Android’s Password For Encryption Can Be Different From The Screen Unlock PIN

I can't remember when I first read about Android's ability to encrypt the user data partition. What I did remember, however, was that the article said that the PIN used for unlocking the screen is also used during system startup to unlock the encrypted partition. I was pretty disappointed at the time because a four or five digit screen unlock PIN can easily be cracked in an offline attack, so I never really bothered to give encryption a try. But is this really the case?

A Long Password For Encryption And A Short PIN for Unlocking The Screen

As I couldn't find a definite answer on the web, I tried it out myself with a device running CyanogenMod 11 (Android 4.4.4). And indeed, to start the encryption process a screen unlock PIN has to be set, which is then also used to unlock the encrypted drive during system startup. But, and this is the good part now, the password to unlock the encryption key during system startup can be changed afterward to a much longer password that is independent of the screen unlock PIN. In other words, it's possible to use a long and strong password during system startup and a reasonably short and different screen unlock PIN. Perfect!
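To put numbers on why the startup password should be longer than the screen PIN, here is an added example (not from the original post and not Android's code). It models the encrypted partition's key as protected by a PBKDF2-derived key; the KDF choice, salt, iteration counts and the sample PIN are constructed assumptions, not Android's on-disk format or settings.

```python
import hashlib
import itertools
import os
import string
import time


def derive(secret: str, salt: bytes, iters: int) -> bytes:
    """Stretch a PIN or password into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iters, dklen=32)


def exhaust_pins(target: bytes, salt: bytes, iters: int, digits: int):
    """Offline search: walk every numeric PIN of the given length."""
    for combo in itertools.product(string.digits, repeat=digits):
        pin = "".join(combo)
        if derive(pin, salt, iters) == target:
            return pin
    return None  # the secret is not a numeric PIN of that length


def worst_case_seconds(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Time to cover the whole keyspace at a given guess rate."""
    return alphabet ** length / guesses_per_sec


def measure_rate(salt: bytes, iters: int, samples: int = 200) -> float:
    """Guesses per second this machine reaches against the KDF."""
    start = time.perf_counter()
    for i in range(samples):
        derive(str(i), salt, iters)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, iters = os.urandom(16), 2000  # constructed demo parameters
    rate = measure_rate(salt, iters)
    cases = [("4-digit PIN", 10, 4), ("5-digit PIN", 10, 5),
             ("16-char alphanumeric password", 62, 16)]
    for label, alphabet, length in cases:
        secs = worst_case_seconds(alphabet, length, rate)
        print(f"{label:30s} {secs:.3g} s worst case at {rate:.0f} guesses/s")
    # A constructed 4-digit PIN falls to a plain loop on a laptop.
    target = derive("4821", salt, 200)
    print("recovered:", exhaust_pins(target, salt, 200, 4))
```

The screen unlock PIN can stay short because guesses on a running device are entered through the lock screen, while the startup password is the only secret standing between a copied partition and an offline search like the one above.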

CyanogenMod Update Trouble

As far as CyanogenMod is concerned, however, there's a little catch: The automatic updater doesn't work anymore as the downloaded image is put into the user's encrypted data directory. Unfortunately, the CWM (ClockworkMod) recovery manager used by CyanogenMod for many devices doesn't support encrypted user data partitions. The only way to update the system image on such devices, if they are encrypted, is to push the image from a PC via ADB to a temporary partition after the device has been booted to recovery mode. Here's a description of how that works. It's not difficult to do but not very convenient either.

More Details on Encryption

And for some more background information on how Android encryption works, have a look here.