nelenkov/cryptfs-password-manager

Doesn't work with Android 9

jfeise opened this issue ยท 53 comments

Unfortunately, this app doesn't work with Android 9. Google has taken away the ability to use raw vdc cryptfs commands.

utack commented

Is there anything we can do?
Do I have to downgrade to Android 8, encrypt+vdc cryptfs, and then install Android 9 on top of that already encrypted data partition?

Is there anything we can do?
Do I have to downgrade to Android 8, encrypt+vdc cryptfs, and then install Android 9 on top of that already encrypted data partition?

I tried that, didn't work. The reason is that when you select a screen lock pin/password/pattern on first boot of Android 9, it sets it for the encryption as well (or, if you select not to use it for encryption, it clears the encryption password.)
I have tried this with LineageOS 16.0 on my OnePlus 3 phone.
Since I build the OS myself, I actually modified the code to not change the encryption key when setting the screen lock.
I believe it should be possible to call the function in the Android StorageManager from an app. Haven't tried that yet, though.
In the LineageOS 16.0/Android 9 code, this is in frameworks/base/services/core/java/com/android/server/StorageManagerService.java, the function is called changeEncryptionPassword(int type, String password)

As a workaround, you can do the following (on your own risk):

  1. set the desired password for the screen lock
  2. backup lockscreen files:
    1. all files under /data/system_de/0/spblob/
    2. files containing "_synthetic_password_" in /data/misc/keystore/user_0/
    3. /data/system/locksettings.db
  3. set the desired password for the device encryption
  4. restore / replace all lockscreen files

If something went wrong, sqlite into /data/system/locksettings.db and set the values of sp-handle and lockscreen.password_type to 0 to reset the screen lock.

As a workaround, you can do the following

Does not work with Pixel Expirience on my Redmi Note 4X, but I found a much easier method:

  1. set the desired password for the device encryption
  2. restart, check the encryption
  3. delete /data/system/locksettings.db from recovery (this removes the screen lock)
  4. set the desired password for the screen lock and reject the offer to use it for device encryption
utack commented
4. set the desired password for the screen lock and reject the offer to use it for device encryption

for me this resets the encryption password and it is disabled

Maybe it depends of firmware...

Just tested again (Redmi Note 4X with Pixel Experience):

  • installed the firmware (without setting the lock screen)
  • Settings โ†’ Security and Location โ†’ Screen lock โ†’ Password โ†’ Yes

Screenshot_20190310-190749

  • rebooted with my password
  • rebooted to recovery, decrypted /data
  • deleted /data/system/locksettings.db (also deleted locksettings.db-wal and locksettings.db-shm just in case)
  • rebooted to system with my password
  • Settings โ†’ Security and Location โ†’ Screen lock โ†’ PIN โ†’ No

Screenshot_20190310-190749

Rebooted to system with my password and unlocked screen with my PIN.

utack commented

@dartraiden exactly what I did, but then encryption was "disabled" (emtpy password) once I selected "no" on encrypted startup
Maybe they changed the behaviour

@dartraiden exactly what I did, but then encryption was "disabled" (emtpy password) once I selected "no" on encrypted startup

That's the behavior I see in the LineageOS 16.0 source code, I assume that came from AOSP. Maybe some manufacturers have changed it.

I performed the following steps with my Galaxy S5 SM-G900T:
Formatted data from recovery
Installed LineageOS 16, gapps pico, and Lineage SU
Booted into system
Set password and required on boot
Rebooted to system, entered password to boot
Enabled encryption
Rebooted to system, entered password to boot
Rebooted to recovery, entered password to decrypt data
Deleted /data/system/locksettings.db and associated files
Rebooted to system, entered password to boot
Set screen lock PIN and selected NO to require PIN on start
Rebooted to system, not prompted to enter password to boot.

What did I do wrong?

Note that the phone is still encrypted.

I performed the following steps with my Galaxy S5 SM-G900T:
Formatted data from recovery
Installed LineageOS 16, gapps pico, and Lineage SU
Booted into system
Set password and required on boot
Rebooted to system, entered password to boot
Enabled encryption
Rebooted to system, entered password to boot
Rebooted to recovery, entered password to decrypt data
Deleted /data/system/locksettings.db and associated files
Rebooted to system, entered password to boot
Set screen lock PIN and selected NO to require PIN on start
Rebooted to system, not prompted to enter password to boot.

What did I do wrong?

Note that the phone is still encrypted.

That's how LineageOS works. If you select NO to require pin or password on start LineageOS clears the password.

Yes, some firmware (LineageOS) remove encryption, some (PE) leave it on

I've added support for Android 9 on my fork and included an .apk for download, but in order for this to work, the app has to be systemized and privilege whitelisted (both of which can be done using the 'App Systemizer' module which can be downloaded directly through the Magisk Manager, though be sure to choose '/system/priv-app' when prompted for the install location) so it can be allowed the CRYPT_KEEPER permission in order for it to be able to access the StorageManager stuff and work its magic.

I had no luck with your fork on LOS 16, the CRYPT_KEEPER permission doesn't exist.

systemize -d cryptfs-app-debug.apk                                         
 Checking APK size - 1M
 Transfering cryptfs-app-debug.apk(org.nick.cryptfs.passwdmanager) to '/system/priv-app'...
 Granting Permissions
 org.nick.cryptfs.passwdmanager - Done
 android.permission.CRYPT_KEEPER doesn't exist!

I had no luck with your fork on LOS 16, the CRYPT_KEEPER permission doesn't exist.

systemize -d cryptfs-app-debug.apk                                         
 Checking APK size - 1M
 Transfering cryptfs-app-debug.apk(org.nick.cryptfs.passwdmanager) to '/system/priv-app'...
 Granting Permissions
 org.nick.cryptfs.passwdmanager - Done
 android.permission.CRYPT_KEEPER doesn't exist!

Yeah I don't know why it complains about the permission with the -d option, but the way I did it is by installing as a regular app first, then I ran systemize in prompt mode (no args) and chose the Systemize Installed Apps (Listed) option.

It's also worth to check that there's a /system/etc/permissions/privapp-permissions-org.nick.cryptfs.passwdmanager.xml after the script runs, with something like:

<?xml version="1.0" encoding="utf-8"?>
<!--
        Generated by App Systemizer (Terminal Emulator) by veez21
-->
<permissions>
    <privapp-permissions package="org.nick.cryptfs.passwdmanager">
        <permission name="android.permission.CRYPT_KEEPER"/>
    </privapp-permissions>
</permissions>

I was able to install cryptfs-password-manager on LOS 16.0 as @thedroidgeek suggested. The privapp-permissions-org.nick.cryptfs.passwdmanager.xml is also were it should be.

but when i try to change the password using the app, i just got an error "Password change error. Failed to change device encryption password."

Any idea?

I would need a logcat to find out what happened.

I would need a logcat to find out what happened.

05-03 19:29:29.273 3207 12932 W s.passwdmanage: Accessing hidden method Landroid/os/storage/IStorageManager$Stub$Proxy;->changeEncryptionPassword(ILjava/lang/String;)I (dark greylist, reflection) 05-03 19:29:29.273 3207 12932 W s.passwdmanage: Accessing hidden method Landroid/os/storage/IStorageManager;->changeEncryptionPassword(ILjava/lang/String;)I (dark greylist, reflection) 05-03 19:29:29.273 3207 12932 W System.err: java.lang.NoSuchMethodException: changeEncryptionPassword [int, class java.lang.String] 05-03 19:29:29.278 3207 12932 W System.err: at java.lang.Class.getMethod(Class.java:2068) 05-03 19:29:29.278 3207 12932 W System.err: at java.lang.Class.getMethod(Class.java:1690) 05-03 19:29:29.285 3207 12932 W System.err: at org.nick.cryptfs.passwdmanager.CryptfsCommands.changePasswordNoVerifyPie(CryptfsCommands.java:268) 05-03 19:29:29.286 3207 12932 W System.err: at org.nick.cryptfs.passwdmanager.CryptfsCommands.changeCryptfsPasswordPie(CryptfsCommands.java:236) 05-03 19:29:29.288 3207 12932 W System.err: at org.nick.cryptfs.passwdmanager.MainActivity$ChangePasswdTask.doInBackground(MainActivity.java:264) 05-03 19:29:29.290 3207 12932 W System.err: at org.nick.cryptfs.passwdmanager.MainActivity$ChangePasswdTask.doInBackground(MainActivity.java:212) 05-03 19:29:29.295 3207 12932 W System.err: at android.os.AsyncTask$2.call(AsyncTask.java:333) 05-03 19:29:29.295 3207 12932 W System.err: at java.util.concurrent.FutureTask.run(FutureTask.java:266) 05-03 19:29:29.300 3207 12932 W System.err: at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245) 05-03 19:29:29.304 3207 12932 W System.err: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167) 05-03 19:29:29.304 3207 12932 W System.err: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) 05-03 19:29:29.304 3207 12932 W System.err: at java.lang.Thread.run(Thread.java:764)

Lol, I didn't even realize they also added reflection restrictions on Pie ๐Ÿ˜ฎ
I also don't know why my device running on official LineageOS 16 nightlies didn't have this greylist...
Oh well, here's a build targeting API 27 which should hopefully cause these checks to be bypassed, let me know if it works.
Oh, and make sure to unsystemize the old app, reboot, install the new one, systemize and reboot.

seems to work, thanks a lot...

@thedroidgeek, it works, thank you!

Worked for me as well! ๐Ÿ‘

LevN0 commented

The latest version of the fork linked above does not seem to work on Pixel 3. Obtain "Password change error. Failed to change device encryption password"

07-24 14:06:34.078 639 661 D SurfaceFlinger: duplicate layer name: changing org.nick.cryptfs.passwdmanager/org.nick.cryptfs.passwdmanager.MainActivity to org.nick.cryptfs.passwdmanager/org.nick.cryptfs.passwdmanager.MainActivity#1
07-24 14:06:34.865 4159 7983 W s.passwdmanage: Accessing hidden method Landroid/os/ServiceManager;->getService(Ljava/lang/String;)Landroid/os/IBinder; (light greylist, reflection)
07-24 14:06:34.865 4159 7983 W s.passwdmanage: Accessing hidden method Landroid/os/storage/IStorageManager$Stub;->asInterface(Landroid/os/IBinder;)Landroid/os/storage/IStorageManager; (light greylist, reflection)
07-24 14:06:34.865 4159 7983 W s.passwdmanage: Accessing hidden method Landroid/os/storage/IStorageManager$Stub$Proxy;->changeEncryptionPassword(ILjava/lang/String;)I (dark greylist, reflection)
07-24 14:06:34.928 639 1970 D SurfaceFlinger: duplicate layer name: changing org.nick.cryptfs.passwdmanager/org.nick.cryptfs.passwdmanager.MainActivity to org.nick.cryptfs.passwdmanager/org.nick.cryptfs.passwdmanager.MainActivity#2
07-24 14:06:34.942 639 660 D SurfaceFlinger: duplicate layer name: changing Dim Layer for - Task=10530 to Dim Layer for - Task=10530#1
07-24 14:06:35.106 639 1970 W SurfaceFlinger: Attempting to set client state on removed layer: org.nick.cryptfs.passwdmanager/org.nick.cryptfs.passwdmanager.MainActivity#1
07-24 14:06:35.106 639 1970 W SurfaceFlinger: Attempting to destroy on removed layer: org.nick.cryptfs.passwdmanager/ org.nick.cryptfs.passwdmanager.MainActivity#1
07-24 14:06:35.122 639 1970 W SurfaceFlinger: Attempting to set client state on removed layer: Dim Layer for - Task=1 0530#0
07-24 14:06:35.122 639 1970 W SurfaceFlinger: Attempting to destroy on removed layer: Dim Layer for - Task=10530#0

Do not see any errors in logcat yet still does not work.

@LevN0 Your device does not use Full-Disk Encryption (#24).

LevN0 commented

Learn something new every day. Seems like it fundamentally means the device is insecure when bootloader is unlocked unless your lock screen is a very long password?

@LevN0
According to https://source.android.com/security/encryption/file-based#dependencies it seems file encryption keys are still derived from a combination of user's key and a key stored in H/W protected buffer and derivation process is handled by a "gatekeeper" ( https://source.android.com/security/authentication/gatekeeper), which have "throttling" built in to resist brute force attacks.
The question is: Is the gatekeeper a software-only solution and can be attacked/replaced by altering OS with an unlocked bootloader? I really hope the gatekeeper is somehow H/W dependent.

Hopefully, someone more competent will chime in.

innir commented

@thedroidgeek Thanks for your fork, worked flawlessly for me!

BTW: I didn't need this Magisk stuff, just installing as system app via adb worked for me:

adb root
adb remount
adb push app-debug.apk /system/priv-app/
adb shell chmod 644 /system/priv-app/app-debug.apk
adb reboot

And uninstalling it afterwards with
adb shell pm uninstall -k --user 0 org.nick.cryptfs.passwdmanager
should be fine, right?

Edit: I'm on LineageOS 16.0 [unofficial build though]

Looks like at least for LineageOS 16 they are putting the changepw functionality back in:
https://review.lineageos.org/c/LineageOS/android_system_vold/+/254062

gcvl commented

I've added support for Android 9 on my fork and included an .apk for download, but in order for this to work, the app has to be systemized and privilege whitelisted (both of which can be done using the 'App Systemizer' module which can be downloaded directly through the Magisk Manager, though be sure to choose '/system/priv-app' when prompted for the install location) so it can be allowed the CRYPT_KEEPER permission in order for it to be able to access the StorageManager stuff and work its magic.

@thedroidgeek
Your fork works wonders on LineageOS 16 and Galaxy S5, thank you!

Lol, I didn't even realize they also added reflection restrictions on Pie open_mouth
I also don't know why my device running on official LineageOS 16 nightlies didn't have this greylist...
Oh well, here's a build targeting API 27 which should hopefully cause these checks to be bypassed, let me know if it works.
Oh, and make sure to unsystemize the old app, reboot, install the new one, systemize and reboot.

@thedroidgeek
Thanks for providing a fork that apparently solved the issue for some users. I am happy that someone is working on the issue.

1.) My Problem: I am using a Fairphone 2 with LineageOS 16 , rooted via AddonSU (see https://download.lineageos.org/extras ). I presume for this case any Magisk-based solution to be not suitable to make the app privileged and systemized. Is there any idea, how I still can make use of it?

I tried the workaround of innir (see #25 (comment) ), but this rendered LineageOS unbootable for me. (Hangs in the boot animation, then...)

2.) If the change mentioned by jfeise above ( #25 (comment) ) is now part of LineageOS, shouldn't the original app work again for any recent LineageOS version? I am wondering -- I tried (as far as i can remember: with lineage-16.0-20200120) but apparently failed: It states that my existing password -- which I believe to have entered correctly -- was wrong...

Looks like at least for LineageOS 16 they are putting the changepw functionality back in:
https://review.lineageos.org/c/LineageOS/android_system_vold/+/254062

Does this means that this app works again since last August?
I am thinking if I should move to lineageOS 16

I could not verify that the issue is solved with the patch from https://review.lineageos.org/c/LineageOS/android_system_vold/+/254062 on my LineageOS version 16.0-20200627-microG-ktle.
"adb shell vdc cryptfs verifypw " still gives:

vdc V 08-19 18:00:52 13632 13632 vdc.cpp:52] Waited 0ms for vold
vdc E 08-19 18:00:52 13632 13632 vdc.cpp:128] Raw commands are no longer supported

and Cryptfs Password App says "Invalid password" when I try to change the disk encryption password with the correct current password and some test New password.

@PaCaBa Thank you for checking

For reference this is the change for lineage 17
https://review.lineageos.org/c/LineageOS/android_system_vold/+/258179

I inspected the code and they seem to include the command changepw but no verifypw like you are trying to run.

Now that microg builds are running again I will update soon and if I remember to do it, I'll report back here

Success!

I don't think is documented anywhere the syntax but looking at the code I linked in my previous comment I was able to set a different password.
Initially I used a PIN for unlocking, so the command to run on a terminal on lineageos 17.1 as root is:

vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD

Where type of password can be:

  • password
  • pin
  • pattern

I also had to deal with the issue of the phone not encrypting due to the partition size. Fixed following the instructions here:
https://gitlab.com/LineageOS/issues/android/-/issues/1027

So basically the code of this app needs to be updated to reflect the changes made on android 9 and above either by calling vdc changepw or fdeChangePassword directly.
Although I feel it doesn't have maintenance. Myself from now on I am going to use the command as it saves from installing an app.

Pull requests are always welcome. If the change only works on LineageOS or some other custom build/ROM, not sure if it makes sense to release on Play Store though. Could live on separate lineage-os branch or some such.

@nelenkov Thanks. I just realized the syntax I described is on the readme file for CM13 and implemented in the code.
The verifypw is not implemented on LOS17 so I guess that is why it fails to change the password.

Maybe what can be done is to run the changepw command directly and check for the output for when the current password is wrong.

I'll leave the PR for someone with more knowledge about android.

I tried the solution of rodrigoaguilera (vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD)
on a device with LOS 17.1 and Magisk.
Unfortunately, it doesn't work:
vdc V 11-29 11:44:22 3701 3701 vdc.cpp:52] Waited 0ms for vold
vdc E 11-29 11:44:22 3701 3701 vdc.cpp:62] Failed: Status(-8, EX_SERVICE_SPECIFIC): '-1: '
Does anybody know what this means? Or where can I look for it? Or other solutions?

No idea, sorry

I inspected the code and they seem to include the command changepw but no verifypw like you are trying to run.

Where did you find the code? (sorry it's all new for me...)

@rodrigoaguilera May I ask which device you have used?

Both star2lte and jfltexx

Success!

I don't think is documented anywhere the syntax but looking at the code I linked in my previous comment I was able to set a different password.
Initially I used a PIN for unlocking, so the command to run on a terminal on lineageos 17.1 as root is:

vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD

Where type of password can be:

* `password`

* `pin`

* `pattern`

I also had to deal with the issue of the phone not encrypting due to the partition size. Fixed following the instructions here:
https://gitlab.com/LineageOS/issues/android/-/issues/1027

So basically the code of this app needs to be updated to reflect the changes made on android 9 and above either by calling vdc changepw or fdeChangePassword directly.
Although I feel it doesn't have maintenance. Myself from now on I am going to use the command as it saves from installing an app.

Hi this might be a stupid question... I installed termux and inside termux the tsu package for using it as root. But the command vdc does not exist...

I have a Fairphone 2 with LineageOS for MicroG and Magisk installed.

Thank you!

Edit: I ran it with adb root and afterwards adb shell and got:

vdc V 02-09 10:51:46 13601 13601 vdc.cpp:52] Waited 0ms for vold
vdc E 02-09 10:51:46 13601 13601 vdc.cpp:168] Raw commands are no longer supported

I used termux too but I don't remember installing any tsu package. Just used su and then gave permission on magisk. Once I have a root shell with su the vdc is available.
I have the same setup except my devices are star2lte and jfltexx

I used termux too but I don't remember installing any tsu package. Just used su and then gave permission on magisk. Once I have a root shell with su the vdc is available.
I have the same setup except my devices are star2lte and jfltexx

Thanks, vdc is available by running it with su. But I get the same error as I mentioned in my post above:

vdc V 02-09 10:51:46 13601 13601 vdc.cpp:52] Waited 0ms for vold
vdc E 02-09 10:51:46 13601 13601 vdc.cpp:168] Raw commands are no longer supported

Thank you for your help!

Edit: It worked with the cryptfs app as suggested here:
#25 (comment)
Thank you all!
Note: This method did not work for me. I could still enter the encryption password after the reboot and then it took quite a long time until finally TWRP was started...
#25 (comment)

I tried the solution of rodrigoaguilera (vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD)
on a device with LOS 17.1 and Magisk.
Unfortunately, it doesn't work:
vdc V 11-29 11:44:22 3701 3701 vdc.cpp:52] Waited 0ms for vold
vdc E 11-29 11:44:22 3701 3701 vdc.cpp:62] Failed: Status(-8, EX_SERVICE_SPECIFIC): '-1: '
Does anybody know what this means? Or where can I look for it? Or other solutions?

I get this error. rodrigoaguilera, bniddl, do you use File Based Encryption or Full Disk Encryption? It can be determined as described here without root privileges. I use File Based Encryption since I installed LineageOS 17.1 from scratch.

[Update. Since the changepw command calls vold->fdeChangePassword, I believe it will work only for Full Disk Encryption. Since File Based Encryption is required in Android 10 and higher, we are screwed.]

I think I use Full disk encryption as TWRP is not able to even mount it.
LOS 17.1 is android 10 so maybe File Based Encryption is required but not mandatory.
Can you point to some info about this changing in android? I am worried about LineageOS 18

Can you point to some info about this changing in android? I am worried about LineageOS 18

Yes, a Google search shows the source at the top: โ€œFile Based Encryption is required in Android 10โ€.

LOS 17.1 is android 10 so maybe File Based Encryption is required but not mandatory.

I heard that Android keeps Full Disk Encryption if it was used before Android was updated. I can't find the source.

I think I use Full disk encryption as TWRP is not able to even mount it.

You will know for sure by using the method described by the link I gave. It is just one command in termux without root privileges.

[Update. Since the changepw command calls vold->fdeChangePassword, I believe it will work only for Full Disk Encryption. Since File Based Encryption is required in Android 10 and higher, we are screwed.]

beroal, you are right. My device uses File Based Encryption (FBE). bgcngm (maintainer of LOS 17.1 gts4lv) told me, that it is not possible to have a separate disk encryption password on a FBE-device.

OK this sucks terribly, today I learned about FBE and I don't like it at all. Is there any way for a newer device on rooted Android 11 (specifically: beyond0lte with Lineage 18 + Magisk) which is FBE encrypted to have a boot password different from the screen unlock password?

OK this sucks terribly, today I learned about FBE and I don't like it at all. Is there any way for a newer device on rooted Android 11 (specifically: beyond0lte with Lineage 18 + Magisk) which is FBE encrypted to have a boot password different from the screen unlock password?

Unfortunatly this is not supported. Maybe a custom ROM could implement such a feature, but AOSP does not support it. However AOSP supports something else that protects against the same threats. This is hardware backed encryption key storage. If your device supports a Trusted Executrion Environment(TEE) or HSM (Hardware Security Module) your encryption key is saved there with extraction prevention and brute force protection, as the TEE/HSM only accepts password guesses every n second.
You can read about it here:
https://source.android.com/security/encryption/file-based
Or in this paper:
https://securephones.io/

Thank you @besendorf for the quick reply. Yes, I was reading in the meantime about hardware backed key storage, I have still to make up my mind about it. One thing I do not like is that it requires you to trust the hardware, i.e. the TPM, while with a strong FDE password, if your phone is powered off it's basically a brick. I understand your threat model may vary, but I personally don't like the idea that Android decided that somehow users do not need to manage their own security policy. Bah!

These concerns are along the lines of achieving nation-state security, which is practicably impossible.

The bigger concern is all the other criminals who are busy hacking into video surveillance systems so they can capture someone entering their phone's encryption password in broad daylight. (I would like to point out that not even Microsoft requires such a stupid policy - gives you an idea of what these "developers" think of your security.)

For all of the devices I've owned, LineageOS does not allow me to enforce fingerprint attempt limit or password attempt limit. So anyone who is kind of close can attempt enough retries to have a realistic chance at succeeding, making the over-the-shoulder attack the most likely vector.

My current choice is my phone is exclusively a selective email device and maybe some shopping/restaurant apps, audio books, etc. Nothing of consequence. The only secure option is nothing of value on the device.

I just installed a LOS 19.1 and as a workaround I used multiple accounts.
You can set the long password for the owner and as soon as the device boots, swap to a secondary user with a more simple pattern