author | Clay Murphy <claym@google.com> | 2014-10-22 11:10:53 -0700 |
---|---|---|
committer | Clay Murphy <claym@google.com> | 2014-10-22 11:10:53 -0700 |
commit | ec58cfbbb01b6fee819b3560294db5b80eb08fcf (patch) | |
tree | 6debe29112ff9ff3a025d471261ece6861e4f1f5 | |
parent | b3aee88c344a2824ec7e155ebb55329a2ec73456 (diff) | |
download | source.android.com-ec58cfbbb01b6fee819b3560294db5b80eb08fcf.tar.gz |
Docs: Adding caution about description, replacing L refs
Bug: 17657556
Change-Id: I6241fabeb4a50ffa7e7c19969ce6e9b89583510c
-rw-r--r-- | src/devices/tech/encryption/index.jd | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/src/devices/tech/encryption/index.jd b/src/devices/tech/encryption/index.jd index e3038d40..1a88d77f 100644 --- a/src/devices/tech/encryption/index.jd +++ b/src/devices/tech/encryption/index.jd @@ -32,7 +32,7 @@ encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process.</p> -<h2 id=what_we’ve_added_for_android_l>What we’ve added for Android L</h2> +<h2 id=what_we’ve_added_for_android_l>What we’ve added for Android 5.0</h2> <ul> <li>Created fast encryption, which only encrypts used blocks on the data partition @@ -44,6 +44,10 @@ currently support fast encryption. href="#storing_the_encrypted_key">Storing the encrypted key</a> for more details. </ul> +<p class="caution"><strong>Caution:</strong> Devices upgraded to Android 5.0 and then +encrypted may be returned to an unencrypted state by factory data reset. New Android 5.0 +devices encrypted at first boot cannot be returned to an unencrypted state.</p> + <h2 id=how_android_encryption_works>How Android encryption works</h2> <p>Android disk encryption is based on <code>dm-crypt</code>, which is a kernel feature that works at the block device layer. Because of @@ -58,7 +62,7 @@ the key (with 256 being optional). </p> <p class="note"><strong>Note:</strong> OEMs can use 128-bit or higher to encrypt the master key.</p> -<p>In the L release, there are four kinds of encryption states: </p> +<p>In the Android 5.0 release, there are four kinds of encryption states: </p> <ul> <li>default 
@@ -115,7 +119,7 @@ and then follows a normal boot flow. </p> <li>Boot an encrypted device: <ul> <li>Starting an encrypted device with no password: Booting an encrypted device that -has no set password (relevant for devices running Android L and later). +has no set password (relevant for devices running Android 5.0 and later). <li> Starting an encrypted device with a password: Booting an encrypted device that has a set password. </ul> @@ -125,7 +129,7 @@ has a set password. <h3 id=encrypt_a_new_device_with_forceencrypt>Encrypt a new device with <code>/forceencrypt</code></h3> -<p>This is the normal first boot for an Android L device. </p> +<p>This is the normal first boot for an Android 5.0 device. </p> <ol> <li><strong>Detect unencrypted filesystem with <code>/forceencrypt</code> flag</strong> 
@@ -156,10 +160,13 @@ often not actually appear because encryption happens so quickly. See <a href="#e <li><strong>When <code>/data</code> is encrypted, take down the framework</strong> -<p><code>vold</code> sets <code>vold.decrypt</code> to <code>trigger_default_encryption</code> which starts the <code>defaultcrypto</code> service. (This starts the flow below for mounting a default encrypted -userdata.) <code>trigger_default_encryption</code> checks the encryption type to see if <code>/data</code> is encrypted with or without a password. Because Android L devices are -encrypted on first boot, there should be no password set; therefore we decrypt -and mount <code>/data</code>.</p> +<p><code>vold</code> sets <code>vold.decrypt</code> to +<code>trigger_default_encryption</code> which starts the +<code>defaultcrypto</code> service. (This starts the flow below for mounting a +default encrypted userdata.) <code>trigger_default_encryption</code> checks the +encryption type to see if <code>/data</code> is encrypted with or without a +password. Because Android 5.0 devices are encrypted on first boot, there should +be no password set; therefore we decrypt and mount <code>/data</code>.</p> <li><strong>Mount <code>/data</code></strong> @@ -231,7 +238,7 @@ reboot. This is not expected to ever occur.</p> <h3 id=starting_an_encrypted_device_with_default_encryption>Starting an encrypted device with default encryption</h3> <p>This is what happens when you boot up an encrypted device with no password. -Because Android L devices are encrypted on first boot, there should be no set +Because Android 5.0 devices are encrypted on first boot, there should be no set password and therefore this is the <em>default encryption</em> state.</p> <ol> |
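Review bot: In the first hunk (@@ -32,7 +32,7 @@) the heading text becomes "What we’ve added for Android 5.0" while the anchor stays id=what_we’ve_added_for_android_l, so the id no longer matches the heading. If the id is kept on purpose so existing links keep working, say so in the commit message. Otherwise rename it and update any href that points at it. Since the line is being touched anyway, consider quoting the attribute value and dropping the typographic apostrophe from the id, which is awkward to reference in links.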
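Review bot: The caution paragraph added in the second hunk (@@ -44,6 +44,10 @@) says upgraded devices "may be returned to an unencrypted state by factory data reset", and "may" can be read as either permission or possibility. Suggest "can be returned to an unencrypted state by a factory data reset", so it reads as the counterpart of "cannot be returned" in the next sentence. The second sentence depends on "encrypted at first boot", which the page explains under the heading with id=encrypt_a_new_device_with_forceencrypt; linking to that section from the caution would let readers tell which case applies to their device.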
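Review bot: The hunk at @@ -156,10 +160,13 @@ re-wraps the whole vold paragraph, and the only wording change in it is "Android L devices" to "Android 5.0 devices", so the substantive edit is hard to pick out from four removed and seven added lines. Suggest putting the reflow in a separate commit, or at least mentioning it in the commit message, which currently lists only the caution and the L replacements.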