1 <html devsite> 2 <head> 3 <title>Full-Disk Encryption</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>Full-disk encryption is the process of encoding all user data on an Android device using an 27 encrypted key. Once a device is encrypted, all user-created data is 28 automatically encrypted before committing it to disk and all reads 29 automatically decrypt data before returning it to the calling process.</p> 30 31 <p> 32 Full-disk encryption was introduced to Android in 4.4, but Android 5.0 introduced 33 these new features:</p> 34 <ul> 35 <li>Created fast encryption, which only encrypts used blocks on the data partition 36 to avoid first boot taking a long time. Only ext4 and f2fs filesystems 37 currently support fast encryption. 38 <li>Added the <a href="/devices/storage/config.html"><code>forceencrypt</code> 39 fstab flag</a> to encrypt on first boot. 40 <li>Added support for patterns and encryption without a password. 41 <li>Added hardware-backed storage of the encryption key using Trusted 42 Execution Environments (TEE) signing capability (such as in a TrustZone). 43 See <a href="#storing_the_encrypted_key">Storing the encrypted key</a> for more 44 details. 45 </ul> 46 47 <p class="caution"><strong>Caution:</strong> Devices upgraded to Android 5.0 and then 48 encrypted may be returned to an unencrypted state by factory data reset. New Android 5.0 49 devices encrypted at first boot cannot be returned to an unencrypted state.</p> 50 51 <h2 id=how_android_encryption_works>How Android full-disk encryption works</h2> 52 53 <p>Android full-disk encryption is based on <code>dm-crypt</code>, which is a kernel 54 feature that works at the block device layer. Because of 55 this, encryption works with Embedded MultiMediaCard<strong> (</strong>eMMC) and 56 similar flash devices that present themselves to the kernel as block 57 devices. Encryption is not possible with YAFFS, which talks directly to a raw 58 NAND flash chip. </p> 59 60 <p>The encryption algorithm is 128 Advanced Encryption Standard (AES) with 61 cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 62 128-bit AES via calls to the OpenSSL library. You must use 128 bits or more for 63 the key (with 256 being optional). </p> 64 65 <p class="note"><strong>Note:</strong> OEMs can use 128-bit or higher to encrypt the master key.</p> 66 67 <p>In the Android 5.0 release, there are four kinds of encryption states: </p> 68 69 <ul> 70 <li>default 71 <li>PIN 72 <li>password 73 <li>pattern 74 </ul> 75 76 <p>Upon first boot, the device creates a randomly generated 128-bit master key 77 and then hashes it with a default password and stored salt. The default password is: "default_password" 78 However, the resultant hash is also signed through a TEE (such as TrustZone), 79 which uses a hash of the signature to encrypt the master key.</p> 80 81 <p>You can find the default password defined in the Android Open Source Project <a 82 href="https://android.googlesource.com/platform/system/vold/+/master/cryptfs.c">cryptfs.c</a> 83 file.</p> 84 85 <p>When the user sets the PIN/pass or password on the device, only the 128-bit key 86 is re-encrypted and stored. (ie. user PIN/pass/pattern changes do NOT cause 87 re-encryption of userdata.) Note that 88 <a href="http://developer.android.com/guide/topics/admin/device-admin.html">managed device</a> 89 may be subject to PIN, pattern, or password restrictions.</p> 90 91 <p>Encryption is managed by <code>init</code> and <code>vold</code>. 92 <code>init</code> calls <code>vold</code>, and vold sets properties to trigger 93 events in init. Other parts of the system 94 also look at the properties to conduct tasks such as report status, ask for a 95 password, or prompt to factory reset in the case of a fatal error. To invoke 96 encryption features in <code>vold</code>, the system uses the command line tool 97 <code>vdc</code>s <code>cryptfs</code> commands: <code>checkpw</code>, 98 <code>restart</code>, <code>enablecrypto</code>, <code>changepw</code>, 99 <code>cryptocomplete</code>, <code>verifypw</code>, <code>setfield</code>, 100 <code>getfield</code>, <code>mountdefaultencrypted</code>, <code>getpwtype</code>, 101 <code>getpw</code>, and <code>clearpw</code>.</p> 102 103 <p>In order to encrypt, decrypt or wipe <code>/data</code>, <code>/data</code> 104 must not be mounted. However, in order to show any user interface (UI), the 105 framework must start and the framework requires <code>/data</code> to run. To 106 resolve this conundrum, a temporary filesystem is mounted on <code>/data</code>. 107 This allows Android to prompt for passwords, show progress, or suggest a data 108 wipe as needed. It does impose the limitation that in order to switch from the 109 temporary filesystem to the true <code>/data</code> filesystem, the system must 110 stop every process with open files on the temporary filesystem and restart those 111 processes on the real <code>/data</code> filesystem. To do this, all services 112 must be in one of three groups: <code>core</code>, <code>main</code>, and 113 <code>late_start</code>.</p> 114 115 <ul> 116 <li><code>core</code>: Never shut down after starting. 117 <li><code>main</code>: Shut down and then restart after the disk password is entered. 118 <li><code>late_start</code>: Does not start until after <code>/data</code> has been decrypted and mounted. 119 </ul> 120 121 <p>To trigger these actions, the <code>vold.decrypt</code> property is set to 122 <a href="https://android.googlesource.com/platform/system/vold/+/master/cryptfs.c">various strings</a>. 123 To kill and restart services, the <code>init</code> commands are:</p> 124 125 <ul> 126 <li><code>class_reset</code>: Stops a service but allows it to be restarted with class_start. 127 <li><code>class_start</code>: Restarts a service. 128 <li><code>class_stop</code>: Stops a service and adds a <code>SVC_DISABLED</code> flag. 129 Stopped services do not respond to <code>class_start</code>. 130 </ul> 131 132 <h2 id=flows>Flows</h2> 133 134 <p>There are four flows for an encrypted device. A device is encrypted just once 135 and then follows a normal boot flow. </p> 136 137 <ul> 138 <li>Encrypt a previously unencrypted device: 139 <ul> 140 <li>Encrypt a new device with <code>forceencrypt</code>: Mandatory encryption 141 at first boot (starting in Android L). 142 <li>Encrypt an existing device: User-initiated encryption (Android K and earlier). 143 </ul> 144 <li>Boot an encrypted device: 145 <ul> 146 <li>Starting an encrypted device with no password: Booting an encrypted device that 147 has no set password (relevant for devices running Android 5.0 and later). 148 <li>Starting an encrypted device with a password: Booting an encrypted device that 149 has a set password. 150 </ul> 151 </ul> 152 153 <p>In addition to these flows, the device can also fail to encrypt <code>/data</code>. 154 Each of the flows are explained in detail below.</p> 155 156 157 <h3 id=encrypt_a_new_device_with_forceencrypt>Encrypt a new device with forceencrypt</h3> 158 159 <p>This is the normal first boot for an Android 5.0 device.</p> 160 161 <ol> 162 <li><strong>Detect unencrypted filesystem with <code>forceencrypt</code> flag</strong> 163 164 <p> 165 <code>/data</code> is not encrypted but needs to be because <code>forceencrypt</code> mandates it. 166 Unmount <code>/data</code>.</p> 167 168 <li><strong>Start encrypting <code>/data</code></strong> 169 170 <p><code>vold.decrypt = "trigger_encryption"</code> triggers <code>init.rc</code>, 171 which will cause <code>vold</code> to encrypt <code>/data</code> with no password. 172 (None is set because this should be a new device.)</p> 173 174 175 <li><strong>Mount tmpfs</strong> 176 177 178 <p><code>vold</code> mounts a tmpfs <code>/data</code> (using the tmpfs options from 179 <code>ro.crypto.tmpfs_options</code>) and sets the property <code>vold.encrypt_progress</code> to 0. 180 <code>vold</code> prepepares the tmpfs <code>/data</code> for booting an encrypted system and sets the 181 property <code>vold.decrypt</code> to: <code>trigger_restart_min_framework</code> 182 </p> 183 184 <li><strong>Bring up framework to show progress</strong> 185 186 187 <p>Because the device has virtually no data to encrypt, the progress bar will 188 often not actually appear because encryption happens so quickly. See 189 <a href="#encrypt_an_existing_device">Encrypt an existing device</a> for more 190 details about the progress UI.</p> 191 192 <li><strong>When <code>/data</code> is encrypted, take down the framework</strong> 193 194 <p><code>vold</code> sets <code>vold.decrypt</code> to 195 <code>trigger_default_encryption</code> which starts the 196 <code>defaultcrypto</code> service. (This starts the flow below for mounting a 197 default encrypted userdata.) <code>trigger_default_encryption</code> checks the 198 encryption type to see if <code>/data</code> is encrypted with or without a 199 password. Because Android 5.0 devices are encrypted on first boot, there should 200 be no password set; therefore we decrypt and mount <code>/data</code>.</p> 201 202 <li><strong>Mount <code>/data</code></strong> 203 204 <p><code>init</code> then mounts <code>/data</code> on a tmpfs RAMDisk using 205 parameters it picks up from <code>ro.crypto.tmpfs_options</code>, which is set 206 in <code>init.rc</code>.</p> 207 208 <li><strong>Start framework</strong> 209 210 <p>Set <code>vold</code> to <code>trigger_restart_framework</code>, which 211 continues the usual boot process.</p> 212 </ol> 213 214 <h3 id=encrypt_an_existing_device>Encrypt an existing device</h3> 215 216 <p>This is what happens when you encrypt an unencrypted Android K or earlier 217 device that has been migrated to L.</p> 218 219 <p>This process is user-initiated and is referred to as inplace encryption in 220 the code. When a user selects to encrypt a device, the UI makes sure the 221 battery is fully charged and the AC adapter is plugged in so there is enough 222 power to finish the encryption process.</p> 223 224 <p class="warning"><strong>Warning:</strong> If the device runs out of power and shuts down before it has finished 225 encrypting, file data is left in a partially encrypted state. The device must 226 be factory reset and all data is lost.</p> 227 228 <p>To enable inplace encryption, <code>vold</code> starts a loop to read each 229 sector of the real block device and then write it 230 to the crypto block device. <code>vold</code> checks to see if a sector is in 231 use before reading and writing it, which makes 232 encryption much faster on a new device that has little to no data. </p> 233 234 <p><strong>State of device</strong>: Set <code>ro.crypto.state = "unencrypted"</code> 235 and execute the <code>on nonencrypted</code> <code>init</code> trigger to continue booting.</p> 236 237 <ol> 238 <li><strong>Check password</strong> 239 240 <p>The UI calls <code>vold</code> with the command <code>cryptfs enablecrypto inplace</code> 241 where <code>passwd</code> is the user's lock screen password.</p> 242 243 <li><strong>Take down the framework</strong> 244 245 <p><code>vold</code> checks for errors, returns -1 if it can't encrypt, and 246 prints a reason in the log. If it can encrypt, it sets the property <code>vold.decrypt</code> 247 to <code>trigger_shutdown_framework</code>. This causes <code>init.rc</code> to 248 stop services in the classes <code>late_start</code> and <code>main</code>. </p> 249 250 <li><strong>Create a crypto footer</strong></li> 251 <li><strong>Create a breadcrumb file</strong></li> 252 <li><strong>Reboot</strong></li> 253 <li><strong>Detect breadcrumb file</strong></li> 254 <li><strong>Start encrypting <code>/data</code></strong> 255 256 <p><code>vold</code> then sets up the crypto mapping, which creates a virtual crypto block device 257 that maps onto the real block device but encrypts each sector as it is written, 258 and decrypts each sector as it is read. <code>vold</code> then creates and writes 259 out the crypto metadata.</p> 260 261 <li><strong>While its encrypting, mount tmpfs</strong> 262 263 <p><code>vold</code> mounts a tmpfs <code>/data</code> (using the tmpfs options 264 from <code>ro.crypto.tmpfs_options</code>) and sets the property 265 <code>vold.encrypt_progress</code> to 0. <code>vold</code> prepares the tmpfs 266 <code>/data</code> for booting an encrypted system and sets the property 267 <code>vold.decrypt</code> to: <code>trigger_restart_min_framework</code> </p> 268 269 <li><strong>Bring up framework to show progress</strong> 270 271 <p><code>trigger_restart_min_framework </code>causes <code>init.rc</code> to 272 start the <code>main</code> class of services. When the framework sees that 273 <code>vold.encrypt_progress</code> is set to 0, it brings up the progress bar 274 UI, which queries that property every five seconds and updates a progress bar. 275 The encryption loop updates <code>vold.encrypt_progress</code> every time it 276 encrypts another percent of the partition.</p> 277 278 <li><strong>When<code> /data</code> is encrypted, update the crypto footer</strong> 279 280 <p>When <code>/data</code> is successfully encrypted, <code>vold</code> clears 281 the flag <code>ENCRYPTION_IN_PROGRESS</code> in the metadata.</p> 282 283 <p>When the device is successfully unlocked, the password is then used to 284 encrypt the master key and the crypto footer is updated.</p> 285 286 <p> If the reboot fails for some reason, <code>vold</code> sets the property 287 <code>vold.encrypt_progress</code> to <code>error_reboot_failed</code> and 288 the UI should display a message asking the user to press a button to 289 reboot. This is not expected to ever occur.</p> 290 </ol> 291 292 <h3 id=starting_an_encrypted_device_with_default_encryption> 293 Starting an encrypted device with default encryption</h3> 294 295 <p>This is what happens when you boot up an encrypted device with no password. 296 Because Android 5.0 devices are encrypted on first boot, there should be no set 297 password and therefore this is the <em>default encryption</em> state.</p> 298 299 <ol> 300 <li><strong>Detect encrypted <code>/data</code> with no password</strong> 301 302 <p>Detect that the Android device is encrypted because <code>/data</code> 303 cannot be mounted and one of the flags <code>encryptable</code> or 304 <code>forceencrypt</code> is set.</p> 305 306 <p><code>vold</code> sets <code>vold.decrypt</code> to 307 <code>trigger_default_encryption</code>, which starts the 308 <code>defaultcrypto</code> service. <code>trigger_default_encryption</code> 309 checks the encryption type to see if <code>/data</code> is encrypted with or 310 without a password. </p> 311 312 <li><strong>Decrypt /data</strong> 313 314 <p>Creates the <code>dm-crypt</code> device over the block device so the device 315 is ready for use.</p> 316 317 <li><strong>Mount /data</strong> 318 319 <p><code>vold</code> then mounts the decrypted real <code>/data</code> partition 320 and then prepares the new partition. It sets the property 321 <code>vold.post_fs_data_done</code> to 0 and then sets <code>vold.decrypt</code> 322 to <code>trigger_post_fs_data</code>. This causes <code>init.rc</code> to run 323 its <code>post-fs-data</code> commands. They will create any necessary directories 324 or links and then set <code>vold.post_fs_data_done</code> to 1.</p> 325 326 <p>Once <code>vold</code> sees the 1 in that property, it sets the property 327 <code>vold.decrypt</code> to: <code>trigger_restart_framework.</code> This 328 causes <code>init.rc</code> to start services in class <code>main</code> 329 again and also start services in class <code>late_start</code> for the first 330 time since boot.</p> 331 332 <li><strong>Start framework</strong> 333 334 <p>Now the framework boots all its services using the decrypted <code>/data</code>, 335 and the system is ready for use.</p> 336 </ol> 337 338 <h3 id=starting_an_encrypted_device_without_default_encryption> 339 Starting an encrypted device without default encryption</h3> 340 341 <p>This is what happens when you boot up an encrypted device that has a set 342 password. The devices password can be a pin, pattern, or password. </p> 343 344 <ol> 345 <li><strong>Detect encrypted device with a password</strong> 346 347 <p>Detect that the Android device is encrypted because the flag 348 <code>ro.crypto.state = "encrypted"</code></p> 349 350 <p><code>vold</code> sets <code>vold.decrypt</code> to 351 <code>trigger_restart_min_framework</code> because <code>/data</code> is 352 encrypted with a password.</p> 353 354 <li><strong>Mount tmpfs</strong> 355 356 <p><code>init</code> sets five properties to save the initial mount options 357 given for <code>/data</code> with parameters passed from <code>init.rc</code>. 358 <code>vold</code> uses these properties to set up the crypto mapping:</p> 359 360 <ol> 361 <li><code>ro.crypto.fs_type</code> 362 <li><code>ro.crypto.fs_real_blkdev</code> 363 <li><code>ro.crypto.fs_mnt_point</code> 364 <li><code>ro.crypto.fs_options</code> 365 <li><code>ro.crypto.fs_flags </code>(ASCII 8-digit hex number preceded by 0x) 366 </ol> 367 368 <li><strong>Start framework to prompt for password</strong> 369 370 <p>The framework starts up and sees that <code>vold.decrypt</code> is set to 371 <code>trigger_restart_min_framework</code>. This tells the framework that it is 372 booting on a tmpfs <code>/data</code> disk and it needs to get the user password.</p> 373 374 <p>First, however, it needs to make sure that the disk was properly encrypted. It 375 sends the command <code>cryptfs cryptocomplete</code> to <code>vold</code>. 376 <code>vold</code> returns 0 if encryption was completed successfully, -1 on internal error, or 377 -2 if encryption was not completed successfully. <code>vold</code> determines 378 this by looking in the crypto metadata for the <code>CRYPTO_ENCRYPTION_IN_PROGRESS</code> 379 flag. If it's set, the encryption process was interrupted, and there is no 380 usable data on the device. If <code>vold</code> returns an error, the UI should 381 display a message to the user to reboot and factory reset the device, and give 382 the user a button to press to do so.</p> 383 384 <li><strong>Decrypt data with password</strong> 385 386 <p>Once <code>cryptfs cryptocomplete</code> is successful, the framework 387 displays a UI asking for the disk password. The UI checks the password by 388 sending the command <code>cryptfs checkpw</code> to <code>vold</code>. If the 389 password is correct (which is determined by successfully mounting the 390 decrypted <code>/data</code> at a temporary location, then unmounting it), 391 <code>vold</code> saves the name of the decrypted block device in the property 392 <code>ro.crypto.fs_crypto_blkdev</code> and returns status 0 to the UI. If the 393 password is incorrect, it returns -1 to the UI.</p> 394 395 <li><strong>Stop framework</strong> 396 397 <p>The UI puts up a crypto boot graphic and then calls <code>vold</code> with 398 the command <code>cryptfs restart</code>. <code>vold</code> sets the property 399 <code>vold.decrypt</code> to <code>trigger_reset_main</code>, which causes 400 <code>init.rc</code> to do <code>class_reset main</code>. This stops all services 401 in the main class, which allows the tmpfs <code>/data</code> to be unmounted. </p> 402 403 <li><strong>Mount <code>/data</code></strong> 404 405 <p><code>vold</code> then mounts the decrypted real <code>/data</code> partition 406 and prepares the new partition (which may never have been prepared if 407 it was encrypted with the wipe option, which is not supported on first 408 release). It sets the property <code>vold.post_fs_data_done</code> to 0 and then 409 sets <code>vold.decrypt</code> to <code>trigger_post_fs_data</code>. This causes 410 <code>init.rc</code> to run its <code>post-fs-data</code> commands. They will 411 create any necessary directories or links and then set 412 <code>vold.post_fs_data_done</code> to 1. Once <code>vold</code> sees the 1 in 413 that property, it sets the property <code>vold.decrypt</code> to 414 <code>trigger_restart_framework</code>. This causes <code>init.rc</code> to start 415 services in class <code>main</code> again and also start services in class 416 <code>late_start</code> for the first time since boot.</p> 417 418 <li><strong>Start full framework</strong> 419 420 <p>Now the framework boots all its services using the decrypted <code>/data</code> 421 filesystem, and the system is ready for use.</p> 422 </ol> 423 424 <h3 id=failure>Failure</h3> 425 426 <p>A device that fails to decrypt might be awry for a few reasons. The device 427 starts with the normal series of steps to boot:</p> 428 429 <ol> 430 <li>Detect encrypted device with a password 431 <li>Mount tmpfs 432 <li>Start framework to prompt for password 433 </ol> 434 435 <p>But after the framework opens, the device can encounter some errors:</p> 436 437 <ul> 438 <li>Password matches but cannot decrypt data 439 <li>User enters wrong password 30 times 440 </ul> 441 442 <p>If these errors are not resolved, <strong>prompt user to factory wipe</strong>:</p> 443 444 <p>If <code>vold</code> detects an error during the encryption process, and if 445 no data has been destroyed yet and the framework is up, <code>vold</code> sets 446 the property <code>vold.encrypt_progress </code>to <code>error_not_encrypted</code>. 447 The UI prompts the user to reboot and alerts them the encryption process 448 never started. If the error occurs after the framework has been torn down, but 449 before the progress bar UI is up, <code>vold</code> will reboot the system. If 450 the reboot fails, it sets <code>vold.encrypt_progress</code> to 451 <code>error_shutting_down</code> and returns -1; but there will not be anything 452 to catch the error. This is not expected to happen.</p> 453 454 <p>If <code>vold</code> detects an error during the encryption process, it sets 455 <code>vold.encrypt_progress</code> to <code>error_partially_encrypted</code> 456 and returns -1. The UI should then display a message saying the encryption 457 failed and provide a button for the user to factory reset the device. </p> 458 459 <h2 id=storing_the_encrypted_key>Storing the encrypted key</h2> 460 461 <p>The encrypted key is stored in the crypto metadata. Hardware backing is 462 implemented by using Trusted Execution Environments (TEE) signing capability. 463 Previously, we encrypted the master key with a key generated by applying scrypt 464 to the user's password and the stored salt. In order to make the key resilient 465 against off-box attacks, we extend this algorithm by signing the resultant key 466 with a stored TEE key. The resultant signature is then turned into an appropriate 467 length key by one more application of scrypt. This key is then used to encrypt 468 and decrypt the master key. To store this key:</p> 469 470 <ol> 471 <li>Generate random 16-byte disk encryption key (DEK) and 16-byte salt. 472 <li>Apply scrypt to the user password and the salt to produce 32-byte intermediate 473 key 1 (IK1). 474 <li>Pad IK1 with zero bytes to the size of the hardware-bound private key (HBK). 475 Specifically, we pad as: 00 || IK1 || 00..00; one zero byte, 32 IK1 bytes, 223 476 zero bytes. 477 <li>Sign padded IK1 with HBK to produce 256-byte IK2. 478 <li>Apply scrypt to IK2 and salt (same salt as step 2) to produce 32-byte IK3. 479 <li>Use the first 16 bytes of IK3 as KEK and the last 16 bytes as IV. 480 <li>Encrypt DEK with AES_CBC, with key KEK, and initialization vector IV. 481 </ol> 482 483 <h2 id=changing_the_password>Changing the password</h2> 484 485 <p>When a user elects to change or remove their password in settings, the UI sends 486 the command <code>cryptfs changepw</code> to <code>vold</code>, and 487 <code>vold</code> re-encrypts the disk master key with the new password.</p> 488 489 <h2 id=encryption_properties>Encryption properties</h2> 490 491 <p><code>vold</code> and <code>init</code> communicate with each other by 492 setting properties. Here is a list of available properties for encryption.</p> 493 494 <h3 id=vold_properties>Vold properties</h3> 495 496 <table> 497 <tr> 498 <th>Property</th> 499 <th>Description</th> 500 </tr> 501 <tr> 502 <td><code>vold.decrypt trigger_encryption</code></td> 503 <td>Encrypt the drive with no 504 password.</td> 505 </tr> 506 <tr> 507 <td><code>vold.decrypt trigger_default_encryption</code></td> 508 <td>Check the drive to see if it is encrypted with no password. 509 If it is, decrypt and mount it, 510 else set <code>vold.decrypt</code> to trigger_restart_min_framework.</td> 511 </tr> 512 <tr> 513 <td><code>vold.decrypt trigger_reset_main</code></td> 514 <td>Set by vold to shutdown the UI asking for the disk password.</td> 515 </tr> 516 <tr> 517 <td><code>vold.decrypt trigger_post_fs_data</code></td> 518 <td> Set by vold to prep /data with necessary directories, et al.</td> 519 </tr> 520 <tr> 521 <td><code>vold.decrypt trigger_restart_framework</code></td> 522 <td>Set by vold to start the real framework and all services.</td> 523 </tr> 524 <tr> 525 <td><code>vold.decrypt trigger_shutdown_framework</code></td> 526 <td>Set by vold to shutdown the full framework to start encryption.</td> 527 </tr> 528 <tr> 529 <td><code>vold.decrypt trigger_restart_min_framework</code></td> 530 <td>Set by vold to start the 531 progress bar UI for encryption or 532 prompt for password, depending on 533 the value of <code>ro.crypto.state</code>.</td> 534 </tr> 535 <tr> 536 <td><code>vold.encrypt_progress</code></td> 537 <td>When the framework starts up, 538 if this property is set, enter 539 the progress bar UI mode.</td> 540 </tr> 541 <tr> 542 <td><code>vold.encrypt_progress 0 to 100</code></td> 543 <td>The progress bar UI should 544 display the percentage value set.</td> 545 </tr> 546 <tr> 547 <td><code>vold.encrypt_progress error_partially_encrypted</code></td> 548 <td>The progress bar UI should display a message that the encryption failed, and 549 give the user an option to 550 factory reset the device.</td> 551 </tr> 552 <tr> 553 <td><code>vold.encrypt_progress error_reboot_failed</code></td> 554 <td>The progress bar UI should display a message saying encryption 555 completed, and give the user a button to reboot the device. This error 556 is not expected to happen.</td> 557 </tr> 558 <tr> 559 <td><code>vold.encrypt_progress error_not_encrypted</code></td> 560 <td>The progress bar UI should 561 display a message saying an error 562 occurred, no data was encrypted or 563 lost, and give the user a button to reboot the system.</td> 564 </tr> 565 <tr> 566 <td><code>vold.encrypt_progress error_shutting_down</code></td> 567 <td>The progress bar UI is not running, so it is unclear who will respond 568 to this error. And it should never happen anyway.</td> 569 </tr> 570 <tr> 571 <td><code>vold.post_fs_data_done 0</code></td> 572 <td>Set by <code>vold</code> just before setting <code>vold.decrypt</code> 573 to <code>trigger_post_fs_data</code>.</td> 574 </tr> 575 <tr> 576 <td><code>vold.post_fs_data_done 1</code></td> 577 <td>Set by <code>init.rc</code> or 578 <code>init.rc</code> just after finishing the task <code>post-fs-data</code>.</td> 579 </tr> 580 </table> 581 <h3 id=init_properties>init properties</h3> 582 583 <table> 584 <tr> 585 <th>Property</th> 586 <th>Description</th> 587 </tr> 588 <tr> 589 <td><code>ro.crypto.fs_crypto_blkdev</code></td> 590 <td>Set by the <code>vold</code> command <code>checkpw</code> for later use 591 by the <code>vold</code> command <code>restart</code>.</td> 592 </tr> 593 <tr> 594 <td><code>ro.crypto.state unencrypted</code></td> 595 <td>Set by <code>init</code> to say this system is running with an unencrypted 596 <code>/data ro.crypto.state encrypted</code>. Set by <code>init</code> to say 597 this system is running with an encrypted <code>/data</code>.</td> 598 </tr> 599 <tr> 600 <td><p><code>ro.crypto.fs_type<br> 601 ro.crypto.fs_real_blkdev <br> 602 ro.crypto.fs_mnt_point<br> 603 ro.crypto.fs_options<br> 604 ro.crypto.fs_flags <br> 605 </code></p></td> 606 <td> These five properties are set by 607 <code>init</code> when it tries to mount <code>/data</code> with parameters passed in from 608 <code>init.rc</code>. <code>vold</code> uses these to setup the crypto mapping.</td> 609 </tr> 610 <tr> 611 <td><code>ro.crypto.tmpfs_options</code></td> 612 <td>Set by <code>init.rc</code> with the options init should use when 613 mounting the tmpfs /data filesystem.</td> 614 </tr> 615 </table> 616 <h2 id=init_actions>Init actions</h2> 617 618 <pre class="devsite-click-to-copy"> 619 on post-fs-data 620 on nonencrypted 621 on property:vold.decrypt=trigger_reset_main 622 on property:vold.decrypt=trigger_post_fs_data 623 on property:vold.decrypt=trigger_restart_min_framework 624 on property:vold.decrypt=trigger_restart_framework 625 on property:vold.decrypt=trigger_shutdown_framework 626 on property:vold.decrypt=trigger_encryption 627 on property:vold.decrypt=trigger_default_encryption 628 </pre> 629 630 </body> 631 </html> 632
