Android device encryption hang at Time remaining 00:00

Recently I had a frustrating problem while trying to enable full disk encryption on my Android device (Motorola G3 “osprey”). Every time the encryption process would hang forever at:

Encrypting
Wait while your phone is being encrypted.
Time remaining 00:00

After forcibly rebooting the phone, any password (even the wrong one) would result in a message like:

Decryption unsuccessful
The password you entered is correct, but unfortunately your data is corrupt. To resume using your phone, you need to perform a factory reset. When you set up your phone after the reset, you’ll have an opportunity to restore any data that was backed up to your Google Account.

This same message appeared even after the suggested factory reset – from this state, the only way I could find to restore the phone to working order was to format the data partition.

I looked into the source code, and it turns out that this problem happens if the encryption finishes successfully but the final writing of encryption metadata to the metadata partition (or the final test mount) fails for some reason. Normally the phone would restart soon after completion and the time remaining screen would disappear, but in this case nothing tells the user interface to report that an error occurred, so it just sits there.

Debugging this sort of problem is not too difficult if you can plug in the phone via USB and view live logs with adb logcat. The good news is that the logs output from the encryption process are quite verbose. The bad news is that since the encryption process is done as part of a restart – with only a minimal system running and without user configuration loaded – adbd may not be running at this point to allow connection. To allow debugging this, I built my own Android image with adb enabled at boot by making these changes. (Building Android from source is daunting but easier than you would think… mainly it just uses a lot of Internet bandwidth and disk space.)

In my case – unofficial LineageOS 16.0 on my osprey device – the root problem turned out to be incorrect SELinux rules that denied vold (the volume manager daemon) permission to the metadata partition:

 D vold    : cryptfs_enable_inplace_f2fs success
 E Cryptfs : Cannot open footer file /dev/block/bootdevice/by-name/metadata for put
 W Binder:256_2: type=1400 audit(0.0:19): avc: denied { read write } for
             uid=0 name="mmcblk0p26" dev="tmpfs" ino=9642 scontext=u:r:vold:s0
             tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
 I Cryptfs : cryptfs_check_passwd
 E Cryptfs : Cannot open footer file /dev/block/bootdevice/by-name/metadata for get
 E Cryptfs : Error getting crypt footer and key
 E Cryptfs : Could not get footer
 E Cryptfs : Encrypted filesystem not validated, aborting

To work around this I added a hack to system/sepolicy/vold.te in my Android build tree to allow vold access to all block devices… I’m sure there is a better way but this helped me to get back up and running quickly.

 allow vold block_device:blk_file { create setattr unlink rw_file_perms };
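
As an added example (not part of the original post or of LineageOS), this Python sketch parses a wrapped avc denial like the one in the log above, prints the narrowest rule the denial itself justifies, and flags a generic target type. The function names and the list of generic types are assumptions made for illustration.

```python
import re

# Constructed sample: log lines quoted in the post, avc record wrapped as shown there.
SAMPLE_LOG = """\
 D vold    : cryptfs_enable_inplace_f2fs success
 E Cryptfs : Cannot open footer file /dev/block/bootdevice/by-name/metadata for put
 W Binder:256_2: type=1400 audit(0.0:19): avc: denied { read write } for
             uid=0 name="mmcblk0p26" dev="tmpfs" ino=9642 scontext=u:r:vold:s0
             tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
 E Cryptfs : Encrypted filesystem not validated, aborting
"""

# An avc record runs from "avc: denied {...} for" up to the permissive= field.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?permissive=\d)", re.S)
# Assumption: catch-all labels that usually mean the node has no specific type.
GENERIC_TYPES = {"block_device", "device", "unlabeled"}

def parse_denials(log):
    """Return one dict per avc denial, tolerating records wrapped across lines."""
    denials = []
    for perms, rest in AVC_RE.findall(log):
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rest))
        source = fields["scontext"].split(":")[2]  # u:r:<type>:s0
        target = fields["tcontext"].split(":")[2]  # u:object_r:<type>:s0
        denials.append({
            "perms": perms.split(),
            "source": source,
            "target": target,
            "tclass": fields["tclass"],
            "name": fields.get("name", "").strip('"'),
            "enforcing": fields["permissive"] == "0",
            "generic_target": target in GENERIC_TYPES,
        })
    return denials

def candidate_rule(d):
    """Format the rule covering only the permissions that were actually denied."""
    return "allow {source} {target}:{tclass} {{ {p} }};".format(p=" ".join(d["perms"]), **d)

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(candidate_rule(d))
        if d["generic_target"]:
            print("# generic target type: rule covers every node with this label, not only", d["name"])
```

Because the denied node carries the generic block_device type, any allow rule written against it applies to every block device with that label; the narrower alternative is to give the metadata partition its own type in the device's file_contexts and grant vold access to that type only.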

I hope this helps someone else if they run into this same frustrating problem!
