing as an OS (on any device) that is so secure or stable, that backing up your data is not necessary. Even regardless of OS, memory corruption and data loss can happen for any number of reasons. Golden rule: If your data is important to you, back it up.
Of course, I know.
I took the loss of all data as opportunity to flash newest modem, CSC, and PDA firmware via latest stock-rom, and then re-flashed latest Lineage OS again. This time, it didn't factory reset my phone with encryption. Don't know if that had anything to do with my old firmware (I had G900FDXXS1CPK2 installed when factory reset-with-encryption happened).
Besides, I was lucky as no other migration method to my new phone worked out except going via an old-school micro-sd card copy. I could undelete almost all pictures on it.