Pattern Unlock after Android Full Device Encryption

Question

Can pattern unlock be used for my device’s lock screen after I enable full device encryption?

I normally use pattern unlock, but the encryption procedure requires me to change to PIN or password before proceeding. Can I revert to pattern unlock once the encryption procedure is complete?

Answer

Important Note: The following answer is based on Android 4.0 (Ice Cream Sandwich). Beginning with Android 5.0 (KitKat) it is possible to encrypt one’s device using a pattern. However I have not tested if it is now possible to use a different security mechanism for boot unlock and screen unlock.

No, after encryption you must use PIN or password for your lock screen.

I could find no official documentation on this, so I tried it experimentally. I took a Nexus S running Android 4.0.3 (Ice Cream Sandwich), set a PIN lock, and performed the encryption procedure. After this, all unlock options other than PIN and Password are disabled (greyed out and inaccessible).

I suspect that the reason for this is that in order for the device encryption to be reasonably secure, it must be protected with a PIN or password to be entered at boot time, and Android settings do not provide a way to specify two different unlock methods for boot-time unlock and lock screen unlock. Maybe Android will gain this feature in a later version.

Note that there is no way to unencrypt your Android device without performing a factory reset, which will erase all of your data.



16 comments

  1. On my Galaxy SII there is an option to decrypt the phone if it’s encrypted (it takes about an hour, during which time the screen is completely blank and the phone seems unresponsive). Lucky really, as I also tried the experimental method only to find that I’ve got to type in a “6 characters inc. 1 number” password every time I want to unlock the phone (which is insanely tedious). Incidentally, on my phone I had to use a password for encryption – even PIN was disabled.

    As you say, hopefully Android will allow us to type a password on power on, but use face or pattern unlocks after that.

  2. This works on my Google Nexus 7 tablet but does not work on my brand new Samsung Galaxy S4. Man this is a pain… it basically renders encryption on the Galaxy useless unless you root.

  3. The reason for not allowing separate unlock password and disk encryption password is to either weaken the disk encryption by choosing a short (easy to break) one or by discouraging you from encrypting your disk altogether because of the hassle of having to enter a complicated long (30 characters) password every time you unlock your phone. It is not in Google’s or NSA’s interest to have such an encryption system in place.

  4. “it basically renders encryption on the Galaxy useless unless you root”

    Aren’t all Android phones essentially useless unless you root? I wouldn’t know, because I root my devices as soon as possible after acquiring them.

    I think the encryption system on Android is completely ridiculous. There should be an option to encrypt the phone and SD card such that a decryption password is required on boot, but then a PIN/pattern could be used to unlock the screen. I’m actually more concerned about encrypting the SD card because anyone with a basic knowledge of Android could pull out my microSD card and restore apps with data from my Titanium Backup archives and have access to my email, Facebook, and even *gasp* my Words with Friends account!

    They don’t need a password to my phone or to my accounts if they have access to my Titanium Backup archive! …which is just sitting on removable storage!

    So I want encryption, but a relatively simple unlock method. This seems the obvious default solution. You’d have to be pretty hardcore to be willing to type in an 8+ digit alpha-numeric password every time you want to unlock your phone.

    1. It would appear that, when I first wrote this comment, I was unaware of the option to use encryption in Titanium Backup. I now have all of my backups encrypted, so someone getting possession of my microSD card and using my backups is no longer a concern for me.

  5. To address the concern that tying encryption to PIN/password unlock weakens, intentionally or otherwise, encryption: No, not necessarily. Users weaken encryption with poor education or bad choices. Unless you time the theft or other possible threat so that it occurs sufficiently near to the battery depletion, choosing a strong encryption password but a simple PIN or pattern based unlock pattern completely defeats the point of encrypting the device. Once unlocked, you are free to copy unencrypted files via USB or messaging. And if you’ve timed your attack so well, you anticipated it very well and should know better in the first place.

    Attacking a weak PIN or pattern is far simpler than attacking a strong password, hence, if you are going to encrypt your device, choose a strong password and deal with it. If you are going to choose a weak one, you diminish the point in encrypting it in the first place.

  6. @Angel: The problem is: Many people see you typing in the PIN, only a few see you typing in the encryption password. So if it’s the same, many people will have watched you type it in. So better a mid-range PIN and a highly secure encryption password.

    BTW: Does anybody know how to do this on KitKat? Seems not to work anymore.

  7. Sorry, now it worked, not sure why. I tried UPDATE instead of INSERT statements, rebooted some times, and when I gave up, set a PIN and changed the encryption password with vdc, I had a pattern lockscreen after reboot. Not sure what worked, but it’s still possible with Android 4.4 (KitKat).

  8. Re #8 Aaron J. Angel: Allowing an indefinite number of tries on the long encryption password is, arguably, less secure than allowing the user the option of entering a three-digit PIN, say, five times – after which the device would forcibly shut down. No, the security scheme as it looks now is just terribly broken, I can see a few reasons for why this happened:

    (1) Just pure ignorance; not enough work was put into thinking about usability.
    (2) Possible Google+NSA conspiracy as post #5 already pointed out.
    (3) Possible lockout hazard: If people seldom use the encryption passphrase, it could easily be forgotten. Lockout = disappointed customer and also carrier; support case will require lots of work and resetting the phone.
    (4) A combination of any or all of the four factors above.

    But I rest my case, as things look now it’s just terribly bad and this should be fixed. With multiple and proper warnings to circumvent possible turmoil arising from point (4).

  9. @Tobias: That’s exactly how it should work. Allow a short pin or pattern to be used for unlock with a strong password required at boot, then do a forced shutdown if the wrong pin/pattern is entered more than say 3 (or 5) times. Even a 4 digit pin is extremely secure with only a handful of attempts possible. (Unless you are seen entering it, in which case it doesn’t much matter how strong it is.)

  10. Sorry to bring an old thread to life, but I have been researching this topic and haven’t found anything useful yet. Just a lot of very good ideas that will likely never make it to a stock ROM.

    Here’s my idea: full password is required at boot, as it is now. Then after a user-defined interval of idle time, the password will be required again. Between those two points, a standard screen unlock will be used.

    So for example, if my phone sits in my pocket for an hour, it will require a password to unlock. But if it has only been idle for a short time, it will only require a pin. Three wrong pin attempts and it will request the password. This way, my device is secure and I’m not often pestered by having to type a long password.

  11. I just encrypted my Samsung Galaxy S6. On power off reboot, it asks me for my encryption password, which works fine. My question is after I enter that password is my data now accessible to anyone that can get past my screen lock? Basically what I’m asking is if I lose my phone while it is powered on and the encryption key has already been entered and the only item securing the phone is the screen lock, if someone wants to get into my personal data all they need to do is get past my screen lock password?

    1. Yes, you are correct. Once the device is initially unlocked after power-on, it is only protected by the screen lock. It should be clear that this is true because you can get to all your data once you enter the screen lock, right? So clearly anyone else who knows your unlock code can get to it the same way. If you want a more secure lock after power-on, you will need to use a strong password for your screen unlock as well. That will be annoying as hell, but it’s a classic security-convenience tradeoff.
