Stock Android has offered full device encryption to users since Honeycomb (Android 3.0). One of the problems with the stock implementation of full device encryption on Android, however, is that it forces you to use the same password both to decrypt the device on boot and to unlock the lock screen. This leads to a couple of different problems, especially if you check your phone regularly. As a couple of articles, such as this one, pointed out, users were more likely to choose weak passphrases as a result, given the effort required to unlock their phones each time.
However, if you have a rooted device, you can easily work around this. All you need is root and a way of accessing the shell on Android (either ADB shell, or locally on the phone using a program such as ConnectBot). If you look at the Android Open Source Project (AOSP) documentation, you'll find this page. It essentially tells us that the at-boot password can be changed after the device has been encrypted. So the basic instructions are as follows:
- Set a password or PIN up in Android. (This should be the PIN you want for your lock screen access.)
- Encrypt the device normally using the option under Settings –> Security.
- Open up an Android shell (using any program like those mentioned in the preceding paragraph), and get root. (Typically with “su”).
- Run the command “vdc cryptfs changepw YOURBOOTPASSWORD”. That’s it!
- Restart your phone and you'll need to use your (hopefully significantly longer) boot password to start it up. Once it's running, simply use the PIN you chose at the very beginning to unlock your screen.
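As an added example (not from the original post), here is a small shell wrapper around the steps above that refuses to run unless the shell is root and the device already reports itself as encrypted, and that makes you type the new boot passphrase twice before handing it to `vdc`. It assumes `getprop` and `vdc` on PATH, the `vdc cryptfs changepw <passphrase>` form shown on this page, and a constructed minimum length `MIN_LEN`.

```shell
#!/bin/sh
# Added helper for the procedure above. Assumes a root shell on the device with
# getprop and vdc on PATH, and the command form shown on this page
# (vdc cryptfs changepw <passphrase>). MIN_LEN is a constructed policy value.
MIN_LEN=12

# Sanity checks before touching the crypto footer. $1 = numeric uid of the shell,
# $2 = value of ro.crypto.state. Return codes: 0 ok, 2 not root, 3 not encrypted.
preflight() {
    [ "$1" -eq 0 ] || { echo "need root: run su first" >&2; return 2; }
    [ "$2" = "encrypted" ] || { echo "device is not encrypted (ro.crypto.state=$2)" >&2; return 3; }
    return 0
}

# Boot passphrase policy: at least MIN_LEN characters and typed identically twice.
# $1 = passphrase, $2 = confirmation. Return codes: 0 ok, 4 too short, 5 mismatch.
check_passphrase() {
    pw="$1"
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "passphrase shorter than $MIN_LEN" >&2; return 4; }
    [ "$1" = "$2" ] || { echo "passphrases do not match" >&2; return 5; }
    return 0
}

# Prompt without echo where the shell supports read -s (bash does); on shells
# that lack it the input is echoed, so prefer a local terminal over a shared screen.
read_secret() {
    printf '%s: ' "$2" >&2
    if ! read -rs "$1" 2>/dev/null; then read -r "$1"; fi
    echo >&2
}

# Gather state from the device, run the checks, then call vdc. The passphrase is
# passed as an argument because that is how vdc takes it; clear shell history
# afterwards if your shell keeps one.
change_boot_password() {
    preflight "$(id -u)" "$(getprop ro.crypto.state)" || return $?
    read_secret new "New boot passphrase"
    read_secret again "Repeat it"
    check_passphrase "$new" "$again" || return $?
    vdc cryptfs changepw "$new"
}

# Only run interactively when invoked as: sh changepw.sh --run
if [ "${1:-}" = "--run" ]; then change_boot_password; fi
```

Later Android releases changed `vdc cryptfs changepw` to expect a credential type (such as `password`) before the passphrase, so confirm the form your build accepts before relying on this.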
This set-up is much better than the default stock Android situation. My next step is hopefully finding a way to automatically power off the phone after 3 failed lock attempts (so that an attacker is forced to go against a significantly stronger boot password.)