Switching to file based encryption (FBE) on old devices with custom ROM


devilhopper

Member
Hi all,

I'm using a Samsung Galaxy S5, which is now more than 8 years old and was officially shipped with Android versions 4-6. Luckily, in the age of custom ROMs, you can use such devices for much longer than the manufacturer had intended.

I recently upgraded my phone to an Android 11 based ROM (in my case LineageOS 18.1, but I guess the question applies to other ROMs as well). I wiped the phone completely and expected that, after flashing the ROM and encrypting, I would end up with FBE. To my surprise, however, encryption was FDE instead.

I then spent a lot of time trying to dig down to fstab.qcom, forcing FBE, trying to retrieve a valid contexts file and repackaging the whole thing (which may seem trivial to some, but if you've never done it before it feels like a rather complicated operation). I guess I never succeeded - the repackaged ROM always ended up smaller than the original and wouldn't flash - but after several hours, it dawned upon me that I had probably been misunderstanding the problem in the first place.

Android 11 (and any ROMs based on it) will default to FBE anyway, so if encryption takes the path of FDE instead, I suppose there's a really good reason for this (in the sense that you're not facing a choice but a necessity). I tried to find some definitive answers on the Net, but most of the info I found seems misleading. I keep reading that older phones which came out with earlier versions of Android (versions below 7 or 9, respectively) are ALLOWED to retain FDE if that's what they were originally encrypted with. Information on what you can do if you don't want this "privilege" is rather scarce, however.

So is my hunch correct that the actual reason why I can't get FBE isn't some tweakable configuration setting, but something more fundamental, like the kernel being unable to handle it, or maybe hardware limitations? Or am I getting it wrong again?
 

KemikalElite

Senior Member
This might seem like a really obvious solution but have you tried this?:

Make sure the phone is encrypted normally first (Settings > Security)

Then make sure developer options are enabled.

Settings > System > Developer Options > Convert to file encryption > Wipe and convert

It shows a page that reads:

"Convert data partition to file based encryption !!Warning!! This will erase all your data. This feature is alpha and may not work correctly. Press 'wipe and convert' to continue."

I see this on both my LG Nexus 5X and my Lenovo Tab M10 FHD Plus (both running stock ROM, both using FDE by default); the message looks exactly the same on both devices. This option was also present on Lineage- and AOSP-based ROMs, so it should be in any ROM.
 

devilhopper

Member
It's actually one of the first things I tried, but oddly, that function doesn't exist in my developer options. Originally, I misinterpreted this assuming that LineageOS might be configured this way, but after doing a bit of homework I 100% agree that this option should be in any such ROM (including Lineage).

So at this point I'm taking it as another hint that my phone may just not be capable of FBE - but if that's indeed the case, I would be happy to understand why.

The fact that the LG Nexus 5X has this option doesn't contradict my assumptions, because it's a newer phone ("only" 7 years old and shipped with Android 6-8, which is already in the range of FBE-capable Android versions).
 

devilhopper

Member
I came across that thread as well, but I don't think it answers the question. If you omit the irrelevant part (restoring userdata, which doesn't apply to me), what he basically did was start with a clean device and set fileencrypt=ice in fstab.qcom to make sure he got FBE instead of FDE.

According to Google's Android documentation (https://source.android.com/security/encryption/file-based), however, fileencrypt=ice has been deprecated with Android 11, because FBE is the only choice now (if you can't opt out, there's no need to opt in).
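The two things the thread keeps circling back to are (a) what mode the device is actually in after KemikalElite's "Wipe and convert" step, and (b) which fs_mgr flag in the fstab (`fileencryption=`, `forceencrypt=`, `forcefdeorfbe=`, `encryptable=`) a ROM uses to request FBE or FDE for /data. The script below is an added example, not code from the thread, from LineageOS or from the AOSP documentation: it classifies the encryption mode each fstab line requests, extracts the `fileencryption=` value, and, if `adb` is on PATH with a device attached, reads the live `ro.crypto.state` / `ro.crypto.type` properties for comparison. The fstab lines embedded at the bottom are constructed for illustration and are not taken from any real device tree.

```shell
#!/bin/sh
# Added example (not from the thread, LineageOS or AOSP): inspect how an
# Android fstab asks fs_mgr to encrypt /data, and compare with a live device.
# The flag names below are real fs_mgr_flags; the sample fstab is constructed.

# Echo the mode requested by one fstab line: fbe, fde-or-fbe, fde,
# fde-optional or none. fs_mgr_flags is the fifth whitespace-separated field.
fstab_crypto_mode() {
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in
        *,fileencryption=*) echo fbe ;;          # file-based encryption
        *,forcefdeorfbe=*)  echo fde-or-fbe ;;   # FDE for upgrades, FBE on clean install
        *,forceencrypt=*)   echo fde ;;          # forced full-disk encryption
        *,encryptable=*)    echo fde-optional ;; # FDE only if the user enables it
        *)                  echo none ;;
    esac
}

# Echo the value of one fs_mgr flag (e.g. fileencryption) from an fstab line,
# or nothing if the flag is absent.
fstab_flag_value() {
    printf '%s\n' "$1" | awk -v want="$2" '{
        n = split($5, f, ",")
        for (i = 1; i <= n; i++)
            if (index(f[i], want "=") == 1) { print substr(f[i], length(want) + 2); exit }
    }'
}

# Print mount point, requested mode and fileencryption options for every
# non-comment entry of an fstab file.
scan_fstab() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        mnt=$(printf '%s\n' "$line" | awk '{ print $2 }')
        printf '%-8s %-13s %s\n' "$mnt" "$(fstab_crypto_mode "$line")" \
            "$(fstab_flag_value "$line" fileencryption)"
    done
}

# Live check over adb (needs USB debugging): ro.crypto.state is
# "encrypted"/"unencrypted", ro.crypto.type is "file" (FBE) or "block" (FDE).
# Prints "unavailable" when adb is missing or no device is attached.
device_crypto_state() {
    command -v adb >/dev/null 2>&1 || { echo unavailable; return 0; }
    adb shell 'echo "$(getprop ro.crypto.state) $(getprop ro.crypto.type)"' \
        2>/dev/null || echo unavailable
}

# Constructed sample: an Android 11 style FBE entry and a legacy forced-FDE
# entry for the same partition, so the two outputs can be compared.
SAMPLE_FSTAB=$(mktemp)
cat >"$SAMPLE_FSTAB" <<'EOF'
# <src>                                    <mnt>  <type> <mnt_flags> <fs_mgr_flags>
/dev/block/bootdevice/by-name/userdata     /data  ext4   noatime     wait,check,fileencryption=aes-256-xts:aes-256-cts:v2,keydirectory=/metadata/vold/metadata_encryption
/dev/block/bootdevice/by-name/userdata_fde /data  ext4   noatime     wait,check,forceencrypt=/dev/block/bootdevice/by-name/metadata
/dev/block/bootdevice/by-name/system       /      ext4   ro          wait
EOF
echo "fstab entries:"
scan_fstab "$SAMPLE_FSTAB"
rm -f "$SAMPLE_FSTAB"
echo "device (ro.crypto.state ro.crypto.type): $(device_crypto_state)"
```

Run it against the fstab pulled from your ROM (`adb pull /vendor/etc/fstab.qcom` or the copy inside the ramdisk) to see which flag the ROM actually ships for /data; the `fde-or-fbe` classification is the one that lets a device which was already FDE-encrypted stay FDE after an upgrade, which is the behaviour the original post describes. After a wipe-and-convert, `device_crypto_state` should report `encrypted file` if the conversion to FBE took effect.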