Under Android Ver 10 Can You Encrypt Phone?

persistentone · Apr 9, 2021

I have a Samsung tablet A7 SM-T500 running Android 10. Under "Security" settings, there is an option to "Encrypt or Decrypt SD Card" but I no longer see any option to "Encrypt Phone". I want to encrypt the user data on the tablet's built-in storage. Has this feature been removed from Android 10? If it is still there, where do I find it?

Hadron · Apr 9, 2021

The internal storage has been encrypted by default for many years - I think it might even have been for devices originally released with Android 5, or perhaps 6. Certainly a device released in the last few years will be encrypted automatically.

persistentone · Apr 9, 2021

But with the original Encrypt Phone feature, you could not boot the device without supplying the decryption PIN. That feature prevented the phone from even loading the OS. What good is the current encryption feature if to break into the phone the thief just needs to iterate through 1000 PIN codes?

Hadron · Apr 9, 2021

If you only use a 4-digit PIN that's actually 10,000 codes (and you can use longer). But phones usually have mechanisms to frustrate such iteration (timeouts of increasing length or factory resets when too many incorrect attempts are made).

I assume you mean the original "encrypt phone" option though, since "encrypt SD" could surely be subverted by just removing the SD card, granting access to the phone itself? Encrypting internal storage is more like encrypting a laptop's drive: it stops anyone accessing the storage without the credentials to unlock the device (admittedly with a phone's storage removing the chip and reading it with another device is in a different league of difficulty from removing a laptop's SSD and plugging it into another computer), and prevents data from being recovered after a factory reset (including one triggered remotely if you have such anti-theft software enabled). And the auto-generated encryption key will be much stronger than a short encryption PIN that you have to remember, so that aspect of the protection will be stronger.

persistentone · Apr 9, 2021

Hadron said:
I assume you mean the original "encrypt phone" option though, since "encrypt SD" could surely be subverted by just removing the SD card, granting access to the phone itself?

Yes, I mean the original Encrypt Phone feature and I corrected the original text sorry.

So why did Google or Samsung remove "Encrypt Phone" from Android 10?

mikedt · Apr 9, 2021

persistentone said:
Yes, I mean the original Encrypt Phone feature and I corrected the original text sorry.

So why did Google or Samsung remove "Encrypt Phone" from Android 10?

AFAIK that was a feature of older versions of Android, where the devices didn't usually have encrypted internal storage. I believe default encrypted storage for devices was introduced with Android 5 or 6, and so "Encrypt phone" is superfluous. How securely you lock your phone is up to you, like using longer PINs or passwords, or more complex pattern unlocks, that's in addition to things like time-outs, and unlock attempt limits.

Some manufacturers offer a vault type feature in their systems, which is basically a password or PIN locked folder, that operates in addition to a device's own encrypted internal storage and locks. and And there are third-party apps that can do it as well.

Hadron · Apr 22, 2021

I genuinely see no advantage in a decryption key you have to remember and enter yourself over a PIN or password of the same length. Both do the same thing: enter them and you have access to the device.

Now you might argue that you are happier setting up a longer decryption PIN than a lockscreen PIN or password because you only have to enter that once when you boot the phone. But (a) if the thief steals the phone when it's powered on there is no difference at all, because it's only your (presumably short) lockscreen PIN that is preventing them from gaining access, and (b) if you use a fingerprint instead you will only have to enter the PIN/password on startup and occasionally when the phone wants to confirm your ID (every few days in my case), so the extra inconvenience of that is not large.

But as Mike says, there would be no point in keeping an "encrypt phone" option once all phones were encrypted anyway, so it probably died around Android 5 or 6.

persistentone · Apr 26, 2021

mikedt said:
AFAIK that was a feature of older versions of Android, where the devices didn't usually have encrypted internal storage. I believe default encrypted storage for devices was introduced with Android 5 or 6, and so "Encrypt phone" is superfluous. How securely you lock your phone is up to you, like using longer PINs or passwords, or more complex pattern unlocks, that's in addition to things like time-outs, and unlock attempt limits.

So how is Android implementing that default encrypted storage? Is some private key created at the factory when the OS is loaded? And this private key is itself encrypted by some key shared by all users and known only to Android? At some point, there must be a key that is well known within a small community that could unlock the data? It is fine to have such encryption, but it would never substitute for encryption that uses a key only known to me (forgetting for a second that Android intentionally crippled the feature by allowing the PIN to be only four characters, a password length that could be brute-forced in less than a millisecond by any computer).

Davdi · Apr 27, 2021

NO, the key is generated by the phone, initially when it's first powered on, and then each time there's a Factory Data Reset. Each phone's generated key is unique to that device. It's aloo a new unique key generated with each Factory Data Reset. AFAIK only government agencies have the resources to break these keys, and then only after (probably) months of computing effort.

persistentone · Apr 27, 2021

Davdi said:
NO, the key is generated by the phone, initially when it's first powered on, and then each time there's a Factory Data Reset. Each phone's generated key is unique to that device. It's aloo a new unique key generated with each Factory Data Reset. AFAIK only government agencies have the resources to break these keys, and then only after (probably) months of computing effort.

How the private key gets created is not the important detail. What's important is how is that key protected from someone who gets the device, assuming they have a way to read the file system. Normally you would expect the private key to itself be encrypted. But encrypted by what? How could that additional encryption key be made unique to each tablet?

Davdi · Apr 28, 2021

Because the device itself generates a new key each time it's Factory Data Reset. I don 't know what it uses for entropy (Randomness) when generating a key, someone with more knowledge of Android would probably be able to say.

persistentone · Apr 28, 2021

Davdi said:
Because the device itself generates a new key each time it's Factory Data Reset. I don 't know what it uses for entropy (Randomness) when generating a key, someone with more knowledge of Android would probably be able to say.

Is that key stored on the file system in the clear? If yes, anyone who reads the file system has the key needed to read the user data.

I assume the key is not stored in the clear, which is why I ask how is it being protected?

Hadron · Apr 30, 2021

It absolutely is not stored in the clear. Does this answer your question: https://source.android.com/security/encryption/full-disk

LineageOSdev · Aug 9, 2021

Android's force-encrypt feature is executed from the /vendor fstab file, which includes a specific flag set to 1 within the mountpoint line for the /userdata partition. The encryption key in Android 9, 10 and 11 is created by /vbmeta within the /tee (trusted execution environment), where the key is also isolated from the Android OS and stored in a manner similar to application sandboxing -- but with an encrypted isolation barrier to prevent malicious code from intercepting or tampering with the key. With root access, or with a TWRP installed script, the fstab file can be edited to set the flag from 1 to 0, which enables the legacy opt-encrypt feature. Opt-encrypt gives the user the option to encrypt userdata instead of forcing encryption by default. This option was typically found under device Settings>Security>Encrypt SD Card.

Deleted User · Jan 26, 2022

can i recover the data after doing factory reset to my android 10 , if i have the password for the last lock screen ?

mikedt · Jan 27, 2022

kimouu said:
can i recover the data after doing factory reset to my android 10 , if i have the password for the last lock screen ?

Nope.

Deleted User · Jan 27, 2022

Davdi said:
NO, the key is generated by the phone, initially when it's first powered on, and then each time there's a Factory Data Reset. Each phone's generated key is unique to that device. It's aloo a new unique key generated with each Factory Data Reset. AFAIK only government agencies have the resources to break these keys, and then only after (probably) months of computing effort.

What if you know your password of the lock screen and typed it again in order to recover data after doing a factory reset, is this acceptable for decryption again? on fbe ( file based encryption ) Because I see this, what Android says (can be unlocked independently)

Deleted User · Jan 27, 2022

Hadron said:
It absolutely is not stored in the clear. Does this answer your question: https://source.android.com/security/encryption/full-disk

its fbe ( file based encryption ) from Android 7.0 and higher.. not fde ( full disk encryption) cheack for that here its defferent

https://source.android.com/security/encryption/file-based

What I understood from reading on the site is that the password of lock screen is generated as well, but it can also be decrypted if I put the password for the lock screen first again .. ( I think it protects you from hacking and cracking the password, but it does not protect you if someone else knows your first password for the lock screen )

Deleted User · Jan 27, 2022

mikedt said:
Nope.

from Android 7.0 and higher.. not fde its fbe ( file based encryption)

https://source.android.com/security/encryption/file-based

What I understood from reading on the site is that the password of lock screen is generated as well, but it can also be decrypted if I put the password for the lock screen first again .. ( I think it protects you from hacking and cracking the password, but it does not protect you if someone else knows your first password for the lock screen )

Hadron · Jan 27, 2022

FBE vs FDE doesn't change the important principle: the data are encrypted, the phone will decrypt them if it is unlocked (you wouldn't want to have to enter a password for every single file), but your lockscreen password is not the encryption key in either system. In FDE it's used as part of the hashing of the key, but the key and the other part of the hash, the "salt", are random, so knowing the lockscreen password is not enough to recover encrypted data. FBE is stronger and more flexible, but has in common that there is a lot more to the key than just your lockscreen password (indeed I don't find any evidence that the lockscreen password is anything to do with the key). So going back to the question that concerns you, while the lockscreen password gives you access to the data before a reset, it won't allow you to recover them afterwards.

Deleted User · Jan 27, 2022

ok i get it thank you

Under Android Ver 10 Can You Encrypt Phone?

Well-Known Member

Spacecorp test pilot

Well-Known Member

Spacecorp test pilot

Well-Known Member

你好

Spacecorp test pilot

Well-Known Member

Android Expert

Well-Known Member

Android Expert

Well-Known Member

Spacecorp test pilot

Lurker

Deleted User

Guest

你好

Deleted User

Guest

Attachments

Deleted User

Guest

Deleted User

Guest

Spacecorp test pilot

Deleted User

Guest

BEST TECH IN 2023

Smartphones

Best Android Phones

Upcoming

Best iPhones

Upcoming

Tablets

Best Tablets

Upcoming

Laptops

Best Laptops

Upcoming

Televisions

Best TVs

Upcoming

Game Consoles

Best Game Consoles

Upcoming

Wearables

Best Wearables

Upcoming

Smart Home

Smart Home Tech

Upcoming

Similar threads