Guide: How to have root and full device encryption at the same time with your Note 8

Search This thread

plop12345

Senior Member
Jun 23, 2014
55
20
The below works for Nougat ROMs. I didn't have a chance to try with Oreo yet, sorry.

The ability to encrypt a device doesn’t depend on the presence of the stock recovery nor no-verity-opt-encrypt being flashed or not. It simple needs an unrooted boot.img at the moment the encryption is attempt. You do however need no-verity-opt-encrypt flashed to allow a custom ROM to boot. So the desired state to allow encryption from within a custom ROM is to have the stock boot.img with only no-verity-opt-encrypt applied to it.

The simplest sequence to archive a fully encrypted device with a custom ROM is the following:

- Flash (I recommend Dr. Ketan) ROM as always, but DISABLE ANY ROOTING in the installer
- Encrypt the device from the settings menu
- Flash the ROM one more time, this time WITH MAGISK ROOT. It will display a warning about /data not being mountable as it is now encrypted. That is ok as everything we need is already in place

If you didn’t choose fast encryption (which I recommend for security), download Trimmer (fstrim) from Play Store, tick all partitions and click Trim Now. This will free up all the sectors overwritten by the encryption process on the flash controller and makes your device work super smooth like before encryption.

This obviously only works that simple with ROMs that offer the ability to initially flash without root and if you’ve been on stock or a rootless ROM before. If that’s not the case you have the following options:

- Flash Magisk Uninstaller after initial ROM flash. You may have to reflash no-verity-opt-encrypt in TWRP again, in case it fails to boot now.
- Flash the stock book.img back in Odin and apply no-verity-opt-encrypt in TWRP. Use 7-Zip to create a tar only containing the stock BOOT.IMG and flash it in Odin using the AP slot.
- Flash back a TWRP backup taken of the boot partition before installing a root ROM, but after flashing no-verity-opt-encrypt.

Updating your ROM works no different then usual also. Just dirty flash over if it's the same ROM unless the release notes explicitly mention to factory reset. You don't need /data writable for a ROM update.

Enjoy your fully encrypted and rooted device.
 
Last edited:

little-endian

Senior Member
Aug 23, 2016
69
15
Chainfire root & encryption [N950F]

Many thanks for this guide, plop12345. When it comes to the S7, Chainfire has been bit less optimitic in terms of encryption in conjunction with root, though. Maybe this is related to the weird case that on the S7, encryption seems to be enabled by default whereas it (once again) isn't on the Note 8 which doesn't make any sense to me as it was released after the S7.

Anyway, could you maybe elaborate on whether TWRP and Magisk are necessary or a stock rom with stock recovery and Chainfire's SuperSU only suffices as well?

So far I relinquish the encryption and only rooted by this method.

I would greatly appreciate your advice, thanks.
 

halloweltkk

Member
Dec 30, 2011
7
0
Encryption in oreo rom

Hi there,

nice guide to a encryped rooted rom :good:
I tried it with the new Dr.Ketan oreo rom o5, but it does not work. Is this guide also for the oreo update?
Everytime i hit the encryped button in settings, the phone only soft reboots. I also tried the stock boot.img from AP, without any luck.

Greez,
hallo
 

plop12345

Senior Member
Jun 23, 2014
55
20
Hi there,

nice guide to a encryped rooted rom :good:
I tried it with the new Dr.Ketan oreo rom o5, but it does not work. Is this guide also for the oreo update?
Everytime i hit the encryped button in settings, the phone only soft reboots. I also tried the stock boot.img from AP, without any luck.

Greez,
hallo

I haven't tried it with Oreo yet. But I'll probably give it a spin with Oreo within the next month. Sorry for that, will add a note to the guide.
 

plop12345

Senior Member
Jun 23, 2014
55
20
Many thanks for this guide, plop12345. When it comes to the S7, Chainfire has been bit less optimitic in terms of encryption in conjunction with root, though. Maybe this is related to the weird case that on the S7, encryption seems to be enabled by default whereas it (once again) isn't on the Note 8 which doesn't make any sense to me as it was released after the S7.

Anyway, could you maybe elaborate on whether TWRP and Magisk are necessary or a stock rom with stock recovery and Chainfire's SuperSU only suffices as well?

So far I relinquish the encryption and only rooted by this method.

I would greatly appreciate your advice, thanks.

Sorry for the late reply. I have no S7 to try, but believe using Magisk instead of SuperSu should work. Magisk has means to work with devices with forced encryption. AFAIK with an encrypted device it will put things to the cache partition first and on the next boot move things to the final location. I'm not aware of a similar mechanism in SuperSu.

I would try to unroot with Supersu, flash TWRP and give Magisk a spin. Keeping the stock ROM should be ok, however it will likely fail SafetyNet after plain Magisk Root. In that case try the universal SafetyNet fix also available as module within the Magisk app. If it fails to boot after Magisk root, try flashing the no verify opt encryption patch, but I don't think you need it.
 
Last edited:

JoeOIVOV

Senior Member
Dec 31, 2017
56
13
I tried it in O5 as well and cannot get it to work. Just soft reboot as mentioned. No magisk just the ROM with stock kernel and still fails. Any advice?
 

usuxx

Member
Oct 1, 2009
13
0
Worked for me on S9 (GF-960F)! Thanks!
Had to use the Magisk Uninstaller first though, as I've alrady rooted.
 

jscinoz

New member
Aug 24, 2018
2
0
Has anyone had any luck with this on Oreo? I've been trying to get my N960F simultaneously rooted and encrypted, but haven't had any luck with any method I've tried thus far. I can root it just fine, or encrypt it, but I've not found a way to do both at the same time without it resulting in "Verification failed" and a reset loop.
 

sllorent

New member
Dec 14, 2018
3
0
no-verity-opt-encrypt unable to find boot block location

I am having problems following these indications for rooting/encrypting an S2 tablet (nougat). The problem happens with the installation of no-verity-opt-encrypt from twrp, the script fails with "Unable to find boot block location". I have tried various versions of no-verity-... starting with 6.0 with same results. I wonder whether I have done something wrong in the process or if the S2 tablet behaves differently than the Note 8.

I started unrooting an earlier chainfire installation and reinstalling a stock boot image without problems, then comes the unsuccessful no-verity-opt-encrypt and if I carry on I end with an encrypted system that gets broken when I try to root with magisk.

I have also tried to use the no-verity-opt-encrypt features of magisk (KEEPVERITY=false and KEEPFORCEENCRYPT=false in /data/.magisk) without success.

The other thing that bothers me is that as soon as I have an encryted (but not rooted) system I am unable to mount /data from twrp. I have followed various threads with workarounds on the topic but my twrp (3.2.3) seems to behave differently.

Thanks for any hint that you may have.
 

shev100

Member
Jan 24, 2013
27
10
I am having problems following these indications for rooting/encrypting an S2 tablet (nougat). The problem happens with the installation of no-verity-opt-encrypt from twrp, the script fails with "Unable to find boot block location". I have tried various versions of no-verity-... starting with 6.0 with same results. I wonder whether I have done something wrong in the process or if the S2 tablet behaves differently than the Note 8.

I started unrooting an earlier chainfire installation and reinstalling a stock boot image without problems, then comes the unsuccessful no-verity-opt-encrypt and if I carry on I end with an encrypted system that gets broken when I try to root with magisk.

I have also tried to use the no-verity-opt-encrypt features of magisk (KEEPVERITY=false and KEEPFORCEENCRYPT=false in /data/.magisk) without success.

The other thing that bothers me is that as soon as I have an encryted (but not rooted) system I am unable to mount /data from twrp. I have followed various threads with workarounds on the topic but my twrp (3.2.3) seems to behave differently.

Thanks for any hint that you may have.

Maybe it's too late to answer to you, but this could be usefull for someone else.
I had same problem, "Unable to find boot block location", with same TWRP 3.2.3.
To solve this problem i downgrade TWRP 3.2.3 to TWRP 3.1.0-1 - Nougat that i found here https://forum.xda-developers.com/tab-s2/development/twrp-3-0-2-1-galaxy-tab-s22016-sm-t713-t3390627.
Than i followed the step to root, but i used Magisk 17.3 instaead SuperSu (Magisk 18.0 gave me some problem). Now i have root permissions with Magisk
 
  • Like
Reactions: sllorent

sllorent

New member
Dec 14, 2018
3
0
Thanks, it is interesting that that particular version of twrp works with the no-verity script. Did you also succeed in keeping the tablet encrypted while rooted with Magisk?
 

xdaparanoia

Member
May 29, 2018
8
0
Android root + encryption possible at all ???

According to TWRP root + encryption is not possible / working.

One could easily disable encryption / extract the password by having access to root and kernel files using TWRP recovery. There are also programs like "Oxygen OS" that can be flashed from the recovery and bypass the password prompt. That would make the whole procedure useless...

Any thoughts on this? And other ideas on Android / third party encryption apps? Encrypting containers with EDS would be an alternative (recommended by Veracrypt) since full disc encryption is still not available for Android (why btw.? nobody seems to care...) - but I am not sure if one could run / move apps into the container (like contacts, sms, e-mail-apps etc.)...

Cheers!
 

doggydog2

Senior Member
got these combinations working
Samsung_S7+Oreo+Magisk+Xposed+root+encryption
LG_V30+OreoAOSP+Magisk+Xposed+root+encryption(+BThandsfree)
also according to TWRP and the threads it was impossible. the TWPR might not be able to read files, i don't care as long as i have encrypted system. I can flash from the system.
Wouldn't like 3rd party solution as i want Secure Boot and type password during the boot.
Encryption and root is a must. But it's getting difficult more and more nowadays. ROM threads don't list limitations since KNOX was ever introduced, and that sucks. Instead of "knox will be tripped, warning boot screen will be showm, TWRP won't read filesystem, BT handsfree won't work, encryption won't work" you get "no limitations". Have to read full threads to discover the truth.
Hope Note9 and S10 will be ok.
 

J_O

Member
Mar 8, 2019
12
0
No encryption working on my N960FD

I tried to install it while updating to DrKetan p09 and it doesnt work.
Is it possible for somebody to help me ?
I ve done a clean install and unrooted the no-verity-encrypt flash (The phone didn't even unlocked with pin )
 

SGN3fan

Member
May 1, 2019
5
0
According to TWRP root + encryption is not possible / working.
One could easily disable encryption / extract the password by having access to root and kernel files using TWRP recovery. There are also programs like "Oxygen OS" that can be flashed from the recovery and bypass the password prompt. That would make the whole procedure useless...
Cheers!
Is this true??
 

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    The below works for Nougat ROMs. I didn't have a chance to try with Oreo yet, sorry.

    The ability to encrypt a device doesn’t depend on the presence of the stock recovery nor no-verity-opt-encrypt being flashed or not. It simple needs an unrooted boot.img at the moment the encryption is attempt. You do however need no-verity-opt-encrypt flashed to allow a custom ROM to boot. So the desired state to allow encryption from within a custom ROM is to have the stock boot.img with only no-verity-opt-encrypt applied to it.

    The simplest sequence to archive a fully encrypted device with a custom ROM is the following:

    - Flash (I recommend Dr. Ketan) ROM as always, but DISABLE ANY ROOTING in the installer
    - Encrypt the device from the settings menu
    - Flash the ROM one more time, this time WITH MAGISK ROOT. It will display a warning about /data not being mountable as it is now encrypted. That is ok as everything we need is already in place

    If you didn’t choose fast encryption (which I recommend for security), download Trimmer (fstrim) from Play Store, tick all partitions and click Trim Now. This will free up all the sectors overwritten by the encryption process on the flash controller and makes your device work super smooth like before encryption.

    This obviously only works that simple with ROMs that offer the ability to initially flash without root and if you’ve been on stock or a rootless ROM before. If that’s not the case you have the following options:

    - Flash Magisk Uninstaller after initial ROM flash. You may have to reflash no-verity-opt-encrypt in TWRP again, in case it fails to boot now.
    - Flash the stock book.img back in Odin and apply no-verity-opt-encrypt in TWRP. Use 7-Zip to create a tar only containing the stock BOOT.IMG and flash it in Odin using the AP slot.
    - Flash back a TWRP backup taken of the boot partition before installing a root ROM, but after flashing no-verity-opt-encrypt.

    Updating your ROM works no different then usual also. Just dirty flash over if it's the same ROM unless the release notes explicitly mention to factory reset. You don't need /data writable for a ROM update.

    Enjoy your fully encrypted and rooted device.
    1
    I am having problems following these indications for rooting/encrypting an S2 tablet (nougat). The problem happens with the installation of no-verity-opt-encrypt from twrp, the script fails with "Unable to find boot block location". I have tried various versions of no-verity-... starting with 6.0 with same results. I wonder whether I have done something wrong in the process or if the S2 tablet behaves differently than the Note 8.

    I started unrooting an earlier chainfire installation and reinstalling a stock boot image without problems, then comes the unsuccessful no-verity-opt-encrypt and if I carry on I end with an encrypted system that gets broken when I try to root with magisk.

    I have also tried to use the no-verity-opt-encrypt features of magisk (KEEPVERITY=false and KEEPFORCEENCRYPT=false in /data/.magisk) without success.

    The other thing that bothers me is that as soon as I have an encryted (but not rooted) system I am unable to mount /data from twrp. I have followed various threads with workarounds on the topic but my twrp (3.2.3) seems to behave differently.

    Thanks for any hint that you may have.

    Maybe it's too late to answer to you, but this could be usefull for someone else.
    I had same problem, "Unable to find boot block location", with same TWRP 3.2.3.
    To solve this problem i downgrade TWRP 3.2.3 to TWRP 3.1.0-1 - Nougat that i found here https://forum.xda-developers.com/tab-s2/development/twrp-3-0-2-1-galaxy-tab-s22016-sm-t713-t3390627.
    Than i followed the step to root, but i used Magisk 17.3 instaead SuperSu (Magisk 18.0 gave me some problem). Now i have root permissions with Magisk