nelenkov / cryptfs-password-manager Goto Github PK

$$ and the like are expanded by the shell so escape properly when passing to vdc

It seems that the app currently only allows for changing the password on an encrypted device. Would it be possible to allow for the first encryption? I was hoping to integrate this app into a setup wizard on a secure version of cyanogenmod, and it would be nice to get this out of the way without requiring some two-step process after the first reboot (ie. the one after using the default PIN encryption method)

Also, I'm willing to work on this myself, but would like to ensure you're still accepting pull requests and willing to release to fdroid. Thanks!

I used this to change the password on my encrypted Moto X Pure 2015 and it said it was successful. But when I rebooted to test things out, it failed to boot and came up saying something along the lines of "The password entered is correct but the data has been corrupted" and it only gave the option to factory reset the device.

Unfortunately this was at 1am last night right before I went to bed so I was unable to grab anything useful off the phone like a logcat or anything along those lines.

This is more a warning to others that may attempt this on the same phone, be careful and do a nandroid backup first!(I was not careful and did not have a backup lol)

When I start the app, it request superuser permissions.
But after that, it just exits saying "Cannot get superuser access, exiting".
More detailed information would be nice.

Superuser access is there, using su via a terminal app or via adb works fine.

Other people seem to have the same issue.

After the password change, the app displays the password in a dialog. It defeats the purpose of using "hidden" EditTexts for typing the password, because later it's fully visible on screen, making it dangerous to use in "crowded" environment. :P

It should be at least like "click this button if you want to see the password [again]".

Hi Nikolay,

I would like to kindly request to make the code compatible with Phh's superuser as it's used with systemless root and bundled with Magisk which is a rising superuser method in the Android world.

References:
https://github.com/phhusson/Superuser
(Phh's Superuser)

Using:
https://github.com/topjohnwu/Superuser
(This is forked from phhusson and comes bundled with the latest Magisk to have a systemless root solution that is able to bypass SafetyNet etc.)

Sadly the Manager just opens and closes, without asking for superuser access.
(I use Mikos SnooperStopper, which asks for superuser until the part that uses the password manager code)

Thanks for considering making it compatible.

Edit: If you would like me to fetch you logcat, or anything else, let me know and i'll provide them.

Hello,

you can get rid of dependency on Chainfire's closedsource supolicy by using sepolicy-inject instead of it.

I have fixed and extended Joshua Brindle's sepolicy-inject and made it buildable with Android NDK (by combining it with setools-android). You can find my repository here: https://github.com/xmikos/setools-android

Btw. I am working on Android device admin app which would monitor unlock attempts and after 3 failed attemts (or other number set by user) would reboot device. I want to include your app in it (with only some design changes) and ask user to change encryption password again if he changes unlock password/pin/gesture. It will be opensource and published on GitHub. Are you OK with it?

i used the app on my onplusone after upgrading to cm 12 / android 5.0.2 with twrp (rooted) yesterday, so i am still in "experimental mode" and have up to date backups (no panic).
after sucessfully changing the encryption password and rebooting, i get the following error: "decryption unsucessful - the password you entered is correct, but unfortunately your data is corrupt. to resume using your phone, you need to perform a factory reset..." and the only thing i can do is click "reset phone".
i suppose i cannot get more information about what went wrong so i will do the reset now and start over... and try again when the app is stable for cm12.
cheers :-)

Hello,

on Google Play, you wrote: "For Android <= 4.4 (does not work on 5.0 due to changes in disk encryption)"

Why is that so? I have found that syntax of vdc cryptfs changed a little, is this the only problem?

Now it looks like:

vdc cryptfs enablecrypto <wipe|inplace> default|password|pin|pattern [passwd]
vdc cryptfs changepw default|password|pin|pattern [newpasswd]

If I do it manually will it work or is there some bigger problem? Whan can be done?

Thank you for cryptfs-password-manager. Please post your bitcoin address in the readme.

Unfortunately, this app doesn't work with Android 9. Google has taken away the ability to use raw vdc cryptfs commands.

Nexus 5 D821
Stock 6.0 build MRA58K
TWRP 2.8.7.1
ElementalX kernel 6.03
SuperSU v2.52
Bootloader state Unlocked
SELinux Enforcing

Initially had a PIN and location based Smart Lock enabled. Encrypted it successfully and rebooted a couple of times to make sure. Then changed disk encryption password using this app, confirmed the password I entered was correct in the pop up after it was done. Rebooted to TWRP recovery, saw that the password was reported as wrong. Rebooted to System, again password seems wrong. Earlier pin isn't not working either, of course.

I am 100% sure the password I'm entering is correct, but decryption fails during boot up and in TWRP. I do have the necessary backups (Nandroid, Titanium) on my computer of course, so I will try again on 100% stock (/system, /data, /recovery, but with chainfire's /boot so as to root) after battery charges up and report back.

Hej why does this happens all the time i wanna open it?

hey, it would be really nice if you could enable lockscreen-unlocking through other security methods than PIN.
just for comparison:

• PIN (insecure)
• Password (insecure OR unusable)
• Pattern (if not 3x3, more secure than PIN / more usable)
• Gesture (more secure than Pattern/PIN / more usable)

as you may suspect, I really like the Gesture to unlock my phone but would like to keep it after encrypting my phone.

On CM13 (maybe also on Android 6), the vdc cryptfs changepw command is wrong, and results in an empty password.
A check of system/vold/CryptCommandListener.cpp shows that the command needs to be
vdc cryptfs password current-password new-password

Update: Removed angle brackets since they are interpreted...

If spaces are included at the beginning or end of the password entered by the user they will not be included in the newly set password. For example a password of " password " gets set as "password". The confirmation displayed after the password is set does not make it clear that the spaces were dropped. Spaces in the middle of the password are included as intended.

I was trying to change the password for my 6X6 grid (on ArrowOS 10) and couldn't find the right sequence.
Kept getting the error Failed: Status(-8, EX_SERVICE_SPECIFIC): '-1: '

It took me ages but I ended up finding this post with the correct grid -
TeamWin/Team-Win-Recovery-Project#1388

Once I had the right pattern using -
vdc cryptfs changepw password OLD_PASSWORD NEW_PASSWORD
worked like a charm

Might be useful to put it in the readme so others can find it more easily

Hi,

could you support CM12. It looks like it correctly gains root access but then fails:

7096 D/su ( 6233): su invoked. 7097 D/su ( 6233): starting daemon client 10073 10073 7098 D/su ( 6235): remote pid: 6233 7099 D/su ( 6235): remote pts_slave:· 7100 D/su ( 6235): waiting for child exit 7101 D/su ( 6238): su invoked. 7102 E/su ( 6238): SU from: u0_a73 7103 D/su ( 6238): Checking whether app [uid:10073, pkgName: org.nick.cryptfs.passwdmanager] is allowed to be root 7104 D/VoldCmdListener( 2400): cryptfs getpwtype 7105 D/su ( 6238): Privilege elevation allowed by appops 7106 D/su ( 6238): Allowing via appops. 7107 D/su ( 6238): 10073 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh 7108 D/su ( 6238): Waiting for pid 6239. 7109 D/su ( 6241): su invoked. 7110 D/su ( 6238): Finishing su operation for app [uid:10073, pkgName: org.nick.cryptfs.passwdmanager] 7111 D/su ( 6235): sending code 7112 D/su ( 6235): child exited 7113 D/su ( 6233): client exited 0

Hi @nelenkov,

do you plan to support CM14 / LineageOS or is there anything present in those releases that don't make your app necessary anymore?

Cheers & thanks in advance
Thomas

I'm using the "declared permission" option of my su-management. That means, that su-request will be only allowed from apps that declare android.permission.ACCESS_SUPERUSER.

So would you please add the following line:
<uses-permission android:name="android.permission.ACCESS_SUPERUSER" />
to your:
AndroidManifest.xml
in future versions?
[credits / source: https://github.com/kibab/encpasschanger/issues/2]

Thanks in advance for any response.

Hi.
I use your app for a long time.
Didn't checked properly into source code, but around april 2018 AOSP heavily changed vdc and now, password does not need to be provided as HEX anymore.
This lead into issues while on release after april 2018.

Gonna check another time, but mostly, after successfully changing the device password, it gets displayed on the screen, but never work.
As a workaround, TWRP is able to decrypt as it try both version of the password (plain text and hex converted one).

Is there anyway to check somwhere and disable password change for such devices until fixed?
I am aware of this issue but don't think every one using your app will.

Thanks in advance

You're currently checking checking for ro.crypto.state == encrypted but you should also check for ro.crypto.type == block.
Cryptfs is pointless for File-Based Encryption (FBE).

See also here and here.