Author Topic: Device encryption not supported?  (Read 3519 times)

KF6GPE

  • Newbie
  • Posts: 31
Device encryption not supported?
« on: June 01, 2018, 08:39:56 pm »
Does anyone know if full-device encryption was supposed to be supported? I was trying to set up my work domain account, which requires the Device Manager with its security policy, and my employer requires whole-device encryption with a startup password to set up a work account. Usually Device Manager sends an intent to Settings, which opens up the right preferences panel and you can set the bootup password, but on my Gemini it just starts Settings to the main settings page, and in rummaging around I can't find it.

Jeffers

  • Newbie
  • Posts: 24
« Reply #1 on: June 01, 2018, 11:58:03 pm »
Quote from: KF6GPE
Does anyone know if full-device encryption was supposed to be supported? I was trying to set up my work domain account, which requires the Device Manager with its security policy, and my employer requires whole-device encryption with a startup password to set up a work account. Usually Device Manager sends an intent to Settings, which opens up the right preferences panel and you can set the bootup password, but on my Gemini it just starts Settings to the main settings page, and in rummaging around I can't find it.

I'm using the rooted image and can't find the encrypt option either.

Dr. Watson

  • Newbie
  • Posts: 13
« Reply #2 on: June 27, 2018, 04:01:10 pm »
Hello,

let me summarize what I believe to have understood.
PLEASE DO CORRECT ME IF I AM WRONG :-)

First of all you must distinguish between the lock screen password/PIN/pattern and a boot/decryption password/PIN/pattern.
The lock screen does not physically protect your data on the flash chips. Skilled attackers would still be able to extract data from your device.

The android image for the Gemini uses a default encryption key to encrypt the /data partition (Am I correct???).
As far as I have understood, the password is either acquired from some specially implemented hardware feature.
If there is no such feature, then the default encryption password is simply "default_password".

Using adb you can verify if /data is encrypted:

Code:
    adb shell getprop ro.crypto.state

I hope yours says it's encrypted.
However, this does not mean that a totally secret password is necessary to unlock the /data partition!!!
Because the actual key to unlock /data is still encrypted with the default password.

When you set a PIN/pattern and select the option "require pin to start device", the encryption key is encrypted with your own private password/pin/pattern and you can no longer start android without typing your password/PIN/pattern.
Android now depends on you to unlock the /data partition.
If your device restarts, you won't even receive phone calls until you enter your decryption secret. (Anyone verify that for me?)

A 4 digit pin can easily be cracked. Same for an easy unlock pattern. For better security you should choose a longer and more complex password.
But who wants to type a 10 character password to unlock his smartphone?

So how about implementing two different methods? A long password to unlock the phone storage and an unlock pattern to quickly unlock the phone screen during daily use? :-)

WARNING: Try at your own risk. Backup all data before tampering with device encryption.

First set up your desired unlock pattern/PIN choosing "require PIN/pattern to start the phone".
After this change the actual encryption password on command line:

Code:
    adb shell
    Planet:/ $ whoami
    shell
    Planet:/ $ su
    Planet:/ # whoami
    root
    Planet:/ # vdc cryptfs verifypw MyPassword123
    200 9679 0
    Planet:/ # vdc cryptfs verifypw WRONGPassword666
    200 9680 1
    Planet:/ #
    Planet:/ # vdc cryptfs changepw MyNewPW
    500 9979 Usage: cryptfs changepw default|password|pin|pattern [newpasswd]
    244|Planet:/ # vdc cryptfs changepw password MyNewPW
    200 9983 0

The vdc command requires root permission, which is why we entered su to acquire root permissions.
The 1 at the end of the returned code means the previous command exited with an error.
The 0 return code after our last command means our encryption password was successfully changed.
WARNING:
Be careful when using special characters in your password!! VERIFY YOUR PASSWORD ONCE MORE AFTER SETTING IT AND BEFORE YOU REBOOT!!! Maybe you would need to put difficult strings into quotes or whatever, but I haven't tried it yet and so I'm leaving this for some other person to figure out.

WARNING:
Some applications such as tasker etc. install services (accessibility services) to be able to bypass the lockscreen. In this case android may reset the encryption password back to the default password so that this service can work even without your secret password.
If your device is no longer asking for your password at boot then you know something is very wrong!

Please use these instructions at your own risk.
Could someone verify the above and let me know if I made any mistakes?
I'm using the rooted image on my gemini. Your mileage may vary.

Regards,
DrW
« Last Edit: June 28, 2018, 05:23:31 am by Dr. Watson »
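
The verifypw / changepw / verify-again procedure from the post above, scripted so that the "verify once more before you reboot" warning is enforced rather than remembered. This is an added example, not code from the thread or from Planet Computers. It assumes a rooted device reachable over adb and the vold response format shown in the post ("200 <seq> 0" = success, "200 <seq> 1" = wrong password, "500 <seq> Usage: ..." = malformed command); the adb_vdc wrapper and the VDC_RUNNER indirection are this example's own, the latter so the parsing and the guard logic can be exercised offline against constructed responses.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the "verifypw, changepw,
# verify again before reboot" flow described in the post above.
# Assumes a rooted Gemini reachable over adb and the vold response format
# shown in the thread: "200 <seq> 0" = success, "200 <seq> 1" = wrong
# password, "500 <seq> Usage: ..." = malformed command.

# How "vdc cryptfs ..." is reached. The default shells out over adb; a test
# can point VDC_RUNNER at a fake function that returns constructed lines.
VDC_RUNNER="${VDC_RUNNER:-adb_vdc}"

adb_vdc() {
    # Hypothetical wrapper: run "vdc cryptfs <args>" as root on the attached
    # device (vdc itself needs root, hence the su).
    adb shell su -c "vdc cryptfs $*"
}

# vdc_verdict RESPONSE_LINE: prints ok / failed / usage-error and returns
# 0, 1 or 2 accordingly. On a "200" line the last field is the cryptfs exit
# status; any other status class is treated as a protocol/usage error.
vdc_verdict() {
    line=$(printf '%s' "$1" | tr -d '\r')   # adb on Windows may emit CRLF
    code="${line%% *}"                        # first field: vold status class
    result="${line##* }"                      # last field: cryptfs exit status
    case "$code" in
        200)
            if [ "$result" = "0" ]; then
                echo ok
                return 0
            fi
            echo failed
            return 1
            ;;
        *)
            echo usage-error
            return 2
            ;;
    esac
}

# verify_pw PASSWORD: returns 0 only if PASSWORD unwraps the /data key.
verify_pw() {
    vdc_verdict "$("$VDC_RUNNER" verifypw "$1")" >/dev/null
}

# change_fde_password OLD NEW: change the FDE password only when OLD
# verifies first, and report success only after NEW verifies afterwards.
# It never reboots; that is left to the user once the final check passes.
change_fde_password() {
    old="$1"
    new="$2"
    if ! verify_pw "$old"; then
        echo "refusing to continue: current password did not verify" >&2
        return 1
    fi
    # "password" is the credential type; omitting it yields the
    # "500 ... Usage" response seen in the thread.
    if ! vdc_verdict "$("$VDC_RUNNER" changepw password "$new")" >/dev/null; then
        echo "changepw failed; the password was not changed" >&2
        return 1
    fi
    if ! verify_pw "$new"; then
        echo "new password does NOT verify; do not reboot until it does" >&2
        return 2
    fi
    echo "new password verified; safe to reboot"
    return 0
}

# Usage on a real device (needs adb and a rooted image):
#   change_fde_password 'MyPassword123' 'MyNewPW'
```

The point of the last check is the one the post makes: a changepw that reports "200 ... 0" is no guarantee that what vold stored is what you think you typed (quoting and special characters being the usual culprits), so the script treats a failed re-verification as a stop condition and says so on stderr.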

rubus-3.142

  • Jr. Member
  • Posts: 56
« Reply #3 on: June 27, 2018, 04:52:26 pm »
I am also not sure it's encrypted - I am asked for a password after booting, but this differs from my Samsung tablet that explicitly says it's encrypted and like others I can find no option to encrypt in settings.

Quote from: Dr. Watson
<snip>

Code:
    getprop ro.crypto.state

I hope yours says it's encrypted.
</snip>

I try this in ADB but just get a "help" message i.e. it's not been understood?

Other commands like adb devices work so I know the phone is connected?

graynada

  • Full Member
  • Posts: 117
« Reply #4 on: June 28, 2018, 03:10:51 am »
Quote from: rubus-3.142
I am also not sure it's encrypted - I am asked for a password after booting, but this differs from my Samsung tablet that explicitly says it's encrypted and like others I can find no option to encrypt in settings.

I am also not sure.  For sure on all previous Android devices I have owned (including 7.1.1 devices) I have been asked during setup if I want to encrypt and there has been an option in (security?) settings to enable or disable encryption.  This is not evident on the Gemini.

Mithren Ithil

  • Newbie
  • Posts: 14
« Reply #5 on: June 28, 2018, 04:55:34 am »
I've emailed PC asking about Full Disk Encryption (FDE), but I'm still waiting on a reply.

Just in addition to Dr Watson's great post Diskinfo does confirm that the data partition is indeed encrypted:

, but does appear to support the second type.

As posted by Dr Watson the device is initially encrypted using default_password, but then is changed to whatever pin/password you set, and that is saved to the TEE chip. MediaTek is indeed licenced to use Trustonic TEE:

https://www.trustonic.com/news/company/medi...on-environment/

But I can't actually find an actual statement saying that the x25/x27 SoCs have them, but I'm assuming they do since /data is encrypted.

I would much prefer to choose FDE where I type the password on boot.  Even if I lose the auto shutdown/startup capabilities...

*** UPDATE ***

I just rebooted my phone as I wanted to check if the boot loader showed a colour as per:

https://source.android.com/security/trusty/

No colour was shown, but my phone asked me to enter a password on boot.

The sequence was:

1. The PC logo appears
2. It asks me for a password
3. The PC logo animation pops
4. It asks for my SIM PIN
5. Then finally it asks for my login password

I tried this with both restarting and power off.

Now when I was setting up my phone for the first time, I first installed an SD card which I setup as adopted storage and I switched off later to add a SIM. I'm pretty sure it didn't ask me to enter my password to boot (but I was really jet lagged so could have just entered it without realising).
« Last Edit: June 28, 2018, 12:03:02 pm by Mithren Ithil »

Mithren Ithil

  • Newbie
  • Posts: 14
« Reply #6 on: July 03, 2018, 12:14:18 pm »
PC have replied to my query with:

Quote from: Planet Computers
Dear <REDACTED>,

Full Disk Encryption is actually already supported on the Gemini, moreover it is enforced at first boot, so your device is already encrypted.

Best regards,
Planet Team
« Last Edit: July 03, 2018, 12:14:50 pm by Mithren Ithil »