Multiple encryption passwords (also different from screen lock password) with file-based encryption



  • QUESTIONS

    1. How can you set different passwords for file-based encryption of different files in an Android version that allows file-based encryption?

    2. As a corollary,* how can you set a file-based encryption password that is different from the screen lock password?

    *I am saying that the second question is a corollary to the first because if you have two or more passwords for encryption then at least some of them would of necessity be different from the screen lock password.

    I would like the answer to refer to (a) methods (for 1 or 2) generally available in any Android version, (b) if no such methods exist, any method available for a particular version (e.g. Lineage) or brand of manufacture, (c) if no such version or brand exists, any method through a third party app or command line hack, or finally (d) state that there is no method to achieve 1 or 2.

    BACKGROUND

    The questions amount to asking what the implementation of the following statement (from https://source.android.com/security/encryption ) actually looks like.

    Android 7.0 and later supports file-based encryption. File-based encryption allows different files to be encrypted with different keys that can be unlocked independently.

    What I (perhaps naively) expected was to see handy Settings items for choosing groups of files and assigning them different passwords or at least a Settings item for assigning an encryption password different from the screen lock password.

    What I instead found:

    • My Samsung phone running Android 11 has a Settings item called "Strong protection" (which I understand is the reference to the file-based encryption). It can only be turned on or off. The blurb for it goes, "Encrypt your phone using your secure lock type (pattern, PIN, or password)." I found nothing else in Settings relating to an encryption password.
    • The statement that setting an encryption password different from the screen lock password was "no longer possible" with file-based encryption, as found in https://android.stackexchange.com/a/240995/362884 .
    • No guide out there on the Internet on how to set different passwords for different files or an encryption password different from a screen lock password (other than what looked like a hack, used a third party app, or was three or four years old).

    So it seems:

    • There is no practical way to separate encryption password from screen lock password in Android (as of version 11) to say nothing of setting different encryption passwords for different files.
    • The old complaint about having to strike a balance between security (from a long encryption password) and convenience (from a short screen lock) still remains.

    LATER ADDED

    As for the request appearing at the top of the post, i.e.

    Your question has been identified as a possible duplicate of another question. If the answers there do not address your problem, please edit to explain in detail the parts of your question that are unique.

    The linked post is about separate encryption vs. screen lock passwords. This post is about multiple encryption passwords (the encryption vs. screen lock part of it arising only as a corollary). I don't see how the two questions could be conflated, but there it is.

    Thanks for the comments tending to say that multiple passwords are either not possible or not to be encouraged.

    If so, how should I square away the apparent contradiction with the statement from android.com, i.e.:

    Android 7.0 and later supports file-based encryption. File-based encryption allows different files to be encrypted with different keys that can be unlocked independently.

    Maybe comments might suffice on this contradiction. If this must be a separate question, please advise. I am willing to remove the 'contradiction' bit to a new post.



  • This is the final (d): state that there is no method to achieve this on FBE

    different files to be encrypted with different keys

    Please note the distinction between the terms keys and credentials:
    each file gets its own encryption key, but all keys are encrypted with the same credentials (for this user).

    that can be unlocked independently

    probably refers to CE / DE where each user can unlock CE independently


    Edit: Samsung devices provide (FBE) "Strong protection", which is the successor to (FDE) Secure startup
    -> Settings -> Biometrics and security -> Other security settings -> Strong protection
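
    The key versus credential distinction drawn in the answer above, as an added example that is not part of the original post and is a simplified model rather than Android's actual key management: every file gets a distinct key, yet the only user input behind all CE file keys is the one lock screen credential, while DE file keys need no credential at all. The class name, the constructed secrets and the choice of PBKDF2 and HKDF are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values (not real device data).
DEVICE_SECRET = bytes(range(32))   # stands in for a hardware-bound secret
SALT = b"constructed-salt"
NONCE_A, NONCE_B = b"\x01" * 16, b"\x02" * 16   # per-file nonces

def hkdf_sha256(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class ToyUserStorage:
    """Hypothetical model of one user's DE and CE storage classes."""

    def __init__(self, device_secret: bytes, salt: bytes):
        self.device_secret, self.salt = device_secret, salt
        # DE class key: available after boot, no credential involved.
        self.de_key = hkdf_sha256(device_secret, b"DE")
        self.ce_key = None  # CE class key: locked until the user unlocks

    def unlock_ce(self, credential: str) -> None:
        # The single lock screen credential is the only user input to the CE key.
        stretched = hashlib.pbkdf2_hmac("sha256", credential.encode(), self.salt, 100_000)
        self.ce_key = hkdf_sha256(self.device_secret + stretched, b"CE")

    def file_key(self, storage_class: str, nonce: bytes) -> bytes:
        # Every file gets its own key, derived from its class key and nonce.
        class_key = self.de_key if storage_class == "DE" else self.ce_key
        if class_key is None:
            raise PermissionError("CE storage is locked")
        return hkdf_sha256(class_key, b"file" + nonce)

if __name__ == "__main__":
    s = ToyUserStorage(DEVICE_SECRET, SALT)
    print("DE file key before unlock:", s.file_key("DE", NONCE_A).hex()[:16])
    s.unlock_ce("1234")
    print("CE file A:", s.file_key("CE", NONCE_A).hex()[:16])
    print("CE file B:", s.file_key("CE", NONCE_B).hex()[:16])
```

    In this model a wrong credential silently yields different CE keys; nothing here verifies the credential before deriving from it.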



