Full encryption available? - Samsung Galaxy S10 Questions & Answers

Hello,
is full device encryption available on this device? By that I mean the kind of encryption for which a password is needed in order to boot the phone into Android. I haven't found anything in settings yet.
Or maybe a different question. Is the encryption key stored on the device or generated each time you put in your password?

Related

Default phone encryption

My brand new 3T just arrived and I see it's already encrypting its contents.
The only point is that I don't know the encryption key.
I would like to unencrypt and re-encrypt it with my very own password.
Any hint or suggestion on how to do it?
Tia.
[UPDATE] There seems to be no unencrypt option in the settings!
Hi,
When you configure your phone for the first time, the configuration asks you to set up your fingerprint reader and, for this, you have to enter a password... This password is your encryption password too... So, wipe your phone to factory default or try to configure your fingerprint reader, but that way, I don't know if it will work...
Cheerz
Sent from my OnePlus3T using XDA Labs
I didn't put any fingerprint nor pin nor sequence.
Decrypting the device is possible only by running Format Data from fastboot or TWRP recovery; encryption works from the phone settings.
Sent from my Darkside of Oneplus 3T
OK. So, how can I use my very own encryption password?
Uqbar said:
My brand new 3T just arrived and I see it's already encrypting its contents.
The only point is that I don't know the encryption key.
I would like to unencrypt and re-encrypt it with my very own password.
Any hint or suggestion on how to do it?
Tia.
[UPDATE] There seems to be no unencrypt option in the settings!
I also had that moment. It was solvable without changing much. I had been on fingerprint & PIN entry from the locked screen. I could get into TWRP because it wouldn't accept my PIN as password. I tried to change the PIN to a password, then rebooted and TWRP let me in with that password, worked fine, so I tested backup & restore.
The next boot, I changed the password back to my PIN, and from then on TWRP used my PIN for entry. Apparently their system needs a kick of some sort to rewrite the encryption header. Mine was encrypted throughout and I left it that way.
I am on stock system. No TWRP, no supersu.
Uqbar said:
I am on stock system. No TWRP, no supersu.
Doesn't matter, same way. Try to configure your fingerprint reader... The configuration will first ask you to set a password, PIN code or diagram...
Easy way to do it, IMO...
Sent from my OnePlus3T using XDA Labs
satanas17 said:
Doesn't matter, same way. Try to configure your fingerprint reader... The configuration will first ask you to set a password, PIN code or diagram...
Easy way to do it, IMO...
It didn't work like that.
The encryption was effective since the very first boot, according to the "Security" sub menu.
Then I configured a fingerprint and no PIN or password was asked.
Uqbar said:
It didn't work like that.
The encryption was effective since the very first boot, according to the "Security" sub menu.
Then I configured a fingerprint and no PIN or password was asked.
So your phone booted up differently the first time than mine...
Yes, encryption is effective immediately, and again, IMO, it's a great thing.
Have you tried going into "Security" to set a password?
Sent from my OnePlus3T using XDA Labs
satanas17 said:
So your phone booted up differently the first time than mine...
Yes, encryption is effective immediately, and again, IMO, it's a great thing.
Have you tried going into "Security" to set a password?
First, there's no such thing as "set password" or "set encryption password".
There's only, at the very bottom of the menu, an "Encrypt the telephone" menu item. The current value is "Encrypted".
There's nothing else, and neither tapping, long tapping nor double tapping gives any option.
It's just an informative item.
When my phone booted for the first time it took about one minute before giving me the home screen.
Then I skipped all the questions (GMail, etc.) in order to go to the firmware update.
Once rebooted into the updated version, I walked through all the menus (I am coming from 6+ years with CM) and found that the storage was already being encrypted by default.
Then I configured my gmail account, updated all the apps and then added a fingerprint.
But still no PIN or password has been asked of me.
I am not arguing about encryption itself.
I am trying to gain control over it with my very own encryption key.
@Uqbar
Android is encrypted by default with a default password named "default_password". When you set a PIN or password for your lock screen, you have an option to use this PIN/password for device startup, and then the encryption is "active". This means Android is now asking for the password/PIN. When you only use the PIN/password for your lock screen, Android never asks for it when the device starts. Without defining a password/PIN, Android uses the default password and no startup lock screen is shown. That's the reason why Android is telling you your phone is encrypted.
If you want to use a password different from the lock screen one, you can set your own encryption password by using the "Cryptfs Password" app from the Play Store, but OnePlus has changed something here and the app will not work at the moment. The app says that my current password is wrong when I try to change it. There seems to be no way at this time, I guess.
* I hope my text was understandable, because English is not my native language *
This is an old thread, I know, but I just used it to find the answer to a similar problem. OxygenOS gives the option to use the PIN for startup. If you select that option the password will be required to boot into both the main system and recovery. To get there, in OxygenOS 5.0+ at least, go into the Security menu, select Screen Lock, and then the PIN option. This will give you a menu that enables requiring the PIN to start the device. Do that and your future boots will be protected by the same PIN you chose for screen unlock.

OOs 4.0.3 / Encryption / Tracking

My OP3T has OOs 4.0.3 and I have set it up with fingerprint lock. However, when I go into TWRP recovery and connect the phone I can see all the internal storage contents. Does this mean that the phone is unencrypted?
I want to keep the contents safe so that no one can access them in case it is lost. Not even in recovery mode. Does TWRP also recognize fingerprints?
Should I encrypt the phone? Is it safe / recommended? Would it slow down the phone?
What is the best solution?
Are there any tracking features or apps which can be used in case the phone is lost?
You can check if your phone is encrypted by going into Settings > Security > (scroll to bottom of page).
The phone is encrypted out of the box and will remain so unless you format your /data partition after rooting.
The fingerprint itself is not the encryption key, the key is generated by the OS. While TWRP can find your encryption key and use it to access certain parts of your internal storage that it needs to function, it cannot mount User Storage (/data/media) and retrieve data other than zips/imgs.
TWRP itself cannot access user data, but ADB can. You can turn off USB debugging to prevent someone from pulling data.
Encryption is definitely useful if you want to keep your data safe, though it really depends on individual usage. I personally don't keep any important data on my phone and like to keep it decrypted. By decrypting, you experience fewer problems when flashing different ROMs. The phone also boots a bit faster as you don't have to decrypt each time.
There are services that you can use to track and remotely access lost phones. Check out Cerberus Anti Theft, which has some unique features such as being able to install as a system app to avoid deletion via factory reset. For basic tracking, Google actually has built-in tracking. As long as your phone is on and has network access, you can use Google Device Manager to locate your phone. You also have the option to remotely lock and erase your phone if needed, though keep in mind that this requires internet access. Services such as Cerberus allow you to send commands to your phone through texts and other means even when data is disabled.
Anova's Origin said:
You can check if your phone is encrypted by going into Settings > Security > (scroll to bottom of page).
The phone is encrypted out of the box and will remain so unless you format your /data partition after rooting.
The fingerprint itself is not the encryption key, the key is generated by the OS. While TWRP can find your encryption key and use it to access certain parts of your internal storage that it needs to function, it cannot mount User Storage (/data/media) and retrieve data other than zips/imgs.
TWRP itself cannot access user data, but ADB can. You can turn off USB debugging to prevent someone from pulling data.
Encryption is definitely useful if you want to keep your data safe, though it really depends on individual usage. I personally don't keep any important data on my phone and like to keep it decrypted. By decrypting, you experience fewer problems when flashing different ROMs. The phone also boots a bit faster as you don't have to decrypt each time.
There are services that you can use to track and remotely access lost phones. Check out Cerberus Anti Theft, which has some unique features such as being able to install as a system app to avoid deletion via factory reset. For basic tracking, Google actually has built-in tracking. As long as your phone is on and has network access, you can use Google Device Manager to locate your phone. You also have the option to remotely lock and erase your phone if needed, though keep in mind that this requires internet access. Services such as Cerberus allow you to send commands to your phone through texts and other means even when data is disabled.
When I go to Settings > Security > Encrypt it has a button to start the encryption so I guess that the phone is not encrypted. I also am not keeping very important data on the phone. However just in case it is lost I don't want people to see my Contacts, WhatsApp messages, photos etc. Will encryption encrypt all of these? If I press Encrypt, will it retain the data or should I take a backup first? If I encrypt the phone and have a fingerprint lock, does it mean that no one else can access my data? Not even through TWRP? How will I know the encryption key? Once encrypted, can I update the phone?
Thanks for the advice on Cerberus. If there are any other suggestions, I would like to know.
Encrypting the phone will not erase any data, just click the button and it does so automatically. You can't see the actual encryption key, it's maintained by the OS. I believe that if you set a password in addition to your fingerprint, TWRP may ask for the password on boot. I'm not too sure how this works exactly, there'll likely be more accurate sources online somewhere.
Encryption will encrypt all user data, including photos and most appdata. TWRP doesn't have access to user data by design, that's why nandroids can't backup Storage. TWRP itself also cannot see or access any user data in its built-in file explorer.
Keep in mind that while encryption works well, nothing is perfect. You never know when someone will find another exploit, especially if you leave your bootloader unlocked and modify your phone with root/custom ROMs/recoveries/etc.
As for Cerberus alternatives, I've got no idea. I've never really looked into these services and only know about Cerberus due to its popularity.

Filesystem encryption

Hello,
are you able to understand if the filesystem is encrypted?
Best regards,
If the FS is encrypted, you will have to provide a password in order to boot the phone. Without that password, the phone cannot read the "disk".
Sent from my VTR-L09 using Tapatalk
I am afraid this does not need to be true anymore:
Android 7 should come with file-based encryption, in contrast to the Android versions before... which used exactly the same reasoning (you cannot boot otherwise).
(https://source.android.com/security/encryption/file-based#enabling-file-based-encryption)
Does anybody know more?
Just bought this phone as I expected all Android 7 phones to be encrypted... would be curious to know!
To further add information/confusion, here are my tests from today:
- Moving the primary storage to SD card warns me that this (external) storage is not encrypted, while the internal storage is. Indicating the phone is encrypted.
- In AIDA64 you find the Device feature android.software.file_based_encryption. Indicating that the phone CAN do that, not sure if it DOES.
- Using the app Activity Launcher, you can start the (otherwise hidden) Encryption dialog. It attempts to reboot, but does nothing. Dialog shows it as un-encrypted though...
- In Settings you can search for options. If you search for " encr..." it will find the dialog "Convert to file encryption". However clicking on it does nothing.
- I could set up my company's Exchange connection. This says it requires an encrypted 'application' storage. So some parts at least should be encrypted.
Oh, I am talking about the P10 lite. But I am sure this also helps for the P10. If the lite has encryption, the P10 clearly should have it.
This other thread seems to indicate that data is indeed encrypted on these phones.
https://forum.xda-developers.com/p10/help/twrp-strange-folder-names-crypted-t3615989
This is because of forced encryption in boot.img; it can be disabled by flashing a zip which removes dm-verity and forced encryption from boot.img.
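The thread above goes back and forth on how to tell whether a phone is encrypted and whether it uses the older full-disk (FDE) or the Nougat file-based (FBE) scheme. The Android properties ro.crypto.state and ro.crypto.type answer both questions; this added example (not from any post in the thread) parses getprop output and classifies it. The three sample outputs are constructed, not captured from a real device.

```python
import re

# One line of `adb shell getprop` output looks like "[name]: [value]".
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn raw getprop output into a name -> value dict, ignoring malformed lines."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def classify_encryption(output: str) -> dict:
    """Classify the storage encryption mode from the ro.crypto.* properties."""
    props = parse_getprop(output)
    state = props.get("ro.crypto.state", "unknown")
    ctype = props.get("ro.crypto.type", "")
    if state == "encrypted" and ctype == "file":
        mode, note = "FBE", "file-based: user data unlocks with the lock-screen credential after boot"
    elif state == "encrypted":
        # "block" or missing type on older builds: full-disk encryption. A boot-time
        # prompt appears only if secure startup is enabled; otherwise the default
        # password unlocks the volume, which is why the settings still say "Encrypted".
        mode, note = "FDE", "full-disk: boot prompt only when secure startup is enabled"
    elif state == "unencrypted":
        mode, note = "NONE", "user data is not encrypted"
    else:
        mode, note = "UNKNOWN", f"ro.crypto.state={state!r}"
    return {"state": state, "type": ctype, "mode": mode, "note": note}


# Constructed sample outputs for the three cases discussed in the thread.
SAMPLE_FBE = "[ro.build.version.release]: [7.0]\n[ro.crypto.state]: [encrypted]\n[ro.crypto.type]: [file]\n"
SAMPLE_FDE = "[ro.build.version.release]: [6.0.1]\n[ro.crypto.state]: [encrypted]\n[ro.crypto.type]: [block]\n"
SAMPLE_PLAIN = "[ro.crypto.state]: [unencrypted]\n"

if __name__ == "__main__":
    for name, sample in (("FBE", SAMPLE_FBE), ("FDE", SAMPLE_FDE), ("plain", SAMPLE_PLAIN)):
        r = classify_encryption(sample)
        print(f"{name}: {r['mode']} ({r['note']})")
```

On a real device, feed it the output of `adb shell getprop` (USB debugging must be enabled, which the earlier post notes is itself a data-exposure risk).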

How to turn on Direct Boot under Nougat?

I've got a US T813 that updated to Nougat last week. I'm interested in turning on the Nougat Direct Boot / file-based encryption option. But when I look through the settings, all I can find is Encrypt SD Card and Secure Startup, both under Lock Screen and Security. The description of Secure Startup sounds like the older full encryption, since nothing will operate after a boot until the password/pattern is entered. And there is no choice under Developer options to turn on file encryption.
How do I turn on Direct Boot?

[Feature][security] Password protected boot

Hello
As we all know, whatever modification you do to the system, it always has security drawbacks: you can either use custom exploits without touching the bootloader, but that will quickly be spotted by Google SafetyNet, or you do an OEM unlock. After OEM unlock:
- your data is protected 'at rest': with a strong password and no flaw in the vendor implementation based on a secure crypto element, nobody can simply crack your lost phone
- you are vulnerable to an evil maid attack: if you leave your phone unattended even for a while (e.g. while you sleep), somebody may prepare and flash a boot image which will collect your password
- you are vulnerable to a cold boot attack: your turned-on, even locked, phone stores some secrets in RAM. One can prepare an image to extract the whole content of RAM; with an unlocked bootloader and after forcibly resetting the phone, this image may collect all cryptographic primitives and send them over USB.
- there is no forward secrecy: your system partition may be dumped now and the dump decrypted with a password collected later
So the aim is to create a modification for security paranoids, like owners of cryptocurrency exchanges, which will allow full control over one's own device but without the current security compromises. It needs to modify the boot/recovery partitions in such a way that they authenticate all sensitive operations with a password.
There were always discussions with TWRP and ClockworkMod recovery about adding such a password, but those were always closed with the argument that if you can't control boot (flashing a new image) there is no sense in protecting recovery. With the current Magisk implementation, even if we can't relock the bootloader by vendor mechanisms, it may be easier now.
So the aims of my project would be to:
- Add code for a password derivation function, scrypt or PBKDF2, in boot
- Add debug logic (a red/green LED) in boot.img to allow status testing without the risk of bricking the device
- Implement logic which will require a password to enter all vendor kinds of fastboot/recovery/download mode
- Implement password storage logic: initially with a PBKDF2/scrypt hash built into the image itself, then on eMMC storage, then with a vendor/model-specific secure element implementation, initially for rate limiting password attempts, finally for actual cryptographic secret storage
@topjohnwu what do you think, is it worth building this on top of Magisk?
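The first and last aims in the post above (a PBKDF2/scrypt derivation and a stored verifier with attempt rate limiting) are illustrated by this added example, which is not code from the post, from Magisk or from any recovery project. It models the verifier record that would be embedded in the image and the gate that checks a password in constant time and stops after too many failures; the KDF parameters and attempt limit are constructed defaults, not vendor values.

```python
import hashlib
import hmac
import os

# Constructed defaults for the example; a real build would tune these to the device.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
PBKDF2_ITERATIONS = 200_000
MAX_ATTEMPTS = 5


def _derive(kdf: str, password: str, salt: bytes) -> bytes:
    """Stretch the password with the chosen KDF into a 32-byte verifier."""
    pw = password.encode("utf-8")
    if kdf == "scrypt":
        return hashlib.scrypt(pw, salt=salt, dklen=32, **SCRYPT_PARAMS)
    if kdf == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=32)
    raise ValueError(f"unknown kdf {kdf!r}")


def make_record(password: str, kdf: str = "scrypt") -> dict:
    """Build the verifier record that would be stored (e.g. embedded in the image)."""
    salt = os.urandom(16)  # fresh per-record salt so identical passwords differ
    return {"kdf": kdf, "salt": salt, "hash": _derive(kdf, password, salt)}


class BootPasswordGate:
    """Password check with attempt counting, as the post proposes for recovery/fastboot entry."""

    def __init__(self, record: dict, max_attempts: int = MAX_ATTEMPTS):
        self.record = record
        self.failures = 0
        self.max_attempts = max_attempts

    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def unlock(self, password: str) -> bool:
        if self.locked():
            return False  # refuse even a correct password once the limit is hit
        candidate = _derive(self.record["kdf"], password, self.record["salt"])
        ok = hmac.compare_digest(candidate, self.record["hash"])  # constant-time compare
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    gate = BootPasswordGate(make_record("correct horse"))
    print("wrong:", gate.unlock("wrong"), "right:", gate.unlock("correct horse"))
```

The failure counter lives in RAM here; the post's later stages would move it, and then the secret itself, into a secure element so a reset cannot clear it.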
