Android Device Encryption
Finally, Android 3 introduced the Device Encryption feature, but it is implemented ineffectually because the device PIN is linked to the encryption password:
- A short PIN renders the encryption useless but the device usable
- A strong password renders the device unusable (because it needs to be entered any time the device is used!)
It is inconceivable why Google implemented the protection in such a bad, even unusable way.
Even worse, some phones (at least the Samsung Galaxy S3 from AT&T (I747)) do not even allow PINs but require a full-blown passphrase. Even the greatest security enthusiast won't accept entering a 10-character password every time the device is turned on.
Fortunately, there is a hack to decouple the PIN from the encryption password. It requires root and a terminal emulator such as ConnectBot. This text sets up the device as follows:
- Use a PIN code to protect the device while it is running. I use a 4-digit PIN code.
- A secure, alphanumeric passphrase for encryption (super-secure-long-password) which is resistant to brute force attacks and only needs to be entered during device boot.
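The trade-off between the two secrets, quantified as an added example that is not part of the original text: it times one password-to-key derivation on the local machine and extrapolates how long trying every 4-digit PIN takes compared with every 10-character alphanumeric passphrase. PBKDF2-HMAC-SHA1 with 2000 iterations is an assumed stand-in for the device's key derivation, and all function names are illustrative.

```python
import hashlib
import os
import time

# Assumption: PBKDF2-HMAC-SHA1 with 2000 iterations stands in for the
# password-to-key step; the text does not say which KDF the device uses.
KDF_ITERATIONS = 2000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of exactly `length` symbols."""
    return alphabet_size ** length


def measure_guess_seconds(samples: int = 200) -> float:
    """Average wall-clock cost of one key derivation on this machine."""
    salt = os.urandom(16)  # constructed salt, not read from any device
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", str(i).encode(), salt, KDF_ITERATIONS, 32)
    return (time.perf_counter() - start) / samples


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(seconds_per_guess: float) -> dict:
    """Worst-case time to try every candidate, one guess at a time."""
    cases = {
        "4-digit PIN": keyspace(10, 4),
        "10-character alphanumeric passphrase": keyspace(62, 10),
    }
    return {name: humanize(n * seconds_per_guess) for name, n in cases.items()}


if __name__ == "__main__":
    cost = measure_guess_seconds()
    print(f"one derivation takes about {cost * 1000:.2f} ms here")
    for name, duration in compare(cost).items():
        print(f"{name}: {duration}")
```

Parallel hardware divides both figures by the same factor, so the ratio between the two cases is the result to look at, not the absolute times.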
Setting up encryption
First, set the PIN which should be used for the device. In my case, it was not possible to enable device encryption at all because it required an alphanumeric password. The device can be encrypted manually using the following commands:
su
vdc cryptfs enablecrypto inplace super-secure-long-password
Changing the PIN
It is no longer possible to change the PIN in the settings because everything except the alphanumeric password is greyed out. The solution is Tasker together with Secure Settings:
Create a task "ChangePin", add an Action "Plugin", "Secure Settings" and choose "Password/Pin" under "Dev Admin Actions" as Action. Choose "Enabled", "Pin Code" and enter the new PIN code, then run the task.
This action will also change the encryption password to the weak PIN, so proceed to the next section.
Changing the encryption password
The encryption password can be changed with the following commands:
su
vdc cryptfs changepw super-secure-long-password