
Sunday, March 13, 2016

Changing the encryption password on CyanogenMod 13 (Android Marshmallow)

In order for your phone to be secure, you need a strong encryption password. Unfortunately, the default is to use the lock screen password, and having a strong password on the lock screen makes it way too difficult to access the phone. You really want to use two different passwords: a strong one for encryption that is only required when you boot the phone, and a shorter one for the lock screen. Then you protect the lock screen by throttling unlock attempts and possibly limiting the number of attempts before the phone reboots (thus requiring the stronger password to decrypt). Apps like Cryptfs Password previously made this easy, but unfortunately on CM13 nightlies (Android Marshmallow), this no longer works as the interface has changed. In fact, using one of these apps, or the old command-line syntax, can cause data loss! If you are coming here after attempting to change your password and finding that you can no longer decrypt your phone, I’m sorry, I don’t know how to recover data in this case.

I do not know of an app that can change the encryption password on these devices yet, but you can still change it from the command-line. This must be done as root, so you will need to enable root in the developer options, then use su in the terminal. Note, however, that the syntax has changed. Previously, the command was:

vdc cryptfs changepw password newpassword

Now the command expects an additional parameter, the old password:

vdc cryptfs changepw password default_password newpassword

Currently, the old password parameter is not used (it doesn’t actually have to be the old password, it can be anything), but it must be present for the new password to be interpreted correctly. The command should indicate success by printing:

200 0 0

Yea, it would be nice if it gave helpful error messages, but all you get is cryptic numerical codes. You can verify that the password was set correctly with:

vdc cryptfs verifypw newpassword

If the new password is correct, this command will also print:

200 0 0

In order to set the encryption password correctly and separately from the lock screen, you will want to encrypt the phone, then set your lock screen with a password (opting to require the password at start up), then change the encryption password with the command above. Now the lock screen will be the password you originally selected when you set the lock screen password, but the stronger password will be required to decrypt the device on boot.
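The change-then-verify sequence above can be wrapped so that success is only reported when both commands return the exact 200 0 0 reply. This is an added example, not part of the original post; the names vdc_ok, set_boot_password and the VDC variable are hypothetical, and it assumes a root shell on the phone.

```shell
#!/bin/sh
# Added example (not from the original post). VDC can point at a stub for
# testing; on the phone it defaults to the real vdc binary.
VDC=${VDC:-vdc}

# Run a vdc command and succeed only on the exact success reply "200 0 0".
vdc_ok() {
    reply=$("$VDC" "$@" 2>/dev/null)
    [ "$reply" = "200 0 0" ]
}

# $1 = new boot (encryption) password
set_boot_password() {
    [ -n "$1" ] || { echo "usage: set_boot_password NEWPASSWORD" >&2; return 2; }
    # CM13 form: default_password fills the old-password slot, which must be
    # present so the new password is read from the right position.
    vdc_ok cryptfs changepw password default_password "$1" ||
        { echo "changepw did not return 200 0 0" >&2; return 1; }
    # Confirm the new password before relying on it at the next boot.
    vdc_ok cryptfs verifypw "$1" ||
        { echo "verifypw did not confirm the new password" >&2; return 1; }
    echo "encryption password changed and verified"
}
```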

Hopefully some of you got here in time to avoid data loss. Thanks for reading!

Thursday, November 13, 2014

Setting up root SSH login on CyanogenMod

I did this with the latest CyanogenMod 11 snapshots on a Nexus 4 and a Nexus 5. I recommend buying a device with an unlockable bootloader, like the Google Nexus devices, because it makes rooting and installing custom ROMs, etc., much more straightforward. Besides, if you buy a device you ought to own it, so why give your money to a company that tries to lock you out of your own devices, as if they still own it even after you have bought and paid for it? If you already have a device that is locked down, you may have to search the web to find a hack to get access to it (Good luck!), but I won’t be covering that here. What I found to be difficult to find and poorly documented elsewhere was how to configure your device for root login via ssh, after installing CyanogenMod. This can be useful for a variety of reasons; for instance, you can easily make a full backup of the phone securely over your wireless network. But as always, exercise caution when using root!

Before you begin, make sure you have a few options set on the Android device. Under “Developer options” make sure that “Android debugging” is enabled, “Root access” is set to “Apps and ADB”, and while you are here, set “Device hostname” to something memorable. (You should have learned to access the hidden “Developer options” menu while installing CyanogenMod.) Now, with the phone connected by USB, log in from your computer with:

adb shell

then start setting up ssh by copying over the template configuration file:

cp /system/etc/ssh/sshd_config /data/ssh
vim /data/ssh/sshd_config

and add the line:

PermitRootLogin without-password

This does not do what it sounds like. It will not allow you to log in without authenticating; rather, it disables authentication with a password and requires you to use public key authentication, which we will set up in a minute. Next:

mkdir /data/local/userinit.d
cd /data/local/userinit.d
cp /system/bin/start-ssh 90sshd
vim 90sshd


and change:

   # don't daemonize - otherwise we can't stop the sshd service
   /system/bin/sshd -f /system/etc/ssh/sshd_config -D


to:

   # don't daemonize - otherwise we can't stop the sshd service
   ## Actually, yes, do daemonize (remove -D option)
   /system/bin/sshd -f /system/etc/ssh/sshd_config


Now, if you don’t already have one, you will need to generate an RSA key for ssh. On your computer (not the adb shell that is already logged into your Android device) run:

ssh-keygen

and with the default options you will get a ~/.ssh directory containing id_rsa and id_rsa.pub. You will need to copy id_rsa.pub to your Android device in order to be able to log in. Still working from your computer:

adb push ~/.ssh/id_rsa.pub /sdcard/

Now, on the Android device:

cd /data/.ssh
touch authorized_keys
cat /sdcard/id_rsa.pub >> authorized_keys
chmod 600 authorized_keys


Note that the authorized keys file must not be readable by anyone else or ssh will refuse to use it and authentication will fail. Now you should be able to reboot and log in to your Android device:

ssh root@AndroidHostname

If you set a password for the RSA key you generated for ssh, it will prompt you for that password, but it will not prompt for a password for root on the Android device (because it is using the key instead). If you want to log in from other devices, make sure you have an authorized key on that device as well. To add more authorized keys, simply concatenate them onto the authorized_keys file, the same way we did the first one. Now you can remotely access your Android device via ssh.
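Before relying on this setup, it is worth checking that the key-only restriction is the one sshd actually applies: in the steps above, 90sshd still passes -f /system/etc/ssh/sshd_config while the edited copy lives in /data/ssh, and sshd keeps the first value it reads for a keyword. The script below is an added example, not part of the original post; its function names are hypothetical, it assumes awk, ls and cut are available, and it does not handle Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the config path that the start script passes to sshd with -f.
sshd_config_in_use() {
    awk '$1 !~ /^#/ {
             for (i = 1; i < NF; i++)
                 if ($i ~ /(^|\/)sshd$/ && $(i + 1) == "-f") path = $(i + 2)
         }
         END { print path }' "$1"
}

# Print the PermitRootLogin value sshd will apply: for each keyword sshd
# keeps the first value it reads, so a line appended after an earlier
# uncommented one has no effect. Match blocks are not handled here.
effective_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed only if the file exists and group/other have no permission bits.
key_file_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# $1 = start script, $2 = the sshd_config you edited, $3 = authorized_keys
audit_root_ssh() {
    rc=0
    used=$(sshd_config_in_use "$1")
    [ "$used" = "$2" ] || { echo "WARN: sshd is started with '$used', not '$2'"; rc=1; }
    mode=$(effective_root_login "${used:-$2}" 2>/dev/null) || mode=unreadable
    case $mode in
        without-password|prohibit-password) ;;
        *) echo "WARN: effective PermitRootLogin is '$mode'"; rc=1 ;;
    esac
    key_file_private "$3" || { echo "WARN: $3 is missing or open to group/other"; rc=1; }
    return $rc
}

# Usage: sh audit.sh /data/local/userinit.d/90sshd /data/ssh/sshd_config /data/.ssh/authorized_keys
if [ $# -eq 3 ]; then audit_root_ssh "$@"; fi
```

A non-zero exit status means at least one WARN line was printed.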