Sunday, March 13, 2016

Changing the encryption password on CyanogenMod 13 (Android Marshmallow)

In order for your phone to be secure, you need a strong encryption password. Unfortunately, the default is to use the lock screen password, and having a strong password on the lock screen makes it way too difficult to access the phone. You really want to use two different passwords: a strong one for encryption that is only required when you boot the phone, and a shorter one for the lock screen. Then you protect the lock screen by throttling unlock attempts and possibly limiting the number of attempts before the phone reboots (thus requiring the stronger password to decrypt). Apps like Cryptfs Password previously made this easy, but unfortunately on CM13 nightlies (Android Marshmallow) this no longer works, as the interface has changed. In fact, using one of these apps or the old command-line syntax can cause data loss! If you are coming here after attempting to change your password and finding that you can no longer decrypt your phone, I’m sorry, I don’t know how to recover data in this case.

I do not know of an app that can change the encryption password on these devices yet, but you can still change it from the command line. This must be done as root, so you will need to enable root in the developer options, then run su in the terminal. Note, however, that the syntax has changed. Previously, the command was:

vdc cryptfs changepw password newpassword

Now the command expects an additional parameter, the old password:

vdc cryptfs changepw password default_password newpassword

Currently, the old password parameter is not used (it doesn’t actually have to be the old password, it can be anything), but it must be present for the new password to be interpreted correctly. The command should indicate success by printing:

200 0 0

Yeah, it would be nice if it gave helpful error messages, but all you get is cryptic numerical codes. You can verify that the password was set correctly with:

vdc cryptfs verifypw newpassword

If the new password is correct, this command will also print:

200 0 0

In order to set the encryption password correctly and separately from the lock screen, you will want to encrypt the phone, then set your lock screen with a password (opting to require the password at start up), then change the encryption password with the command above. Now the lock screen will use the password you originally selected when you set the lock screen password, but the stronger password will be required to decrypt the device on boot.
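
The change-then-verify step above can be wrapped so that success is only reported when both commands print 200 0 0. This script is an added example, not part of the original post: the function names and the VDC override variable are hypothetical, and the whitespace check is a precaution added here because the commands above are space-separated.

```sh
#!/system/bin/sh
# Added example: wraps the changepw / verifypw commands from this post.
# VDC is a hypothetical override hook so the functions can be exercised
# without a device; on the phone it defaults to the real vdc binary.
VDC="${VDC:-vdc}"
TAB=$(printf '\t')

# Succeeds only when a vdc response is exactly the success line "200 0 0".
vdc_ok() {
    [ "$1" = "200 0 0" ]
}

# change_boot_password NEWPASSWORD [PLACEHOLDER]
# PLACEHOLDER fills the "old password" slot that the new syntax requires.
# Returns 0 only if both the change and the verification report success.
change_boot_password() {
    cbp_new="$1"
    cbp_old="${2:-default_password}"

    if [ -z "$cbp_new" ]; then
        echo "refusing: empty password" >&2
        return 2
    fi
    # Assumption: refuse whitespace rather than guess how vdc splits it.
    case "$cbp_new" in
        *" "*|*"$TAB"*)
            echo "refusing: password contains whitespace" >&2
            return 2 ;;
    esac

    cbp_out=$("$VDC" cryptfs changepw password "$cbp_old" "$cbp_new" 2>&1)
    if ! vdc_ok "$cbp_out"; then
        echo "changepw did not report success: $cbp_out" >&2
        return 1
    fi

    # Confirm the stored password is the one intended before rebooting.
    cbp_out=$("$VDC" cryptfs verifypw "$cbp_new" 2>&1)
    if ! vdc_ok "$cbp_out"; then
        echo "verifypw rejected the new password: $cbp_out" >&2
        return 1
    fi
    echo "boot password changed and verified"
}
```

On the device, source the file in a root shell and call change_boot_password followed by the new password.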

Hopefully some of you got here in time to avoid data loss. Thanks for reading!
