Hello,
let me summarize what I believe to have understood.
PLEASE DO CORRECT ME IF I AM WRONG :-)
First of all you must distinguish between the lock screen password/PIN/pattern and a boot/decryption password/PIN/pattern.
The lock screen does not physically protect your data on the flash chips. Skilled attackers would still be able to extract data from your device.
The android image for the Gemini uses a default encryption key to encrypt the /data partition (Am I correct?).
As far as I have understood the password is either acquired from some specially implemented hardware feature.
If there is no such feature, then the default encryption password is simply "default_password".
Using adb you can verify if /data is encrypted:
```
adb shell getprop ro.crypto.state
```
I hope yours says it's encrypted.
However, this does not mean that a totally secret password is necessary to unlock the /data partition!!!
Because the actual key to unlock /data is still encrypted with the default password.
When you set a PIN/pattern and select the option "require pin to start device", the encryption key is encrypted with your own private password/pin/pattern and you can no longer start android without typing your password/PIN/pattern.
Android now depends on you to unlock the /data partition.
If your device restarts, you won't even receive phone calls until you enter your decryption secret. (Anyone verify that for me?)
A 4 digit pin can easily be cracked. Same for an easy unlock pattern. For better security you should choose a longer and more complex password.
But who wants to type a 10 character password to unlock his smartphone?
So how about implementing two different methods? A long password to unlock the phone storage and an unlock pattern to quickly unlock the phone screen during daily use?? :-)
WARNING: Try at your own risk. Backup all data before tampering with device encryption.
First set up your desired unlock pattern/PIN choosing "require PIN/pattern to start the phone".
After this change the actual encryption password on command line:
```
adb shell
Planet:/ $ whoami
shell
Planet:/ $ su
Planet:/ # whoami
root
Planet:/ # vdc cryptfs verifypw MyPassword123
200 9679 0
Planet:/ # vdc cryptfs verifypw WRONGPassword666
200 9680 1
Planet:/ #
Planet:/ # vdc cryptfs changepw MyNewPW
500 9979 Usage: cryptfs changepw default|password|pin|pattern [newpasswd]
244|Planet:/ # vdc cryptfs changepw password MyNewPW
200 9983 0
```
The vdc command required root permission, which is why we entered su to acquire root permissions.
The 1 at the end of the returned code means the previous command exited with an error.
The 0 return code after our last command means our encryption password was successfully changed.
WARNING:
Be careful when using special characters in your password!! VERIFY YOUR PASSWORD ONCE MORE AFTER SETTING IT AND BEFORE YOU REBOOT!!! Maybe you would need to put difficult strings into quotes or whatever, but I haven't tried it yet and so I'm leaving this for some other person to figure out.
WARNING:
Some applications such as tasker etc. install services (accessibility services) to be able to bypass the lockscreen. In this case android may reset the encryption password back to the default password so that this service can work even without your secret password.
If your device is no longer asking for your password at boot then you know something is very wrong!
Please use these instructions at your own risk.
Could someone verify the above and let me know if I made any mistakes?
I'm using the rooted image on my gemini. Your mileage may vary.
Regards,
DrW
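
The following is an added example, not part of the original post: a host-side helper for the "verify before you reboot" step that quotes a password containing special characters and interprets `vdc` response lines. The function names are hypothetical, the field meanings (code, sequence number, result) are read off the session shown in the post, and the quoting assumes the device shell follows POSIX single-quote rules.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample lines are from the post.

# Quote a string for a POSIX shell: wrap it in single quotes and rewrite each
# embedded ' as '\'' so that $, ", !, spaces and backslashes stay literal.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the device-side command line, e.g. vdc_cmd verifypw "$pw".
# Paste the result into the root shell on the device.
vdc_cmd() {
    printf 'vdc cryptfs %s %s' "$1" "$(sh_quote "$2")"
}

# Interpret one response line "<code> <seq> <result>", e.g. "200 9679 0".
# Succeeds only for code 200 with result 0; a usage error (code 500) or a
# non-zero result fails. Carriage returns added by some adb versions are dropped.
vdc_ok() {
    printf '%s\n' "$1" | tr -d '\r' | {
        read -r code _seq result
        [ "$code" = 200 ] && [ "$result" = 0 ]
    }
}

# Demo on the three kinds of response that appear in the post.
for line in \
    "200 9679 0" \
    "200 9680 1" \
    "500 9979 Usage: cryptfs changepw default|password|pin|pattern [newpasswd]"
do
    if vdc_ok "$line"; then
        echo "OK:   $line"
    else
        echo "FAIL: $line"
    fi
done

# Constructed sample password with a space, a dollar sign and a single quote.
vdc_cmd verifypw "My \$ecret'PW"; echo
```

Run `vdc_cmd verifypw` with the new password after `changepw` and only reboot once `vdc_ok` accepts the response line.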