Recovery and Encryption #99

Open
diogotavc opened this issue Aug 17, 2024 · 4 comments
Labels
A11 Affects Android 11

@diogotavc

Build used

lineage-18.1-20240809-UNOFFICIAL-zeroltexx.zip

Model number

SM-G925F

Describe the bug

Not exactly a bug, and since I don't know where to ask: I'm curious about the fact encryption is disabled out of the box, and why there's a custom build of TWRP (with support for OTA) as opposed to using LineageOS's recovery.

Is TWRP used just because it can access files on the device easier? Why not use LineageOS's most minimal recovery, that's more reliable and easier to build and package together with the rom?

Note: Since the device is quite old, I doubt you can get TrustZone and so on to collaborate on having working FBE, but since FDE is technically still supported up to Android 13, I see this as a bit of a security risk (when it comes to stolen devices).

To Reproduce

not a bug

Any extra info

As stated on Google's page on Full-Disk Encryption, "Only devices that launched with Android 9 or lower can use full-disk encryption. (...) Android 10-12 support full-disk encryption only for devices that upgraded from a lower Android version.", indicating that both Android 11 and 12 still support FDE.

@diogotavc diogotavc added the A11 Affects Android 11 label Aug 17, 2024
@fakemanoan
Owner

A lot of the things you need to do (root, install addons, backups, etc) are not well supported, or are not possible in Lineage Recovery. Also on newer versions of Android the Lineage recovery just doesn't work for our device, whereas TWRP works fine. Traditionally TWRP is used on the older Samsung devices, so that is what I support.

Encryption wasn't standard when the S6 came out, so I don't enable it, which I believe is the proper guidelines.

@diogotavc
Author

diogotavc commented Aug 17, 2024

Would you consider properly notifying users and enabling FDE on supported versions of Android, with the option to flash a zip to disable forced encryption (as it takes way longer to encrypt an already booted device, than to disable encryption before first booting)?

This now is less relevant, but regarding LineageOS 18.1 through to 20, the recovery isn't compatible with the S6? Never heard of that. Also, you should still be able to build the recovery when building LOS and it shouldn't be overwritten after an OTA (I can research about that - even if it is, it should be possible to add an addon.d script not to flash the recovery).

Thanks for your work!

@diogotavc
Author

diogotavc commented Aug 17, 2024

Seems encryption is bugged or takes way longer than it should. I left it for an hour or so, and it never ended up finishing. Would this happen with forceencrypt as opposed to encryptable? Or does the kernel not support FDE properly?

Another note: Having forceencrypt was mandatory on devices launched with Android 6 and newer. Although Android 5 had support for it and I believe was the default, it wasn't forced upon manufacturers. Since Exynos 7420 has ARM TrustZone, meaning it has hardware support for encryption and decryption, it shouldn't also impact performance much. (not sure if TEE will play super nice, but I'm 100% down to test an experimental forceencrypt build, if such is necessary)

I know you're doing this work for free, and having brought up and worked on another Exynos device, I absolutely respect your dedication, time and effort. Hopefully my request is reasonable and you can make it work. Thank you!
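
Added example (not part of this thread or of the project's code): the `encryptable` and `forceencrypt` options discussed above are fs_mgr flags in the fifth column of the `/data` line of an Android fstab, so a build's encryption policy can be checked by parsing that line. The fstab text, block device paths and policy labels below are constructed for illustration and are not taken from this device.

```python
# Added example: classify how an Android fstab declares encryption for /data.
# The fstab lines are constructed samples, not this device's real fstab.

# fs_mgr flag -> policy label (the labels are this example's own naming)
POLICIES = [
    ("fileencryption", "fbe"),         # file-based encryption
    ("forceencrypt", "fde-forced"),    # full-disk encryption applied on first boot
    ("encryptable", "fde-optional"),   # full-disk encryption only if the user enables it
]

def parse_fs_mgr_flags(field):
    """Split the fifth fstab column into {flag: value or None}."""
    flags = {}
    for item in field.split(","):
        name, _, value = item.partition("=")
        if name.strip():
            flags[name.strip()] = value.strip() or None
    return flags

def data_encryption_policy(fstab_text):
    """Return (policy, flag value) for the first /data entry found."""
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        # Legacy layout: <src> <mount point> <type> <mount options> <fs_mgr flags>
        if len(cols) < 5 or cols[1] != "/data":
            continue
        flags = parse_fs_mgr_flags(cols[4])
        for flag, policy in POLICIES:
            if flag in flags:
                return policy, flags[flag]
        return "unencrypted", None
    return "no-data-entry", None

SAMPLE_OPTIONAL = """\
# constructed sample fstab
/dev/block/by-name/SYSTEM    /system  ext4  ro                    wait
/dev/block/by-name/USERDATA  /data    ext4  noatime,nosuid,nodev  wait,check,encryptable=footer
"""
SAMPLE_FORCED = SAMPLE_OPTIONAL.replace("encryptable=", "forceencrypt=")

if __name__ == "__main__":
    for name, text in (("optional", SAMPLE_OPTIONAL), ("forced", SAMPLE_FORCED)):
        print(name, data_encryption_policy(text))
```

A result of `fde-optional` means the device boots unencrypted until the user starts encryption from Settings, which is the in-place path described in the comment above; `fde-forced` means the partition is encrypted at first boot.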

@fakemanoan
Owner

At least Lineage 20 recovery wouldn't work when I tried it. I haven't validated 18.1 recovery, but I assume it would work.

Kernel should support FDE. I remember Exynos 7580 devices had issues with encryption when binderised GNSS was used, could be related. I will have to look into it when I have the time.
