4

In Android 6, you could change the disk encryption key using the vdc command with

vdc cryptfs changepw NEWPW

In Android 9, you get a message that raw commands are no longer supported.

During rooting and installing Lineage OS 16 and installing different stuff, I got different PIN and encryption keys. This means that when I change the lockscreen PIN, the encryption key is no longer changed.

In principle, this is what I wanted to achieve, but the problem is that I currently do not know how to change the encryption key at all. I would like to have a rather short lockscreen PIN and a longer encryption key that I can change from time to time. On Android 6 this was no problem on the shell and with different apps, but the apps seem to depend on the vdc command as well.

I already tried to change the lockscreen PIN back to the current encryption password in the hope that the next change of the PIN would then change the encryption as well, because I thought maybe the encryption was not changed because the new API needs a correct old password before changing the key to the new password. But this did not work either.

Is there any app, command line tool or function in Lineage OS 16 that can change the encryption key?

allo

2 Answers

2

I don't think the syntax is documented anywhere, but looking at this code https://review.lineageos.org/c/LineageOS/android_system_vold/+/258179 I was able to set a different password. Initially I used a PIN for unlocking, so the command to run in a terminal on LineageOS 17.1 as root is:

vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD

Where type of password can be:

  • password
  • pin
  • pattern

This looks good, but probably is LineageOS specific? But it looks like it would have solved my problem, if it were in my LineageOS build. So other people having the problem may be able to solve it using a vdc binary from LineageOS 17.0 builds that contain this patch. – allo Aug 23 '20 at 19:20

1

I was able to set an encryption password again by removing the lockscreen (removing some files related to the lockscreen) and then setting a new passphrase. To use a different lockscreen password afterwards, you need to restore the original files.

Source on XDA: https://forum.xda-developers.com/showpost.php?p=78699812&postcount=58

As a workaround on Android Pie, you can do the following (at your own risk):

  1. set the desired password for the screen lock
  2. backup lockscreen files:
    1. all files under /data/system_de/0/spblob/
    2. files containing "_synthetic_password_" in /data/misc/keystore/user_0/
    3. /data/system/locksettings.db
  3. set the desired password for the device encryption
  4. restore / replace all lockscreen files

If something went wrong, sqlite into /data/system/locksettings.db and set the values of sp-handle and lockscreen.password_type to 0 to reset the screen lock.

Afterwards I enabled the lockscreen using the settings app and used the current boot password as password. When changing the lockscreen, the boot password was changed as well.

To have separate lockscreen and boot passwords again, you can either restore the previous files, or remove the new ones and set a fresh lockscreen password that does not overwrite the encryption key.

allo
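
Steps 2 and 4 of the workaround above as a script, an added example that is not part of the original answer or the XDA post. It assumes a root shell with `sha256sum` available; the function names and the backup directory are hypothetical, and files are copied with `cp -p` only, so SELinux labels on the restored files are not handled here.

```shell
#!/bin/sh
# Added example: snapshot and put back the lockscreen files from steps 2 and 4.
# The data root is a parameter (/data on the device) so a scratch tree can be
# used for a rehearsal. Run as root on the device.

# Print the lockscreen files under data root $1, as paths relative to it.
lockscreen_files() {
    ( cd "$1" || exit 1
      if [ -d system_de/0/spblob ]; then find system_de/0/spblob -type f; fi
      if [ -d misc/keystore/user_0 ]; then
          find misc/keystore/user_0 -type f -name '*_synthetic_password_*'
      fi
      if [ -f system/locksettings.db ]; then echo system/locksettings.db; fi
    ) | sort
}

# Step 2: copy the files from data root $1 into $2 and record their hashes.
backup_lockscreen() {
    root=$1; dest=$2
    mkdir -p "$dest" || return 1
    lockscreen_files "$root" > "$dest/FILES"
    [ -s "$dest/FILES" ] || { echo "no lockscreen files found" >&2; return 1; }
    while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")" && cp -p "$root/$f" "$dest/$f" || return 1
    done < "$dest/FILES"
    ( cd "$dest" && while IFS= read -r f; do sha256sum "$f"; done < FILES > SHA256SUMS )
}

# Step 4: verify backup $1 against its manifest, then replace the files in $2.
restore_lockscreen() {
    src=$1; root=$2
    ( cd "$src" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ) ||
        { echo "backup failed verification, nothing restored" >&2; return 1; }
    # Reading "replace" as: delete what was written since the backup first.
    lockscreen_files "$root" | while IFS= read -r f; do rm -f "$root/$f"; done
    while IFS= read -r f; do
        mkdir -p "$root/$(dirname "$f")" && cp -p "$src/$f" "$root/$f" || return 1
    done < "$src/FILES"
}

# Usage on the device (the backup directory is a placeholder):
#   backup_lockscreen /data /data/local/tmp/lockscreen-backup
#   ...set the device encryption password (step 3)...
#   restore_lockscreen /data/local/tmp/lockscreen-backup /data
```

The restore refuses to modify anything if a backed-up file no longer matches its recorded hash, which avoids writing a damaged `locksettings.db` or synthetic password blob back onto the device.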