Alfred's New Ramblings

Android Encryption

The corporate mobile mail policy requires the device storage to be encrypted.  This is to prevent the loss information in the event the phone or device is lost.  Tough but doable, I thought.

What is Android Encryption?  It uses dm-crypt subsystem that is part of the Linux kernel.  It encrypts the storage using a 128 bit master key.  The master key is protected by the hash of the user’s unlock PIN and a random salt.  The encrypted master and other version information are kept in a clear file stored at the end of the disk volume.  This setup enables easy change of password, the master is re-encrypted with the new PIN and fast device wiping, the last block of the storage is deleted. More info here. link  Dev Doc

There are some trade-offs.  If a separate encryption password for the storage, the user might forget it, especially if the device is not restarted regularly.  Therefore Android Encryption is based on the user phone unlock PIN.  For the ease of use, this PIN is usually kept simple.  Who wants to enter a complex password just to get into a device many many times a day? For the security conscious, a security developer has come up with an app that will enable you to set a different password for the storage and it can be long and complex.  Exercise caution as there is no undo button.  link

I was flashing a new nightly, when the irony of the situation hit me.  If the storage is encrypted, it will not be readable in Recovery mode.  That means the new nightly will be stuck in the encrypted and not mounted storage.  Do I need to decrypt just flash a new nightly?  Hmm back to the search engines.

Somebody on XDA-Developers suggested using an SD card.  Shutdown the phone, insert SD card, flash, shutdown again to pull out SD card and power on.  The steps sound easy and clean, except on the Samsung S2, the back panel is piece of flimsy plastic.  All this disassembly and assembly is going to crack something.  In comparison, Nokia’s E71 is built like a tank.

Some nifty keyboard work reveals someone else has another solution to the same problem.  Put the phone in Recovery mode, use Android Debug Bridge (ADB) to mount a ram disk, copy the new nightly in and flash using that ram disk to as a source location.  Neat!  link

I was monitoring the progress of CM10.2 or Android 4.3 development on XDA-Developers when I noticed a trend. Some users have encrypted the storage, upgraded from cm 10.1 to 10.2; thereafter access to storage was lost.  In both cases, normal operations were resumed by wiping and restoring data from backup.  link link

In summary, Android encryption is easy to use, if you are flashing CM nightly, you might not want to cross a version number.

Update 7 Sep

I was poking around the nightly source files to shed some light on the missing encrypted storage problem.  I noticed that the vold.fstab file seems to be missing for Android 4.3.  That doesn’t seems to right, as it is one of the key config files.  Some more digging reveals that there has been some changes in the storage subsystem.  The fstab.device config file is now in root, probably part of boot.img.  I wonder if this is the cause of those upgrade problems. link




One thought on “Android Encryption

  1. Carlo Piana

    Even easier, if you have a recent Clockwork recovery, you can sideload

    Once it’s enabled on the recovery, you just open your terminal and do

    adb sideload newimage.zip

    And off you go, without mounting a ram disk.

Leave a Reply

Your email address will not be published.