| Danielle Roberts | 20334fc | 2015-09-24 16:36:35 -0700 | [diff] [blame^] | 1 | page.title=Adoptable Storage |
| 2 | @jd:body |
| 3 | <!-- |
| 4 | Copyright 2015 The Android Open Source Project |
| 5 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | you may not use this file except in compliance with the License. |
| 7 | You may obtain a copy of the License at |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | Unless required by applicable law or agreed to in writing, software |
| 10 | distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | See the License for the specific language governing permissions and |
| 13 | limitations under the License. |
| 14 | --> |
| 15 | <div id="qv-wrapper"> |
| 16 | <div id="qv"> |
| 17 | <h2>In this document</h2> |
| 18 | <ol id="auto-toc"> |
| 19 | </ol> |
| 20 | </div> |
| 21 | </div> |
| 22 | |
| 23 | |
| 24 | <p>Android has always supported external storage accessories (such as SD cards), but |
| 25 | these accessories were historically limited to simple file storage, due to |
| 26 | their expected impermanence and the minimal data protection offered to |
| 27 | <a href="{@docRoot}devices/storage/traditional.html">traditional external storage</a>. |
| 28 | Android 6.0 introduces the ability to |
| 29 | <a href="https://developer.android.com/preview/behavior-changes.html#behavior-adoptable-storage">adopt</a> |
| 30 | external storage media to act like internal storage.</p> |
| 31 | |
| 32 | <p>When external storage media is adopted, it’s formatted and encrypted to only |
| 33 | work with a single Android device at a time. Because the media is strongly tied |
| 34 | to the Android device that adopted it, it can safely store both apps and |
| 35 | private data for all users.</p> |
| 36 | |
| 37 | <p>When users insert new storage media (such as an SD card) in an adoptable |
| 38 | location, Android asks them how they want to use the media. They can choose to |
| 39 | adopt the media, which formats and encrypts it, or they can continue using it |
| 40 | as-is for simple file storage. If they choose to adopt, the platform offers to |
| 41 | migrate the primary shared storage contents (typically mounted at <code>/sdcard</code>) |
| 42 | to the newly adopted media, freeing up valuable space on internal storage.</p> |
| 43 | |
| 44 | <p>Apps can be placed on adopted storage media only when the developer has |
| 45 | indicated support through the <code>android:installLocation</code> attribute. |
| 46 | New installs of supported apps are automatically placed on the |
| 47 | storage device with the most free space, and users can move supported apps |
| 48 | between storage devices in the <em>Settings</em> app. Apps moved to adopted |
| 49 | media are remembered while the media is ejected, |
| 50 | and return when the media is reinserted.</p> |
| 51 | |
| 52 | <h2 id=security>Security</h2> |
| 53 | |
| 54 | |
| 55 | <p>The platform randomly generates an encryption key for each adopted device, |
| 56 | and that key is stored on the internal storage of the Android device. This |
| 57 | effectively makes the adopted media as secure as internal storage. Keys are |
| 58 | associated with adopted devices based on the adopted partition GUID. The |
| 59 | adopted device is encrypted using <code>dm-crypt</code> configured with the |
| 60 | <code>aes-cbc-essiv:sha256</code> algorithm and a 128-bit key size.</p> |
| 61 | |
| 62 | <p>The on-disk layout of the adopted device closely mirrors the internal data |
| 63 | partition, including SELinux labels, etc. When multi-user is supported on the |
| 64 | Android device, the adopted storage device also supports multi-user with the |
| 65 | same level of isolation as internal storage.</p> |
| 66 | |
| 67 | <p>Because the contents of an adopted storage device are strongly tied to the |
| 68 | Android device that adopted it, the encryption keys should not be extractable |
| 69 | from the parent device, and therefore the storage device can't be mounted elsewhere.</p> |
| 70 | |
| 71 | <h2 id=performance_and_stability>Performance and stability</h2> |
| 72 | |
| 73 | |
| 74 | <p>Only external storage media in stable locations, such as a slot inside a |
| 75 | battery compartment or behind a protective cover, should be considered for |
| 76 | adoption to help avoid accidental data loss or corruption. In particular, USB |
| 77 | devices connected to a phone or tablet should never be considered for adoption. |
| 78 | One common exception would be an external USB drive connected to a TV-style |
| 79 | device, because the entire TV is typically installed in a stable location.</p> |
| 80 | |
| 81 | <p>When a user adopts a new storage device, the platform runs a benchmark and |
| 82 | compares its performance against internal storage. If the adopted device is |
| 83 | significantly slower than internal storage, the platform warns the user about a |
| 84 | possibly degraded experience. This benchmark was derived from the actual I/O |
| 85 | behavior of popular Android apps. Currently, the AOSP implementation will only |
| 86 | warn users beyond a single threshold, but device manufacturers may adapt this |
| 87 | further, such as rejecting adoption completely if the card is extremely slow.</p> |
| 88 | |
| 89 | <p>Adopted devices must be formatted with a filesystem that supports POSIX |
| 90 | permissions and extended attributes, such as <code>ext4</code> or <code>f2fs</code>. |
| 91 | For optimal performance, the <code>f2fs</code> filesystem is recommended for |
| 92 | flash-based storage devices.</p> |
| 93 | |
| 94 | <p>When performing periodic idle maintenance, the platform issues <code>FI_TRIM</code> |
| 95 | to adopted media just like it does for internal storage. The current SD card |
| 96 | specification does not support the <code>DISCARD</code> command; but the kernel |
| 97 | instead falls back to the <code>ERASE</code> command, which SD card firmware |
| 98 | may choose to use for optimization purposes.</p> |