Google Pushes Mandatory Full-Disk Encryption in Android 6.0

Google has stepped up the security of its Android operating system with the release of Android 6.0 Marshmallow by requiring manufacturers to enable full-disk encryption out-of-the-box for new devices.

Previously, Google announced that full-device encryption was recommended for all devices that could meet certain performance levels, but it has since made the security measure mandatory in the most recent Android Compatibility Definition Document. Google also requires that AES with a key of 128-bit or higher be used, and that the key be stored on the device only if AES encrypted.

“For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience,” Google notes in the Android 6.0 CDD.

Full-disk encryption is mandatory on all device implementations that support a secure lockscreen and which have high memory resources. Such devices must include support for full-disk encryption of both application private data and (/datapartition) shared storage partition (/sdcardpartition), as long as the latter is non-removable, Google says.

When setting up a new Android 6.0 device, users will be able to skip setting the secure lockscreen right from the start, but the device still has to be encrypted, using a default passcode instead. Thus, when the user decides to create the secure lockscreen, the device won’t have to be re-encrypted, as that would take time and hurt performance.

The full-disk encryption will be required in all future versions of Android, and all manufacturers are required to comply. The policy applies not only to new devices, but also to older ones that already had full-disk encryption enabled, although only two products are known to include the option, namely Nexus 6 and Nexus 9, as Android Police reports.

“If a device implementation is already launched on an earlier Android version with full-disk encryption disabled by default, such a device cannot meet the requirement through a system software update and thus MAY be exempted,” Google explains. This means that smartphones and tablets launched under older Android releases can be updated to Android 6.0, despite the new security policy.

Google is enforcing the full-disk encryption policy only on smartphones and tablets that meet certain hardware requirements because the security option is likely to affect the overall device performance. On devices with enough memory, however, the decrease in performance is likely to impact user experience very little, while the overall security gain should offset it completely.

The full-disk encryption policy is the latest step Google has taken toward improving the security of Android devices, after committing to release monthly updates for the Nexus devices. Other vendors have committed to regularly updating their Android devices, including Samsung.