Doesn't work with Android 9

[jfeise]

Unfortunately, this app doesn't work with Android 9. Google has taken away the ability to use raw vdc cryptfs commands.

[utack]

Is there anything we can do?
Do I have to downgrade to Android 8, encrypt+vdc cryptfs, and then install Android 9 on top of that already encrypted data partition?

[jfeise]

Is there anything we can do?
Do I have to downgrade to Android 8, encrypt+vdc cryptfs, and then install Android 9 on top of that already encrypted data partition?

I tried that, didn't work. The reason is that when you select a screen lock pin/password/pattern on first boot of Android 9, it sets it for the encryption as well (or, if you select not to use it for encryption, it clears the encryption password.)
I have tried this with LineageOS 16.0 on my OnePlus 3 phone.
Since I build the OS myself, I actually modified the code to not change the encryption key when setting the screen lock.
I believe it should be possible to call the function in the Android StorageManager from an app. Haven't tried that yet, though.
In the LineageOS 16.0/Android 9 code, this is in frameworks/base/services/core/java/com/android/server/StorageManagerService.java, the function is called changeEncryptionPassword(int type, String password)

[bastei]

As a workaround, you can do the following (on your own risk):

1. set the desired password for the screen lock
2. backup lockscreen files:
   1. all files under /data/system_de/0/spblob/
   2. files containing "_synthetic_password_" in /data/misc/keystore/user_0/
   3. /data/system/locksettings.db
3. set the desired password for the device encryption
4. restore / replace all lockscreen files

If something went wrong, sqlite into /data/system/locksettings.db and set the values of sp-handle and lockscreen.password_type to 0 to reset the screen lock.

[dartraiden]

As a workaround, you can do the following

Does not work with Pixel Expirience on my Redmi Note 4X, but I found a much easier method:

1. set the desired password for the device encryption
2. restart, check the encryption
3. delete /data/system/locksettings.db from recovery (this removes the screen lock)
4. set the desired password for the screen lock and reject the offer to use it for device encryption

[utack]

4. set the desired password for the screen lock and reject the offer to use it for device encryption

for me this resets the encryption password and it is disabled

[dartraiden]

Maybe it depends of firmware...

Just tested again (Redmi Note 4X with Pixel Experience):

• installed the firmware (without setting the lock screen)
• Settings → Security and Location → Screen lock → Password → Yes

• rebooted with my password
• rebooted to recovery, decrypted /data
• deleted /data/system/locksettings.db (also deleted locksettings.db-wal and locksettings.db-shm just in case)
• rebooted to system with my password
• Settings → Security and Location → Screen lock → PIN → No

Rebooted to system with my password and unlocked screen with my PIN.

[utack]

@dartraiden exactly what I did, but then encryption was "disabled" (emtpy password) once I selected "no" on encrypted startup
Maybe they changed the behaviour

[jfeise]

@dartraiden exactly what I did, but then encryption was "disabled" (emtpy password) once I selected "no" on encrypted startup

That's the behavior I see in the LineageOS 16.0 source code, I assume that came from AOSP. Maybe some manufacturers have changed it.

[myfirstnameispaul]

I performed the following steps with my Galaxy S5 SM-G900T:
Formatted data from recovery
Installed LineageOS 16, gapps pico, and Lineage SU
Booted into system
Set password and required on boot
Rebooted to system, entered password to boot
Enabled encryption
Rebooted to system, entered password to boot
Rebooted to recovery, entered password to decrypt data
Deleted /data/system/locksettings.db and associated files
Rebooted to system, entered password to boot
Set screen lock PIN and selected NO to require PIN on start
Rebooted to system, not prompted to enter password to boot.

What did I do wrong?

Note that the phone is still encrypted.

[jfeise]

I performed the following steps with my Galaxy S5 SM-G900T:
Formatted data from recovery
Installed LineageOS 16, gapps pico, and Lineage SU
Booted into system
Set password and required on boot
Rebooted to system, entered password to boot
Enabled encryption
Rebooted to system, entered password to boot
Rebooted to recovery, entered password to decrypt data
Deleted /data/system/locksettings.db and associated files
Rebooted to system, entered password to boot
Set screen lock PIN and selected NO to require PIN on start
Rebooted to system, not prompted to enter password to boot.

What did I do wrong?

Note that the phone is still encrypted.

That's how LineageOS works. If you select NO to require pin or password on start LineageOS clears the password.

[dartraiden]

Yes, some firmware (LineageOS) remove encryption, some (PE) leave it on

[thedroidgeek]

I've added support for Android 9 on my fork and included an .apk for download, but in order for this to work, the app has to be systemized and privilege whitelisted (both of which can be done using the 'App Systemizer' module which can be downloaded directly through the Magisk Manager, though be sure to choose '/system/priv-app' when prompted for the install location) so it can be allowed the CRYPT_KEEPER permission in order for it to be able to access the StorageManager stuff and work its magic.

[k4tfish]

I had no luck with your fork on LOS 16, the CRYPT_KEEPER permission doesn't exist.

systemize -d cryptfs-app-debug.apk                                         
 Checking APK size - 1M
 Transfering cryptfs-app-debug.apk(org.nick.cryptfs.passwdmanager) to '/system/priv-app'...
 Granting Permissions
 org.nick.cryptfs.passwdmanager - Done
 android.permission.CRYPT_KEEPER doesn't exist!

[thedroidgeek]

I had no luck with your fork on LOS 16, the CRYPT_KEEPER permission doesn't exist.

systemize -d cryptfs-app-debug.apk                                         
 Checking APK size - 1M
 Transfering cryptfs-app-debug.apk(org.nick.cryptfs.passwdmanager) to '/system/priv-app'...
 Granting Permissions
 org.nick.cryptfs.passwdmanager - Done
 android.permission.CRYPT_KEEPER doesn't exist!

Yeah I don't know why it complains about the permission with the -d option, but the way I did it is by installing as a regular app first, then I ran systemize in prompt mode (no args) and chose the Systemize Installed Apps (Listed) option.

It's also worth to check that there's a /system/etc/permissions/privapp-permissions-org.nick.cryptfs.passwdmanager.xml after the script runs, with something like:

<?xml version="1.0" encoding="utf-8"?>
<!--
        Generated by App Systemizer (Terminal Emulator) by veez21
-->
<permissions>
    <privapp-permissions package="org.nick.cryptfs.passwdmanager">
        <permission name="android.permission.CRYPT_KEEPER"/>
    </privapp-permissions>
</permissions>

[icescalar]

I was able to install cryptfs-password-manager on LOS 16.0 as @thedroidgeek suggested. The privapp-permissions-org.nick.cryptfs.passwdmanager.xml is also were it should be.

but when i try to change the password using the app, i just got an error "Password change error. Failed to change device encryption password."

Any idea?