Encrypt the Android file system

To enable file system encryption, add the following to the local configuration makefile localconf.mk. This turns on TrustFence and encryption of the userdata partition:

TRUSTFENCE_ENABLE := "1"
TRUSTFENCE_ENCRYPT_USERDATA := "1"

Note By default, the local configuration makefile localconf.mk does not enable any TrustFence setting.

CAUTION! Only the data (userdata) partition of your Android device is encrypted; all other partitions remain unencrypted.

CAUTION! Use file system encryption only on closed devices. On open devices file system encryption is not secure, because the encryption key is wrapped with a test master key rather than the device's fused master key.

The following section describes the steps to use an encrypted data partition.

Step 8: Program an encryption key

Android requires a key to encrypt the data partition of your device. This key is stored on the eMMC wrapped in a keyblob, so it cannot be read from the storage while the device is off. If you boot Android images configured with file system encryption and no key is found, the encryption process fails and prints instructions on how to create the keyblob:

*************************************************
* Start the recovery image and create a new key *
* or an empty string to generate a random key   *
*************************************************

To program the key:

  1. Reset your device and press any key to stop the auto-boot process.
  2. Set the bootargs_once U-Boot variable to format the data and cache partitions and to define the file system encryption key value, androidboot.trustfence.fskey. The value can be either:
     • A 32-byte binary key, base64-encoded (44 characters, as in this example):
=> bootargs_once="androidboot.data=format androidboot.cache=format androidboot.trustfence.fskey=YjNz1psJsO3PsxIcdQwCjW7MA0Y5IryT38UCddViJNM="
     • An empty string, so that the recovery image generates a random key on the device:
=> bootargs_once="androidboot.data=format androidboot.cache=format androidboot.trustfence.fskey="
  3. Boot in recovery mode to program the key:
=> run recoverycmd

After that command, the recovery ramdisk secures the key in a keyblob and stores it on the eMMC in the U-Boot environment partition. It also wipes the /data and /cache partitions on the eMMC.

CAUTION! Establishing or changing the key requires wiping the /data and /cache partitions. All data in these partitions will be lost.
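The key value has to be a base64 encoding of exactly 32 bytes, and a typo in a 44-character string is easy to make. The host-side helper below is an added example, not part of the Digi/TrustFence tooling: it generates a key with openssl, checks that a candidate value decodes to 32 bytes, and prints the bootargs_once line to paste at the U-Boot prompt (an empty key is accepted, matching the random-key option above). It assumes openssl and a base64 that accepts -d are installed on the host; the function names are hypothetical.

```shell
#!/bin/sh
# Added helper (not part of the Digi/TrustFence tooling): generate and validate
# the androidboot.trustfence.fskey value and print the matching bootargs_once line.
# Assumes openssl and a base64 that accepts -d (GNU coreutils) on the host.

# Generate a random 32-byte key and print it base64-encoded (44 characters).
gen_fskey() {
    openssl rand -base64 32
}

# Check that a candidate key is base64 that decodes to exactly 32 bytes.
# Returns 0 when valid, 1 otherwise.
check_fskey() {
    key="$1"
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Print the bootargs_once assignment to paste at the U-Boot prompt.
# An empty key is allowed: the recovery image then generates a random key on the device.
fskey_bootargs() {
    key="$1"
    if [ -n "$key" ] && ! check_fskey "$key"; then
        echo "error: androidboot.trustfence.fskey must be a base64-encoded 32-byte key" >&2
        return 1
    fi
    printf 'bootargs_once="androidboot.data=format androidboot.cache=format androidboot.trustfence.fskey=%s"\n' "$key"
}

# Usage: generate a key on the host, keep a copy of it, and print the U-Boot line.
KEY=$(gen_fskey)
fskey_bootargs "$KEY"
```

Keep a copy of the generated key somewhere safe: it is wrapped into the keyblob on the device and is not printed again, and establishing a new one wipes /data and /cache.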

Step 9: Boot the encrypted file system

  1. Once the new encryption key is established and the partitions are wiped, the system reboots automatically.
  2. During the first boot after programming a new key, Android encrypts the data partition with this key. A progress bar is shown on the screen while the encryption runs.
  3. Once that process finishes, Android starts the launcher application and the system is ready to use.
  4. Subsequent boots are standard boots; the encryption process is not repeated unless you change the encryption key.