What is full disk encryption in Android Lollipop?

Phone Security
Phone Security (Image credit: Jerry Hildenbrand / Android Central)

There's a lot of information out there about Android 5.0 Lollipop's "default" full disk encryption (FDE). Some of it is good information, some of it is bad information, and plenty of it is just repeated snippets of speculation. While this makes for good conversation — and FDE is something worth talking about — we wanted to break down the finer points into an easy-to-read discussion.

This isn't meant to be the be-all end-all document on Android encryption. Google has already posted that one. We're going to tackle the consumer-oriented questions we keep hearing. As always, use the comments for discussion so we all can learn a little something.

What is encryption?

Lollipop encryption

Encryption is the process of protecting data using an encryption key. Think of a password as a key, and the encryption is a very secure lock. You need the key to get in to do something. And while getting in without the right key is possible, it's not very likely. (Yes, any and every encryption system can — theoretically, at least — be defeated by patient and crafty individuals.)

On our Androids, all the user data on a device (since Android 3.0) can be encrypted. The data is actually encrypted on the fly, before it's ever written to disk. In turn, the data is decrypted before it gets returned to any program that asks for it. All you need is the correct key, which is password based using the device master password.

Changes in Lollipop

Lollipop encryption

While FDE has been available in Android since the ill-fated Android 3.x Honeycomb, Android 5.0 brings some pretty big changes and improvements in how it all works.

In Lollipop, FDE is done with a kernel feature that acts directly on the block layer of the storage. This means encryption can work on flash devices like eMMC storage — which have no native encryption features — because they present themselves to the kernel as a standard block device. Encryption isn't possible with file systems that talk directly with the storage (like YAFFS). The people who made your phone or tablet might have included a method to encrypt external storage (like the SD Card), but the Android AOSP deals mostly with internal storage. The algorithm used is 128-bit AES with CBC and an encrypted salt-sector initialization vector using the SHA256 hash function. The master key also uses calls to the OpenSSL library.

In other words, it's damned secure.

On the first boot into Android, your device creates a random 128-bit master key, then hashes it and stores it in the crypto metadata. This data is unlocked by your user passphrase. (And remember, folks, don't use weak passwords.) The resulting hash is also signed through hardware backing, such as TEE-based (that's Trusted Execution Environment) features like TrustZone. Prior to Android 5.0, the master key was encrypted based only on the user's password, which could be vulnerable to off-box attacks through ADB.

Interestingly, Google is not using the Qualcomm hardware cryptographic engine in AOSP or for the Nexus 6. This is inefficient as it forces CPU-based encryption and decryption during disk I/O (likely at every 512 byte interval) versus using Qualcomm's hardware-based performance features. We're not going to second guess why this is done, but know that OEMs are free to implement it as they like. We hope they will.

Google has done a lot to make full disk encryption on Android secure. All in all, they've done a pretty good job.

Performance issues

Lollipop encryption

You've probably heard about poor performance for disk reading and writing on Nexus devices with encryption enabled. It's true — when you need to encrypt and decrypt on the fly, disk I/O speeds are going to suffer. As mentioned above, Google is not using Qualcomm's hardware-based kernel features on the Nexus 6, which causes it to suffer even a bit more. But how bad is it?

Disk I/O in Lollipop is several times faster than is was in KitKat and previous versions of Android. Software optimization and device-specific code means that Android can read and write from the storage faster than ever. This is a very good thing that's mostly negated by slower I/O times due to encryption.

If you need to use FDE (or are forced to use it because you bought a new Nexus and don't want to install custom firmware) your performance is still going to be better (on paper) than it would have been on KitKat. It just won't be as good as it could be without encryption. In real-world use, most users we've talked to don't notice any device lag because of slow I/O. Your experience might be different.

If you want or need FDE, the trade-off is probably worth it.

Encryption isn't mandatory (and do you need it anyway?)

Galaxy Note 4 encryption setting

Anyone with a phone that already has the Lollipop update can tell you that Lollipop doesn't force you to use encryption. While the Nexus 6 and Nexus 9 (and possibly all future Nexus devices) ship with it enabled and no easy way to turn it off, phones that were updated to Lollipop — like the Galaxy Note 4 — do not automatically have full disk encryption enabled.

The same goes for new devices that are shipping with Android 5.x like the LG G Flex 2. The option is there should you want to enable it, but by default full encryption is turned off. This brings us to a choice — do we need full disk encryption?

Plenty of us will find full disk encryption useful. If you have sensitive information that you never, ever want to fall into the wrong hands on your phone, FDE is a godsend. For someone to get into your data, they must know your device password. No amount of fiddling over a wire is going to let them break in, and provided you used a strong password, your data is safe because after a handful of wrong guesses, everything goes on lockdown.

For others, just the standard lock screen security will enough. If we lose a phone, we can remotely wipe it via Android Device Manager or another utility, and if someone is able to go offline before we can wipe, then get lucky enough to bypass our lock screen password (it can happen), all they get is a few pictures and Google account access that we can quickly change a password on.

There also is the whole government snooping issue to think about. While most of us don't have a reason to fear any consequences for what we have stored on our phones, we still deserve a bit of privacy and protection when our personal data is concerned. Full disk encryption gets us closer to keeping our data secure from government agencies who think they need to see it.

Only you know if you need full device encryption.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • All I know is that my nexus 6 lagged like a bastard compared to the 5.I can only assume this is down to the encryption they forced on us. At least provide the option. When I had to get a Samsung phone to have a quicker phone you know something's gone wrong. Posted via the Android Central App
  • Everyone must start being vocal about this issue to google! This is a 700 dollar phone we're talking about here!
  • Iphone 6 has encryption but that's not slowing down. Google need to fix the encryption algorithm
  • Could be hardware level encryption like what Qualcomm is offering. The iPhone has an in-house CPU. Posted on my OnePlus One
  • iPhones indeed have hardware-based FDE, since 3GS. 256-bit AES keys. http://www.technologyreview.com/news/428477/the-iphone-has-passed-a-key-...
  • my N5 bordered on unusable when i had encryption on with lollipop. it would take, and I'm not joking 7-10 seconds from the time I'd hit say, the multitasking key, to the point where it actually brought up the recent apps view. I tried multiple factory resets and encryption off and on with them and without a doubt the N5 was *significantly* slower with encryption on than off.
  • I had exactly the same experience with both my moto x and my lg gpe tablet. Both were awful with lollipop encrypted. The lg tablet was unusable. Posted via the Android Central App
  • I turned encryption on (N5 5.0.1) and didnt notice much of a difference if at all. In todays age I feel it needs to be on, especially for me as I do banking, corporate exchange account, personal documents and pics. Boot times for me have suffered, but I rarely restart my phone so not a big deal. Once I am loaded in the OS I don't see any difference... Just my 2 cents
  • Encryption will only help regarding government snooping if they get physical access to your device. Otherwise, if it's booted up and you're actively using it that encryption isn't going to stop them from possibly seeing what you're doing. The encryption is only happening locally on the device via its file system. Thank goodness non-Nexus devices don't automatically encrypt (I'd be pissed with forced encryption). This type of thing should always be opt-in, NEVER opt-out.
  • Right? That's my question too. Posted via the Android Central App
  • Oop, sorry edited my post as a statement instead of a question.
  • Yeah, don't really see the point of encryption. Your average thief will just reset the phone anyway. Posted via the Android Central App
  • Google should make something similar to iCloud on what Apple did to iOS 7 where no one can factory reset without your iCloud password. Posted via the Android Central App
  • I believe they are working on something like that
  • The point of encryption isn't to keep someone from stealing your phone. it is to keep them from stealing your data. There can be any number of things on your phone like work secrets, banking information, scandalous photos, etc. Encryption can keep these things safe as long as they don't have your password.
  • My guess is that it was the best that Google could do immediately after Apple announced its security. changes.
  • While I agree in principle, I cant really get how people really care about “government snooping” so they need Full Disk Encryption. The only way this would matter is if they had your device seized and a warrant to search it. Even then, your average digital forensics lab has what…..a couple guys neck deep in real cases? Seriously, the last thing they care about is snooping on your selfies…..
    On the other hand, it is very good idea for stopping criminals who may steal your phone. In fact, that is an excellent and realist reason to use FDE….as opposed to the CIA is going to break into your room at night to check your browser history
  • That first picture makes me cringe.  
  • thought the same thing!
  • How do you explain a brand new Nexus 6 showing its encrypted but you haven't made a password yet? >.<
  • The Nexus 6 uses what's called "Default Encryption" which uses a randomly generated hash key. Jerry linked to the Google dev page that explains this a lot better than I can... https://source.android.com/devices/tech/security/encryption/
  • It is stupid to force disk encryption on people that don't want it and never change the default encryption password. It offers them none of the protection is was designed for and all of the penalties they don't want. I think it should have been optional for the nexus 6 and 9's. BTW, I use it and have set my encryption key and love how fast and smooth my device is, but others that want it unencrypted should have had a choice in the matter.
  • Eat it NSA. Posted via the Android Central App
  • LOL, the NSA does not care about you....but if they did your FDE would do nothing to stop them.
  • Question it wasn't mentioned in the article but will this also have the ability to encrypt SD cards. Just curious. The hardware based encryption would definitely help in terms of performance.
  • No, SD cards use FAT/FAT32 filesystem which doesn't support encryption. Besides, if you could encrypt it, it wouldn't be readable in any other device, which kind of defeats the point of removable storage.
  • Thanks...
  • beetle's comment isn't 100% true. I don't know the details if or not FAT32 doesn't support encryption but that doesn't mean data on a FAT32 partition can't be encrypted. Encryption doesn't have to be affected by partition formats or hardware.
    Encryption can be solely software based.
  • That and SDcards can be formatted to EXT4 and EXT4+LUKS is device agnostic (As long as the device supports EXT4+LUKS) I have all my banking docs stored on an encrypted flash drive and when I plug it in I am prompted for a password and bam.
  • My nexus 6 runs great out of the box with encrypt on. Posted via the Android Central App
  • +1 Posted via the Android Central App
  • Same here, I was worried before I bought it, then read I could remove it in xda. But after I got it, it runs great
  • My Nexux 9 has no performance issues either; encryption is on. It may be a matter of perspective as I upgraded tablets from an old Samsung Galaxy Tab (1); anything newer would be... Still, I'm impressed. If/when my Moto X (2013) gets the push to Lollipop I may find out if there is a noticeable difference; I still have time to think about it, it seems. Really good article, too. Many things I was aware of, but the message is framed well. Kudos.
  • I'm waiting for the Lollipop update for my Galaxy Note 3
  • Do You think that's Jerry's real homescreen or did he clean it up for the pic? Posted via the Android Central App
  • i haven't decided if i need/want encryption on for my N5. i understand the performance and security tradeoffs. its the actually day-to-day use that i'm unsure of: so with the phone completely OFF, I hold the power key to turn it on...and I'll be asked for my super-secret password. do i also have to enter that password when waking the phone from sleep? if not, what lock screen options do i have? pattern, pin, or just password? does smart lock still function (so my Moto360 can cause a lock screen bypass)? what options, once selected, are permanent? (meaning they can only be changed with a factory reset) m.
  • my Nexus 6 is stupid fast, except for those times it's not and I'm sure it's the encryption but for the most part it's a non issue for me. I would like to see it become an option in the new update.. I'd factory reset to at least try it out without it and see what the results are.
  • lel, this might just be the reason why many devices don't ship with lollipop with oems releasing OTA update later on.
  • Using a Nexus 6 I have found no issues that would cause me any serious concerns regarding performance.
  • I'm entirely tech illliterate... Does my T Mobile LG-P769 require anything different? Please help, thank u