Full-disk encryption was partially introduced in Android v4.4, and fully introduced in Android v5.0. With full-disk encryption, all the user data on an Android device is encrypted using a single encryption key. Once a device is encrypted, all user-created data is automatically encrypted before being written to disk, and all reads are automatically decrypted before the data is processed.
Full-disk encryption uses a single encryption key to protect the data. The disk encryption key is protected with the user's device password. The encryption key must never be written to storage in unencrypted form. In Android devices, full-disk encryption is based on the Linux kernel feature dm-crypt, which runs at the block device layer; therefore, encryption works with any eMMC or UFS storage that presents itself to the kernel as a block device.
Upon boot, the user must provide their credentials before any part of the disk is accessible. While this is great for security, it also means most of the core functionality of the phone is unavailable until the user provides their credentials. Because access to user data is protected behind the user credentials, features like alarms, accessibility services and phone service are unavailable. Full-disk encryption uses Advanced Encryption Standard-Cipher Block Chaining (AES-CBC) for encrypting the master key and AES-CBC-ESSIV (Encrypted Salt-Sector Initialization Vector) for encrypting the data.
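The two-layer key hierarchy described above (a master key wrapped under a password-derived key with AES-CBC, and sector data encrypted with AES-CBC-ESSIV) can be followed end to end in the added Go example below. It is illustration code written for this page, not Android's or dm-crypt's implementation: the KDF (PBKDF2-HMAC-SHA256 with 4096 iterations), the 256-bit key sizes, the 512-byte sector, and the sample master key, salt and passwords are all assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed sample secrets: a real device draws the master key and salt from a CSPRNG.
var (
	sampleMaster = bytes.Repeat([]byte{0xA5}, 32)
	sampleSalt   = []byte("constructed-salt")
)

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) over HMAC-SHA256. The KDF, iteration count
// and key sizes used here are assumptions for this example, not Android's actual parameters.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKEK turns the device password into the key-encryption key and IV that wrap the master
// key; the master key itself only ever reaches storage in wrapped form.
func DeriveKEK(password string, salt []byte) (kek, iv []byte) {
	out := pbkdf2SHA256([]byte(password), salt, 4096, 48)
	return out[:32], out[32:]
}

// cbcCrypt runs AES-CBC over whole blocks, which is all key wrapping and sector encryption need.
func cbcCrypt(key, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, in)
	}
	return out
}

// WrapMasterKey and UnwrapMasterKey are the AES-CBC layer around the master key.
func WrapMasterKey(master, kek, iv []byte) []byte    { return cbcCrypt(kek, iv, master, true) }
func UnwrapMasterKey(wrapped, kek, iv []byte) []byte { return cbcCrypt(kek, iv, wrapped, false) }

// essivIV implements ESSIV: the sector number is encrypted under SHA-256(data key), giving every
// sector a distinct IV that cannot be predicted without the key.
func essivIV(dataKey []byte, sector uint64) []byte {
	h := sha256.Sum256(dataKey)
	var plainIV [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(plainIV[:8], sector)
	iv := make([]byte, aes.BlockSize)
	mustAES(h[:]).Encrypt(iv, plainIV[:])
	return iv
}

// EncryptSector and DecryptSector apply AES-CBC-ESSIV to one sector, as dm-crypt does per I/O.
func EncryptSector(key []byte, sector uint64, p []byte) []byte { return cbcCrypt(key, essivIV(key, sector), p, true) }
func DecryptSector(key []byte, sector uint64, c []byte) []byte { return cbcCrypt(key, essivIV(key, sector), c, false) }

func main() {
	kek, iv := DeriveKEK("correct horse", sampleSalt)
	wrapped := WrapMasterKey(sampleMaster, kek, iv) // the only form of the master key that reaches storage
	plain := make([]byte, 512)                      // constructed plaintext sector
	copy(plain, "user data")
	ct0, ct1 := EncryptSector(sampleMaster, 0, plain), EncryptSector(sampleMaster, 1, plain)
	wrongKek, wrongIV := DeriveKEK("wrong password", sampleSalt)
	fmt.Println("same plaintext in two sectors, same ciphertext:", bytes.Equal(ct0, ct1))
	fmt.Println("wrong password recovers master key:", bytes.Equal(UnwrapMasterKey(wrapped, wrongKek, wrongIV), sampleMaster))
	fmt.Println("round trip with the right key:", bytes.Equal(DecryptSector(sampleMaster, 0, ct0), plain))
}
```

Two properties worth noticing when running it: the wrapped blob is the only key material that ever touches the (simulated) disk, so a wrong password yields a different, useless key rather than an error, and the ESSIV step makes identical plaintext in different sectors encrypt to different ciphertext, which is what stops an attacker from spotting repeated content across the disk image.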
Android 7.0 and above supports another cryptographic method called file-based encryption, which encrypts different files with different keys that can be unlocked independently. Devices that support file-based encryption can also support a new feature called direct boot, allowing encrypted devices to boot straight to the lock screen without asking for user credentials, thus enabling quick access to core device functionality such as accessibility services and alarms.
In a device using file-based encryption, each user has two available storage locations:
- Credential encrypted (CE) storage: the default storage location, available only after the user has unlocked the device using their credentials
- Device encrypted (DE) storage: the storage location available during Direct Boot mode and also after the user has unlocked the device; the DE keys are cryptographically bound to the device's hardware root of trust
Direct boot-aware applications can access DE storage but can only access CE storage after the user has unlocked the device by providing their credentials. With file-based encryption, applications like alarms and phone services can still operate within a limited context even before the user provides the device password. In file-based encryption mode, the file contents are encrypted using AES-XTS, while file names are encrypted using the AES-CBC-CTS (ciphertext stealing) mode.
For Android, the keys protecting CE and DE storage locations must be unique and distinct, and cryptographically bound to a hardware-backed keystore in the trusted execution environment.
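The CE/DE split and Direct Boot behaviour described in this section can be modelled in code. The Go example below is added for this page and is not Android's or the kernel's file-based encryption implementation: the hardware root-of-trust key is a constructed constant standing in for the TEE keystore, the CE and DE class keys are constructed values, and wrapping them with AES-GCM under a kek derived as HMAC(hardware root, credential) is an assumption chosen to make a wrong credential fail loudly. File contents are encrypted with a hand-written AES-XTS (IEEE 1619 tweak arithmetic, no ciphertext stealing for partial blocks); the AES-CBC-CTS file-name encryption the text mentions is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed stand-ins for secrets a real device never exposes: the TEE-held hardware root key
// and the raw per-user class keys (64 bytes each: the two AES-256 keys XTS needs).
var (
	hwRootKey  = []byte("constructed-hardware-root-key-32")
	ceClassKey = bytes.Repeat([]byte{0x11}, 64)
	deClassKey = bytes.Repeat([]byte{0x22}, 64)
)

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// gcmFor returns the AES-GCM wrapper for a kek (NewGCM cannot fail for an AES block).
func gcmFor(kek []byte) cipher.AEAD {
	g, _ := cipher.NewGCM(mustAES(kek))
	return g
}

// Wrap/Unwrap seal a class key under a kek. Each class key is sealed exactly once under its own
// kek, so the fixed nonce is safe, and a wrong kek fails authentication instead of yielding garbage.
func Wrap(kek, classKey []byte) []byte        { return gcmFor(kek).Seal(nil, make([]byte, 12), classKey, nil) }
func Unwrap(kek, blob []byte) ([]byte, error) { return gcmFor(kek).Open(nil, make([]byte, 12), blob, nil) }

// credentialKEK binds the CE key to the hardware root and to the user's credential at once.
func credentialKEK(credential string) []byte {
	m := hmac.New(sha256.New, hwRootKey)
	m.Write([]byte(credential))
	return m.Sum(nil)
}

// Device is what persists on flash: wrapped class keys only. DirectBoot needs just the hardware
// root, so DE storage works before unlock; Unlock yields the CE key only for the right credential.
type Device struct{ wrappedDE, wrappedCE []byte }

func Provision(credential string) *Device {
	return &Device{Wrap(hwRootKey, deClassKey), Wrap(credentialKEK(credential), ceClassKey)}
}
func (d *Device) DirectBoot() ([]byte, error) { return Unwrap(hwRootKey, d.wrappedDE) }
func (d *Device) Unlock(credential string) ([]byte, error) {
	return Unwrap(credentialKEK(credential), d.wrappedCE)
}

// mulAlpha multiplies the XTS tweak by alpha in GF(2^128), little-endian as in IEEE 1619.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// XTS encrypts or decrypts whole 16-byte blocks of one data unit (e.g. one file block): the tweak
// is E_K2(unit number), advanced by alpha per block. Ciphertext stealing for a partial tail is omitted.
func XTS(classKey []byte, unit uint64, in []byte, encrypt bool) []byte {
	k1, k2 := mustAES(classKey[:32]), mustAES(classKey[32:])
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], unit)
	k2.Encrypt(t[:], t[:])
	out := make([]byte, len(in))
	for off := 0; off+16 <= len(in); off += 16 {
		blk := out[off : off+16]
		for j := range blk {
			blk[j] = in[off+j] ^ t[j]
		}
		if encrypt {
			k1.Encrypt(blk, blk)
		} else {
			k1.Decrypt(blk, blk)
		}
		for j := range blk {
			blk[j] ^= t[j]
		}
		mulAlpha(&t)
	}
	return out
}

func main() {
	dev := Provision("1234") // constructed credential
	de, _ := dev.DirectBoot()
	fmt.Printf("DE file before unlock: %q\n", XTS(de, 1, XTS(de, 1, []byte("07:00 alarm ring"), true), false))
	_, err := dev.Unlock("0000")
	fmt.Println("CE key with wrong credential:", err)
	ce, _ := dev.Unlock("1234")
	fmt.Printf("CE file after unlock: %q\n", XTS(ce, 2, XTS(ce, 2, []byte("private photo..."), true), false))
}
```

The design point the example makes concrete is the one the text states: the DE key is recoverable from the hardware root alone, so an alarm file written under it is readable in Direct Boot, whereas the CE key is wrapped under a kek that mixes in the credential, so neither the hardware root nor the credential alone unwraps it. On real hardware the wrap and unwrap happen inside the keystore in the TEE and the raw class keys never leave it.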