Under Android Ver 10 Can You Encrypt Phone?

The internal storage has been encrypted by default for many years - I think it might even have been for devices originally released with Android 5, or perhaps 6. Certainly a device released in the last few years will be encrypted automatically.

 

If you only use a 4-digit PIN that's actually 10,000 codes (and you can use longer). But phones usually have mechanisms to frustrate such iteration (timeouts of increasing length or factory resets when too many incorrect attempts are made).

I assume you mean the original "encrypt phone" option though, since "encrypt SD" could surely be subverted by just removing the SD card, granting access to the phone itself? Encrypting internal storage is more like encrypting a laptop's drive: it stops anyone accessing the storage without the credentials to unlock the device (admittedly with a phone's storage removing the chip and reading it with another device is in a different league of difficulty from removing a laptop's SSD and plugging it into another computer), and prevents data from being recovered after a factory reset (including one triggered remotely if you have such anti-theft software enabled). And the auto-generated encryption key will be much stronger than a short encryption PIN that you have to remember, so that aspect of the protection will be stronger.

 

AFAIK that was a feature of older versions of Android, where the devices didn't usually have encrypted internal storage. I believe default encrypted storage for devices was introduced with Android 5 or 6, and so "Encrypt phone" is superfluous. How securely you lock your phone is up to you, like using longer PINs or passwords, or more complex pattern unlocks, that's in addition to things like time-outs, and unlock attempt limits.

Some manufacturers offer a vault type feature in their systems, which is basically a password or PIN locked folder, that operates in addition to a device's own encrypted internal storage and locks. and And there are third-party apps that can do it as well.

 

I genuinely see no advantage in a decryption key you have to remember and enter yourself over a PIN or password of the same length. Both do the same thing: enter them and you have access to the device.

Now you might argue that you are happier setting up a longer decryption PIN than a lockscreen PIN or password because you only have to enter that once when you boot the phone. But (a) if the thief steals the phone when it's powered on there is no difference at all, because it's only your (presumably short) lockscreen PIN that is preventing them from gaining access, and (b) if you use a fingerprint instead you will only have to enter the PIN/password on startup and occasionally when the phone wants to confirm your ID (every few days in my case), so the extra inconvenience of that is not large.

But as Mike says, there would be no point in keeping an "encrypt phone" option once all phones were encrypted anyway, so it probably died around Android 5 or 6.

 

NO, the key is generated by the phone, initially when it's first powered on, and then each time there's a Factory Data Reset. Each phone's generated key is unique to that device. It's aloo a new unique key generated with each Factory Data Reset. AFAIK only government agencies have the resources to break these keys, and then only after (probably) months of computing effort.

 

Because the device itself generates a new key each time it's Factory Data Reset. I don 't know what it uses for entropy (Randomness) when generating a key, someone with more knowledge of Android would probably be able to say.

 

It absolutely is not stored in the clear. Does this answer your question: https://source.android.com/security/encryption/full-disk

 

Android's force-encrypt feature is executed from the /vendor fstab file, which includes a specific flag set to 1 within the mountpoint line for the /userdata partition. The encryption key in Android 9, 10 and 11 is created by /vbmeta within the /tee (trusted execution environment), where the key is also isolated from the Android OS and stored in a manner similar to application sandboxing -- but with an encrypted isolation barrier to prevent malicious code from intercepting or tampering with the key. With root access, or with a TWRP installed script, the fstab file can be edited to set the flag from 1 to 0, which enables the legacy opt-encrypt feature. Opt-encrypt gives the user the option to encrypt userdata instead of forcing encryption by default. This option was typically found under device Settings>Security>Encrypt SD Card.

 

can i recover the data after doing factory reset to my android 10 , if i have the password for the last lock screen ?

 

Nope.

 

What if you know your password of the lock screen and typed it again in order to recover data after doing a factory reset, is this acceptable for decryption again? on fbe ( file based encryption ) Because I see this, what Android says (can be unlocked independently)

 

its fbe ( file based encryption ) from Android 7.0 and higher.. not fde ( full disk encryption) cheack for that here its defferent

https://source.android.com/security/encryption/file-based

What I understood from reading on the site is that the password of lock screen is generated as well, but it can also be decrypted if I put the password for the lock screen first again .. ( I think it protects you from hacking and cracking the password, but it does not protect you if someone else knows your first password for the lock screen )

 

from Android 7.0 and higher.. not fde its fbe ( file based encryption)

https://source.android.com/security/encryption/file-based

What I understood from reading on the site is that the password of lock screen is generated as well, but it can also be decrypted if I put the password for the lock screen first again .. ( I think it protects you from hacking and cracking the password, but it does not protect you if someone else knows your first password for the lock screen )

 

FBE vs FDE doesn't change the important principle: the data are encrypted, the phone will decrypt them if it is unlocked (you wouldn't want to have to enter a password for every single file), but your lockscreen password is not the encryption key in either system. In FDE it's used as part of the hashing of the key, but the key and the other part of the hash, the "salt", are random, so knowing the lockscreen password is not enough to recover encrypted data. FBE is stronger and more flexible, but has in common that there is a lot more to the key than just your lockscreen password (indeed I don't find any evidence that the lockscreen password is anything to do with the key). So going back to the question that concerns you, while the lockscreen password gives you access to the data before a reset, it won't allow you to recover them afterwards.

 

ok i get it thank you