Help Separating Android Encryption Password from PIN?

[persistentone]

Is there any version of Android where the OS disk encryption password can be different than the screen PIN?

 

[lunatic59]

I don't think so. The reason why you have to enter the PIN when viewing encryption options is to verify you are the owner of the phone with the phones security policy, so pin or password, you'd need to enter it. (I don't think you can use fingerprints).

 

[persistentone]

Entering a PIN when you encrypt the drive initially is a totally different issue. I want to be able to supply a different password for decryption each time the phone is rebooted. The default scheme uses the PIN for the decryption on each reboot, and there are numerous ways the PIN can be brute forced or stolen. It's MUCH harder for someone to get at your phone if the decryption password is a dedicated and separate password from the PIN.

 

[chanchan05]

You can't because the entire phone is encrypted. Meaning the OS can't read the phone without you entering the decryption password on boot.

 

[persistentone]

You can't because the entire phone is encrypted. Meaning the OS can't read the phone without you entering the decryption password on boot.

Well this I understand and it is the reason I ask the question. To do what I am asking to do, you would need to enter a decryption password as part of the bootup process.

There is no logical reason why this would need to be the same password as your PIN. Only when the timeout occurs would you then need to know a PIN to get back into interaction with the OS.

 

[lunatic59]

There is no logical reason why this would need to be the same password as your PIN.

I get what you're asking and I don't really see a technical problem having a different password for encryption that the password to unlock the device, but your average user would have a difficult time with two passwords (or a password and a PIN) and most likely wouldn't understand the difference.

If you are concerned about a brute force attack then you can switch to a more complex password for your device rather than a PIN.

 

[persistentone]

@lunatic59 I think maybe we are talking past each other's points. I was reading that Android does not LET YOU select a different password for encrypt/decrypt than the PIN. Maybe later versions of Android DO allow it? If yes, I am trying to find at which major Android release did that behavior change.

I know Android derivatives like CopperheadOS fix this problem and add other security features as well. But the problem with CopperheadOS is that it is only prebuilt for two specific cell phones.

 

[Brian706]

I am on the latest version of Android and this is still not a standard feature.

However, I did find a couple things you might find of interest. One is an article over at XDA developers:
https://www.xda-developers.com/how-to-manually-change-your-android-encryption-password/amp/

The other is an app that provides a graphical interface to implement this method:
https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager


The app requires a rooted device and the command terminal method requires a rooted shell. So root is a requirement for such a feat.

 

[persistentone]

@Brian706 Since I have never rooted an Android phone, is there a way to enable a temporary shell root access in a way that does not load any installed apps into the boot? I would want a basic configuration that minimizes the chance that malware on the phone has been sitting there waiting for the first root event to do its thing....

 

[Brian706]

In regards to apps running with administrative access, my experience with a rooted device has always been that an app that asks for root privileges will do just that. It literally asks when you open the app. Then using (generally SuperSU) I choose whether or not to grant an app that privilege.

As for temporary root it really depends on the device. Rooting methods are different for different devices. Some of the reason is because Android is open source and most manufacturers provide their own version of Android with modifications to the source code. Root can also be dependent on what version of Android you are running, what version your bootloader is on, etc. The list goes on. In short it comes down to which device you have and what rooting methods are available for your device.

Also note, that many rooting methods will wipe the device as a safety precaution. This is generally when unlocking the bootloader is a requirement to root.

Most of my experience rooting has been with stock Android devices (Nexus/Pixel). These are easy. Google allows you to unlock the Bootloader and the process is basically this:
1. Unlock bootloader (wipes device)
2. Install a custom recovery that was built specifically for your model
3. Use the custom recovery to flash the root binaries to your phone and install SuperSU or equivalent.

So I guess, what device are you using? Why don't we start there and then see what options your device has for root.

Keep in mind I'm no Android expert. I have been rooting my devices for many years now but I'm not a developer. I can follow directions and understand the rooting process but I don't know code or how to explain all of the internal workings of a device