[Guide] Separate Passwords in Encrypted Lollipop

[optimumpro]

Here is how to have separate passwords for boot and screen in Lollipop encrypted devices.

There are two apps available to change encryption password in Android with encrypted data partition. Unfortunately neither works in Lollipop. Cryptfs fails to obtain root permission, although granted and another one returns errors. That leaves only adb shell commands:

1. Encrypt your lollipop with a password or pin you can live with. The phone will restart and prompt for password/pin
2. Enable USB debugging in Developer Options.
3. Allow Root access to apps and ADB.
4. Connect your device to a PC (Linux)
5. Start terminal and enter: adb shell
6. Next, enter: su
7. Pick a long password for boot, then convert it into a hex by using many online converters. Lollipop won't accept straight password.
8. Enter the following on computer terminal: vdc cryptfs changepw password "here paste your hexed password without quotes." You need the word password in the command before the hexed password
9. In about 10 seconds you should have a response 200 0 0, which means success. Any 1s in the last two digits would mean error. Your phone won't reboot during this operation, you will still have your original screen lock pin/password/pattern, but when you reboot, you would enter the new actual password (not the hexed one)

That's it. Now you have a long password for your boot and shorter one for your screen lock.

 

[ultrasound1991]

Info

Can i use Windows 7?

 

[CHEF-KOCH]

This guide is more or less exactly the same what was already written down on the official page over here.

You should better note that this was only tested on CyanogenMod based OS, on STock or AOKP roms that may not works or can fail/damage the data. See this comment.

Can i use Windows 7?

Yes, see point 4.

 

[optimumpro]

"This guide is more or less exactly the same what was already written down on the official page over here.

You should better note that this was only tested on CyanogenMod based OS, on STock or AOKP roms that may not works or can fail/damage the data. See this comment."

"already written down here"

Except that his app can only change password, as opposed to do encryption from scratch; and it does not work on lollipop for 3 reasons: it does not see the phone as rooted; it requires straight password, as opposed to the hexed one; and his command, while valid for kitkat, won't work on lollipop where you need to put cryptfs enablecrypto inplace password <hexed password>..

"You should better note that this was only tested on CyanogenMod based OS, on STock or AOKP roms"

Everything posted on XDA may not work or inflict damage. And by the way, do you know of any roms other than those you listed? AOSP? This will also work on AOSP, because those commands are hardcoded in Lollipop source...

 

[ultrasound1991]

It works for me, but i think that in 10 seconds only password needed to boot can change, not disk level encryption.

 

[optimumpro]

It works for me, but i think that in 10 seconds only password needed to boot can change, not disk level encryption.

That's how it works. You only change the password. If you want to use long password from scratch, there is a different procedure:

1. Install your favorite lp rom
2. Set a short screen password
3. Repeat steps 2-7 in the OP
4. Then type this on your computer terminal: vdc cryptfs enablecrypto inplace password <hexed password> and press Enter

Your phone will start encrypting and in a few reboots you will get a prompt to enter your actual password.

 

[ultrasound1991]

That's how it works. You only change the password. If you want to use long password from scratch, there is a different procedure:

1. Install your favorite lp rom
2. Set a short screen password
3. Repeat steps 2-7 in the OP
4. Then type this on your computer terminal: vdc cryptfs enablecrypto inplace password <hexed password> and press Enter

Your phone will start encrypting and in a few reboots you will get a prompt to enter your actual password.

I did this. Now i have unlock pattern to unlock screen, and long password at boot.
Bu are you sure that this metod change disk encryption?

 

[optimumpro]

I did this. Now i have unlock pattern to unlock screen, and long password at boot.
Bu are you sure that this metod change disk encryption?

If you did that on already encrypted phone, that won't change the encryption. The procedure in post #6 was for unencrypted device.

So, if you want to do everything from scratch and you alaready have encryption, you should go into recovery (TWRP) and when you are prompted for password, press cancel, then wipe system only; then wipe data only, then wipe cache. Then restore your rom. At that point, your data will be unencrypted. Then follow #6...

 

[optimumpro]

If you did that on already encrypted phone, that won't change the encryption. The procedure in post #6 was for unencrypted device.

So, if you want to do everything from scratch and you alaready have encryption, you should go into recovery (TWRP) and when you are prompted for password, press cancel, then wipe system only; then wipe data only, then wipe cache. Then restore your rom. At that point, your data will be unencrypted. Then follow #6...

Also, keep in mind that if you ever change your screen pin/paswr/pattern, that will automatically change your boot password. So after changing screen things, don't reboot and do change password via adb (that won't change the encryption, but only the boot password).

 

[CHEF-KOCH]

Except that his app can only change password, as opposed to do encryption from scratch; and it does not work on lollipop for 3 reasons: it does not see the phone as rooted; it requires straight password, as opposed to the hexed one; and his command, while valid for kitkat, won't work on lollipop where you need to put cryptfs enablecrypto inplace password <hexed password>..

Seems you not looked at this given readme/project, it is also explained for lollipop only systems and mentioned how to deal with the supolicy problem, but okay. But nice try.

Everything posted on XDA may not work or inflict damage. And by the way, do you know of any roms other than those you listed? AOSP? This will also work on AOSP, because those commands are hardcoded in Lollipop source...

Wrong, AOSP != STOCK, or not always but okay if you want to hold on your wrong statements, okay. Show me proof that an old S2 use the same AOSP source, you can't because there are some changes made by OEM, and not only because of the driver. But okay.

 

[optimumpro]

Seems you not looked at this given readme/project, it is also explained for lollipop only systems and mentioned how to deal with the supolicy problem, but okay. But nice try.



Wrong, AOSP != STOCK, or not always but okay if you want to hold on your wrong statements, okay. Show me proof that an old S2 use the same AOSP source, you can't because there are some changes made by OEM, and not only because of the driver. But okay.

This is just another example of facts disconnected from arguments and arguments not related to the subject of the thread. What are you trying to argue here? That my guide is wrong? That it is not working, but it is and not only for me. Just look at other posts in this thread. Are you not happy that I didn't warn that people's devices can be bricked? But everyone knows that whatever is posted on XDA is risky and can break your device. What does old S2 have to do with the guide for encrypting data on Lollipop?

I will tell you what the purpose of your argument is: you just want to show again and again what a fine expert you are, that you are better than other fine experts (who say things now that you figured out many years ago) and how stupid and ignorant the rest of the crowd here is. LOL.

This is why I say our communication is not productive. I stop here...

 

[ultrasound1991]

Thanks @optimumpro.
I encrypted nine different devices with AOSP Based ROM and encryption works.
Devices cannot be bricked during encryption process.
A device is bricked when bootloader is damaged.
Encryption process doesn't encrypt bootloader.
This guide isn't dangerous.
Each person is responsible for his actions.

 

[azoom1]

...
7. Enter the following on computer terminal: vdc cryptfs changepw password "here paste your hexed password without quotes." You need the word password in the command before the hexed password
8. In about 10 seconds you should have a response 200 0 0, which means success. Any 1s in the last two digits would mean error. Your phone won't reboot during this operation, you will still have your original screen lock pin/password/pattern, but when you reboot, you would enter the new actual password (not the hexed one)
...

I can confirm that this process works on the Moto E (2nd Gen) GSM Global (XT1505) running 5.0.2. I was able to successfully set a different encryption password than screen lock. Here are a couple notes about my experience:

1) When I executed the cryptfs command, I did not receive any response in the adb shell. I didn't get the 200 0 0 - I didn't get anything. However, the change was successfully made and the device booted fine using the new password.

2) I had trouble getting the device to do the initial encryption. As part of my setup process I had unlocked the bootloader, rooted, then added SU. My next step was to encrypt. However, when I used the Settings -> Security -> Encrypt Phone option, the device would briefly flash the "android gear" icon, then the screen would go blank and the phone would hang. A reboot would bring the device back to life, but it would not be encrypted. I tried doing it via command line, again without success.

After quite a bit of time spent troubleshooting, the solution was to unroot the phone. I used the unroot option in the SU app. Once unrooted, the standard encryption process worked. After encryption, I re-rooted and added SU, and everything worked fine. Though I don't know the cause, it seems that having root/SU interferes with the encryption process.

Many thanks to the OP. :good:

 

[CHEF-KOCH]

What are you trying to argue here? That my guide is wrong? That it is not working, but it is and not only for me. Just look at other posts in this thread. Are you not happy that I didn't warn that people's devices can be bricked? But everyone knows that whatever is posted on XDA is risky and can break your device. What does old S2 have to do with the guide for encrypting data on Lollipop?

You have better just posted the url from the original source. I did that for you now.

This is why I say our communication is not productive. I stop here...

Yep, but re-quoting the same stuff what was written now 1 year in an GitHub is more productive.

 

[libove]

OnePlus One CM12S YNG1TAS17L?

I have a OnePlus one now running the YNG1TAS17L build of CyanogenMod 12S.
I attempted to change the (boot encryption) password via the vdc cryptfs changepw password... method, to no effect.
Then I tried the cryptfs app (which has been updated with experimental Lollipop support) and it broke the encryption. (Wipe, restore from Titaniumbackup, clean up the mess, pick up the pieces...)

Does anyone have experience specifically with OnePlus One YNG1TAS17L successfully changing the (boot encryption) password, please?
I'd really rather avoid another half-day long wipe, rebuild, restore, clean up cycle... :-}

thanks,

 

[optimumpro]

I have a OnePlus one now running the YNG1TAS17L build of CyanogenMod 12S.
I attempted to change the (boot encryption) password via the vdc cryptfs changepw password... method, to no effect.
Then I tried the cryptfs app (which has been updated with experimental Lollipop support) and it broke the encryption. (Wipe, restore from Titaniumbackup, clean up the mess, pick up the pieces...)

Does anyone have experience specifically with OnePlus One YNG1TAS17L successfully changing the (boot encryption) password, please?
I'd really rather avoid another half-day long wipe, rebuild, restore, clean up cycle... :-}

thanks,

Try to do encryption from scratch via adb. Also, you might want to untick deny root during boot in Supersu just while you are encrypting.

 

[libove]

Try to do encryption from scratch via adb. Also, you might want to untick deny root during boot in Supersu just while you are encrypting.

Double-negatives, ho! "Untick deny root" -> "Tick Enable su during boot", yes? What process exactly might be requesting root during boot, when SuperSU might not be able to interactively prompt the user and so even though root would not be summarily denied, it's quite likely that the user wouldn't respond in time to grant root? We'd need to run that process ahead of time so that the user could reliably grant that permission and SuperSU could remember it.

Aside, it's kind of hard to do encryption from scratch when it's already encrypted the conventional way, since Google in its infinite wisdom has never implemented a way to decrypt storage....
So I really do need a tried, proven, true way to change the encryption boot password please - channeling Yoda, I must do or do not, there is no try

thanks,

 

[optimumpro]

Double-negatives, ho! "Untick deny root" -> "Tick Enable su during boot", yes? What process exactly might be requesting root during boot, when SuperSU might not be able to interactively prompt the user and so even though root would not be summarily denied, it's quite likely that the user wouldn't respond in time to grant root? We'd need to run that process ahead of time so that the user could reliably grant that permission and SuperSU could remember it.

Aside, it's kind of hard to do encryption from scratch when it's already encrypted the conventional way, since Google in its infinite wisdom has never implemented a way to decrypt storage....
So I really do need a tried, proven, true way to change the encryption boot password please - channeling Yoda, I must do or do not, there is no try

thanks,

Let's start from the end: this is a proven to work way to encrypt data or change password on lollipop. Just look up the thread for multiple confirmations of success. You just haven't succeeded for various reasons (could be tens of them). You could have missed/messed a step; your root app may have interfered. Did you read a post here where another user said he had to unroot the phone to encrypt it. There is no user interaction during boot, hence Supersu offers you an option to deny all root requests. That may prevent adb access or the normal operation of vold (utility that does encryption).

If you were talking about external sd card, Google has nothing to do (no support whatsoever) with encryption. If your external card is encrypted, this was implemented by the device manufacturer. If your Oneplus was encrypted during manufacturing, you are out of luck as to disabling encryption. Also, a word of caution on using hardware crypto modules: they are all closed source and done by known "cooperators/volunteers" with three letter agencies. On all my roms I disable hardware crypto modules and hardware based key generation in kernel. I also throw out Selinux: just don't trust the bank to bank robbers.

It is not hard at all to do encryption from scratch. In fact, it is a more preferable way for security reasons (encryption with a short screen pin is weak, even if you later change the boot password, since encryption won't change, just the password).

Cryptfs app has never worked for me and nothing has been updated on authors Github since December 2014. That version positively does NOT work on lollipop. In addition, the author, I think, has an inflated view of his expertise in Android.

To sum up, you have to try again. You also need to run logcat or better dmesg during encryption, as there is no other way to find out what goes wrong there.

 

[yhvo2gt9]

vdc command not found

Hi there, I just tried to follow the steps in the first post (Nexus 4 running CM12) and I got this result:

# vdc cryptfs changepw password [redacted]
No command 'vdc' found, did you mean:
Command 'tdc' from package 'tdc' (universe)
Command 'gdc' from package 'gdc' (universe)
Command 'vdr' from package 'vdr' (universe)
Command 'vlc' from package 'vlc-nox' (universe)
Command 'sdc' from package 'hpsockd' (universe)
Command 'vdu' from package 'util-vserver' (universe)
Command 'dc' from package 'dc' (main)
vdc: command not found​

Is there a package I'm missing? I'm running the latest version of Linux Mint but I'm very far from being an expert.

thanks!

 

[optimumpro]

Hi there, I just tried to follow the steps in the first post (Nexus 4 running CM12) and I got this result:

# vdc cryptfs changepw password [redacted]
No command 'vdc' found, did you mean:
Command 'tdc' from package 'tdc' (universe)
Command 'gdc' from package 'gdc' (universe)
Command 'vdr' from package 'vdr' (universe)
Command 'vlc' from package 'vlc-nox' (universe)
Command 'sdc' from package 'hpsockd' (universe)
Command 'vdu' from package 'util-vserver' (universe)
Command 'dc' from package 'dc' (main)
vdc: command not found​

Is there a package I'm missing? I'm running the latest version of Linux Mint but I'm very far from being an expert.

thanks!

The above indicates that your computer has no connection to your phone and you are getting responses from your Linux Mint, which obviously has no idea what vdc is. Follow your terminal screen when you do adb shell and su. After adb, your prompt should change if it works. And after su, you should get su rights on the phone and not on the computer. If after su, you get a prompt to enter your administrative password, that's a sure indication you are communicating with Linux, as opposed to Android.

Go to package manager on your PC and search for adb, install it. Then on the phone, you must enable usb debugging and allow root access to adb.