Question Google On Device Encryption of Passwords

pone

Member
Oct 27, 2025
I was trying to access a saved password on my new phone and Google prompted me about adding "on device encryption". I simply wanted to learn about the feature and its "set up". Google didn't provide me any setup screen. They just went ahead and set it up. I am reading that you cannot undo this setting? And it sounds like this setting is going to make all of my passwords unusable on any other device for the same Google login? That's a complete disaster for me. Where do I read more about this in detail, and is there any escape from this? Is it going to re-encrypt passwords I already set in the Password Manager? Being able to share the passwords across all my devices is the entire point of the password manager!!
 
Here's an explanation using Google's AI Overview:


"Google on-device encryption is a feature that encrypts your saved passwords and other data on your own devices, using a key that is only accessible to you via your lock screen PIN, pattern, or password. This adds an extra layer of security, preventing Google or others from accessing your data, even if a security breach occurred. On the Android operating system, "Encrypt phone" refers to the full disk encryption for the device's storage, which also requires your lock screen credentials to decrypt at startup. [1, 2, 3, 4]


Google Password Manager on-device encryption
  • How it works: When you enable this feature, your passwords and passkeys are encrypted on your device before being sent to Google's servers. The encryption key is tied to your device's lock screen credentials or a dedicated Google Account password.
  • What it protects: It protects your saved login information from being accessed by Google or anyone else who might gain access to your account in the cloud.
  • How to set it up: You can enable it in the settings of the Google Password Manager, usually by going to the settings menu and looking for an "On-device encryption" or "Set up on-device encryption" option.
  • Important considerations:
    • Once enabled, you may lose access to your encrypted data if you lose access to your Google Account and all your synced devices.
    • It is essential to have a strong and secure lock screen PIN, pattern, or password, as this is the key to your encrypted data. [2, 3, 4, 5, 6]
Android "Encrypt phone"
  • How it works: This is a system-level feature that encrypts all data on your Android device's internal storage.
  • What it protects: It protects the data stored on your phone from unauthorized access if your device is lost or stolen, as it cannot be accessed without your PIN, pattern, or password.
  • How to set it up:
    1. Go to your device's Settings app.
    2. Tap on Security & Location.
    3. Under "Encryption," tap Encrypt phone or Encrypt tablet.
    4. Follow the on-screen instructions, which will require you to set a lock screen PIN, pattern, or password.
  • Important considerations:
    • Encrypting your phone is a one-way process; you cannot turn off encryption without performing a factory data reset, which erases all your data.
    • If you use accessibility services like TalkBack, you will always need to enter your PIN, pattern, or password at startup. [1, 7, 8, 9, 10]
AI responses may include mistakes.
[1] https://support.google.com/nexus/answer/2844831?hl=en
[2] https://support.google.com/chrome/answer/10311524?hl=en
[3] https://blog.mega.io/is-google-password-manager-safe
[4], [5] https://chromeunboxed.com/google-password-manager-encryption
[6] https://9to5google.com/2022/06/21/google-password-on-device-encryption/
[7] https://www.manageengine.com/mobile-device-management/mdm-device-encryption-for-android.html
[8] https://www.securecodewarrior.com/article/secure-coding-technique-android-device-encryption-and-direct-boot
[9] https://copperhead.co/blog/android-encryption-password/
[10] https://www.cashify.in/how-to-encrypt-your-android-smartphone"

So as long as you don't forget your Google account credentials, you'll always still be able to access your passwords via your Google account. This is why it's so important to make sure you have more than one method of authenticating your Google account. I would strongly recommend creating hardcopy backup codes as a last resort and storing them securely somewhere (like a safe at home): https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform=Desktop
 

If the passwords are being encrypted on my *DEVICE*, then logically the passwords are no longer accessible from my desktop computer? That defeats the whole point of having a password manager that seamlessly blends access to sites on both a desktop browser and on devices.

Further, they are implying that you must use the same PIN or access method/values on each remote device, otherwise even your devices cannot share.

Is this thing now re-encrypting the 100 passwords I already saved to this account before I stupidly turned this misguided feature on? Or does this only mess up passwords I create from this point on?

Assuming that this is not globally encrypting all of the accounts I already had created without encryption, that would suggest that moving forward I would need to create the username and password on my desktop browser, and then let it migrate to the devices?

I am still confused by how this works, and I am not really understanding how to work around it or if I have accidentally rendered all of my passwords worthless.
 
I'll re-emphasize this part of the summary with added boldface: "When you enable this feature, your passwords and passkeys are encrypted on your device before being sent to Google's servers. The encryption key is tied to your device's lock screen credentials or a dedicated Google Account password."

So your passwords will still be saved to your Google account in the cloud, but encrypted using either your phone's lockscreen credentials OR your Google Account password. Since you would need to log into your Google account on a desktop with that password, that's how your passwords would be decrypted.
 
There are two ways this could be done:

#1: They could encrypt a local copy of the password on the device, using the PIN, etc. And then the password could be shared encrypted by your Google Account password with the cloud. That would give you extra protection on the device, while still allowing your desktop browser to use the credentials.

#2: They could encrypt the password on the device, and then further encrypt the encrypted password on the cloud with your Google Account password. In that case, how could your desktop browser access the credentials again? They are encrypted by a means on the device that the desktop browser cannot emulate?
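As an added illustration (not code from this thread, and not Google's implementation), here is a stdlib-only Python model of the "encrypted on your device before being sent to Google's servers" design that the quoted overview describes: each record is encrypted on the device with a key derived from a user secret, the server stores only ciphertext plus the KDF salt, and a second device that knows the same secret derives the same key and decrypts. What it shows is that "encrypted before upload" and "usable on another device" are compatible as long as the other device can reproduce the key, and that a device with the wrong secret, or the server itself, gets nothing. The class names `CloudStore` and `Device`, the sample secret and the sample password are assumptions for the example; the cipher is a toy HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Illustrative model only (standard library only). NOT Google's code: it shows
# the general client-side-encryption pattern, not which key Google derives.

KDF_ITERATIONS = 100_000  # assumption; a memory-hard KDF (scrypt/Argon2) is preferable


def derive_keys(user_secret: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the user's secret.

    The salt is stored with the ciphertext on the server; the secret never is."""
    okm = hashlib.pbkdf2_hmac("sha256", user_secret.encode(), salt, KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_record(keys: tuple[bytes, bytes], plaintext: bytes) -> dict:
    """Encrypt-then-MAC one vault record; output is what gets synced."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)  # fresh per record, so identical passwords give different ciphertext
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_record(keys: tuple[bytes, bytes], blob: dict) -> bytes:
    """Verify the tag first; a wrong key or tampered record raises instead of returning garbage."""
    enc_key, mac_key = keys
    nonce, ct, tag = (bytes.fromhex(blob[f]) for f in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudStore:
    """What the sync server holds: a KDF salt plus opaque ciphertext records."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.records: dict[str, dict] = {}  # site -> encrypted record


class Device:
    """A phone or a desktop browser signed into the same account (hypothetical class)."""

    def __init__(self, user_secret: str, cloud: CloudStore) -> None:
        self.cloud = cloud
        self.keys = derive_keys(user_secret, cloud.salt)  # key never leaves the device

    def save_password(self, site: str, username: str, password: str) -> None:
        entry = json.dumps({"user": username, "pass": password}).encode()
        self.cloud.records[site] = encrypt_record(self.keys, entry)

    def get_password(self, site: str) -> tuple[str, str]:
        entry = json.loads(decrypt_record(self.keys, self.cloud.records[site]))
        return entry["user"], entry["pass"]


def demo() -> dict:
    """Constructed scenario: phone saves, laptop with the same secret reads,
    a device with the wrong secret fails, and the server sees only ciphertext."""
    cloud = CloudStore()
    secret = "lockscreen-PIN-or-account-password"  # constructed sample secret
    phone = Device(secret, cloud)
    phone.save_password("example.com", "pone@example.com", "correct horse battery staple")

    laptop = Device(secret, cloud)  # same secret -> same keys -> can read the record
    username, password = laptop.get_password("example.com")

    try:
        Device("wrong-secret", cloud).get_password("example.com")
        wrong_secret_fails = False
    except ValueError:
        wrong_secret_fails = True

    server_view = json.dumps(cloud.records)  # everything a server-side breach could expose
    return {
        "laptop_reads": (username, password),
        "wrong_secret_fails": wrong_secret_fails,
        "server_sees_plaintext": "correct horse" in server_view,
    }


if __name__ == "__main__":
    print(demo())
```

The model answers the #1 vs #2 question only in the abstract: the desktop can read the cloud copy if and only if it can derive the same key the phone used, whether that key comes from a lock screen credential, an account password, or something else entirely. Which of those Google's feature actually uses is not settled by anything in this thread.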
 
No, that is not how that works. When you unlock your phone, the PIN, password, pattern, or whatever you use decrypts the data on your phone for use. So it isn't encrypted forever when you use it. Let's say someone got hold of your phone and found your Password folder (there really isn't a folder for this, but for the sake of the example let's imagine a folder on your home screen): the information they would find would be useless, because it would be gibberish without the decryption code. Wherever the password would be used, a web page or app name, would be gibberish. The password itself would be gibberish, and none of it would be useful to anyone without your decryption code, which on your device would be your PIN, password, etc., whatever you use to unlock the phone. Once you unlock your phone the data is regular data and used the same as you normally would. Your data in the cloud is already encrypted, so if you're in a browser and Google pops up asking if you want to use your saved password, that password is encrypted until you sign into your Google account. That sign-in decrypts your data for use. The password never changes; it just looks like, and for all intents and purposes is, gibberish until decrypted, which you do by signing into your Google account or accessing your device with a PIN, pattern, etc.

I tried to find a video on encryption that wasn't just a guide on how to enable it but I couldn't find one that touched on the point I was trying to make so I found this one that might help you understand better.

 

What you are describing is my option #1 in my post above. They are simply encrypting *LOCAL COPIES* of the password, NOT encrypting the cloud copy of the password that sits on Google's servers.
 
Somehow there are two more posts between mine and the one I was responding to. I probably got too long winded and you posted before I could.
 
That's totally fine. I just want to make sure this feature is only encrypting the local cached copies of the password, not affecting the cloud-stored password in a way that would prevent me from using it on a desktop browser.

I would not object to them having the additional encryption level in the cloud, but then they would need to modify Google Chrome and any other interfaces that use those passwords to let me provide the PIN on the desktop computer.
 
You are already decrypting your online cloud stuff by signing into Google. Your passwords and autofill don't work if you're not signed in to your account. If you need more security, they also offer 2-factor verification, which Google calls 2-Step Verification, which decrypts your account information, including your passwords, contacts and backup data, to name a few.
 
