## 9.9\. Data Storage Encryption

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen), they:

*   [C-1-1] MUST support data storage encryption of the application private
data (`/data partition`), as well as the application shared storage partition
(`/sdcard partition`) if it is a permanent, non-removable part of the device.

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen) and support data storage
encryption with Advanced Encryption Standard (AES) crypto performance
above 50 MiB/sec, they:

*   [C-2-1] MUST enable the data storage encryption by default at the time
the user has completed the out-of-box setup experience. If device
implementations are already launched on an earlier Android version with
encryption disabled by default, such a device cannot meet the requirement
through a system software update and thus MAY be exempted.

*   SHOULD meet the above data storage encryption
requirement via implementing [File Based Encryption](https://source.android.com/security/encryption/file-based.html) (FBE).

### 9.9.1\. Direct Boot

Device implementations:

*   [C-0-1] MUST implement the [Direct Boot mode](http://developer.android.com/preview/features/direct-boot.html) APIs even if
they do not support Storage Encryption.

*   [C-0-2] The [`ACTION_LOCKED_BOOT_COMPLETED`](https://developer.android.com/reference/android/content/Intent.html#ACTION_LOCKED_BOOT_COMPLETED)
and [`ACTION_USER_UNLOCKED`](https://developer.android.com/reference/android/content/Intent.html#ACTION_USER_UNLOCKED)
Intents MUST still be broadcast to signal Direct Boot aware applications that
Device Encrypted (DE) and Credential Encrypted (CE) storage locations are
available to the user.

### 9.9.2\. File Based Encryption

If device implementations support FBE, they:

*   [C-1-1] MUST boot up without challenging the user for credentials and
allow Direct Boot aware apps to access the Device Encrypted (DE) storage
after the `ACTION_LOCKED_BOOT_COMPLETED` message is broadcast.
*   [C-1-2] MUST only allow access to Credential Encrypted (CE) storage after
the user has unlocked the device by supplying their credentials
(e.g. passcode, PIN, pattern or fingerprint) and the `ACTION_USER_UNLOCKED`
message is broadcast.
*   [C-1-3] MUST NOT offer any method to unlock the CE protected storage
without the user-supplied credentials.
*   [C-1-4] MUST support Verified Boot and ensure that DE keys are
cryptographically bound to the device's hardware root of trust.
*   [C-1-5] MUST support encrypting file contents using AES with a key length
of 256 bits in XTS mode.
*   [C-1-6] MUST support encrypting file names using AES with a key length of
256 bits in CBC-CTS mode.

*   The keys protecting CE and DE storage areas:

    *   [C-1-7] MUST be cryptographically bound to a hardware-backed Keystore.
    *   [C-1-8] CE keys MUST be bound to a user's lock screen credentials.
    *   [C-1-9] CE keys MUST be bound to a default passcode when the user has
    not specified lock screen credentials.
    *   [C-1-10] MUST be unique and distinct, in other words no user's CE or DE
    key matches any other user's CE or DE keys.

*   SHOULD make preloaded essential apps (e.g. Alarm, Phone, Messenger)
Direct Boot aware.
*   MAY support alternative ciphers, key lengths and modes for file content
and file name encryption, but MUST use the mandatorily supported ciphers, key
lengths and modes by default.

The upstream Android Open Source Project provides a preferred implementation of
this feature based on the Linux kernel ext4 encryption feature.

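From an application's side, the DE/CE split required by 9.9.1 and by [C-1-1]/[C-1-2] above looks like the receiver below: only state that must exist before unlock is read from Device Encrypted storage at `ACTION_LOCKED_BOOT_COMPLETED`, and Credential Encrypted storage is touched only after `ACTION_USER_UNLOCKED`. This is an added example, not text or code from the CDD or AOSP; the class, preference file names and keys are hypothetical, and it assumes a manifest entry with `android:directBootAware="true"`, the `RECEIVE_BOOT_COMPLETED` permission and intent filters for both actions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;
import android.util.Log;

// Added example: a Direct Boot aware receiver (hypothetical class name).
public class BootStateReceiver extends BroadcastReceiver {
    private static final String TAG = "BootStateReceiver";
    // Hypothetical preference files chosen for this example.
    // DE_PREFS holds only non-sensitive data needed before unlock (e.g. an alarm time).
    static final String DE_PREFS = "alarm_schedule_de";
    // CE_PREFS holds user data that must stay unreadable until the user unlocks.
    static final String CE_PREFS = "user_settings_ce";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Before unlock only DE storage is available; the default context
            // (CE-backed) must not be used here.
            Context deContext = context.createDeviceProtectedStorageContext();
            SharedPreferences dePrefs =
                    deContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
            long nextAlarmMs = dePrefs.getLong("next_alarm_epoch_ms", -1L);
            Log.i(TAG, "Locked boot: scheduling from DE storage, next alarm="
                    + nextAlarmMs);
        } else if (Intent.ACTION_USER_UNLOCKED.equals(action)) {
            UserManager um = context.getSystemService(UserManager.class);
            if (um == null || !um.isUserUnlocked()) {
                return; // Defensive: CE storage is still locked, do nothing.
            }
            // The default context is CE-backed. If an earlier app version parked
            // CE_PREFS in DE storage, move it back behind the user's credentials
            // so it is no longer readable before unlock.
            Context deContext = context.createDeviceProtectedStorageContext();
            boolean moved = context.moveSharedPreferencesFrom(deContext, CE_PREFS);
            SharedPreferences cePrefs =
                    context.getSharedPreferences(CE_PREFS, Context.MODE_PRIVATE);
            cePrefs.edit().putBoolean("migrated_from_de", moved).apply();
            Log.i(TAG, "User unlocked: CE storage available, migrated=" + moved);
        }
    }
}
```

A quick check on a device that meets [C-1-2]: opening `CE_PREFS` from the default context inside the `ACTION_LOCKED_BOOT_COMPLETED` branch fails, because the CE key is not yet released.
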
### 9.9.3\. Full Disk Encryption

If device implementations support [full disk encryption](http://source.android.com/devices/tech/security/encryption/index.html)
(FDE), they:

*   [C-1-1] MUST use AES with a key of 128 bits (or greater) and a mode
designed for storage (for example, AES-XTS, AES-CBC-ESSIV).
*   [C-1-2] MUST use a default passcode to wrap the encryption key and
MUST NOT write the encryption key to storage at any time
without being encrypted.
*   [C-1-3] MUST provide the user the possibility to AES encrypt the
encryption key, except when it is in active use, with the lock screen
credentials stretched using a slow stretching algorithm
(e.g. PBKDF2 or scrypt).
*   [C-1-4] The above default password stretching algorithm MUST be
cryptographically bound to the hardware-backed keystore when the user has not
specified lock screen credentials or has disabled use of the passcode for
encryption and the device provides a hardware-backed keystore.
*   [C-1-5] MUST NOT send the encryption key off the device
(even when wrapped with the user passcode and/or hardware bound key).

The upstream Android Open Source Project provides a preferred implementation
of this feature, based on the Linux kernel feature dm-crypt.