Device Encryption and Root

Search This thread

bruzzy

Member
Jun 21, 2014
24
20
Hi everyone,

it's my first post on the xda-developers forum, so if the kind of my posting mismatches any rules, please let me know!

I'm using this forum for quite long time now, but so far all of my questions were answered by search & read... Some weeks ago I had another question, for which I colun't find an explicit answer yet. So based on some hints from different sources (thanks to google!) I did some experiments aka try and error and would like to share my experience with you (to give something back to the comunity, who helped me a lot in the past) and see whether I finally found the answere to my question... So please let me know, whether it worked for you as well or whether you know a different / better way to solve this kind of problem.

As usual: Use this guide at your own risk!


Problem statement:
I wanted to have my SM-P900 (stock rom) both rooted and encrypted (using device encryption). I've already done this for GT-I9100 (Galaxy S II) and GT-I9192 (Galaxy S4 Duo) in the past and it worked like a charme. But for some reason I couldn't get it working on the SM-P900... :confused:


Trial log (for short version see below):
I have successfully rooted this device via the CF-Auto-Root method by Chainfire (many thanks for the greate job!). When I later tried to activate the device entcryption, it first looked like the process has started (I got a black screen with a green android manikin), but after some time (~1min) the device just re-started and booted in normal mode. I tried it several times with the same end of story - no success, no harm either. :(

After some time of googling I found a hint, that on KitKat devices Superuser should be temporarily de-activated in order to get the device encryption starting properly and activate it after the encryption process has finished. So I tried that and indeed, this time the encryption process started after the reboot. I let it finish and after a reboot it looked like I was where I wanted to be at. But then I realized that I wasn't able to activate the Superuser back (SuperSU said "Can't find the su binary... You need to restore it manually" or something similar). Damned! I thought "OK, let's try CF-Auto-Root again". The root process itself seemed to work, but after that the device just hang at boot... Soft-brick... :crying:

Taking a more deeper look at the script source of an Update-Super-SU package from Chainfire I realized that it also does some writes to the /data partition. Well, I guess this broke the partition, since it was encrypted... (If anyone has a better explanation for this, please let me know!)

So everything back to the start: I flashed the stock rom, did a factory reset and re-ran CF-Auto-Root... Now the device was operating properly and was rooted, but no encryption. Before starting another try of encryption, I wanted verify that the temoprary un-root wasn't broken by the encryption. So I did a temorary un-root (by removing the tick at the option "Activate Superuser" in SuperSu settings) and then activated it back right away. This worked fine. I rebooted (just to confirm everything is still working) and Superuser still worked as expected. Then (to try one more thing) I "de-activated" su again and rebooted. Trying to activate it back after the reboot, I realized that I now was at the same situation as just after the encryption, but without the encryption. I.e. the problem was not the encryption itself, but kind of a bug in SuperSU - it was not able to activate su back after a reboot (I'll try to check it via a bug report to Chainfire). :confused:

So I digged a bit deeper into this and realized that SuperSU was simply deleting the su binary in /system/xbin on de-activation and writing it back on activation. And it looked like it wasn't able to write it back after a reboot (probably because of missing permission).

Knowing that, I decided to go a step further: I flashed the TWRP (many thanks to the TeamWin guys!), booted into recovery, mounted /system and copied the su binary manually to /system/xbin. After a reboot I tried once again open SuperSU, but it still said, it couldn't find the su binary. Hmmm... There must be something more... Having another look at the script source of the Update-Super-SU package I found that at the end it was calling the su binary with the option "-install". So I booted back to recovery and tried that as well... Hurra!!! After a reboot SuperSU was finally starting and the root-apps were able to get su access... So this seemed to be the desired solution. :)

I deactivated su again, rebooted and started the encryption. It ran and finished successfully, as expected. After that I booted to recovery and installed su manually, as I've done it before... Reboot... finger crossed... Tadaa!!! System is back, encrypted and root is working! :good:


Solution approach:
  1. Device is not rooted and not encypted (if already rooted, scip 2; if already encrypted, decrypt or do a factory-reset - don't try CF-Auto-Root on an encrypted device, it'll soft-brick)
  2. Root the device (e.g. using Auto-Root-CF by Chainfire (it'll trigger the Knox-counter)
  3. Temporarily un-root the device (when using SuperSU: go to Settings and remove the tick at the option "Activate Superuser")
  4. Reboot
  5. Activate the device encryption (the battery must be at least at 80% and the device must be plugged in the wall charger)
  6. The device will restart after a short period of time and start the encryption (this will take some time, but you should see a progress bar indicating how far it is)
  7. After the encryption is finished the device will reboot and ask for the password, just log in
  8. If not yet done, flash a custom recovery where you have a console access or can use ADB as root (I used TWRP)
  9. Boot into recovery
  10. Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
  11. Open the console or ADB shell
  12. Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
  13. Execute the installation (if you use SuperSU: /system/xbin/su --install)
  14. Reboot
  15. You should be done
 

Gatsrom

Senior Member
Oct 5, 2010
148
103
Thank you for the info and the simple steps. I was considering something similar to what you wanted with your device.
 

EndlessAdventurer

New member
Jul 13, 2014
1
0
Hello Bruzzy,
Thanks so much for the awesome post!
I am just having difficulty with the final steps. I am a complete newbie in regards to rooting and using these android tools.
Everything else was quite clear in your post except for these final steps.

Could you please simply a bit more step by step how I proceed to do the final steps listed below?

[*]Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
[*]Open the console or ADB shell
[*]Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
[*]Execute the installation (if you use SuperSU: /system/xbin/su --install)
[*]Reboot

Thanks so much!

EndlessAdventurer


Hi everyone,

it's my first post on the xda-developers forum, so if the kind of my posting mismatches any rules, please let me know!

I'm using this forum for quite long time now, but so far all of my questions were answered by search & read... Some weeks ago I had another question, for which I colun't find an explicit answer yet. So based on some hints from different sources (thanks to google!) I did some experiments aka try and error and would like to share my experience with you (to give something back to the comunity, who helped me a lot in the past) and see whether I finally found the answere to my question... So please let me know, whether it worked for you as well or whether you know a different / better way to solve this kind of problem.

As usual: Use this guide at your own risk!


Problem statement:
I wanted to have my SM-P900 (stock rom) both rooted and encrypted (using device encryption). I've already done this for GT-I9100 (Galaxy S II) and GT-I9192 (Galaxy S4 Duo) in the past and it worked like a charme. But for some reason I couldn't get it working on the SM-P900... :confused:


Trial log (for short version see below):
I have successfully rooted this device via the CF-Auto-Root method by Chainfire (many thanks for the greate job!). When I later tried to activate the device entcryption, it first looked like the process has started (I got a black screen with a green android manikin), but after some time (~1min) the device just re-started and booted in normal mode. I tried it several times with the same end of story - no success, no harm either. :(

After some time of googling I found a hint, that on KitKat devices Superuser should be temporarily de-activated in order to get the device encryption starting properly and activate it after the encryption process has finished. So I tried that and indeed, this time the encryption process started after the reboot. I let it finish and after a reboot it looked like I was where I wanted to be at. But then I realized that I wasn't able to activate the Superuser back (SuperSU said "Can't find the su binary... You need to restore it manually" or something similar). Damned! I thought "OK, let's try CF-Auto-Root again". The root process itself seemed to work, but after that the device just hang at boot... Soft-brick... :crying:

Taking a more deeper look at the script source of an Update-Super-SU package from Chainfire I realized that it also does some writes to the /data partition. Well, I guess this broke the partition, since it was encrypted... (If anyone has a better explanation for this, please let me know!)

So everything back to the start: I flashed the stock rom, did a factory reset and re-ran CF-Auto-Root... Now the device was operating properly and was rooted, but no encryption. Before starting another try of encryption, I wanted verify that the temoprary un-root wasn't broken by the encryption. So I did a temorary un-root (by removing the tick at the option "Activate Superuser" in SuperSu settings) and then activated it back right away. This worked fine. I rebooted (just to confirm everything is still working) and Superuser still worked as expected. Then (to try one more thing) I "de-activated" su again and rebooted. Trying to activate it back after the reboot, I realized that I now was at the same situation as just after the encryption, but without the encryption. I.e. the problem was not the encryption itself, but kind of a bug in SuperSU - it was not able to activate su back after a reboot (I'll try to check it via a bug report to Chainfire). :confused:

So I digged a bit deeper into this and realized that SuperSU was simply deleting the su binary in /system/xbin on de-activation and writing it back on activation. And it looked like it wasn't able to write it back after a reboot (probably because of missing permission).

Knowing that, I decided to go a step further: I flashed the TWRP (many thanks to the TeamWin guys!), booted into recovery, mounted /system and copied the su binary manually to /system/xbin. After a reboot I tried once again open SuperSU, but it still said, it couldn't find the su binary. Hmmm... There must be something more... Having another look at the script source of the Update-Super-SU package I found that at the end it was calling the su binary with the option "-install". So I booted back to recovery and tried that as well... Hurra!!! After a reboot SuperSU was finally starting and the root-apps were able to get su access... So this seemed to be the desired solution. :)

I deactivated su again, rebooted and started the encryption. It ran and finished successfully, as expected. After that I booted to recovery and installed su manually, as I've done it before... Reboot... finger crossed... Tadaa!!! System is back, encrypted and root is working! :good:


Solution approach:
  1. Device is not rooted and not encypted (if already rooted, scip 2; if already encrypted, decrypt or do a factory-reset - don't try CF-Auto-Root on an encrypted device, it'll soft-brick)
  2. Root the device (e.g. using Auto-Root-CF by Chainfire (it'll trigger the Knox-counter)
  3. Temporarily un-root the device (when using SuperSU: go to Settings and remove the tick at the option "Activate Superuser")
  4. Reboot
  5. Activate the device encryption (the battery must be at least at 80% and the device must be plugged in the wall charger)
  6. The device will restart after a short period of time and start the encryption (this will take some time, but you should see a progress bar indicating how far it is)
  7. After the encryption is finished the device will reboot and ask for the password, just log in
  8. If not yet done, flash a custom recovery where you have a console access or can use ADB as root (I used TWRP)
  9. Boot into recovery
  10. Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
  11. Open the console or ADB shell
  12. Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
  13. Execute the installation (if you use SuperSU: /system/xbin/su --install)
  14. Reboot
  15. You should be done
 

bruzzy

Member
Jun 21, 2014
24
20
@EndlessAdventurer,

I'm sorry, but I don't know, what you mean with "more step by step". There are no more steps in between, the steps are as granular as possible. If you use TWRP, there is a menu "Mount" (go there and tick /system) - you should have seen it already (if not, have a look at the TWRP documentation). But you could also mount your system from the console or ADB shell.

If you don't know, what "mount", "console" or "ADB" is and are not able to use google to lern it yourself, then you should really not use this guide and even avoid rooting your device...

Beeing a newbie is not an excuse, it's completely up to you to spend some time and change this!

Please avoid quoting the whole post! If you want to reference some part of a post, pick only the relevant part and quote that.
 

Nickfreedom

Member
Dec 7, 2011
12
5
Brasília
Alternative Method

Hi,

I have used another method that also works. It worked with my Galaxy S4, Note 10.1 and now with Note Pro. Hope this can help:

1-Root your device and install/update SuperSu;

2-Convert SuperSu to system app (there is an option in SU config). Reboot.
-OBS: If your root method has already installed SuperSu as a system app, this step can be skipped;

3-As SuperSu is now a system app, it can be deactivated through Applications Management in settings. Deactivate it;
-OBS: does NOT use deactivate in SU own config;

4- Reboot in Safe Mode. This can be done pressing both Volume Up/Down while rebooting;

5-Start encryption the normal way and wait until it finishes. Enter your password and wait device boot normally;

6-Go to Applications Management in settings and activate SuperSu;

7-Reboot one more time and your system is encrypted with SuperSu working normally.
 

m33rkat

Member
Jan 20, 2012
17
3
Harrisburg
I was able to follow all of the posted solutions through but for some reason my phone insists on just booting back into Android instead of actually encrypting my phone. Any ideas?

I have a SM-G900T, TWRP, SuperSU
 
Last edited:

Nickfreedom

Member
Dec 7, 2011
12
5
Brasília
I was able to follow all of the posted solutions through but for some reason my phone insists on just booting back into Android instead of actually encrypting my phone. Any ideas?

I have a SM-G900T, TWRP, SuperSU

There is some more things that you can try with the solution I´ve posted:

1-Put original recovery instead of TWRP. I have never tried to encrypt with custom recovery;
2-When you boot in "Safe Mode", go to Application Management, running applications and stop as much processes as you can (do not stop google services).

OBS: To ensure that you have booted in Safe Mode, look at the bottom left corner of the screen an see if it shows “Safe Mode”.
 

alibabano1

New member
Oct 9, 2014
1
0
rooting and encrpytion

The alternative method worked like charm....Thanks guys

NB:My tab got soft bricked after I did the factory reset and tried to root. I had to install a stock rom b4 proceeding with the guide.
 

SamuriHL

Senior Member
Aug 5, 2010
3,418
2,200
Sorry to resurrect this thread but I just ran into this issue for the first time. (Thanks for posting this, btw, it's encrypting as we speak). A couple questions....what happens if we apply an OTA update after doing this? Will that cause any problems when we try to re-root it? I'm guessing after doing this CF Auto root won't be much of an option without soft bricking, right? I can always install custom recovery and fix root manually after an OTA. I'm just wondering what happens when (you know, some year) we eventually get 5.0. Thanks again!
 
  • Like
Reactions: greogory

Nickfreedom

Member
Dec 7, 2011
12
5
Brasília
To be on the safe side, I always unencrypt my device before a FW update with ODIN or Kies or OTA, because I root again after the update.

If you use OTA or Kies you can do the update with the device encrypted, BUT, as you are going to root again, when you install CFAutoroot your device won´t boot, because of the difference in kernel. This is the reason that I unencrypt before FW updates and proceed with encryption again after I check that everything is working as expected.
 
  • Like
Reactions: SamuriHL

SamuriHL

Senior Member
Aug 5, 2010
3,418
2,200
I may just fully unroot it temporarily, install the update, and then root after with custom recovery. We shall see. I suspect since we're still on 4.4.2 on the Note 10.1 2014 I got quite some time before I have to worry about it. LOL

P.S. I asked because 5.0 is going to turn encryption on by default, so decrypting may not be an option going forward.
 

smrqdt

New member
Dec 24, 2014
1
0
Berlin
After hours of trying to get encryption an root at the same time for my Galaxy Note 10.1 (2014), temporary disabling SuperSU just worked. Thanks! :good: (I even could skip the part with copying the su binary, probably chainfire has fixed the bug. Just tried enabling SuperSU did it perfectly.)
 

sjau

Senior Member
Mar 11, 2012
82
5
Hi there

I'm facing a similar problem like you on my Samsung Galaxy Tab S 10.5 LTE.

I have my device:
- rooted
- twrp recovery installed
- run custom ROM

However even when I disable SuperSU and reboot the device and then start encrypting. I only see the Android Logo and no progress. AFter a while (10 minutes or so), it reboots the tab and I end ab at screen lock login and devices is not encrypted. Any ideas?
 

papperlapapp

Senior Member
Nov 23, 2013
161
9
Thank you for your great effort to help!

But, none of the methods, including the alternative from Nickfreedom did not help me...

I have a Sony Xperia Z1 with rooted Lollipop and SuperSU.

I tried to kill daemonsu with ADB before encrypting, I tried to disable the SuperSU app and I always booted into safe mode before starting encryption.

Nothing helped.

In previous times I had Xposed framework on my device, but as far as I can see, Xposed framework is no longer on my device, I installed a fresh, clean Sony ROM from scratch, I think this has erased Xposed.

Does anyone has a hint?
 

meast20

New member
Feb 4, 2008
4
1
Thanks to everyone for the posts on this topic. I too have struggled to get my Sprint Note 4 to encrypt after rooting. I was able to encrypt with the stock unrooted ROM but I flashed the Noterized ROM and was not able to get encryption to work. I have verified the following:

1) Busybox is installed and is the latest version
2) SuperSU is deactivated. I tried this through terminal emulator and also the process defined in this thread within the SuperSU app itself. I also verified through Root Checker that SU was not active.
3) Tried in normal and safe mode with the same result

I am getting the Android screen for a few minutes and then the phone reboots. Each time I was hoping to see the encryption start but it just reboots the phone and never works. I am at a total loss for what could be causing this as the reason is beyond my capability. If anyone has ideas let me know because I am willing to try anything.

As a longshot I tried to flash back to stock ROM and encrypt which worked fine. I then tried to flash the Noterized ROM back on the phone and that didn't work. I froze on the Sprint yellow screen of death for over 6 hours.
 

V3racious

Member
Sep 9, 2015
28
7
Simplified steps for rooting &encrypting your device.

Thanks Bruzzy, I took your instructions and applied them to the Note 4. I also simplified them. I will make a universal instructions set for pretty much ALL DEVICES! Will let you guys know here when i take the time to do that.

Here is the SIMPLIFIED INSTRUCTIONS:
http://forum.xda-developers.com/not...sk-encryption-root-easy-steps-how-to-t3197425

Solution approach:
  1. Device is not rooted and not encypted (if already rooted, scip 2; if already encrypted, decrypt or do a factory-reset - don't try CF-Auto-Root on an encrypted device, it'll soft-brick)
  2. Root the device (e.g. using Auto-Root-CF by Chainfire (it'll trigger the Knox-counter)
  3. Temporarily un-root the device (when using SuperSU: go to Settings and remove the tick at the option "Activate Superuser")
  4. Reboot
  5. Activate the device encryption (the battery must be at least at 80% and the device must be plugged in the wall charger)
  6. The device will restart after a short period of time and start the encryption (this will take some time, but you should see a progress bar indicating how far it is)
  7. After the encryption is finished the device will reboot and ask for the password, just log in
  8. If not yet done, flash a custom recovery where you have a console access or can use ADB as root (I used TWRP)
  9. Boot into recovery
  10. Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
  11. Open the console or ADB shell
  12. Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
  13. Execute the installation (if you use SuperSU: /system/xbin/su --install)
  14. Reboot
  15. You should be done
 

Vitaly_G

New member
Dec 26, 2015
1
0
Did you solve your problem whit encryption on t805 ?

Hi there

I'm facing a similar problem like you on my Samsung Galaxy Tab S 10.5 LTE.

I have my device:
- rooted
- twrp recovery installed
- run custom ROM

However even when I disable SuperSU and reboot the device and then start encrypting. I only see the Android Logo and no progress. AFter a while (10 minutes or so), it reboots the tab and I end ab at screen lock login and devices is not encrypted. Any ideas?


Did you solve your problem whit encryption on t805 ?
I have the same problem on T800 on 5.0.2.
On 4.4 encryption whit CFroot works good, but on 5.0.2 its not work
 

bruzzy

Member
Jun 21, 2014
24
20

tjmethod

Senior Member
Feb 20, 2012
217
35
Foxboro
Hey guys this is probably a dumb question but what is the advantage of encryption and does it matter if the knox is tripped since these notes are out of warranty or is it due to resale? I found a cf autoroot link that supposedly wont trip knox which is the odin method since towelroot wont work.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 17
    Hi everyone,

    it's my first post on the xda-developers forum, so if the kind of my posting mismatches any rules, please let me know!

    I'm using this forum for quite long time now, but so far all of my questions were answered by search & read... Some weeks ago I had another question, for which I colun't find an explicit answer yet. So based on some hints from different sources (thanks to google!) I did some experiments aka try and error and would like to share my experience with you (to give something back to the comunity, who helped me a lot in the past) and see whether I finally found the answere to my question... So please let me know, whether it worked for you as well or whether you know a different / better way to solve this kind of problem.

    As usual: Use this guide at your own risk!


    Problem statement:
    I wanted to have my SM-P900 (stock rom) both rooted and encrypted (using device encryption). I've already done this for GT-I9100 (Galaxy S II) and GT-I9192 (Galaxy S4 Duo) in the past and it worked like a charme. But for some reason I couldn't get it working on the SM-P900... :confused:


    Trial log (for short version see below):
    I have successfully rooted this device via the CF-Auto-Root method by Chainfire (many thanks for the greate job!). When I later tried to activate the device entcryption, it first looked like the process has started (I got a black screen with a green android manikin), but after some time (~1min) the device just re-started and booted in normal mode. I tried it several times with the same end of story - no success, no harm either. :(

    After some time of googling I found a hint, that on KitKat devices Superuser should be temporarily de-activated in order to get the device encryption starting properly and activate it after the encryption process has finished. So I tried that and indeed, this time the encryption process started after the reboot. I let it finish and after a reboot it looked like I was where I wanted to be at. But then I realized that I wasn't able to activate the Superuser back (SuperSU said "Can't find the su binary... You need to restore it manually" or something similar). Damned! I thought "OK, let's try CF-Auto-Root again". The root process itself seemed to work, but after that the device just hang at boot... Soft-brick... :crying:

    Taking a more deeper look at the script source of an Update-Super-SU package from Chainfire I realized that it also does some writes to the /data partition. Well, I guess this broke the partition, since it was encrypted... (If anyone has a better explanation for this, please let me know!)

    So everything back to the start: I flashed the stock rom, did a factory reset and re-ran CF-Auto-Root... Now the device was operating properly and was rooted, but no encryption. Before starting another try of encryption, I wanted verify that the temoprary un-root wasn't broken by the encryption. So I did a temorary un-root (by removing the tick at the option "Activate Superuser" in SuperSu settings) and then activated it back right away. This worked fine. I rebooted (just to confirm everything is still working) and Superuser still worked as expected. Then (to try one more thing) I "de-activated" su again and rebooted. Trying to activate it back after the reboot, I realized that I now was at the same situation as just after the encryption, but without the encryption. I.e. the problem was not the encryption itself, but kind of a bug in SuperSU - it was not able to activate su back after a reboot (I'll try to check it via a bug report to Chainfire). :confused:

    So I digged a bit deeper into this and realized that SuperSU was simply deleting the su binary in /system/xbin on de-activation and writing it back on activation. And it looked like it wasn't able to write it back after a reboot (probably because of missing permission).

    Knowing that, I decided to go a step further: I flashed the TWRP (many thanks to the TeamWin guys!), booted into recovery, mounted /system and copied the su binary manually to /system/xbin. After a reboot I tried once again open SuperSU, but it still said, it couldn't find the su binary. Hmmm... There must be something more... Having another look at the script source of the Update-Super-SU package I found that at the end it was calling the su binary with the option "-install". So I booted back to recovery and tried that as well... Hurra!!! After a reboot SuperSU was finally starting and the root-apps were able to get su access... So this seemed to be the desired solution. :)

    I deactivated su again, rebooted and started the encryption. It ran and finished successfully, as expected. After that I booted to recovery and installed su manually, as I've done it before... Reboot... finger crossed... Tadaa!!! System is back, encrypted and root is working! :good:


    Solution approach:
    1. Device is not rooted and not encypted (if already rooted, scip 2; if already encrypted, decrypt or do a factory-reset - don't try CF-Auto-Root on an encrypted device, it'll soft-brick)
    2. Root the device (e.g. using Auto-Root-CF by Chainfire (it'll trigger the Knox-counter)
    3. Temporarily un-root the device (when using SuperSU: go to Settings and remove the tick at the option "Activate Superuser")
    4. Reboot
    5. Activate the device encryption (the battery must be at least at 80% and the device must be plugged in the wall charger)
    6. The device will restart after a short period of time and start the encryption (this will take some time, but you should see a progress bar indicating how far it is)
    7. After the encryption is finished the device will reboot and ask for the password, just log in
    8. If not yet done, flash a custom recovery where you have a console access or can use ADB as root (I used TWRP)
    9. Boot into recovery
    10. Mount /system (it's not mounted automatically, at least not in the version I used - TWRP 2.7.1.0).
    11. Open the console or ADB shell
    12. Copy the su binary (if you use SuperSU: cp /system/xbin/daemonsu /system/xbin/su)
    13. Execute the installation (if you use SuperSU: /system/xbin/su --install)
    14. Reboot
    15. You should be done
    4
    Alternative Method

    Hi,

    I have used another method that also works. It worked with my Galaxy S4, Note 10.1 and now with Note Pro. Hope this can help:

    1-Root your device and install/update SuperSu;

    2-Convert SuperSu to system app (there is an option in SU config). Reboot.
    -OBS: If your root method has already installed SuperSu as a system app, this step can be skipped;

    3-As SuperSu is now a system app, it can be deactivated through Applications Management in settings. Deactivate it;
    -OBS: does NOT use deactivate in SU own config;

    4- Reboot in Safe Mode. This can be done pressing both Volume Up/Down while rebooting;

    5-Start encryption the normal way and wait until it finishes. Enter your password and wait device boot normally;

    6-Go to Applications Management in settings and activate SuperSu;

    7-Reboot one more time and your system is encrypted with SuperSu working normally.
    1
    bruzzy,

    I've followed your steps and managed to re-enable SuperSU after encryption! (used twrp)

    Thank you!!!!! :)
    1
    Sorry to resurrect this thread but I just ran into this issue for the first time. (Thanks for posting this, btw, it's encrypting as we speak). A couple questions....what happens if we apply an OTA update after doing this? Will that cause any problems when we try to re-root it? I'm guessing after doing this CF Auto root won't be much of an option without soft bricking, right? I can always install custom recovery and fix root manually after an OTA. I'm just wondering what happens when (you know, some year) we eventually get 5.0. Thanks again!
    1
    To be on the safe side, I always unencrypt my device before a FW update with ODIN or Kies or OTA, because I root again after the update.

    If you use OTA or Kies you can do the update with the device encrypted, BUT, as you are going to root again, when you install CFAutoroot your device won´t boot, because of the difference in kernel. This is the reason that I unencrypt before FW updates and proceed with encryption again after I check that everything is working as expected.