## 9.9\. Data Storage Encryption

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen), they:

*   [C-1-1] MUST support data storage encryption of the application private
data (the `/data` partition), as well as the application shared storage partition
(the `/sdcard` partition) if it is a permanent, non-removable part of the device.

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen) and support data storage
encryption with Advanced Encryption Standard (AES) crypto performance
above 50 MiB/s, they:

*   [C-2-1] MUST enable data storage encryption by default by the time
the user has completed the out-of-box setup experience. If device
implementations were already launched on an earlier Android version with
encryption disabled by default, such a device cannot meet the requirement
through a system software update and thus MAY be exempted.

*   SHOULD meet the above data storage encryption
requirement via implementing [File Based Encryption](
https://source.android.com/security/encryption/file-based.html) (FBE).
     24 
### 9.9.1\. Direct Boot

Device implementations:

*   [C-0-1] MUST implement the [Direct Boot mode](
http://developer.android.com/preview/features/direct-boot.html) APIs even if
they do not support storage encryption.

*   [C-0-2] The [`ACTION_LOCKED_BOOT_COMPLETED`](
https://developer.android.com/reference/android/content/Intent.html#ACTION_LOCKED_BOOT_COMPLETED)
and [`ACTION_USER_UNLOCKED`](https://developer.android.com/reference/android/content/Intent.html#ACTION_USER_UNLOCKED)
Intents MUST still be broadcast to signal to Direct Boot aware applications that
the Device Encrypted (DE) and Credential Encrypted (CE) storage locations,
respectively, have become available for the user.
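As an added illustration of the two broadcasts above (example code, not part of the CDD or of AOSP): a Direct Boot aware receiver that writes only to Device Encrypted storage when `ACTION_LOCKED_BOOT_COMPLETED` arrives and touches Credential Encrypted storage only after `ACTION_USER_UNLOCKED`. The package name, file names, log messages and the manifest entry in the comment are assumptions for the example.

```java
// DirectBootReceiver.java: added example, not code from the CDD or AOSP.
// Package, file names and messages are assumptions for the demo.
package com.example.directboot;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;
import android.util.Log;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/*
 * Manifest entry assumed for this receiver. android:directBootAware="true" is what
 * lets the system deliver ACTION_LOCKED_BOOT_COMPLETED before the user unlocks:
 *
 *   <receiver android:name=".DirectBootReceiver" android:directBootAware="true"
 *             android:exported="false">
 *       <intent-filter>
 *           <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
 *           <action android:name="android.intent.action.USER_UNLOCKED" />
 *       </intent-filter>
 *   </receiver>
 *
 * plus <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />.
 */
public class DirectBootReceiver extends BroadcastReceiver {
    private static final String TAG = "DirectBootReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Boot finished, no credential yet: only Device Encrypted (DE) storage is usable.
            // A device-protected context roots getFilesDir() and friends in the DE area.
            Context de = context.createDeviceProtectedStorageContext();
            append(de, "boot.log", "locked boot completed; DE storage available");
            // Anything an alarm/phone/messaging path needs before unlock must live in DE.
            // CE files (plain context.getFilesDir()) are not readable yet, and on a compliant
            // FBE device nothing can open them without the user's credential.
        } else if (Intent.ACTION_USER_UNLOCKED.equals(action)) {
            // Credential supplied and CE keys installed: Credential Encrypted storage is live.
            append(context, "unlock.log", "user unlocked; CE storage available");
        }
    }

    /** Check this before touching CE storage from any component that may run before unlock. */
    public static boolean isCeStorageAvailable(Context context) {
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }

    private static void append(Context ctx, String name, String line) {
        File f = new File(ctx.getFilesDir(), name);
        try (FileOutputStream out = new FileOutputStream(f, true)) {
            out.write((line + '\n').getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            Log.w(TAG, "could not write " + f, e);
        }
    }
}
```

A component declared `directBootAware` runs in both states, so every code path in it has to decide which storage it may use; `isUserUnlocked()` is the runtime check for that, since a process started before unlock can outlive the `ACTION_USER_UNLOCKED` delivery.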
     39 
### 9.9.2\. File Based Encryption

If device implementations support FBE, they:

*   [C-1-1] MUST boot up without challenging the user for credentials and
allow Direct Boot aware apps to access the Device Encrypted (DE) storage
after the `ACTION_LOCKED_BOOT_COMPLETED` message is broadcast.
*   [C-1-2] MUST only allow access to Credential Encrypted (CE) storage after
the user has unlocked the device by supplying their credentials
(e.g. passcode, PIN, pattern or fingerprint) and the `ACTION_USER_UNLOCKED`
message is broadcast.
*   [C-1-3] MUST NOT offer any method to unlock the CE protected storage
without the user-supplied credentials.
*   [C-1-4] MUST support Verified Boot and ensure that DE keys are
cryptographically bound to the device's hardware root of trust.
*   [C-1-5] MUST support encrypting file contents using AES with a 256-bit
key in XTS mode.
*   [C-1-6] MUST support encrypting file names using AES with a 256-bit key
in CBC-CTS mode.

*   The keys protecting CE and DE storage areas:

   *   [C-1-7] MUST be cryptographically bound to a hardware-backed Keystore.
   *   [C-1-8] CE keys MUST be bound to a user's lock screen credentials.
   *   [C-1-9] CE keys MUST be bound to a default passcode when the user has
   not specified lock screen credentials.
   *   [C-1-10] MUST be unique and distinct; in other words, no user's CE or DE
   key matches any other user's CE or DE keys.
   *   [C-1-11] MUST use the mandatorily supported ciphers, key lengths and
   modes by default.

*   SHOULD make preloaded essential apps (e.g. Alarm, Phone, Messenger)
Direct Boot aware.
*   MAY support alternative ciphers, key lengths and modes for file content
and file name encryption.

The upstream Android Open Source Project provides a preferred implementation of
this feature based on the Linux kernel ext4 encryption feature.
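The two mandated modes, C-1-5 and C-1-6, as an added example that is not AOSP or kernel code: AES-256-XTS over one file data unit and AES-256-CBC-CTS over a file name, both built on the JDK's AES-ECB primitive because the JDK offers no XTS or ciphertext-stealing mode of its own. Assumptions: the XTS tweak is the data unit index as a little-endian 128-bit value; the CTS variant is CS3 (last two ciphertext blocks swapped), which is the kernel's `cts(cbc(aes))`; names are encrypted with a zero IV under a per-directory key; keys, the 32-byte sample unit and the sample name are constructed for the demo.

```java
// FbeModes.java: added example, not AOSP or kernel code. Tweak convention, CS3
// variant, zero name IV, keys and sample data are assumptions for the demo.
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public final class FbeModes {
    private static final int BLOCK = 16;

    // AES-256-XTS over one data unit. key = K1 || K2 (two AES-256 keys, 64 bytes);
    // the tweak is the data unit index as a little-endian 128-bit value (assumed).
    static byte[] xts(byte[] key, long dataUnit, byte[] in, boolean encrypt) throws Exception {
        if (key.length != 64) throw new IllegalArgumentException("XTS-AES-256 needs K1||K2 = 64 bytes");
        if (in.length == 0 || in.length % BLOCK != 0) throw new IllegalArgumentException("whole blocks only");
        Cipher k1 = Cipher.getInstance("AES/ECB/NoPadding");   // data key: E on encrypt, D on decrypt
        k1.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, new SecretKeySpec(key, 0, 32, "AES"));
        Cipher k2 = Cipher.getInstance("AES/ECB/NoPadding");   // tweak key: always E
        k2.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, 32, 32, "AES"));
        byte[] tweak = new byte[BLOCK];
        for (int i = 0; i < 8; i++) tweak[i] = (byte) (dataUnit >>> (8 * i));
        byte[] t = k2.doFinal(tweak);                            // T = E_K2(i)
        byte[] out = new byte[in.length];
        for (int off = 0; off < in.length; off += BLOCK) {
            byte[] cc = k1.doFinal(xor(slice(in, off, BLOCK), t)); // E_K1(P ^ T)
            System.arraycopy(xor(cc, t), 0, out, off, BLOCK);      // ^ T again
            t = mulAlpha(t);                                       // next block: T * alpha in GF(2^128)
        }
        return out;
    }

    // Multiply by x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, little-endian (IEEE 1619).
    private static byte[] mulAlpha(byte[] t) {
        byte[] r = new byte[BLOCK];
        int carry = 0;
        for (int j = 0; j < BLOCK; j++) {
            int b = t[j] & 0xff;
            r[j] = (byte) ((b << 1) | carry);
            carry = b >>> 7;
        }
        if (carry != 0) r[0] ^= 0x87;
        return r;
    }

    // AES-CBC with ciphertext stealing (CS3). Output has exactly the input length; the input
    // must be at least one block, which is why fscrypt pads short names before encrypting.
    static byte[] cbcCts(byte[] key, byte[] iv, byte[] in, boolean encrypt) throws Exception {
        int n = in.length;
        if (n < BLOCK) throw new IllegalArgumentException("CTS needs at least one block");
        Cipher ecb = Cipher.getInstance("AES/ECB/NoPadding");
        ecb.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"));
        int nb = (n + BLOCK - 1) / BLOCK;          // blocks, counting the final partial one
        int d = n - (nb - 1) * BLOCK;              // bytes in the final block, 1..16
        byte[] out = new byte[n];
        byte[] prev = iv;
        for (int b = 0; b < nb - 2; b++) {         // ordinary CBC up to the last two blocks
            byte[] blk = slice(in, b * BLOCK, BLOCK);
            byte[] o = encrypt ? ecb.doFinal(xor(blk, prev)) : xor(ecb.doFinal(blk), prev);
            System.arraycopy(o, 0, out, b * BLOCK, BLOCK);
            prev = encrypt ? o : blk;
        }
        if (nb == 1) {                             // a single full block is plain CBC
            byte[] o = encrypt ? ecb.doFinal(xor(in, prev)) : xor(ecb.doFinal(in), prev);
            System.arraycopy(o, 0, out, 0, BLOCK);
            return out;
        }
        int p = (nb - 2) * BLOCK;                  // offset of the penultimate block
        if (encrypt) {
            byte[] cPen = ecb.doFinal(xor(slice(in, p, BLOCK), prev));
            byte[] pLast = new byte[BLOCK];        // final partial block, zero-extended
            System.arraycopy(in, p + BLOCK, pLast, 0, d);
            byte[] cLast = ecb.doFinal(xor(pLast, cPen));
            System.arraycopy(cLast, 0, out, p, BLOCK);      // full block first ...
            System.arraycopy(cPen, 0, out, p + BLOCK, d);   // ... then d stolen bytes of C_{n-1}
        } else {
            byte[] dLast = ecb.doFinal(slice(in, p, BLOCK));   // D(C_n) = C_{n-1} ^ (P_n || 0..)
            byte[] cPen = new byte[BLOCK];
            System.arraycopy(in, p + BLOCK, cPen, 0, d);       // the d bytes that were stolen
            System.arraycopy(dLast, d, cPen, d, BLOCK - d);    // rest of C_{n-1} from D(C_n)
            System.arraycopy(xor(dLast, cPen), 0, out, p + BLOCK, d);
            System.arraycopy(xor(ecb.doFinal(cPen), prev), 0, out, p, BLOCK);
        }
        return out;
    }

    private static byte[] xor(byte[] a, byte[] b) {
        byte[] r = new byte[a.length];
        for (int i = 0; i < a.length; i++) r[i] = (byte) (a[i] ^ b[i]);
        return r;
    }

    private static byte[] slice(byte[] a, int off, int len) { return Arrays.copyOfRange(a, off, off + len); }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] contentsKey = new byte[64]; rnd.nextBytes(contentsKey);  // constructed: K1 || K2
        byte[] nameKey = new byte[32];     rnd.nextBytes(nameKey);      // constructed: per-directory name key
        byte[] zeroIv = new byte[BLOCK];                                // assumed zero IV for names
        byte[] unit = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed
        byte[] c0 = xts(contentsKey, 0, unit, true), c1 = xts(contentsKey, 1, unit, true);
        if (Arrays.equals(c0, c1)) throw new AssertionError("tweak must separate identical data units");
        if (!Arrays.equals(unit, xts(contentsKey, 0, c0, false))) throw new AssertionError("XTS round trip");
        byte[] name = "quarterly-report.pdf".getBytes(StandardCharsets.UTF_8);   // constructed 20-byte name
        byte[] encName = cbcCts(nameKey, zeroIv, name, true);
        if (encName.length != name.length) throw new AssertionError("CTS must not expand the name");
        if (!Arrays.equals(name, cbcCts(nameKey, zeroIv, encName, false))) throw new AssertionError("CTS round trip");
        System.out.println("XTS units differ, round trip ok; CTS: " + name.length + " -> " + encName.length + " bytes");
    }
}
```

Two properties worth keeping in mind when reading the requirement: XTS is deterministic per data unit, so rewriting the same plaintext to the same unit produces the same ciphertext, and neither mode carries an authentication tag, so a flipped ciphertext bit is not detected at this layer. On JDKs older than 8u161 the 256-bit keys also need the unlimited-strength policy files.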
     79 
### 9.9.3\. Full Disk Encryption

If device implementations support [full disk encryption](
http://source.android.com/devices/tech/security/encryption/index.html)
(FDE), they:

*   [C-1-1] MUST use AES with a key of 128 bits (or greater) and a mode
designed for storage (for example, AES-XTS, AES-CBC-ESSIV).
*   [C-1-2] MUST use a default passcode to wrap the encryption key and
MUST NOT write the encryption key to storage at any time
without it being encrypted.
*   [C-1-3] MUST AES-encrypt the encryption key by default, except while it is
in active use, with the lock screen credentials stretched using a slow
stretching algorithm (e.g. PBKDF2 or scrypt), unless the user explicitly opts
out.
*   [C-1-4] MUST cryptographically bind the above default password stretching
algorithm to the hardware-backed keystore when the user has not specified
lock screen credentials or has disabled use of the passcode for encryption and
the device provides a hardware-backed keystore.
*   [C-1-5] MUST NOT send the encryption key off the device
(even when wrapped with the user passcode and/or a hardware-bound key).

The upstream Android Open Source Project provides a preferred implementation
of this feature, based on the Linux kernel feature dm-crypt.
    104