I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption... and what the whole thing was about. Well I'm curious, are these custom ROMs built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off... it was actually on.
So I'm confused.
Thanks.
Some ROMs do not force encryption. They can still be encrypted. It depends on the kernel. You will need to perform a wipe to unencrypt
stevew84 said:
I'm new to the 6 and I haven't really read too much into the whole encryption thing, so I don't know the pros/cons of having it that way, or not.
During my first boot of this thing, I started the unlock/root process, then I quickly remembered about encryption... and what the whole thing was about. Well I'm curious, are these custom ROMs built without the encryption? In the security menu of Chroma, encryption is enabled. In another ROM which specifically stated encryption was off... it was actually on.
So I'm confused.
Thanks.
It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
cam30era said:
It depends on the state of your device before you flash the ROM. If you are unencrypted prior to flashing the ROM, you will stay unencrypted. And if encrypted, you will stay encrypted. For most ROMs. Read the fine print in the OP.
I've also read about long "encrypting now" screens during first boot of fresh ROMs, I've never seen those.
Encryption depends on the kernel or more accurately the fstab, so it depends what kernel is supplied with the ROM or which kernel you plan on flashing with the ROM.
There are 2 types of ROM. Stock based and AOSP based. I find it hard to believe any AOSP ROM dev would turn on force encryption, but with a stock ROM, it could be on or off - depending. Read each thread to find out.
All ROMs and kernels are encryption enabled by the way. Turning off force encryption only prevents first boot from encrypting your data partition. You can still turn on encryption yourself in settings and if you're already encrypted, turning off force encryption will not unencrypt your data, so it will still be on. Once force encryption has been turned off, you must then format /userdata to remove encryption.
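The fstab dependency described in the post above can be checked before a kernel is flashed. As an added example (not part of the original thread), this Python script reads the /data entry of an fstab taken from an unpacked boot image and works out the encryption state after the next boot, following the rules stated in this thread. It assumes the Android fs_mgr flag names `forceencrypt` and `encryptable`; the sample fstab, its device paths and the function names are constructed for illustration.

```python
"""Audit an Android fstab for the /data encryption policy (added example)."""

# Constructed sample fstab; the block-device paths are placeholders.
FSTAB_FORCED = """\
# <src>  <mnt_point>  <type>  <mnt_flags>  <fs_mgr_flags>
/dev/block/by-name/system    /system  ext4  ro,barrier=1          wait
/dev/block/by-name/userdata  /data    ext4  noatime,nosuid,nodev  wait,check,forceencrypt=/dev/block/by-name/metadata
"""
# Same file as shipped by a kernel that does not force encryption.
FSTAB_OPTIONAL = FSTAB_FORCED.replace("forceencrypt=", "encryptable=")


def data_encryption_flag(fstab_text):
    """Return 'forceencrypt', 'encryptable' or None for the /data entry."""
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Field 2 is the mount point, field 5 the fs_mgr flags.
        if len(fields) < 5 or fields[1] != "/data":
            continue
        for flag in fields[4].split(","):
            name = flag.split("=", 1)[0]
            if name in ("forceencrypt", "encryptable"):
                return name
        return None
    raise ValueError("no /data entry in fstab")


def state_after_boot(encrypted_now, flag, userdata_formatted):
    """Predict the /data state after the next boot.

    encrypted_now      -- state before flashing (Settings > Security)
    flag               -- result of data_encryption_flag()
    userdata_formatted -- True if userdata was formatted after flashing
    """
    # Formatting userdata is the only step that removes encryption.
    still_encrypted = encrypted_now and not userdata_formatted
    # A forcing fstab encrypts an unencrypted /data on first boot.
    if flag == "forceencrypt" or still_encrypted:
        return "encrypted"
    return "unencrypted"


if __name__ == "__main__":
    for label, fstab in (("forced", FSTAB_FORCED), ("optional", FSTAB_OPTIONAL)):
        flag = data_encryption_flag(fstab)
        for encrypted_now in (True, False):
            for formatted in (False, True):
                result = state_after_boot(encrypted_now, flag, formatted)
                print(f"{label:8} fstab, encrypted={encrypted_now!s:5}, "
                      f"formatted={formatted!s:5} -> {result}")
```
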
stevew84 said:
I've also read about long "encrypting now" screens during first boot of fresh ROMs, I've never seen those.
Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
cam30era said:
Correct. If you are unsure of your kernel status go to Settings/Security/Encryption. If it says "Encrypt phone", then you are unencrypted.
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
stevew84 said:
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
It says in my post
Encryption will stay on unless you completely wipe the device and have a kernel installed that doesn't force you to encrypt. So you'll never see an option for decrypting your device. This comes with a huge warning that ANYTHING on the internal storage will be lost, that goes for the ROM and your files, including your ROM zip files for flashing. If you want to decrypt the device I suggest you first practice by flashing a ROM that you copy into your phone while in recovery so you know you can do it.
Guide: http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
This will get you to a clean slate, make sure you test MTP (file transfer over USB from computer) in recovery and verify that you can move files over to your device in recovery. You should already have a custom recovery installed such as TWRP. If you are considering disabling make sure you know exactly what is going on first, it's not as straightforward as it seems. Good luck
stevew84 said:
Ah alright, well each and every time I flash something new, I'm encrypted. I'm interested in getting rid of that, but not sure exactly how to do it.
If you are on stock, rooted, or a non-CM12 based ROM, one way is to go here > http://forum.xda-developers.com/nexus-6/development/disable-forced-encryption-gain-root-t2946715
Remember, after flashing the boot.img, you need to "fastboot format userdata" to unencrypt. This will wipe your SDcard.
rootSU said:
It says in my post
Sorry, I didn't see you posted.
Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
stevew84 said:
Sorry, I didn't see you posted.
Right now with Chroma + Vindicator kernel...Encryption states Enabled in the security menu.
Because you were already encrypted.
stevew84 said:
I don't know the pros/cons of having it that way, or not.
Pros for encryption;
- security. This is pretty obvious, if somebody hostile gets their hands on your phone, your data will not be obtained by them.
Cons;
- performance and battery life. There is indication in AOSP that google *intends* to activate hardware crypto, but as of yet, have not. That means that the crypto function is done on your main CPU, which is (a) not as fast as the hwcrypto block, and (b) takes up valuable CPU cycles from other software that is running, and (c) anything that uses CPU heavily will consume battery.
Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
rootSU said:
Another con with encryption that I have (which I admit is extremely unlikely - but has happened in the past) is that files that are backed up off the device may not get decrypted correctly, leaving them corrupt. That is my main hate of encryption. That and the fact that I cannot automate my TWRP backups
That isn't a con of encryption. That's a con of using broken software to perform your backup.
doitright said:
That isn't a con of encryption. That's a con of using broken software to perform your backup.
The con of encrypting data is that it may not always be decrypt-able. Regardless of the root cause being Android, Windows, Linux or "broken software". If doing something to your data leads to it being useless via whatever means, then there is a negative effect of doing that something to your data.
Related
Good morning droids,
I was looking around for info on the "phone storage encryption" option which requires a PIN when the phone is first powered on. This sounds nice considering the amount of information contained on our devices these days.
I think this is a stock HTC feature but I wasn't finding much in other forums. I'm currently running viper rom which has me wondering a few things:
Where in the boot process does it prompt for decrypt? Would you still be able to mount images from storage-- like does it prompt before the bootloader starts? Would you still be able to use/nandroid/mount roms in a custom bootloader? Are there any recovery options? If it all goes to hell would I still be able to flash back to stock? Can encryption be undone after? My main concern has to do with when in the boot the storage is decrypted and how it affects the use/flashing of roms.
With all these questions I think the resounding common sense answer is "it's just not worth the potential fallout." but I'll ask anyway...
Thoughts?
CarbolDroid said:
Good morning droids,
I was looking around for info on the "phone storage encryption" option which requires a PIN when the phone is first powered on. This sounds nice considering the amount of information contained on our devices these days.
I think this is a stock HTC feature but I wasn't finding much in other forums. I'm currently running viper rom which has me wondering a few things:
Where in the boot process does it prompt for decrypt? Would you still be able to mount images from storage-- like does it prompt before the bootloader starts? Would you still be able to use/nandroid/mount roms in a custom bootloader? Are there any recovery options? If it all goes to hell would I still be able to flash back to stock? Can encryption be undone after? My main concern has to do with when in the boot the storage is decrypted and how it affects the use/flashing of roms.
With all these questions I think the resounding common sense answer is "it's just not worth the potential fallout." but I'll ask anyway...
Thoughts?
I don't believe that recoveries are able to update a phone with an encrypted data partition unless you're using stock. I do believe you can flash back to stock if something goes wrong, although you would certainly have to format /data to get back into it. However, the actual login process (if I remember correctly, it's been a while) is that the bootloader starts you in a "dummy" environment of sorts that just asks you for your password. If it checks out, the system reboots, passing that key on to the "real" operating system which decrypts the data volume.
I'd echo though that it's really not something you should fool around with.
As we know google is going to pre enable the Data encryption on Android L and we already have it as an optional extra security ..
So before anyone rushes to enable it to feel more Secured . First let's learn about it ..
As this option is available in Security .
If you enable it you have to enter password/PIN(compulsory) ..
80% minimum battery + plugged in for charging is necessary .
Once the encryption starts it will take about 15 minutes to complete the process ..
Once it's complete , it will automatically reboot the phone . booting will be in 2 stages.. On first stage it will ask for password/PIN to decrypt the phone/phone storage
And then the second boot process will be the normal one ..
And now comes the warning part ..
Once you encrypt the data , you have to decrypt it on every boot and you can't disable this .. You have to factory reset the phone to remove this .
And here at XDA we flash mods and zips etc almost every day/week ..
So if you encrypt your phone and then you flash anything via bootloader ..IT WILL FORMAT EVERYTHING ..(including internal storage, basically factory reset)
So if you are an advanced user with custom rom/recovery etc i suggest you to first do a complete backup If you really want to try the data encryption .
So i hope this information be helpful for those who are unaware and don't know what can happen , and i suggest you to read about it before you enable it ..
For most of us, we already know that encryption causes issues, always. Maybe not immediately, but always at some point.
Its the new people that go "oh encryption, sounds good, must use", when they don't have any data that's actually important enough to justify the need for encryption.
Lethargy said:
For most of us, we already know that encryption causes issues, always. Maybe not immediately, but always at some point.
Its the new people that go "oh encryption, sounds good, must use", when they don't have any data that's actually important enough to justify the need for encryption.
That's why i created a new thread specially for those who are inexperienced .
Not everyone are born developers/pro
Everyone learns with making mistakes
And our Job is to help them at XDA .
IMO this is what XDA is for at the first place ..
I'll rely on custom ROMs as always, that certainly have it disabled by default.
I think it's insane Google would try to force this on us. Shame on them.
How does android L handle staying unlocked in trusted areas if encryption is enabled?
Despite the warning, we will see how the encryption will work in Android L. It might not be the same process as described from Kitkat/JB of encryption.
Who knows if the process of encryption will be changed in Android L, so that you don't have to do each step to encrypt/decrypt and the flashing/modding issues.
I see many bricks coming from this as well, from unknowing flashers.
inferol said:
Despite the warning, we will see how the encryption will work in Android L. It might not be the same process as described from Kitkat/JB of encryption.
Who knows if the process of encryption will be changed in Android L, so that you don't have to do each step to encrypt/decrypt and the flashing/modding issues.
Probably they are going to change the way it works .. , because they haven't updated it since it first came out with ICS ..
The inability to use pattern lock is enough to turn me off Android encryption. All the other problems just makes it a no brainer.
May be they have overcome these issues and thus made it default....
I find no sense in making some hectic procedure as default
wow. wonder who will have access to the encryption keys.. or more likely supplied the encryption technique in the first place?
cough... nsa, feds, gchq, etc...... cough
don't believe the security services fake crying about encryption... just a fairy story to pacify the sheep
meangreenie said:
wow. wonder who will have access to the encryption keys.. or more likely supplied the encryption technique in the first place?
cough... nsa, feds, gchq, etc...... cough
don't believe the security services fake crying about encryption... just a fairy story to pacify the sheep
When NSA forced TrueCrypt to hand over their keys, they essentially and purposely updated their product to be broken to ensure no one used it. Wonder what Google would do?
Sent from my Nexus 5 using Tapatalk
Wakamatsu said:
The inability to use pattern lock is enough to turn me off Android encryption. All the other problems just makes it a no brainer.
You can't do it out of the box, but you can make it work fairly easy with twrp and a backup. The quick version is:
before encryption, setup your pattern lock, do a nandroid backup in twrp. Reboot, change to a PIN/password to allow encryption, perform encryption process. Boot back into twrp, it will prompt you to enter your pin/password, since it can decrypt and then function inside of the encrypted volume (and therefore restore an unencrypted backup inside of the encrypted envelope in essence). Restore your backup that has pattern unlock and reboot. It should prompt you for your strong pin/password on each initial boot, but once booted, it will use your pattern unlock. Downside is you can't change your pattern after that, so pick what you want the first time. You can change your pin/password if you want, I use EncPassChanger myself. I also use bootunlocker to relock the bootloader after I'm done, just have to make sure to unlock before flashing any updates.
I use this process on both my N5 and 2013 N7.
rootSU said:
When NSA forced TrueCrypt to hand over their keys, they essentially and purposely updated their product to be broken to ensure no one used it. Wonder what Google would do?
Sent from my Nexus 5 using Tapatalk
Source for this?
markassbuster said:
Source for this?
Action speaks louder than words sometimes all u need is to observe
markassbuster said:
Source for this?
They can't really openly say that but the industry "knows".
But the opening paragraph of this page hints at it.
http://truecrypt.sourceforge.net
rootSU said:
They can't really openly say that but the industry "knows".
But the opening paragraph of this page hints at it.
http://truecrypt.sourceforge.net
AH OK thanks. I thought there was some recent, concrete news about what went down.
Thing is, now what will we gotta do to still be able to flash zips with encrypted device? XD
So I recently encrypted my phone....because I read it only encrypts the data partition...so if I wanted to update my CM11 version (m9 to m10 for example) I wouldn't be able to?
I should have read into it more I guess...
edit: TWRP saved my ass. Just looked at it and it decrypts the data partition.
I encrypted my phone, but now wish I hadn't. I'm pretty sure it is the cause of some small issues I have had flashing different ROMs.
fml :crying:
So I heard someone mention something about TWRP not working on Android N if the device is encrypted. I haven't been able to test this myself yet. but details on that? Does it just hang and freeze? Is there an error message of some sort? Does flashing stuff just always fail? Thanks!
H4X0R46 said:
So I heard someone mention something about TWRP not working on Android N if the device is encrypted. I haven't been able to test this myself yet. but details on that? Does it just hang and freeze? Is there an error message of some sort? Does flashing stuff just always fail? Thanks!
stop listening to "rumors".. twrp works just fine on N, just like its supposed to.
simms22 said:
stop listening to "rumors".. twrp works just fine on N, just like its supposed to.
Thanks! Just have to be sure when working with an expensive device such as the shamu. Glad that's a rumor, cuz it would be yet another thing to worry about in the future lol Thanks again!
There are issues with flashing if the device is encrypted. Also (not a worry on shamu) things like lock passwords and FP scans. To be honest the encryption is not even worth it. This is why most disable it by default.
zelendel said:
There are issues with flashing if the device is encrypted. Also (not a worry on shamu) things like lock passwords and FP scans. To be honest the encryption is not even worth it. This is why most disable it by default.
most people disable encryption because they falsely believe that itll improve their devices performance. but guess what, it does not! i just leave my device encrypted, it makes everything much easier.
simms22 said:
most people disable encryption because they falsely believe that itll improve their devices performance. but guess what, it does not! i just leave my device encrypted, it makes everything much easier.
That is open for debate as I see a huge increase in performance with it disabled. To me encryption is pointless and useless so disabling it was not a big deal.
simms22 said:
stop listening to "rumors".. twrp works just fine on N, just like its supposed to.
TWRP 3.0.2-0 hangs at start... on Android N... if your device is encrypted. I'm going to assume your device isn't encrypted.
Edit: more clarity for the lazy reader.
deepdvd said:
TWRP hangs at start if your device is encrypted. I'm going to assume your device isn't encrypted.
im encrypted, since nov 2014, never unencrypted. ive never had an issue with twrp. now being encrypted, i dont really use it(excpt for special occasions), so i dont use a password.
simms22 said:
im encrypted, since nov 2014, never unencrypted. ive never had an issue with twrp. now being encrypted, i dont really use it(excpt for special occasions), so i dont use a password.
This post is about Android N Developer Preview. You must not have that.
I've got N preview (always been encrypted) but can't update OTA because I have TWRP, guess I need to flash back to stock.
deepdvd said:
This post is about Android N Developer Preview. You must not have that.
um.. ive been going back and forth from pure nexus rom to N, then back to pure nexus, for the 5th time now. and ive been using twrp recovery to do it :angel:
I thought that while encrypting my phone, the result would be that my data is preserved, just encrypted. So I went through the encryption process only to find that all my data is wiped, so that I have to restore everything from backups, as far as I have them.
Did I overlook something, or is this a bug? I have LineageOS 14.1, installed yesterday, official.
Found that after a reboot, the data was again gone. (after I spent considerable time setting the phone up yet again), now factory reset, running unencrypted, until I know what has been going wrong here. Sigh. Custom roms and encryption continue to be a toxic mix for me.
yahya69 said:
Found that after a reboot, the data was again gone. (after I spent considerable time setting the phone up yet again), now factory reset, running unencrypted, until I know what has been going wrong here. Sigh. Custom roms and encryption continue to be a toxic mix for me.
When I first started playing around with encryption (Samsung Note 3) I discovered that to get encryption to work properly I had to format /data (you lose everything, including internal shared storage) and that it worked better on stock ROM rather than custom ROMs.
Sent from my OnePlus3T using XDA Labs
BillGoss said:
When I first started playing around with encryption (Samsung Note 3) I discovered that to get encryption to work properly I had to format /data (you lose everything, including internal shared storage) and that it worked better on stock ROM rather than custom ROMs.
Sent from my OnePlus3T using XDA Labs
which I kind of accepted after learning it the hard way, but the problem was that after encrypting the device, all data was wiped each time the phone was rebooted, so something is buggy here.
yahya69 said:
which I kind of accepted after learning it the hard way, but the problem was that after encrypting the device, all data was wiped each time the phone was rebooted, so something is buggy here.
I resolve this problem using latest official twrp.
dimon2242 said:
I resolve this problem using latest official twrp.
How did you? (What version of TWRP did you install) After all, it is not TWRP that does the encryption, or is it? So I don't see how this could be the cause.
With TWRP, I had the additional issue that it kept asking me for a password to mount /data, but it wouldn't accept the PIN that I had set in Android. I have no idea what other password it might want.
Oh, well, there is just too much fumbling in the dark in this whole mobile devices business. I have been a Linux user for some 20 years, and there, if things go wrong, you can actually view what is happening. On android, this is so much more difficult, even with logcat.
yahya69 said:
How did you? (What version of TWRP did you install) After all, it is not TWRP that does the encryption, or is it? So I don't see how this could be the cause.
With TWRP, I had the additional issue that it kept asking me for a password to mount /data, but it wouldn't accept the PIN that I had set in Android. I have no idea what other password it might want.
Oh, well, there is just too much fumbling in the dark in this whole mobile devices business. I have been a Linux user for some 20 years, and there, if things go wrong, you can actually view what is happening. On android, this is so much more difficult, even with logcat.
Have you tried default_password as the password in TWRP?
Also, if you can actually log into your system normally, then you can set the password again and require it on boot.
BillGoss said:
Have you tried default_password as the password in TWRP?
What "default password"? You mean, literally typing "default_password"? No I did not. What would that have done?
After all, again, it required a password for the /data partition, hence a password with whom it is encrypted. But I had used no password other than the PIN. And again, I can't see how my problem of data disappearing on each boot would be caused by TWRP.
Also, if you can actually log into your system normally, then you can set the password again and require it on boot.
Again, what password do you have in mind? The PIN? Yes, the system asked for the PIN at boot, but nonetheless, all data was wiped on each boot.
For the time being, I run the system without encryption, because I have had enough of setting it up again and again anew (had to do this three or four times.)
Again, it looks like this is a bug. Because after initially encrypting the phone, my data should still have been there. But it was gone. The phone was now encrypted, but there was nothing on it. That's something that I am pretty sure is not supposed to happen.
just had the same using Samsung S5 Duos with latest lineage-os (20180427): this is a cluster-f**k, I cannot believe it. I advocate using Lineage-OS wherever I go. Of course, it's my fault, I did trust Lineage-OS too much so I didn't think of backing-up. I didn't believe something like this could happen.
chaos_prevails said:
I did trust Lineage-OS too much so I didn't think of backing-up. I didn't believe something like this could happen.
You probably already realize this, at this point. But there is no such thing as an OS (on any device) that is so secure or stable, that backing up your data is not necessary. Even regardless of OS, memory corruption and data loss can happen for any number of reasons. Golden rule: If your data is important to you, back it up.
Of course, I know.
I took the loss of all data as opportunity to flash newest modem, CSC, and PDA firmware via latest stock-rom, and then re-flashed latest Lineage OS again. This time, it didn't factory reset my phone with encryption. Don't know if that had anything to do with my old firmware (I had G900FDXXS1CPK2 installed when factory reset-with-encryption happened).
Besides, I was lucky as no other migration method to my new phone worked out except going via an old-school micro-sd card copy. I could undelete almost all pictures on it.
Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
plop12345 said:
Title says it all. Is there any known way to have root and device encryption still possible?
Thanks a lot.
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
Jammol said:
Not currently. Unless you can trick the device into thinking it's fully charged and plugged in at the same time??
Got it working with the stock ROM in the mean time. Just don't use TWRP to flash Magisk. Keep the stock recovery, Use Magisk Manager to patch boot.img (check tar format in settings) , then flash back via Odin, boot and factory reset. Done.
No luck with any custom ROM yet. Desperately looking for help. Would also pay quite a bit to have someone skilled looking into this. I don't want to keep the Korean ROM of my N950N
Nick216ohio said:
I never thought of this question, but good question. So root trips knox to stop encryption? Kinda lame if so.
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and loses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
plop12345 said:
No, flashing with TWRP requires to format data. That step loses encryption.
For some reason it's then impossible with Magisk or pph root to just reencrypt the phone from a custom ROM. It dies with invalid encryption and loses all your data when you try.
It's a bit different with SuperSU. Here it thinks encryption went well and tries to mount it on next boot, but then fails.
From my current knowledge it seems it needs stock recovery to recreate an encrypted data partition that actually works. That's the bit I'm stuck now...
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% shortcoming.
Jammol said:
On the Snap version, using SamFail gets rid of encryption. There's no way to encrypt for us with root because of the 80% shortcoming.
Ah crap, didn't even think of that issue
Anyway, at least to me a phone without reliable encryption is not usable as daily driver. I wonder why this gets so little attention. I spend some days now trying to resolve this, but there is not much information out there or I'm not capable to dig it up.
I couldn't even find a clear statement, what it actually is that prevents TWRP to mount encrypted /data on modern Samsung phones.
I know they do their own SOC based hardware encryption, but what is it that TWRP can't get? Does the trusted zone not release the key if a custom binary boots? I really like to understand a bit more on how this actually works.
Thanks
Figured it out: https://forum.xda-developers.com/galaxy-note-8/how-to/guide-how-to-root-device-encryption-t3742493