Does Encryption work with Lineage OS?

Is it today possible to encrypt lineage os? It’s not working right now and crashing every time I try…

Encryption works fine for me.

Edit: Found it, it must have been some LineageOS build from July '17 when it started working, it wasn’t working with the 2017-06-14 build before.

2 Likes

But I have all the latest version and a fresh Installation…

Try resizing the data partition in TWRP, I can remember I did this while I was having trouble with encryption …

4 Likes

Enabling encryption does not work for me on Lineage, the phone simply restarts, but encryption is not started.

Did you already resize the data partition?
(See 1 post above yours).

1 Like

I saw the post, but wanted to report the bug is still on Lineage. Forgot we have a bugtracker for that.

Before I report that issue there, is encryption working for others out of the box? The reason I’m asking is that I bought the FP2 used and reinstalled FP OS myself. The person who owned the phone before me experimented with early Lineage Builds and it could be my partitioning was/is different.

My partition was already the correct size, so workaround did not help. Instead, I run in the
“Bad magic block” issue, but i only get the first part of the error:

E/Cryptfs ( 236): Bad magic for real block device /dev/block/platform/msm_sdcc.1/by-name/userdata

Will try a factory reset.

1 Like

Ok. It simply does not work. Thats sad, i consider encryption as absolutely crucial.

Here is what I tried:

  1. Resizing the userdata filesystem: Does not help, was already correct.
  2. Clearing the full userdata with TWRP: No change
  3. dd if=/dev/zero of=/dev/block/mmcblk0p20: No change
  4. Replace Lineage with a clean installation of Fairphone OS, the reinstall Lineage: No change
  5. Check the magic block of user data: Its 0x53 as it should be.
  6. Remove the SD Card. No change.
  7. Remove the Camera module. A tip by a friend of mine (obscure, right?). Does not help, phone does not boot without the module. I don’t have the old module any more.
  8. Reformat the the userdata with f2fs (@chrmhoffmann mentioned somewhere using f2fs with encryption). Get the old error

E/Cryptfs ( 237): Orig filesystem overlaps crypto footer region. Cannot encrypt in place.

  1. Resize the f2fs filesystem. Loose all userdata in the process. Again. Reboot, enable ADB for logs, set a unlock, enable encryption and finally:
  2. The phone reboots and asks for my passcode. The reboot is taking quite long, I guess that is a good sign, but it could also be a boot loop: :man_shrugging:.

Now, I imagine formatting to f2fs and then resizing somehow triggered the required change. Regarding error analysis, I can imagine two scenarios.

First: The owner before me experimented with f2fs and somewhere deep in the Fairphone, a wrong magic number survived all my wiping experiments. After formatting to f2fs, the code matched again?
Second: Reformatting with ext4 left some data untouched. Only changing the filesystem was successful in completely wiping the phone. The would indicate, that I could change the fs back to ext4 and it would still work.

No Idea how to proceed. Phone is still booting. No way to see if it does something useful.

I remember I occasionally had to destroy the LUKS header to resolve a failed encryption attempt to make encryption possible again.

Edit: Oh, perhaps that is the same as your point 3.

1 Like

fairphoneangels ?
Which OS did you boot without the camera?

Tried that to.

My phone was almost empty. How long should encrypting take in this case?

Edit: I know get a boot animation for a few second, then I am able to enter my password. Afterwards, however, I am stuck at boot.

Should complete almost instantly. I did that, too.

So for better or worse, encryption seems to be in place.
Edit: When booting into TWRP, does TWRP request the password?

Might take a few minutes the first time, but if that isn’t it … Does the booting process after entering the encryption PIN get stuck, or do you get a reboot loop?

Anyway, if the encryption is indeed in place now, you could now reinstall the OS all you like without breaking the encryption, just don’t format the data partition.

It’s stuck. I can access the data partition on twrp after entering the PIN. I can even mount it, in the shell:

~ # mount /data
~ # ls /data/
adb cache mediadrm ss
anr camera misc ssh
app connectivity misc_ce system
app-asec dalvik-cache misc_de system_ce
app-ephemeral data ota system_de
app-lib drm ota_package time
app-private lineageos_updates property tombstones
audio local resource-cache user
backup lost+found security user_de
bootchart media shared usf

Do you think that would help? I did nothing the OS, it was clean. I would reinstall lineage, the modem and gapps, but not wipe data right? I could simply run rm -rf * in data, right?

Edit: That seems to have worked! I boot into the recovery (turn the phone off, then hold volume up. I entered the PIN and used adb shell to log into the phone.

I used mount to check /data is actually mounted to /dev/dm-0, the encrypted user data. I then deleted all files in userdata with rm -rf * and rebooted. Of course, all data is lost, but I am now greeted with the first use setup. I am restoring my apps from Google Play atm. :+1:

But I am bit afraid that this does not survive the next reboot :wink:

1 Like

That sounds good.

Encryption not working for you after all you did was beyond my logic, so … I’m now beyond logic, anything goes :slight_smile: .

Worth a try. I would do that in this situation.

Logically thinking again, yes, for what it’s worth :innocent: .

1 Like

I’ve also been struggling to get encryption to work with Lineage OS. I found the solution in the end: for me, it’s not specific to Lineage OS at all. It’s a bug with the Fairphone 2 to do with the new camera. This solution worked for me: Encrypting new FP2 fails (“just” remove the rear camera, encrypt, and replace it again when done).

2 Likes

I finally found some time to encrypt my phone (after going through the hassle of disassembling the rear camera). Now on boot up, the process has changed and my pin is asked quite early in the boot process.
Now when I power off the phone (rear camera still disassembled, otherwise it would reboot right away) and then power into TWRP I’m not asked for a pin or anything. That surprised me a little. But what changed, is that now I’m asked to keep it “read only” which I can cancel with a swipe.

So then I tried to browse thru the file manager the external SD card is still completely readable but the internal things seem not to show up.

How can I encrypt the external SD card?

Do I have to worry when installing new versions of LineageOS? So far I downloaded them, made sure they are on the internal SD card went to TWRP and installed it from there. Is this process still the same or do I have to watch out for something now?
I’m a little worried as I’m not asked for the PIN when entering TWRP mode.

Maybe as an additional Info, I have TWRP 3.0.2 installed. (It came with the Fairphone Open OS Version I installed). But I just saw that it is quite old. Should I upgrade to the most current Version? Should I have done that before trying the encryption?

Maybe you only need to enter the pin if you need to access the data. But for, when I reboot into recovery using adb reboot recovery, I get the prompt to mount my data partition (Title: Mount - Decrypt data), but I can cancel it and then I get the same prompt you have.

I think that is not possible. Did not find a way to do so.

I have the latest version installed.

Thank you for the quick answer @ben .
I installed the newest TWRP version and now I get asked for a PIN and can access the local file system in twrp mode. I got some error messages though when installing. I guess because some of the default folders were not accessible because of the encryption. I’m actually a little (positively) surprised, that everything still seems to work though :slight_smile:

Btw, what do you mean by using adb reboot recovery? This is done from a PC connected to the phone, correct? Because I’m looking for a way to boot into recovery from within LineageOS, like when installing an update.

And is it possible to decrypt the phone again? From within LineageOS it does not seem to be possible.

Encryption is irreversible - at least this is what Android says when starting the encryption process. You’d have to format your data partition, but this clearly is not decryption.

2 Likes

You have to activate developer options (click ten times at ‘Build Number’), go there to ‘Extended Restart’ and activate it. Than you do a long press at the on/off button and you are able to choose to reboot into recovery.

2 Likes