Yes, Google wants you to keep your bits and bytes as safe as possible through encryption.
With the launch of Android 5.0 Lollipop last year, Google wanted to make full disk encryption mandatory, but unfortunately, the idea did not go too well.
However, Google thinks the idea will go right this time, and it will try again to require full-disk encryption by default for devices that release with the newest Android 6.0 Marshmallow and higher versions.
Google has published the new version of the Android Compatibility Definition Document, mandating Android encryption with a couple of exceptions in Android 6.0 Marshmallow.
The document reads:
“For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience.”
New smartphones and tablets that ship with Android 6.0 Marshmallow and meet a certain performance standard must be encrypted by default.
The new Android Compatibility Definition Document for Marshmallow states: If the device implementation supports a secure lock screen… then the device MUST support full-disk encryption [Resources, 132] of the application private data (/data partition), as well as the application shared storage partition (/sdcard partition) if it is a permanent, non-removable part of the device.
For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience. If a device implementation is already launched on an earlier Android version with full-disk encryption disabled by default, such a device cannot meet the requirement through a system software update and thus MAY be exempted.
Encryption MUST use AES with a key of 128-bits (or greater) and a mode designed for storage (for example, AES-XTS, AES-CBC-ESSIV). The encryption key MUST NOT be written to storage at any time without being encrypted.
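The default-on rule and the cipher requirements quoted above can be written as a small compliance check. This is an added example, not code from Google or the CDD; the profile fields, the finding codes, the `cipher-chain-iv` spec format and the choice to accept only the two storage modes the CDD names are assumptions.

```python
# Added example: checks constructed device profiles against the CDD text quoted above.
THRESHOLD_MIB_S = 50                    # default-on applies strictly above this
STORAGE_MODES = {"xts", "cbc-essiv"}    # assumption: only the two modes the CDD names


def parse_cipher(spec, key_bits):
    """Split a spec such as 'aes-cbc-essiv:sha256' into (algo, mode, AES key bits)."""
    name = spec.split(":", 1)[0]        # drop the IV hash suffix, e.g. ':sha256'
    parts = name.split("-")
    if len(parts) != 3:
        raise ValueError(f"unrecognised cipher spec: {spec!r}")
    algo, chain, iv = parts
    if chain == "xts":
        # XTS key material holds two equal keys; only half is the AES data key.
        return algo, "xts", key_bits // 2
    return algo, f"{chain}-{iv}", key_bits


def cdd_findings(dev):
    """Return a list of finding codes for one device profile (a dict)."""
    findings = []
    if not dev["supports_fde"]:
        # FDE support is required only when a secure lock screen is supported.
        return ["FDE_UNSUPPORTED"] if dev["secure_lock_screen"] else []
    algo, mode, aes_bits = parse_cipher(dev["cipher"], dev["key_bits"])
    if algo != "aes":
        findings.append("NOT_AES")
    if aes_bits < 128:
        findings.append("KEY_TOO_SHORT")
    if mode not in STORAGE_MODES:
        findings.append("MODE_NOT_STORAGE")
    # Default-on: fast AES, unless the device launched on an earlier Android
    # version with FDE off by default (the CDD says it MAY be exempted).
    fast = dev["aes_mib_s"] > THRESHOLD_MIB_S
    if fast and not dev["upgraded_with_fde_off"] and not dev["fde_default_on"]:
        findings.append("FDE_NOT_DEFAULT")
    return findings


# Constructed sample profile, not measurements from a real device.
SAMPLE = {"secure_lock_screen": True, "supports_fde": True,
          "cipher": "aes-cbc-essiv:sha256", "key_bits": 128,
          "aes_mib_s": 75.0, "upgraded_with_fde_off": False,
          "fde_default_on": False}

if __name__ == "__main__":
    print(cdd_findings(SAMPLE))
    print(cdd_findings({**SAMPLE, "aes_mib_s": 50.0}))
    print(cdd_findings({**SAMPLE, "cipher": "aes-xts-plain64"}))
```

Note that 128 bits of key material is enough for AES-CBC-ESSIV but not for AES-XTS, which needs 256 bits to reach a 128-bit AES key.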
What is Full Disk Encryption?
Full disk encryption (FDE) is the process of encoding all of a user’s data on an Android device using an encrypted key. Once the device is encrypted, all data is automatically encrypted before it is ever written to disk.
In turn, the data is automatically decrypted before it returns to any calling process that asks for it. All you need is the correct key.
Full Disk Encryption is done with a kernel feature that acts directly on the block layer of the storage and has been available in devices since Android 3.0 Honeycomb.
However, Android 6.0 Marshmallow brings some pretty big changes and improvements to how full disk encryption works overall.
New Android devices running Marshmallow and having AES crypto performance above 50MiB-per-second are required to support encryption of:
- The private user data partition (/data)
- The public data partition (/sdcard)
In other words, Full Disk Encryption is damned secure, and Google has done a pretty good job by making full disk encryption mandatory on Android devices.
What’s the Problem with Full Disk Encryption?
Last year, when Google implemented full disk encryption by default on the Nexus 6 devices, you probably heard about poor device performance for disk reading and writing.
It’s true — the problem with full-disk encryption is a hit on the device performance because when you need to encrypt or decrypt on the fly, disk Input/Output speeds suffer.
In short, there are some drawbacks if encryption becomes mandatory:
- Slower Performance: As mentioned above, encryption always adds some overhead, which makes your device a bit slower.
- Encryption is One-Way Only: If you forget the decryption key, you’ll need to factory reset your device, which will erase all the data stored on your phone.
Do we Really Need Full Disk Encryption By Default?
In older devices, there is an option to enable full disk encryption, but by default it is turned OFF. This left us with a choice — Do we need full disk encryption?
Many of us will find full disk encryption useful. It helps us secure sensitive information that we never, ever want to fall into the wrong hands. Full disk encryption also keeps our data secure from snoopers and government agencies who need to see it.
But for others, just the standard lock screen security is enough. If they lose their phone, they have Android Device Manager or other utilities to remotely wipe their data. They can quickly change the passwords of their Google and other accounts, and they don’t even have a reason to fear any consequences if the government snoops into their data.
So, do you need Full Disk Encryption by Default?