Updating CyanogenMod 11 (KitKat) Milestones on Encrypted Devices

CyanogenMod is a great Android distribution and it gets better with each milestone. KitKat has solid full-drive encryption, which is great for privacy – but the update process is not yet able to handle an encrypted device.

TWRP recovery supports encrypted data partitions, but not the kind that AOSP 4.4.4 makes. Vendors have had to roll their own for a while, while AOSP worked to do it right. The current plan is for TWRP to support the AOSP 4.4 encryption type (dm-crypt managed by vold from what I can tell, but with no userland tools installed), but for now TWRP isn’t ready. And while the contents of /data aren’t necessary for an update to apply, the update routine tries to mount /data and will bail out if that fails.

TWRP still enables us to update, though, so install it first. Here’s the page for my Galaxy S4, but find the one for your device so the block numbers will be correct. The app install methods all failed for me (they just left ClockWork, which doesn’t support encryption at all), but the dd method worked perfectly.


  1. Install TWRP.
  2. Boot into recovery (volume up on my S4).
  3. Download the current update image to your computer.
  4. Install adb on your computer if you don’t have it. If you’re on a Fedora-derived machine:
    yum -y install android-tools
  5. On the computer, type:
    sudo adb shell
    (adb) mount -t tmpfs none /sdcard
    (adb) mount -t tmpfs none /data
    (adb) mkdir /data/media
    (adb) exit
  6. Now, back in TWRP, go into ‘Advanced’ and ‘Sideload’. You probably want to leave the two ‘wipe’ checkboxes checked, then start the sideload process.
  7. Back on the computer, type:
    sudo adb sideload whatever-your-downloaded-updater-is-called.zip

    The reason you had to create /data/media above is that this file will wind up as /data/media/sideload.zip.
    It must be using /sdcard as temp space, because until I created /sdcard the sideload would only get to 38% before failing. Aside: tmpfs is a memory filesystem, so it will just go away after a reboot.

  8. Now on the phone, you should see it verifying the ZIP file (you can use unzip -t on Linux to pre-verify) and then it will say it is wiping the cache partitions. So, you might be wondering when the update is installed. Apparently after the ZIP file is verified, but I saw no indication in the GUI at all that the install happened. Afterwards, I looked at the recovery.log file (copy it to sdcard in TWRP and get it with ‘adb pull’) and it contained a verbose log of the install, so it definitely happened. What’s more, after rebooting and entering my passphrase, it saw the update and processed it. OK, that’s only half true – it rebooted itself once first – ‘adb logcat’ seemed to indicate an SELinux re-label as the cause but it wasn’t clear enough to be sure. On the second reboot the update happened.
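
A pre-flight check for steps 5 to 7, added here as an example (it is not part of the original recipe): it tests the ZIP, confirms exactly one device is attached in recovery, and confirms that /data and /sdcard really are tmpfs with /data/media present, which is the condition behind the 38% failure. The function names are made up for this example, and adb is assumed to be runnable as your user (prefix the script with sudo otherwise).

```shell
#!/bin/sh
# Added example: pre-flight checks for the sideload recipe (not from the post).

# tmpfs_ready: reads /proc/mounts on stdin and succeeds only if the topmost
# mount on both /data and /sdcard is tmpfs (later lines shadow earlier ones).
tmpfs_ready() {
    awk '$2 == "/data" || $2 == "/sdcard" { fstype[$2] = $3 }
         END { exit !(fstype["/data"] == "tmpfs" && fstype["/sdcard"] == "tmpfs") }'
}

# device_state: reads `adb devices` output on stdin and prints the state of
# the single attached device (recovery, sideload, ...), or "none"/"multiple".
# Device lines are "serial<TAB>state"; header and daemon notices have no tab.
device_state() {
    tr -d '\r' | awk -F'\t' 'NF == 2 { n++; state = $2 }
        END { if (n == 1) print state; else print (n ? "multiple" : "none") }'
}

fail() { echo "FAIL: $*" >&2; }

# preflight ZIP: run after step 5, before starting Sideload in TWRP.
preflight() {
    unzip -tq "$1" >/dev/null || { fail "$1 did not pass the archive test"; return 1; }
    state=$(adb devices | device_state)
    [ "$state" = recovery ] || { fail "want one device in recovery, got: $state"; return 1; }
    adb shell cat /proc/mounts | tmpfs_ready ||
        { fail "/data and /sdcard are not both tmpfs"; return 1; }
    # Old adb versions do not pass back the remote exit status, so test output.
    has_media=$(adb shell 'test -d /data/media && echo yes' | tr -d '\r')
    [ "$has_media" = yes ] || { fail "/data/media is missing"; return 1; }
    echo "OK: start Sideload in TWRP, then run: adb sideload $1"
}

# Run the checks only when a ZIP path is given on the command line.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Once TWRP is waiting for the sideload, `adb devices | device_state` should print `sideload` instead of `recovery`.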

With those items complete, I’m successfully updated and the phone is acting perfectly (all my data is still there too!). It’s not so bad to follow this recipe, but I’ll love it when TWRP makes this blog post obsolete. At that point, CM should really consider recommending TWRP as the default recovery for users. Encrypted data on a phone ought to be the default expectation at this point – nobody wants to lose their phone and also have their data compromised – plus, it’s not 2012 anymore.