| page.title=Direct Boot |
| page.keywords=preview,sdk,direct boot |
| page.tags=androidn |
| |
| @jd:body |
| |
| <div id="qv-wrapper"> |
| <div id="qv"> |
| <h2>In this document</h2> |
| <ol> |
| <li><a href="#run">Requesting Access to Run During Direct Boot</a></li> |
| <li><a href="#access">Accessing Device Encrypted Storage</a></li> |
| <li><a href="#notification">Getting Notified of User Unlock</a></li> |
| <li><a href="#migrating">Migrating Existing Data</a></li> |
| <li><a href="#testing">Testing Your Encryption Aware App</a></li> |
| </ol> |
| </div> |
| </div> |
| |
| <p>Android N runs in a secure, <i>Direct Boot</i> mode |
| when the device has been powered on but the user has not unlocked the |
| device. To support this, the system provides two storage locations for data:</p> |
| |
| <ul> |
| <li><i>Credential encrypted storage</i>, which is the default storage location |
| and only available after the user has unlocked the device.</li> |
| <li><i>Device encrypted storage</i>, which is a storage location available both |
| during Direct Boot mode and after the user has unlocked the device.</li> |
| </ul> |
| |
| <p>By default, apps do not run during Direct Boot mode. |
| If your app needs to take action during Direct Boot mode, you can register |
| app components that should be run during this mode. Some common use cases |
| for apps needing to run during Direct Boot mode include:</p> |
| |
| <ul> |
| <li>Apps that have scheduled notifications, such as alarm clock |
| apps.</li> |
| <li>Apps that provide important user notifications, like SMS apps.</li> |
| <li>Apps that provide accessibility services, like Talkback.</li> |
| </ul> |
| |
| <p>If your app needs to access data while running in Direct Boot mode, use |
| device encrypted storage. Device encrypted storage contains data |
| encrypted with a key that is only available after a device has performed a |
| successful verified boot.</p> |
| |
| <p>For data that should be encrypted with a key associated with user |
| credentials, such as a PIN or password, use credential encrypted storage. |
| Credential encrypted storage is only available after the user has successfully |
| unlocked the device, up until when the user restarts the device again. If the |
| user enables the lock screen after unlocking the device, this doesn't lock |
| credential encrypted storage.</p> |
| |
| <h2 id="run">Requesting Access to Run During Direct Boot</h2> |
| |
| <p>Apps must register their components with the system before they |
| can run during Direct Boot mode or access device encrypted |
| storage. Apps register with the system by marking components as |
| <i>encryption aware</i>. To mark your component as encryption aware, set the |
| <code>android:encryptionAware</code> attribute to true in your manifest.<p> |
| |
| <p>Encryption aware components can register to receive a |
| <code>LOCKED_BOOT_COMPLETED</code> broadcast message from the |
| system when the device has been restarted. At this point device encrypted |
| storage is available, and your component can execute tasks that need to be |
| run during Direct Boot mode, such as triggering a scheduled alarm.</p> |
| |
| <p>The following code snippet is an example of how to register a |
| {@link android.content.BroadcastReceiver} as encryption aware, and add an |
| intent filter for <code>LOCKED_BOOT_COMPLETED</code>, in the app manifest:</p> |
| |
| <pre> |
| <receiever |
| android:encryptionAware="true" > |
| ... |
| <intent-filter> |
| <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" /> |
| </intent-filter> |
| </receiver> |
| </pre> |
| |
| <p>Once the user has unlocked the device, all components can access both the |
| device encrypted storage as well as credential encrypted storage.</p> |
| |
| <h2 id="access">Accessing Device Encrypted Storage</h2> |
| |
| <p>To access device encrypted storage, create a second |
| {@link android.content.Context} instance by calling |
| <code>Context.createDeviceEncryptedStorageContext()</code>. All storage API |
| calls made using this context access the device encrypted storage. The |
| following example accesses the device encrypted storage and opens an existing |
| app data file:</p> |
| |
| <pre> |
| Context directBootContext = Context.createDeviceEncryptedStorageContext(); |
| // Access appDataFilename that lives in device encrypted storage |
| FileInputStream inStream = directBootContext.openFileInput(appDataFilename); |
| // Use inStream to read content... |
| </pre> |
| |
| <p>Use device encrypted storage only for |
| information that must be accessible during Direct Boot mode. |
| Don't use device encrypted storage as a general-purpose encrypted store. |
| For private user information, or encrypted data that isn't needed during |
| Direct Boot mode, use credential encrypted storage.</p> |
| |
| <h2 id="notification">Getting Notified of User Unlock</h2> |
| |
| <p>Once the user unlocks the device after restart, your app can switch to |
| accessing credential encrypted storage and use regular system services that |
| depend on user credentials.</p> |
| |
| <p>To get notified when the user unlocks the device after a reboot, |
| register a {@link android.content.BroadcastReceiver} from a running component |
| to listen for the <code>ACTION_USER_UNLOCKED</code> message. Or, you can |
| receive the existing {@link android.content.Intent#ACTION_BOOT_COMPLETED |
| ACTION_BOOT_COMPLETED} message, which now indicates the device has booted and |
| the user has unlocked the device.</p> |
| |
| <p>You can directly query if the user has unlocked the device by calling |
| <code>UserManager.isUserUnlocked()</code>.</p> |
| |
| <h2 id="migrating">Migrating Existing Data</h2> |
| |
| <p>If a user updates their device to use Direct Boot mode, you might have |
| existing data that needs to get migrated to device encrypted storage. Use |
| <code>Context.migrateSharedPreferencesFrom()</code> and |
| <code>Context.migrateDatabaseFrom()</code> to migrate preference and database |
| data between credential encrypted storage and device encrypted storage.</p> |
| |
| <p>Use your best judgment when deciding what data to migrate from credential |
| encrypted storage to device encrypted storage. You should not migrate |
| private user information, such as passwords or authorization tokens, to |
| device encrypted storage. In some scenarios, you might need to manage |
| separate sets of data in the two encrypted stores.</p> |
| |
| <h2 id="testing">Testing Your Encryption Aware App</h2> |
| |
| <p>Test your encryption aware app using the new Direct Boot mode. There are |
| two ways to enable Direct Boot.</p> |
| |
| <p class="caution"><strong>Caution:</strong> Enabling Direct Boot |
| wipes all user data on the device.</p> |
| |
| <p>On supported devices with Android N installed, enable |
| Direct Boot by doing one of the following:</p> |
| |
| <ul> |
| <li>On the device, enable <b>Developer options</b> if you haven't already by |
| going to <b>Settings > About phone</b>, and tapping <b>Build number</b> |
| seven times. Once the developer options screen is available, go to |
| <b>Settings > Developer options</b> and select |
| <b>Convert to file encryption</b>.</li> |
| <li>Use the following adb shell commands to enable Direct Boot mode: |
| <pre class="no-pretty-print"> |
| $ adb reboot-bootloader |
| $ fastboot --wipe-and-use-fbe |
| </pre> |
| </li> |
| </ul> |
| |
| <p>An emulated Direct Boot mode is also available, in case you need to switch |
| modes on your test devices. Emulated mode should only be used during |
| development and may cause data loss. To enable emulated Direct Boot mode, |
| set a lock pattern on the device, choose "No thanks" if prompted for a |
| secure start-up screen when setting a lock pattern, and then use the |
| following adb shell command:</p> |
| |
| <pre class="no-pretty-print"> |
| $ adb shell sm set-emulate-fbe true |
| </pre> |
| |
| <p>To turn off emulated Direct Boot mode, use the following command:</p> |
| |
| <pre class="no-pretty-print"> |
| $ adb shell sm set-emulate-fbe false |
| </pre> |
| |
| <p>Using these commands causes the device to reboot.</p> |