Starting with Android N, a device that has been powered on can boot into a new mode called Direct Boot before the user has a chance to unlock it for the first time.
Direct Boot For Users
1、Boot directly to lock screen
2、Calls, SMS, alarms work after device reboot before unlock
3、Per-user disk encryption
Direct Boot For Developers
Data
On an FBE-enabled device, each user of the device has two storage locations available to applications:
1、Credential Encrypted (CE) storage:
By default, all of an app's data lives here; it is only readable after the user has unlocked the device for the first time
2、Device Encrypted (DE) storage:
Components marked directBootAware run before the first user unlock and can only use this storage
Briefly Introducing Direct-Boot && FBE
APIs for creating data in these storage areas in Android:
Context.createCredentialProtectedStorageContext()
Context.isCredentialProtectedStorage()
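As an added example (not code from the original deck), the helper below writes a small piece of non-secret state (an alarm time) into Device Encrypted storage so a Direct Boot aware component can read it before the first unlock, checks which store a Context points at, and migrates an existing preferences file out of CE storage. It uses the public Android 7.0 (API 24) calls createDeviceProtectedStorageContext(), isDeviceProtectedStorage(), moveSharedPreferencesFrom() and UserManager.isUserUnlocked(); the credential-protected variants listed above are the hidden counterparts in AOSP. The class name, PREFS_NAME and the preference keys are constructed for this example.

```java
// Added example, not part of the original slides.
// Demonstrates DE vs CE storage on an FBE device (API level 24+).
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.UserManager;

public final class DirectBootStorage {
    private static final String PREFS_NAME = "next_alarm"; // constructed name for this example

    private DirectBootStorage() {}

    /** Returns a Context whose files, databases and prefs live in DE storage. */
    public static Context deviceProtected(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            return ctx.createDeviceProtectedStorageContext();
        }
        return ctx; // pre-N devices have no FBE; there is only one store
    }

    /** Saves data needed before unlock. Keep this to non-secret state, never credentials. */
    public static void saveNextAlarm(Context ctx, int hour, int minute) {
        SharedPreferences prefs = deviceProtected(ctx)
                .getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        prefs.edit().putInt("alarm_hour", hour).putInt("alarm_minute", minute).apply();
    }

    /** Readable in Direct Boot mode because it never touches CE storage. Returns {hour, minute} or {-1, -1}. */
    public static int[] loadNextAlarm(Context ctx) {
        SharedPreferences prefs = deviceProtected(ctx)
                .getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        return new int[] { prefs.getInt("alarm_hour", -1), prefs.getInt("alarm_minute", -1) };
    }

    /** One-time migration of a prefs file from the default CE location to DE storage. */
    public static boolean migrateToDeviceProtected(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) return false;
        // The CE copy is only readable after unlock, so refuse to run while still locked.
        UserManager um = ctx.getSystemService(UserManager.class);
        if (um == null || !um.isUserUnlocked()) return false;
        Context de = ctx.createDeviceProtectedStorageContext();
        return de.moveSharedPreferencesFrom(ctx, PREFS_NAME);
    }

    /** Reports which store a Context points at; useful when logging storage decisions. */
    public static String describe(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N && ctx.isDeviceProtectedStorage()) {
            return "DE (device encrypted)";
        }
        return "CE (credential encrypted)";
    }
}
```

The migration deliberately checks isUserUnlocked() first: moving from CE while the device is still in Direct Boot mode would fail because the CE files cannot be decrypted yet. Keep the DE payload minimal, as the "Limit data you store" slide below advises.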
Aware
android:directBootAware="true"
marks all components in the app (when set on the application element) as being encryption aware.
android:defaultToDeviceProtectedStorage="true"
redirects the default app storage location to point at DE storage instead of CE storage.
Broadcast
In the normal boot state, when boot completes, the system sends the "Intent.ACTION_BOOT_COMPLETED" broadcast.
If FBE (File-Based Encryption) is enabled, the system sends the "Intent.ACTION_LOCKED_BOOT_COMPLETED" broadcast before the device is unlocked.
Most appropriate for apps that depend on time-sensitive alerts
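The receiver below is an added example (not code from the original deck) of a component that handles both boot broadcasts. Its manifest entry, shown in the leading comment, carries android:directBootAware="true" so the receiver is delivered ACTION_LOCKED_BOOT_COMPLETED before unlock; the class name, the "next_alarm" preference file and the rescheduling helper are assumptions made for this example, and an AlarmManager call is only described in a comment.

```java
// Added example, not part of the original slides.
//
// Assumed AndroidManifest.xml declaration for this receiver:
// <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
// <receiver android:name=".BootReceiver"
//           android:directBootAware="true"
//           android:exported="true">
//     <intent-filter>
//         <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//         <action android:name="android.intent.action.BOOT_COMPLETED" />
//     </intent-filter>
// </receiver>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.UserManager;
import android.util.Log;

public class BootReceiver extends BroadcastReceiver {
    private static final String TAG = "BootReceiver";
    private static final String PREFS_NAME = "next_alarm"; // constructed name for this example

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (action == null) return;
        boolean unlocked = isUserUnlocked(context);

        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Direct Boot mode: only DE storage is readable. Do time-critical,
            // non-secret work here (e.g. re-arm an alarm), nothing that needs CE data.
            Log.i(TAG, "locked boot completed, userUnlocked=" + unlocked);
            rescheduleAlarmFromDeviceProtectedStorage(context);
        } else if (Intent.ACTION_BOOT_COMPLETED.equals(action)) {
            // On an FBE device this arrives after the user unlocks, so CE storage is
            // available; guard on isUserUnlocked() anyway rather than assuming it.
            Log.i(TAG, "boot completed, userUnlocked=" + unlocked);
            if (unlocked) {
                Log.i(TAG, "CE storage accessible; safe to read default app data");
            }
        }
    }

    /** True when the user's CE storage has been unlocked (always true before Android N). */
    static boolean isUserUnlocked(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) return true;
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }

    private void rescheduleAlarmFromDeviceProtectedStorage(Context context) {
        Context de = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                ? context.createDeviceProtectedStorageContext()
                : context;
        int hour = de.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
                .getInt("alarm_hour", -1);
        if (hour >= 0) {
            // Hypothetical: this is where an AlarmManager.setExact(...) call would go.
            Log.i(TAG, "would reschedule alarm for hour " + hour);
        }
    }
}
```

Because the receiver is Direct Boot aware it also receives ACTION_BOOT_COMPLETED, so the two branches must not assume the same storage is available: the locked branch touches only the DE context, the unlocked branch is the first point at which the app's default (CE) data may be read.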
Limit data you store in Device Protected storage
a、Avoid storing long-lived credentials in DP storage
b、Create limited-purpose tokens (e.g. receive mail, not send it)
c、Encrypt sensitive data you receive so it can be decrypted only after unlock
Examples
Dialer
DeskClock
SystemUI
LatinIME
Settings
...
How to use it?
For users:
1、Settings > Developer options > Convert to file encryption
2、$ adb reboot-bootloader
$ fastboot --wipe-and-use-fbe
Warning: Both methods will perform a ***factory reset*** and ***delete all user data*** on your device.
For Developers, you can use an emulated Direct Boot mode:
$ adb shell sm set-emulate-fbe true
$ adb shell sm set-emulate-fbe false
File-Based Encryption
Android 7.0 and above supports file-based encryption (FBE). File-based encryption allows different files to be encrypted with different keys that can be unlocked independently.
The Relationship with Direct Boot?
Conclusion: ***Direct Boot depends on FBE***
Dependencies
Kernel Support for ext4 encryption
Keymaster Support with a HAL version 1.0 or 2.0.
Keymaster/Keystore and Gatekeeper must be implemented in a Trusted Execution Environment (TEE) to provide protection for the DE keys
Encryption performance in the kernel of at least 50MB/s
Hardware Root of Trust and Verified Boot bound to the keymaster initialisation is required to ensure
Kernel Support
The recommended solution is to use a kernel based on 4.4 or later.
Ext4 encryption has also been backported to a 3.10 kernel in the Android common repositories and for the supported Nexus kernels.