Open angadsingh opened 6 years ago
Work profiles use part of multiuser.
They use android's file based encryption (FBE): https://source.android.com/security/encryption/file-based
The system_ce and system_de folders are actually Credential Encrypted (CE) storage and Device Encrypted (DE) storage as documented above.
I can't even do an adb pull on my work profile's folders:
adb: error: failed to copy '/data/system_ce/10/gZbggZAffqRWsSUW3jB7gD' to './10/gZbggZAffqRWsSUW3jB7gD': open failed: Required key not available
Having the same issue. Is there any way to exclude certain folders from the backup?
I agree that excluding secondary users (if backup is not possible) would be great.
Please ignore those files on backup AND restore, so that the other user or profile will not be touched at all.
Hi,
I use work profile as a secondary user. So, PLEASE, include:
With all of this we'll be able to do a full backup using multiuser profiles. Thank you!
Any update on this one? I backed up my phone while work profile was enabled. Now I am unable to restore: extractTarFork() process ended with ERROR: 255
This should work fine now, but you would need to backup the phone with the newest version of TWRP, and then the new backup should restore properly. Any previous backups would not work as the work profile would've been encrypted.
No, it didn't work. I created the backup with 3.4.0 and tried to restore it with 3.4.0. Error 255. Turns out I had a user with ID 11, probably created by Island, which is using the work profile feature.
Cannot find key for 11 error looking up proper e4crypt policy for '//data/system_de/11/' - 1DE11 tar_extract_file(): failed to extract //data/system_de/11/ !!!
So I deleted all files and folders named "11" from /data/system_de/, /data/misc/user/ and /data/vendor_de/ manually from the backup files (with 7-Zip) and pushed them back to my phone. Then I was able to restore the backup.
Not sure if this is a corner case, but apparently TWRP did not skip this profile when creating the backup.
Did you first decrypt the work profile before performing the backup? Where is the recovery log? You shouldn't have to delete or skip anything. Without logs it's impossible to determine what happened here.
I did not decrypt anything before taking the backup.
It initially failed on the first file (data.f2fs.win000) with "11" files/folders in /data/misc/user/ and /data/vendor_de/.
So I deleted them and then it failed on the last file (data.f2fs.win012) with "11" files in /data/system_de/.
I was not able to restore anything without deleting these files.
Here is the log from the second attempt https://www.dropbox.com/s/9jec7aobe02to0p/recovery%5B1%5D.7z?dl=0
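The manual 7-Zip step described earlier in this thread (deleting every "11" directory from the data.f2fs.winNNN pieces before restoring) can be scripted. The following is an added example, not TWRP's code: it rewrites one tar piece without a given user's per-user subtrees and reports what it dropped. It assumes each data.*.winNNN piece is a self-contained, unencrypted tar (optionally gzip-compressed) with member names like data/system_de/11/..., which matches how the pieces were edited above; the list of per-user directories and the sample archive are constructed for the example. TWRP's libtar also records fscrypt policy metadata in extended headers that Python's tarfile may not carry over unchanged, so compare the rewritten piece's member list with the original before relying on it, and treat this as a last resort for a backup that was taken with a user still undecrypted.

```python
import io
import re
import tarfile

# Per-user subtrees under /data, keyed by Android user ID. Assumed from the
# directories named in the thread plus the usual FBE layout; extend as needed.
PER_USER_DIRS = (
    "system_ce", "system_de", "misc_ce", "misc_de", "misc/user",
    "vendor_ce", "vendor_de", "user", "user_de", "media",
)


def user_subtree_pattern(user_id):
    dirs = "|".join(re.escape(d) for d in PER_USER_DIRS)
    # Accept "data/...", "/data/...", "//data/..." and "./data/..." names.
    # The trailing (?:/|$) keeps user 11 from also matching user 110.
    return re.compile(r"^(?:\./)?/*data/(?:%s)/%d(?:/|$)" % (dirs, user_id))


def strip_user(tar_bytes, user_id):
    """Return (new_tar_bytes, dropped_member_names) with one user removed."""
    pat = user_subtree_pattern(user_id)
    dropped = []
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tin, \
         tarfile.open(fileobj=out, mode="w") as tout:
        for member in tin:
            if pat.match(member.name):
                dropped.append(member.name)
                continue
            # Regular files carry data; dirs, links and specials do not.
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return out.getvalue(), dropped


def member_names(tar_bytes):
    """Member list, used to diff the rewritten piece against the original."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as t:
        return [m.name for m in t.getmembers()]


def build_sample_tar():
    """Constructed stand-in for one data.f2fs.winNNN piece (not a real backup)."""
    entries = [
        ("data/system/locksettings.db", b"sqlite"),
        ("data/system_ce/0/accounts_ce.db", b"owner"),
        ("data/system_de/10/", None),
        ("data/system_de/10/unlocked", b""),
        ("data/system_de/11/", None),
        ("data/system_de/11/unlocked", b""),
        ("data/misc/user/11/settings.xml", b"<x/>"),
        ("data/vendor_de/11/blob", b"\x00\x01"),
        ("data/user/110/keep", b"not user 11"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.DIRTYPE
                t.addfile(info)
            else:
                info.size = len(data)
                t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: strip_user.py data.f2fs.win000 11 data.f2fs.win000.fixed
        with open(sys.argv[1], "rb") as f:
            new, gone = strip_user(f.read(), int(sys.argv[2]))
        with open(sys.argv[3], "wb") as f:
            f.write(new)
    else:
        new, gone = strip_user(build_sample_tar(), 11)
    print("dropped:", *gone, sep="\n  ")
```

Run it once per piece that fails to extract; the piece names and the user ID come from the restore error ("error looking up proper e4crypt policy for '//data/system_de/11/'").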
I think I'm missing a log. You're going to need to walk through your entire process, and provide the logs from each step. There should be a log from the backup in the backup folder - I think that one will be the most useful. For the restore, did you format the device or do something that would've deleted the work profile prior to restoring? According to that log, there's no user 11 on the device, which explains why it couldn't restore it.
I do not have any other logs. All previous logs got deleted during my ROM flashing attempts. Yes, I formatted everything including /system, then flashed a fresh factory image, then tried to restore the data partition. Restoring everything including all other partitions did not work, I ended up in a bootloop.
As already mentioned, I had Island (https://island.oasisfeng.com/) installed on my phone and I think this is where that user "11" came from? But it was not in use, I think the work profile was not even active when taking the backup.
There is a recovery log in your backup folder. Since you were able to restore your backup, that folder/log must exist. That's the log we need to see.
Yes, thanks, found it. https://www.dropbox.com/s/vcdgxq1cbo0c8id/recovery.7z?dl=0
Backup/restore operations will fail without all users decrypted. Whether they are in use or not. TWRP will automatically try to decrypt secondary profiles with the default password and/or the password provided by the user for the primary profile. I don't know what "password" is used by Island.
I'll work on adding ignore logic for non-decrypted users.
Ok, but the backup operation succeeded without any errors while the restore operation failed with
error looking up proper e4crypt policy for '//data/system_de/11/' - 1DE11
Shouldn't the backup abort at this point instead of going on?
Failed to decrypt user 11
Right now there is no logic to explicitly abort backups with undecrypted users. I'm not sure why it doesn't error out when backing up but does when restoring.
Hi, maybe you have an idea for me, as decryption on user 10 always fails.
```text
e4crypt_unlock_user_key 0 serial=0 token_present=0
Skipping non-key ..
Skipping non-key .
Trying user CE key /data/misc/vold/user_keys/ce/0/current
Successfully retrieved key
Determining wrapped-key support for /data
fbe.data.wrappedkey = false
Determining wrapped-key support for /data
fbe.data.wrappedkey = false
Added key 798111340 (ext4:341e9bb1c698a11d) to keyring 449853792 in process 540
Added key 972089171 (f2fs:341e9bb1c698a11d) to keyring 449853792 in process 540
Added key 243114293 (fscrypt:341e9bb1c698a11d) to keyring 449853792 in process 540
Installed ce key for user 0
User 0 Decrypted Successfully!
User 0 Decrypted Successfully
I:User 10 is not decrypted.
Attempting to decrypt FBE for user 10...
Using synthetic password method
Handle is 'a94c05821e4281f1'
Using synthetic password method
Handle is 'a94c05821e4281f1'
using secdis
gatekeeper verification failed
Using synthetic password method
Handle is 'a94c05821e4281f1'
e4crypt_unlock_user_key 10 serial=0 token_present=0
Skipping non-key ..
Skipping non-key .
Trying user CE key /data/misc/vold/user_keys/ce/10/current
Using Keymaster HAL: 4 from QTI for encryption. Security level: TRUSTED_ENVIRONMENT, HAL: android.hardware.keymaster@4.0::IKeymasterDevice/default
Failed to read from /data/misc/vold/user_keys/ce/10/current/keymaster_key_blob
Failed to find working ce key for user 10
Couldn't read key for 10
e4crypt_unlock_user_key returned fail
Failed to decrypt user 10
```
The paths /data/misc/vold/user_keys/ce/0/current and /data/misc/vold/user_keys/ce/10/current look identical. Both contain the files encrypted_key, secdiscardable, stretching and version. The file keymaster_key_blob doesn't exist for either. Are there hard-coded paths that TWRP is looking for, or does it search for the path at boot? I attach the whole recovery.log.
twrp path https://github.com/redispade/device_xiaomi_grus-twrp
Xiaomi Mi 9SE
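The maintainer's point earlier in the thread is that a backup taken with an undecrypted user completes without an error and only fails at restore. As an added example (not TWRP's code), the following Python scans a recovery.log for the per-user messages quoted in this thread and reports which users actually had their CE key installed, which failed, and which per-user paths had no usable fscrypt policy, so the log can be checked before a backup is trusted. The message wording is taken from the excerpts above and may differ in other TWRP versions (an assumption); the sample log is constructed from those excerpts.

```python
import re
from dataclasses import dataclass, field

# Message patterns copied from the recovery.log excerpts in this thread.
# Other TWRP versions may word these differently (assumption).
_DECRYPTED = re.compile(r"User (\d+) Decrypted Successfully")
_FAILED = re.compile(
    r"(?:Failed to decrypt user|Couldn't read key for|Cannot find key for) (\d+)")
_POLICY = re.compile(r"error looking up proper e4crypt policy for '([^']+)'")
# User ID of a per-user path such as //data/system_de/11/ or /data/misc/user/11/
_USER_IN_PATH = re.compile(r"^/*data/[a-z_]+(?:/user)?/(\d+)(?:/|$)")

# Constructed from the log lines quoted above; not a real device log.
SAMPLE_LOG = """\
Trying user CE key /data/misc/vold/user_keys/ce/0/current
Successfully retrieved key
Installed ce key for user 0
User 0 Decrypted Successfully!
I:User 10 is not decrypted.
Attempting to decrypt FBE for user 10...
gatekeeper verification failed
Failed to read from /data/misc/vold/user_keys/ce/10/current/keymaster_key_blob
Failed to find working ce key for user 10
Couldn't read key for 10
e4crypt_unlock_user_key returned fail
Failed to decrypt user 10
Cannot find key for 11
error looking up proper e4crypt policy for '//data/system_de/11/' - 1DE11
tar_extract_file(): failed to extract //data/system_de/11/ !!!
"""


@dataclass
class DecryptReport:
    decrypted: set = field(default_factory=set)   # users whose CE key was installed
    failed: set = field(default_factory=set)      # users TWRP could not unlock
    undecrypted_paths: dict = field(default_factory=dict)  # user -> paths without policy

    def safe_to_trust(self):
        """True only if no user failed and no per-user path lacked a usable key."""
        return not self.failed and not self.undecrypted_paths


def parse_recovery_log(text):
    report = DecryptReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = _DECRYPTED.search(line)
        if m:
            report.decrypted.add(int(m.group(1)))
            continue
        m = _FAILED.search(line)
        if m:
            report.failed.add(int(m.group(1)))
            continue
        m = _POLICY.search(line)
        if m:
            path = m.group(1)
            u = _USER_IN_PATH.match(path)
            uid = int(u.group(1)) if u else -1   # -1: not a per-user path
            report.undecrypted_paths.setdefault(uid, []).append(path)
    # A user that failed once but succeeded on a later attempt counts as decrypted.
    report.failed -= report.decrypted
    return report


def summarize(report):
    lines = [
        "decrypted users: %s" % sorted(report.decrypted),
        "failed users:    %s" % sorted(report.failed),
    ]
    for uid, paths in sorted(report.undecrypted_paths.items()):
        lines.append("no usable key for user %d: %s" % (uid, ", ".join(paths)))
    lines.append("backup/restore trustworthy: %s" % report.safe_to_trust())
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(parse_recovery_log(text))))
```

Point it at the recovery.log in the backup folder (the one the maintainer asks for above); a non-empty "failed users" line means the backup will not restore cleanly for those users.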
Do you have a separate password for user 10? If so, did you attempt to decrypt using Advanced -> Decrypt Users?
I only have a password for user 0, so I think the password is derived from user 0. For the work profile I use the Shelter app. Advanced -> Decrypt Users doesn't work.
I found this ticket after having this problem myself. The question below triggered something I wanted to try:
Do you have a separate password for user 10? If so, did you attempt to decrypt using Advanced -> Decrypt Users?
That got me thinking. I went into accounts and found an option 'use one lock'. I unchecked that and set the same pin code for the work profile. That enabled TWRP to unlock both profiles with the same pin. Somehow, in Android 10, 'use one lock' with the code set once (on main) is different from setting the same code twice.
With 'use one lock' I guess Android 10 thinks of a lock for the work profile and sets (and unlocks) it via internal code instead of setting the same code. Advanced -> Decrypt Users doesn't work with 'use one lock', but it is not even needed when you manually set the same code on both the main and the work profile (it is probably needed when you set 2 different codes).
Device: Samsung Tab S5e TWRP: 3.4.0-0 from https://build.twrp.me/twrp-3.4.0-0-gts4lvwifi.img (@luk1337 built) Image: Lineage 17.1 Firmware: T720XXU1BTF7_CL18864194_QB32199498_REV00.zip
That got me thinking. I went into accounts and found an option 'use one lock'. I unchecked that and set the same pin code for the work profile. That enabled TWRP to unlock both profiles with the same pin
Great man, works on my Xiaomi Mi 9SE too :-)
That got me thinking. I went into accounts and found an option 'use one lock'. I unchecked that and set the same pin code for the work profile. That enabled TWRP to unlock both profiles with the same pin
Sadly does not work for me.
Oneplus 7 GM1903 OOS 10.03.GM57BA TWRP 3.3.1-74
Edit: With TWRP 3.4.0-0 it works! Thanks!
That got me thinking. I went into accounts and found an option 'use one lock'. I unchecked that and set the same pin code for the work profile. That enabled TWRP to unlock both profiles with the same pin
While it did work for the backup, after formatting Data I couldn't restore it back. I guess it's that time of the year again where I have to start everything from scratch :/ . I guess it could be worse too, at least I have a way to recover my contacts and other stuff.
Just create the user account in Android again first, and then the restore should work fine.
Can anyone confirm this? I'm worried my backup strategy isn't sufficient.
Confirm what?
Confirm that restore works fine with the suggestion from your previous post.
You mean additional confirmation? I've done it several times, on several devices.
No, I just wasn't sure if you've actually tried it as you said it "should" work.
I only said "should" because just because it works for me doesn't automatically mean it will work for everyone else. I can confirm that it does work for me.
Still doesn't work with my Xiaomi Mi Note 10. Before it even starts to back up it complains with the same Error 255. I have a work profile installed, which creates a user 11.
Which part are you saying doesn't work?
The createTarFork() process ended with ERROR: 255
That doesn't answer my question. I have no idea what it is that you tried to do that caused this error.
You're saying that you tried what was suggested here: https://github.com/TeamWin/Team-Win-Recovery-Project/issues/1256#issuecomment-684834828 and it didn't work?
I don't know whether I am mistaken. I use a pattern for my main profile, so I cannot use this trick to set up the same pattern. Currently I have set up a password, and I succeeded in decrypting it with TWRP.
My phone (Fairphone 3+) with an unlocked bootloader and an unofficial LineageOS 17.1 with microG (generic system image) and Magisk is stuck in a bootloop. It uses file-based encryption (FBE). I would like to back up my data, including /data/media, for every user (LineageOS has a multiuser function) and the "work profiles". I was able to decrypt the main user. Since TWRP 3.5 I am also able to decrypt the different users. However I am unable to decrypt my "work profiles" even though they luckily were active on the last shutdown (if they are active on shutdown, they are automatically decrypted when the corresponding user (in my case user 0) is decrypted). I think I found the decryption keys in the Android Keystore, though I don't know how to use them.
I would be grateful if anyone could explain how I can use the decryption keys to decrypt my "work profiles".
I also think it would add functionality to TWRP if decrypting of active "work profiles" could be implemented. It would make the backup process much easier.
Thanks in advance!
The only way to get the work profile to decrypt in TWRP is to disable the "Use one lock" option in Android as has been mentioned above in the previous comments. When that option is set, for some reason TWRP is unable to decrypt the work profile using the user 0 default password, so separating the passwords is the only way that works. Note that you can uncheck that option and then set the exact same password for the work profile, and then TWRP will be able to decrypt it using the user 0 password. So there's some "Google magic" in the work profile password setup for that option that the TWRP team has been unable to decipher. If you have a clue about how to do it, then please let us know and submit a patch to Gerrit so that it'll work for everyone.
Thanks for your reply!
When that option is set, for some reason TWRP is unable to decrypt the work profile using the user 0 default password, so separating the passwords is the only way that works.
So, if I understand it right, TWRP is already using (or trying to use) the keys from the Keystore of user 0 (/tmp/misc/keystore/user_0/.0_chr_USRPKEY_profile_key_name_decrypt_<user id of work profile>)? Is exactly this really the case? @CaptainThrowback
Note that you can uncheck that option and then set the exact same password for the work profile, and then TWRP will be able to decrypt it using the user 0 password.
I can't: My phone is stuck in a bootloop. It doesn't start up properly, it doesn't stop showing the boot animation.
I would like to use TWRP (booted using fastboot boot <TWRP image>) to create a full backup of my data (which includes /data/media) to an SD card so I can format my phone and install the official LineageOS 17.1, which already came out for it, or maybe a GNU/Linux based mobile OS with a Debian-like package management like Mobian if available for my phone or if I can port it to my phone (though I never tried anything like that before), and then restore my data.
So there's some "Google magic" in the work profile password setup for that option that the TWRP team has been unable to decipher. If you have a clue about how to do it, then please let us know and submit a patch to Gerrit so that it'll work for everyone.
If TWRP really is already trying to use the keys from the Keystore of user 0, I'm afraid I can only suggest looking through the AOSP or LineageOS source code. However I am not even able to find the part which does the encryption, and even if I could I am not sure I would understand it. Though I am always willing to try and learn. If I find out anything I will share it.
How exactly does TWRP use the encrypted keys? Where does it search for / expect them? How does it detect the encryption algorithm for decrypting the key and for finally decrypting the FBE using the decrypted key?
Thanks in advance!
Look at the code.
Could you please point me to the part of the code where i can find that out (for Android 10 file-based encryption)? Thanks!
Specifically? No. Just look in the crypto folder. The 10 tree uses fscrypt, so if you grep in that folder you should find what you're looking for.
Here is my guess. I have no idea if I'm doing this right, but here is what I found:
```cpp
static const char* e4crypt_unencrypted_folder = "/unencrypted";
#define DATA_MNT_POINT "/data"
...
const std::string device_key_dir = std::string() + DATA_MNT_POINT + e4crypt_unencrypted_folder;
const std::string device_key_path = device_key_dir + "/key";
```
Given the code from above, my guess is that the content of device_key_dir would be /data/unencrypted/key.
device_key_dir is then passed to the method retrieveKey here:
```cpp
if (!android::vold::retrieveKey(device_key_path,
                                kEmptyAuthentication, &device_key)) return false;
```
which appears to be defined here:
and here:
I don't know if this helps or if this is even the correct directory or method, but sounds like it could be.
Thanks!
I looked into the database /data/system/locksettings.db (which TWRP doesn't look into, so it doesn't need the SQLite library) and found out that on my phone there are three different password types in use: user 0 uses the lockscreen.password_type 65536, the users created using the LineageOS multi user function all use the lockscreen.password_type 196608, and the work profiles (of user 0) (I created one of them on the command line) all use the lockscreen.password_type 327680.
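Those lockscreen.password_type numbers are the PASSWORD_QUALITY_* constants from android.app.admin.DevicePolicyManager: 65536 (0x10000) is SOMETHING, i.e. a pattern; 196608 (0x30000) is NUMERIC_COMPLEX, i.e. a PIN; 327680 (0x50000) is ALPHANUMERIC, i.e. a password. As an added example (not TWRP or AOSP code), the following Python decodes the value per user from a pulled locksettings.db and flags users whose credential type differs from user 0's, which is a hint (not proof) that they carry a separate credential that would have to be entered under Advanced -> Decrypt Users. The table layout locksettings(_id, name, user, value) is assumed from AOSP's LockSettingsStorage schema, and the rows in the sample database are constructed to mirror the three values quoted above, not a real device dump.

```python
import sqlite3

# PASSWORD_QUALITY_* constants from android.app.admin.DevicePolicyManager.
PASSWORD_QUALITY = {
    0x00000: "UNSPECIFIED (none or swipe)",
    0x08000: "BIOMETRIC_WEAK",
    0x10000: "SOMETHING (pattern)",
    0x20000: "NUMERIC (PIN)",
    0x30000: "NUMERIC_COMPLEX (PIN)",
    0x40000: "ALPHABETIC",
    0x50000: "ALPHANUMERIC (password)",
    0x60000: "COMPLEX",
    0x80000: "MANAGED",
}


def decode_quality(value):
    """Turn the stored text value into a readable quality name."""
    try:
        q = int(value)
    except (TypeError, ValueError):
        return "UNPARSEABLE (%r)" % (value,)
    return PASSWORD_QUALITY.get(q, "UNKNOWN (0x%x)" % q)


def password_types(conn):
    """Map Android user ID -> decoded lockscreen.password_type."""
    rows = conn.execute(
        "SELECT user, value FROM locksettings WHERE name = 'lockscreen.password_type'"
    )
    return {int(user): decode_quality(value) for user, value in rows}


def differs_from_owner(conn):
    """Users whose credential type is not the owner's (user 0)."""
    types = password_types(conn)
    owner = types.get(0)
    return {uid for uid, t in types.items() if uid != 0 and t != owner}


def build_sample_db():
    """Constructed in-memory copy of the locksettings table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE locksettings ("
        "_id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, user INTEGER, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO locksettings (name, user, value) VALUES (?, ?, ?)",
        [
            ("lockscreen.password_type", 0, "65536"),    # owner: pattern
            ("lockscreen.password_type", 10, "196608"),  # secondary user: PIN
            ("lockscreen.password_type", 11, "327680"),  # work profile: password
            ("lockscreen.disabled", 0, "0"),            # unrelated row, ignored
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    # usage: decode_locksettings.py [locksettings.db]
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for uid, t in sorted(password_types(conn).items()):
        print("user %-3d %s" % (uid, t))
    print("differs from owner:", sorted(differs_from_owner(conn)))
```

Copy the database out of the phone (root or a decrypted /data in TWRP is needed) rather than opening it in place, so nothing on the device is modified while inspecting it.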
@T-vK my last comment was before I saw yours. Well trying to help always has the potential to help or at least get closer to the solution and you surely know more than me. In fact I am the one who will have to think about your comment quite long to understand it (I only know very, very little about C++ or Java and am only 15. I think I do have a good logical-analytical understanding especially about IT (hosting a few online services (to get independent from the big ones) on my server and so on) though.).
I can confirm that there is no /key nor /data/key directory on my phone and that there is a /data/unencrypted/key directory on my phone containing the following files: encrypted_key keymaster_key_blob secdiscardable stretching version
However I don't know how this could cause a problem only affecting the decryption of the work profiles while the others decrypt fine. But don't let my possible lack of knowledge put you off!
I was essentially just saying the key(s) are located in /data/unencrypted/key. The code snippets just show where the variables are defined that are then concatenated to form this path.
I was just trying to answer your question "Where does it search for / expect them?" to give you a starting point.
In regards to your actual problem, I can't really help you as I have no experience with the TWRP source code.
If you want to understand how/where the decryption is happening I'd suggest learning the very basics of C++ (variables, function calls, includes, ...) and then
start by searching for retrieveKey calls in the code and follow it. For example you'd probably want to check where the third parameter is used after the call. In Ext4Crypt.cpp for instance you'd want to check where the variable device_key is used after the call.
Maybe you can even try to find some info on how to properly debug TWRP with an IDE and an emulator.
Thanks for your help!
I think I do have a basic understanding, but if I try to understand any complex source code, somehow I fail to understand it or it takes me very long. Somehow I understand the basics but then fail to remember what every single thing meant and have trouble finding my way through long code.
Device: OP6 Google "Work profile" created for work account (https://support.google.com/work/android/answer/6191949?hl=en) TWRP/Nandroid backup from recovery throws the following error:
It seems that (similar to multi-user accounts or parallel apps), work profiles create a new user on the device, and /data/system_ce/10 might be an artifact of my work profile (not sure). The other folder is /data/system_ce/0. Going by XDA, TWRP doesn't support multi-user profiles. Does it not support work profiles either?