I’ve recently been looking at improving my phone’s security configuration, and I found some advice regarding filesystem encryption which applied to Android L but not to M – and some reports of problems with this advice when applied to Cyanogenmod 13, which led me to information about a bug which stopped this working. I discovered that it was was fixed in mid-February, but my CM13 installation predates that: this meant that my phone, until shortly before writing this, never asked me for anything other than the usual at the lock screen.
So here’s a quick guide to changing your phone’s filesystem encryption pass phrase. You may know this as the boot pass phrase; in one important way, it is indeed exactly that, so I’m going to call it that.
This information is valid for Cyanogenmod 13, and may also be valid for other modified OSes and for stock Marshmallow.
Keeping lock screen and boot pass phrases the same
This is easy. Just set the pass phrase for the lock screen and you’ll be asked whether you want to use it at start-up. If you choose not to then any existing boot pass phrase will be removed and you won’t be asked for one after rebooting.
Making them different
I’m assuming a certain amount of technical capability here (if I didn’t, this article would be about three times the size – at least).
- Developer mode is enabled.
- Access to a root shell on your phone. It doesn’t matter whether this is via a terminal app or via ADB.
CM13 has a terminal app built in. You can enable it and allow root access via developer options once developer mode is enabled.
Back up first!
In case of mistakes, make a backup. Make sure that it’s stored somewhere other than on the phone. If you make a mess of changing the pass phrase, you’re going to have to wipe and re-install.
A good way to create a backup is to run adb backup -apk -all -shared -system, which will create a file named “backup.ab”. You can later restore this using adb restore backup.ab should you need to.
As I use TWRP for recovery and update purposes, I created my backup using that and copied it from my phone by using “adb pull /sdcard/TWRP/BACKUPS .”. Had there been a problem, I’d flash an appropriate stock Marshmallow image, re-install TWRP, start that up then push the backup directory back to my phone then tell TWRP to restore the correct backup from that.
Making the change
You’ll need the current boot pass phrase. This is whatever you type in when asked “
To start Android, enter your password”; if your phone doesn’t ask then it’s using the hard-coded default, which is “
Choose a pass phrase. The usual advice about something easy to remember and hard to brute-force applies. Do not choose an empty pass phrase!
“default_password” and “new_password” as appropriate (no encoding needed, except perhaps a \ or two in specific circumstances):
vdc cryptfs changepw password 'default_password' 'new_password'
Or, if you’re setting a PIN:
vdc cryptfs changepw pin 'default_password' 'new_password'
This will take somewhere between 2 and maybe 10 seconds to run, depending on your phone. If all is well, you’ll get this response:
200 0 0
If not, something’s gone wrong. I don’t have sufficient information about errors here, unfortunately. Anyway, if the output differs, retry the command, first checking that you entered it correctly; otherwise, you’ll have to look up result codes from that command and decide from that.
Reboot and test
Now. Here’s the fun bit. Reboot your phone. You’ll fairly quickly be asked for the new boot pass phrase, so enter it. All being well, your phone will continue to boot and you’ll end up at the lock screen as normal.
Remember that you’ve not changed anything which affects the lock screen: you can unlock exactly as you did before making the boot pass phrase change.
Oh, and don’t forget that pass phrase…
It appears to be possible to set the pass phrase to a pattern. I’m guessing that the pass phrase, in this case, would be a sequence of digits describing the dots to be joined, and in what order.