OK. So, I've done some reading on the new FBE in Nougat...
https://source.android.com/security/encryption/file-based
https://blog.compass-security.com/2016/10/android-7-0-security-features-direct-boot/
http://www.delaat.net/rp/2016-2017/p45/report.pdf
Based on the above, FBE _should_ only directly affect /data,
(i.e. other partitions _may_ be implicated if the TEE uses them,
but I'm not convinced that matters, since the TEE is consulted
only if FBE is turned on, which is indicated in the filesystem).
On the other hand, the ext4 filesystem needs to be reformatted
to get rid of the FBE flags. I suspect that TWRP does NOT do this.
At least, the feedback it gives (I've just done a _complete_ wipe
of my test Thor, checking _ALL_ available checkboxes) only says
"wiping" for both /data and /data/media, but it says "formatting"
for cache and system...
I'd suggest testing the following **after** making a backup:
Code:
adb shell su -c "make_ext4fs /dev/block/mmcblk0p23"
This should not have any adverse effects (beyond obliterating
*all* data on /data *including* /data/media), since Android will
set this up properly again. I've just tested this after verifying
that 'wipe' still left (or re-created) some files on /data...
I sideloaded AEX (since data was pristine, I couldn't push the
ZIP anywhere...) and everything worked as expected.
NB: I have *not* verified that this solves the encryption issue,
only that it won't make things worse...