## 9.9\. Data Storage Encryption

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen), they:

* [C-1-1] MUST support data storage encryption of the application private
  data (`/data partition`), as well as the application shared storage partition
  (`/sdcard partition`) if it is a permanent, non-removable part of the device.

If device implementations support a secure lock screen as described in
[section 9.11.1](#9_11_1_secure_lock_screen) and support data storage
encryption with Advanced Encryption Standard (AES) crypto performance
above 50MiB/sec, they:

* [C-2-1] MUST enable the data storage encryption by default at the time
  the user has completed the out-of-box setup experience. If device
  implementations are already launched on an earlier Android version with
  encryption disabled by default, such a device cannot meet the requirement
  through a system software update and thus MAY be exempted.

* SHOULD meet the above data storage encryption requirement via implementing
  [File Based Encryption](https://source.android.com/security/encryption/file-based.html)
  (FBE).

### 9.9.1\. Direct Boot

Device implementations:

* [C-0-1] MUST implement the
  [Direct Boot mode](http://developer.android.com/preview/features/direct-boot.html)
  APIs even if they do not support Storage Encryption.

* [C-0-2] The
  [`ACTION_LOCKED_BOOT_COMPLETED`](https://developer.android.com/reference/android/content/Intent.html#ACTION_LOCKED_BOOT_COMPLETED)
  and
  [`ACTION_USER_UNLOCKED`](https://developer.android.com/reference/android/content/Intent.html#ACTION_USER_UNLOCKED)
  Intents MUST still be broadcast to signal Direct Boot aware applications that
  Device Encrypted (DE) and Credential Encrypted (CE) storage locations are
  available for the user.

### 9.9.2\. File Based Encryption

If device implementations support FBE, they:

* [C-1-1] MUST boot up without challenging the user for credentials and
  allow Direct Boot aware apps to access the Device Encrypted (DE) storage
  after the `ACTION_LOCKED_BOOT_COMPLETED` message is broadcast.
* [C-1-2] MUST only allow access to Credential Encrypted (CE) storage after
  the user has unlocked the device by supplying their credentials
  (e.g. passcode, PIN, pattern or fingerprint) and the `ACTION_USER_UNLOCKED`
  message is broadcast.
* [C-1-3] MUST NOT offer any method to unlock the CE protected storage
  without the user-supplied credentials.
* [C-1-4] MUST support Verified Boot and ensure that DE keys are
  cryptographically bound to the device's hardware root of trust.
* [C-1-5] MUST support encrypting file contents using AES with a key length
  of 256 bits in XTS mode.
* [C-1-6] MUST support encrypting file names using AES with a key length of
  256 bits in CBC-CTS mode.

* The keys protecting CE and DE storage areas:

  * [C-1-7] MUST be cryptographically bound to a hardware-backed Keystore.
  * [C-1-8] CE keys MUST be bound to a user's lock screen credentials.
  * [C-1-9] CE keys MUST be bound to a default passcode when the user has
    not specified lock screen credentials.
  * [C-1-10] MUST be unique and distinct, in other words no user's CE or DE
    key matches any other user's CE or DE keys.

* [C-1-11] MUST use the mandatorily supported ciphers, key lengths and
  modes by default.

* SHOULD make preloaded essential apps (e.g. Alarm, Phone, Messenger)
  Direct Boot aware.
* MAY support alternative ciphers, key lengths and modes for file content
  and file name encryption.

The upstream Android Open Source Project provides a preferred implementation of
this feature based on the Linux kernel ext4 encryption feature.

### 9.9.3\. Full Disk Encryption

If device implementations support
[full disk encryption](http://source.android.com/devices/tech/security/encryption/index.html)
(FDE), they:

* [C-1-1] MUST use AES with a key of 128 bits (or greater) and a mode
  designed for storage (for example, AES-XTS, AES-CBC-ESSIV).
* [C-1-2] MUST use a default passcode to wrap the encryption key and
  MUST NOT write the encryption key to storage at any time
  without being encrypted.
* [C-1-3] MUST AES encrypt the encryption key by default unless the user
  explicitly opts out, except when it is in active use, with the lock screen
  credentials stretched using a slow stretching algorithm
  (e.g. PBKDF2 or scrypt).
* [C-1-4] The above default password stretching algorithm MUST be
  cryptographically bound to that keystore when the user has not specified
  lock screen credentials or has disabled use of the passcode for encryption and
  the device provides a hardware-backed keystore.
* [C-1-5] MUST NOT send the encryption key off the device
  (even when wrapped with the user passcode and/or hardware bound key).

The upstream Android Open Source Project provides a preferred implementation
of this feature, based on the Linux kernel feature dm-crypt.
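An added example, not code from the CDD or AOSP, of what the Direct Boot contract in 9.9.1 and 9.9.2 looks like from an application's side: a receiver that, on `ACTION_LOCKED_BOOT_COMPLETED`, touches only Device Encrypted storage and defers anything user-private until `ACTION_USER_UNLOCKED` releases the Credential Encrypted area. It assumes the class is declared in the manifest with `android:directBootAware="true"`, an intent-filter for `android.intent.action.LOCKED_BOOT_COMPLETED`, and the `RECEIVE_BOOT_COMPLETED` permission; the class and file names are hypothetical.

```java
// Example Direct Boot aware receiver (added illustration, not CDD or AOSP code).

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.UserManager;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class BootReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (!Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(intent.getAction())) return;
        // DE storage is usable before any credential is entered (9.9.2 C-1-1). Its key
        // is bound to the hardware root of trust, not the lock screen, so keep only non-private data here.
        Context deContext = context.createDeviceProtectedStorageContext();
        writeMarker(new File(deContext.getFilesDir(), "last_boot"), "locked-boot");
        UserManager um = context.getSystemService(UserManager.class);
        if (um != null && um.isUserUnlocked()) {
            onCredentialStorageAvailable(context); // unlock already happened
            return;
        }
        // CE storage stays sealed until the user supplies credentials (C-1-2); ACTION_USER_UNLOCKED is only delivered to registered receivers.
        Context app = context.getApplicationContext();
        app.registerReceiver(new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent i) {
                c.getApplicationContext().unregisterReceiver(this);
                onCredentialStorageAvailable(c);
            }
        }, new IntentFilter(Intent.ACTION_USER_UNLOCKED));
    }

    private static void onCredentialStorageAvailable(Context context) {
        // The default context is CE-backed; opening this file before the CE key is released fails, as C-1-2/C-1-3 require.
        writeMarker(new File(context.getFilesDir(), "user_state"), "unlocked");
    }

    private static void writeMarker(File file, String value) {
        try (FileWriter w = new FileWriter(file)) {
            w.write(value);
        } catch (IOException e) {
            // Storage may be unavailable; never crash a boot-time receiver over it.
        }
    }
}
```

If the process is killed before the user unlocks, the dynamically registered receiver is lost, so an app with real CE-dependent work should also check `UserManager.isUserUnlocked()` on its next normal launch.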