Samsung devices and File-based Encryption (FBE)

By Technical Publications Team

The new Samsung smartphones, scheduled to reach consumers in early 2019, add support for File-based Encryption (FBE), a feature of the Android OS. This blog post gives a high-level overview of FBE and describes its possible impact on partner applications available on Samsung devices.

Overview

FBE is available on Android OS 7.0 and higher. With FBE, different files are encrypted with different keys, so each file can be unlocked independently of the others; which key protects a file depends on the storage area the file lives in.

An FBE-enabled device offers each user, and every application, the following two storage areas:

  • Credential Encrypted (CE) storage: the default storage area. Its keys are protected by the user's lock screen credential, so it is available only after the user has unlocked the device at least once since boot.
  • Device Encrypted (DE) storage: a storage area whose keys are available as soon as the device boots, so it can be used both in Direct Boot mode and after the user unlocks the device. Because it is not protected by the user's credential, only data that must be reachable before unlock belongs there.

FBE makes possible a feature called Direct Boot, available in Android OS 7.0 or higher. Direct Boot lets an encrypted device boot straight to the lock screen, with apps operating in a limited context until the user unlocks the device.

FBE and its related APIs let applications become aware of encryption (making them 'crypto-aware') and operate in this limited context. One example is when the user restarts the device but has not yet entered their credentials: crypto-aware apps still run, but any private information stays locked down by FBE. For more information on FBE and how it helps secure your device, see File-based Encryption.

Impact to Partner apps

Per the Android OS specification, all FBE-enabled devices support Direct Boot. On such a device, after a restart and before the user logs in, only the DE storage area is available to apps. Apps that are not crypto-aware, that is, not aware of the CE and DE storage areas, do not run in this mode.

In certain situations, device or network management tasks need apps to run in Direct Boot mode. Take for example a user who reboots their device and cannot log in because they have forgotten their password. In this case, the IT admin needs to reset the password through the EMM agent. If the EMM agent is not crypto-aware, it does not run after the reboot and so cannot reset the user's password.

We recommend that our partners examine their current app data storage choices to determine whether their apps need access to data in Direct Boot mode. If so, we recommend making the apps crypto-aware so that device functionality and usability are not impacted.

Note that on devices running Android OS version P (9.0) or higher, apps that are part of the Knox Workspace do not show the lock screen by default after a device reboot. The lock screen appears only when the user tries to open an application.

For more information on changing your apps to support Direct Boot mode, see Support Direct Boot mode.

Impact to VPN Partners

On devices that support FBE and Direct Boot, the behavior of VPN clients changes unless our partners make code changes. We recommend that our VPN partners determine whether they need to update their VPN client to be aware of encryption on the device. If the VPN client is crypto-aware, the VPN connection starts after a device reboot before the user unlocks the device. If it is not crypto-aware, the VPN connection does not start until the user unlocks the device.

Note that a normal user-initiated lock and unlock of the device should not cause this change in VPN client behavior. FBE also should not affect access to certificates.
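The two cases above (an EMM agent that must act before the user unlocks, and a VPN client that should bring up its tunnel before unlock) rely on the same Direct Boot hooks. The following is an added example and not code from the original post, from Samsung, or from the Android project: a BroadcastReceiver for a hypothetical EMM agent (package com.example.emm, preference keys mdm_server and device_id, and a service class AgentService declared elsewhere in the app are all assumptions) that handles LOCKED_BOOT_COMPLETED using only DE storage and, once the user unlocks, copies the few enrollment values it needs before unlock from CE into DE storage. A crypto-aware VPN client would use the same receiver, keeping its connection parameters in DE storage and any user credentials in CE.

```java
// Added example for a hypothetical EMM agent; not code from the original post.
//
// Manifest entries this class assumes (shown as a comment; not part of the Java source):
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
//   <receiver android:name=".DirectBootAwareReceiver"
//             android:directBootAware="true"
//             android:exported="true">
//       <intent-filter>
//           <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//           <action android:name="android.intent.action.USER_UNLOCKED" />
//       </intent-filter>
//   </receiver>
//   <service android:name=".AgentService" android:directBootAware="true" />   (hypothetical)
package com.example.emm;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.UserManager;
import android.util.Log;

public class DirectBootAwareReceiver extends BroadcastReceiver {
    private static final String TAG = "DirectBootAware";
    // Hypothetical preference file name; the same name is used in CE and DE storage.
    private static final String PREFS_NAME = "agent_config";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            onLockedBoot(context);
        } else if (Intent.ACTION_USER_UNLOCKED.equals(action)) {
            onUserUnlocked(context);
        }
    }

    /** Device booted, user not yet unlocked: only DE storage is readable here. */
    private void onLockedBoot(Context context) {
        Context de = context.createDeviceProtectedStorageContext();
        SharedPreferences cfg = de.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        String server = cfg.getString("mdm_server", null);
        if (server == null) {
            // Enrollment data was never copied into DE storage, so nothing can be done before unlock.
            Log.w(TAG, "no enrollment config in DE storage; waiting for user unlock");
            return;
        }
        // Hand the pre-unlock work (EMM check-in and password-reset polling, or bringing up a
        // VPN tunnel) to a long-running service. AgentService is hypothetical and must itself
        // be declared directBootAware, or the system will not start it in this state.
        Intent work = new Intent(context, AgentService.class).putExtra("server", server);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            context.startForegroundService(work); // service must call startForeground() promptly
        } else {
            context.startService(work);
        }
    }

    /** CE storage is now available: copy only the values needed before unlock into DE. */
    private void onUserUnlocked(Context context) {
        Context de = context.createDeviceProtectedStorageContext();
        SharedPreferences dePrefs = de.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        if (dePrefs.contains("mdm_server")) {
            return; // already copied on an earlier unlock
        }
        SharedPreferences cePrefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        String server = cePrefs.getString("mdm_server", null);
        if (server == null) {
            return; // not enrolled yet; nothing to make available before unlock
        }
        // DE storage is not protected by the user's credential, so copy the server address and
        // device identity only. User tokens and other secrets deliberately stay in CE storage.
        dePrefs.edit()
                .putString("mdm_server", server)
                .putString("device_id", cePrefs.getString("device_id", null))
                .apply();
        Log.i(TAG, "enrollment config now available in DE storage");
    }

    /** Returns the storage context appropriate for the current lock state. */
    public static Context storageContext(Context context) {
        UserManager um = context.getSystemService(UserManager.class);
        boolean unlocked = um != null && um.isUserUnlocked();
        return unlocked ? context : context.createDeviceProtectedStorageContext();
    }
}
```

Two checks are worth keeping in mind when reviewing such a change. First, the system delivers ACTION_LOCKED_BOOT_COMPLETED only to components marked android:directBootAware="true", while ACTION_BOOT_COMPLETED arrives after the user unlocks; any service or provider the receiver touches before unlock needs the same flag. Second, because DE keys are released at boot without the user's credential, audit what is copied into DE storage: enough to operate in Direct Boot mode, and nothing that should require the user to be present.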

Next Steps: