First let's have a look why it is not (yet) possible to mount encrypted userdata partition from TWRP especially on Samsung devices.
Encryption is hardware-backed in TEE and therefore vendor specific. Furthermore ...
... some vendors such as Samsung use their own encryption techniques. Without heavy deconstruction/decompiling of custom library blobs, and successful ports by an active maintainer, this may never be done.
Decryption involves the underlaying firmware. It requires to mount various partitions and running libraries for communication with (TEE) Trusted Execution Environment.
For Qualcomm devices it is necessary to run qseecomd
, for Exynos devices the Trustonic Kinibi daemon. In this example the modem
partition is mounted with mounttodecrypt
flag (qualcomm)
/firmware
vfat
/dev/block/bootdevice/by-name/modem
flags=slotselect;display="Firmware";mounttodecrypt;fsflags=ro
As we can see on this list of libraries also the vendor
partition is mounted. This is also OEM specific content used by LineageOS and not included in TWRP by default. Some recent TWRP builds have it, most builds are designed to use the firmware. However no Samsung devices known. This example is from another qualcomm device not for Samsung:
/firmware/image/cmnlib.b00
/firmware/image/cmnlib.b01
/firmware/image/cmnlib.b02
/firmware/image/cmnlib.b03
/firmware/image/cmnlib.mdt
/firmware/image/keymaste.b00
/firmware/image/keymaste.b01
/firmware/image/keymaste.b02
/firmware/image/keymaste.b03
/firmware/image/keymaste.mdt
/system/bin/linker64
/system/bin/qseecomd
/system/lib64/hw/keystore.qcom.so
/system/lib64/libbacktrace.so
/system/lib64/libbinder.so
/system/lib64/libcnefeatureconfig.so
/system/lib64/libc.so
/system/lib64/libcutils.so
/system/lib64/libEGL.so
/system/lib64/libgccdemangle.so
/system/lib64/libGLES_trace.so
/system/lib64/libGLESv2.so
/system/lib64/libgui.so
/system/lib64/libhardware.so
/system/lib64/liblog.so
/system/lib64/libm.so
/system/lib64/libnetd_client.so
/system/lib64/libsigchain.so
/system/lib64/libstdc++.so
/system/lib64/libstlport.so
/system/lib64/libsync.so
/system/lib64/libui.so
/system/lib64/libunwind-ptrace.so
/system/lib64/libunwind.so
/system/lib64/libutils.so
/system/vendor/lib64/libdiag.so
/system/vendor/lib64/libdrmfs.so
/system/vendor/lib64/libdrmtime.so
/system/vendor/lib64/libNimsWrap.so
/system/vendor/lib64/libQSEEComAPI.so
/system/vendor/lib64/librpmb.so
/system/vendor/lib64/lib-sec-disp.so
/system/vendor/lib64/libsecureui.so
/system/vendor/lib64/libsecureui_svcsock.so
/system/vendor/lib64/libssd.so
/system/vendor/lib64/libStDrvInt.so
/system/vendor/lib64/libtime_genoff.so
/system/vendor/lib64/libvendorconn.so
Now, as we know there is a lot of research to make decryption working, it's obviously TWRP maintainers are desperate overhelmed with providing encryption support for all devices. Therefore decryption is always only a goody, heavily depending on maintainers knowledge and engagement.
That might one reason why android modding scene prefer to run custom ROMs unencrypted
Encryption is forced since Android 5.0 with forceencrypt=
flag in fstab (FDE) or fileencryption=
(FBE)
The flags encryptable=
forceencrypt=
and forcefdeorfbe=
are always pointing to crypto footer. Therefore they are interchangeable.
To disable force encryption (FDE) use the first flag. Edit your fstab entry for userdata
partition and replace forceencrypt=
with encryptable=
/dev/block/platform/11120000.ufs/by-name/USERDATA
/data
ext4
noatime,nosuid,nodev,discard,errors=panic
wait,check,encryptable=footer,length=-20480,reservedsize=128M
This can be done from TWRP by installing no-verity-opt-encrypt-6.1.zip
The benefit of having force encryption disabled while keeping the availability for encryption is in the nature of Direct Boot vs Secure Start. Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a password and stored salt. The resultant hash is also signed through TEE (such as TrustZone), which uses hash of the signature to encrypt the master key. There are four kinds of encryption states:
- default
- PIN
- password
- pattern
On Direct Boot the former one is forced with 'default_password', indeed that's how most android devices still encrypted. (TWRP always probes against 'default_password' and only asking for password if decryption failes.)
If you choose Secure Start from security menu the keystore password is re-created using your current lock screen credentials. downside of this encryption state android won't boot until correct passphrase is entered.
To overcome this the benefits of Secure Start with Direct Boot was merged in (FBE) File-Based Encryption, which was introduced with Android 7.0 and enforced for devices shipped with Android 10+
Be aware there is no way to disable enforcement of (FBE) File-Based Encryption. Therefore the only method left is to disable encryption completely by deleting the fileencryption=
flag from fstab (with no proper replacement). Indeed that is how Magisk does currently when flashed from TWRP.
Universal DM-Verity ForceEncrypt Disk Quota Disabler will disable encryption completely
The only* way to decrypt existing data on Samsung devices is boot into android.
(*there exist investigations to break encryption, however not for Samsung encryption)
If your goal is data recovery from encrypted Samsung device TWRP is not the way to go.