[HOW-TO] [GUIDE] Encrypt device with custom rom, knox 1, twrp installed, rooted

[Tkkg1994]

This Guide will work on S7 and S7 Edge Variants, probably also on other Samsung Phones. It doesn't matter if you have xposed and/or supersu installed

I did lately try to encrypt my device after installing my rom. So I tried to search on xda but I couldn't find anything useful until now.

After quit some time I finally managed it to get a working encryption, even with custom rom installed (which contains root and xposed). I will present the following steps here to help you folks to get an encrypted device.
Root will work as always after encryption :highfive:

Attention, TWRP can't read /data partition after this guide, that's because twrp doesn't support samsungs encryption at all

Pre requests:
- A working pc with adb installed
- Enough battery (at least 80%)
- Charger in your near field
- Working internet connection

Steps:
1. Go to SuperSU application on your device
2. Head over to the settings Tab
3. Scroll down and hit Full unroot
4. Click continue, when it asks you to install stock boot.img say NO, also NO on restoring stock recovery
5. SuperSU app should disappear
6. Make one full reboot
7. Head over to settings, lock screen and security, set a password
8. Plug in your charger and start encryption
9. Wait until your phone has fully encrypted (this can take quit some time)
10. After your device has successfully encrypted, we want to gain root access again
11. Boot into TWRP recovery
12. You now need a pc with working adb connection
13. Click adb sideload on twrp
14. Download latest super su to your PC, you can get that from here: Beta Thread
15. Open a terminal on your PC
16. Put the supersu.zip in the same direction as your terminal is opened (example: user/home)
17. Type into terminal: adb sideload *supersu_name*.zip
18. Reboot your phone and you have a working, encrypted phone with root installed!

If this guide helped you, please share it and hit thanks as well! :good:

 

[jesec]

@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.

#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*

And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.

You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.

Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.

And this way cannot prevent theft from reset your phone and then use it.

So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.

 

[Tkkg1994]

@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.

#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*

And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.

You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.

Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.

And this way cannot prevent theft from reset your phone and then use it.

So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.

Some guys need encrypted phones for their work (as some exchange server or email clients only work on encrypted devices)

I know that it is pretty much useless (since we have root access and can pretty much do anything with it)

So basically it brings you some more security but mainly gives those guys who need an encrypted phone for work a chance to have root and encryption together

Sent with my SM-G930F powered by SuperMan

 

[remixtech]

Maybe my remark is stupid but with lollipop the user had to enter the decryption key just before loading the system... So even if the system was rooted, without the key it was impossible to recover the data...

You are saying me that now, in marshmallow Android is storing the key directly in the device ? And if one day there is a small flaw in the kernel all the data could be decrypt...

Thanks for you answer, i'am not an expert in security but i'am really interested in.

 

[MrFr1day]

Hi,

I installed SuperMan rom without root/xposed and I can't get it to encrypt. It just restart the phone.

is there something else I need to do?

 

[cridtohs]

@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.

#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*

And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.

You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.

Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.

And this way cannot prevent theft from reset your phone and then use it.

So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.

Even with a locked FRP=1 I have been able to defeat it and gain access to the phone to USE, but never the data. Your script will only remove the locks once the data partition has beenunlocked, you still have not successfully recovered the data.

Maybe my remark is stupid but with lollipop the user had to enter the decryption key just before loading the system... So even if the system was rooted, without the key it was impossible to recover the data...

You are saying me that now, in marshmallow Android is storing the key directly in the device ? And if one day there is a small flaw in the kernel all the data could be decrypt...

Thanks for you answer, i'am not an expert in security but i'am really interested in.

The key is ofc stored on the device, but it is in an encrypted state. ofc if there is a flaw in the kernel, unreported, this can be exploited to remove encryption somehow. Also you could remove the system rom chips and virtual simulate them and try to unlock thousands/millions of times defeating any format on bad password, etc. IF someone wants to access your data, they will. Just like the FBI iphones were opened. Its only a matter of money and time, no encryption is safe forever.

 

[jesec]

Even with a locked FRP=1 I have been able to defeat it and gain access to the phone to USE, but never the data. Your script will only remove the locks once the data partition has beenunlocked, you still have not successfully recovered the data.



The key is ofc stored on the device, but it is in an encrypted state. ofc if there is a flaw in the kernel, unreported, this can be exploited to remove encryption somehow. Also you could remove the system rom chips and virtual simulate them and try to unlock thousands/millions of times defeating any format on bad password, etc. IF someone wants to access your data, they will. Just like the FBI iphones were opened. Its only a matter of money and time, no encryption is safe forever.

Admittedly, yes.
It could only remove screen lock AFTER data partition is unlocked.
But in most situations, it could recover data because most people didn't set password as startup password.(What means data partition is already unlocked automatically before UI appear)

 

[|mickey]

Admittedly, yes.
It could only remove screen lock AFTER data partition is unlocked.
But in most situations, it could recover data because most people didn't set password as startup password.(What means data partition is already unlocked automatically before UI appear)

how do we make sure that we set a "start up" password then? Is it the same if you use a long pin instead of a password?

 

[cridtohs]

how do we make sure that we set a "start up" password then? Is it the same if you use a long pin instead of a password?

in security Lock screen and security there is an option for set pin on startup.

Also as an update to this method, if you had Xposed and magisk root, or if you had supersu and suhide, they need to all be reinstalled. This is the same method as flashing a stock bootloader then re-rooting afterwards. With new TWRP though you do not need to sideload because it has password to decrypt /data and allow flashing of the ramdisk, so you dont HAVE to sideload the supersu, but I suggest following TKK's tutorial exactly for sucess

 

[|mickey]

in security Lock screen and security there is an option for set pin on startup.

Also as an update to this method, if you had Xposed and magisk root, or if you had supersu and suhide, they need to all be reinstalled. This is the same method as flashing a stock bootloader then re-rooting afterwards. With new TWRP though you do not need to sideload because it has password to decrypt /data and allow flashing of the ramdisk, so you dont HAVE to sideload the supersu, but I suggest following TKK's tutorial exactly for sucess

When you press encrypt you have to set such a password anyway so I don't see your point... You have to set a password, that is requested whenever you start your device... Is that not the same thing your describing?

 

[unique730]

Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.

Anybody got an idea? I'm clueless...

 

[darkman088]

Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.

Anybody got an idea? I'm clueless...

Same problem here - one more scream for HELP

 

[Tkkg1994]

Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.

Anybody got an idea? I'm clueless...

Same problem here - one more scream for HELP

When I tested this I had similar issues due to root. You made both a full unroot and followed all steps?

Sent from my SuperMan powered SM-G930F

 

[darkman088]

When I tested this I had similar issues due to root. You made both a full unroot and followed all steps?

Sent from my SuperMan powered SM-G930F

Hello and thanks for replying.
No, I didn't do a full unroot, because when I was testing this, I hadn't come across this thread And now I am not willing to invest that much time again, just to find out, that it's not working, once again
But I've tried many other strategies, which are very similar, but didn't work:
1) Disable SuperSU from the Application manager
2) Disable SuperSU from the settings of the app
3) Install busybox, boot in safe mode, connect the phone to my laptop, launche adb and enter there pkill -KILL daemonsu - this must be equivalent, as ps | grep daemonsu was not showing anything...
4) Tilting my phone in landscape mode
5) Repeating the attempt to encrypt several times after eachother
6) Many many more useless tips, which I found on the internet

Please kindly advise. Many thanks!

P. S.: HOW COME only the ROM of artas182x has encryption working PERFECTLY and I couldn't manage to encrypt my phone with no other ROM ? For example, I tried Slim ROM, which (if I'm not wrong) is not rooted and again - encryption didn't work, it hung somewhere along the process This is really terrible. Please excuse my total frustration

 

[Tkkg1994]

Hello and thanks for replying.
No, I didn't do a full unroot, because when I was testing this, I hadn't come across this thread And now I am not willing to invest that much time again, just to find out, that it's not working, once again
But I've tried many other strategies, which are very similar, but didn't work:
1) Disable SuperSU from the Application manager
2) Disable SuperSU from the settings of the app
3) Install busybox, boot in safe mode, connect the phone to my laptop, launche adb and enter there pkill -KILL daemonsu - this must be equivalent, as ps | grep daemonsu was not showing anything...
4) Tilting my phone in landscape mode
5) Repeating the attempt to encrypt several times after eachother
6) Many many more useless tips, which I found on the internet

Please kindly advise. Many thanks!

P. S.: HOW COME only the ROM of artas182x has encryption working PERFECTLY and I couldn't manage to encrypt my phone with no other ROM ? For example, I tried Slim ROM, which (if I'm not wrong) is not rooted and again - encryption didn't work, it hung somewhere along the process This is really terrible. Please excuse my total frustration

Ehm what is artas182x rom? or slim rom? we don't have that on our s7 as far as I know.
This guide may needs some adaptions to work on other devices

 

[darkman088]

Ehm what is artas182x rom? or slim rom? we don't have that on our s7 as far as I know.
This guide may needs some adaptions to work on other devices

It's a Marshmallow port from Galaxy S5 made by artas182x. I didn't like Slim ROM - it doesn't even have a file maanger
installed with it and when I tried encryption with it, it didn't work

Thank you!

 

[modaifallah]

We need someone xposed module to emulate knox 0x0 so that we can use knox again.

 

[jimmod]

Tried with King Nougat V5 custom tom
After encryption finish and boot it keep showing "system ui has closed" error
I cannot type my password
Now doing full wipe

 

[Tkkg1994]

Tried with King Nougat V5 custom tom
After encryption finish and boot it keep showing "system ui has closed" error
I cannot type my password
Now doing full wipe

I assume you have a modded systemUI. Try it with a stock one

Sent from my SuperMan powered SM-G930F

 

[steven1a]

data encryption and root and TWRP toegether - is that working in android nougat ?

I really, really want encyption on my rooted S7 (930FD) incl. TWRP - but before I try this method here I have two questions:

- you are using the "terminal" - means you are using Linux? Or can I do this with windows powershell as well?

- encryption and root incl. TWRP works with Marshmallow MM only or will this work in Nougat as well?