
Marshmallow Requires New Devices to have Full-Disk Encryption

October 19, 2015 - Written By Alexander Maxham

Last year, with Android 5.0 Lollipop, Google decided to make encryption mandatory, and encrypted the Nexus 6 and Nexus 9. However, they later decided to “strongly” recommend it to their partners instead. Google has now released a new version of the Android Compatibility Definition Document, which defines compatibility for the Android-powered devices its partners build. It’s really a behind-the-scenes document that none of us will ever really see.

In the latest version of the Android Compatibility Definition Document, Google changed the portion about encryption to read as:

“For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience.”

So this means that full-disk encryption is mandatory for devices that support it and exceed the 50MiB/sec AES performance threshold, and it must be enabled before the setup process is complete, that being the process you go through after opening the box and turning on your brand new phone. This should also happen whenever you do a factory reset and set up the smartphone again. Now, if a device launched with a version of Android before Android 6.0, then it is exempt from this. However, if it did use encryption before, like the Nexus 6 and Nexus 9, then it must still use encryption before the setup process is complete.

Now, Google is not requiring users to set a lock screen passcode, PIN, etc. during the setup process. The manufacturer is asked to allow the user to forgo making their lock screen secure during the setup process, but to secure the encrypted device with a “default passcode” in place of a secure lock screen. This makes for a better user experience, because not everyone wants to have a secure lock screen. Additionally, it means that if the user wants to add a passcode or PIN to their lock screen later on, the device doesn’t need to be re-encrypted at that point, which, obviously, would take a pretty long time. So it’s a good decision here from Google. It is not only more intuitive for users, but also a bit better for getting everyone’s device encrypted.
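Why adding a PIN later needs no re-encryption, shown as an added example (not code from the article or from Android): the data is encrypted under a random master key, and the passcode only protects a small wrapped copy of that key. The function names and the `DEFAULT_PASSCODE` value are hypothetical, and PBKDF2 plus an HMAC-based wrap stand in for the KDF and AES key encryption a real device would use.

```python
import hashlib, hmac, os

DEFAULT_PASSCODE = b"default_password"  # constructed stand-in for the built-in default

def _derive(passcode, salt):
    # Stretch the passcode into an encryption half and a MAC half.
    okm = hashlib.pbkdf2_hmac("sha256", passcode, salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def wrap(master_key, passcode):
    """Protect the disk master key under a passcode-derived key."""
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    enc_key, mac_key = _derive(passcode, salt)
    pad = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
    blob = _xor(master_key, pad)
    tag = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return salt, blob, tag

def unwrap(wrapped, passcode):
    """Recover the master key, or raise ValueError on a wrong passcode."""
    salt, blob, tag = wrapped
    enc_key, mac_key = _derive(passcode, salt)
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passcode")
    pad = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
    return _xor(blob, pad)

def change_passcode(wrapped, old, new):
    """Re-wrap the same master key; no user data is read or rewritten."""
    return wrap(unwrap(wrapped, old), new)

def demo():
    master_key = os.urandom(16)                   # generated once, at first boot
    footer = wrap(master_key, DEFAULT_PASSCODE)   # out-of-box state, no lock screen
    footer = change_passcode(footer, DEFAULT_PASSCODE, b"4821")  # user adds a PIN later
    same_key = unwrap(footer, b"4821") == master_key
    try:
        unwrap(footer, DEFAULT_PASSCODE)
        old_rejected = False
    except ValueError:
        old_rejected = True
    return same_key, old_rejected

if __name__ == "__main__":
    print(demo())
```

Only the few dozen bytes of wrapped key change when the passcode does; everything encrypted under the master key stays valid as written.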