1page.title=Encryption
2@jd:body
3
4<!--
5    Copyright 2014 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19
20<div id="qv-wrapper">
21  <div id="qv">
22    <h2>In this document</h2>
23    <ol id="auto-toc">
24    </ol>
25  </div>
26</div>
27
28<h2 id=what_is_encryption>What is encryption?</h2>
29
30<p>Encryption is the process of encoding user data on an Android device using an
31encrypted key. Once a device is encrypted, all user-created data is
32automatically encrypted before committing it to disk and all reads
33automatically decrypt data before returning it to the calling process.</p>
34
35<h2 id=what_we’ve_added_for_android_l>What we’ve added for Android 5.0</h2>
36
37<ul>
38  <li>Created fast encryption, which only encrypts used blocks on the data partition
39to avoid first boot taking a long time. Only ext4 and f2fs filesystems
40currently support fast encryption.
41  <li>Added the <code>forceencrypt</code> flag to encrypt on first boot.
42  <li>Added support for patterns and encryption without a password.
43  <li>Added hardware-backed storage of the encryption key. See <a
44       href="#storing_the_encrypted_key">Storing the encrypted key</a> for more details.
45</ul>
46
47<p class="caution"><strong>Caution:</strong> Devices upgraded to Android 5.0 and then
48encrypted may be returned to an unencrypted state by factory data reset. New Android 5.0
49devices encrypted at first boot cannot be returned to an unencrypted state.</p>
50
51<h2 id=how_android_encryption_works>How Android encryption works</h2>
52
53<p>Android disk encryption is based on <code>dm-crypt</code>, which is a kernel feature that works at the block device layer. Because of
54this, encryption works with Embedded MultiMediaCard<strong> (</strong>eMMC) and similar flash devices that present themselves to the kernel as block
55devices. Encryption is not possible with YAFFS, which talks directly to a raw
56NAND flash chip. </p>
57
58<p>The encryption algorithm is 128 Advanced Encryption Standard (AES) with
59cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with
60128-bit AES via calls to the OpenSSL library. You must use 128 bits or more for
61the key (with 256 being optional). </p>
62
63<p class="note"><strong>Note:</strong> OEMs can use 128-bit or higher to encrypt the master key.</p>
64
65<p>In the Android 5.0 release, there are four kinds of encryption states: </p>
66
67<ul>
68  <li>default
69  <li>PIN
70  <li>password
71  <li>pattern
72</ul>
73
74<p>Upon first boot, the device generates a 128-bit key. This key is then encrypted
75with a default password, and the encrypted key is stored in the crypto
76metadata. The 128-bit key generated is valid until the next factory reset. Upon
77factory reset, a new 128-bit key is generated.</p>
78
79<p>When the user sets the PIN/pass or password on the device, only the 128-bit key
80is re-encrypted and stored. (ie. user PIN/pass/pattern changes do NOT cause
81re-encryption of userdata.) </p>
82
83<p>Encryption is managed by <code>init</code> and <code>vold</code>. <code>init</code> calls <code>vold</code>, and vold sets properties to trigger events in init. Other parts of the system
84also look at the properties to conduct tasks such as report status, ask for a
85password, or prompt to factory reset in the case of a fatal error. To invoke
86encryption features in <code>vold</code>, the system uses the command line tool <code>vdc</code>’s <code>cryptfs</code> commands: <code>checkpw</code>, <code>restart</code>, <code>enablecrypto</code>, <code>changepw</code>, <code>cryptocomplete</code>, <code>verifypw</code>, <code>setfield</code>, <code>getfield</code>, <code>mountdefaultencrypted</code>, <code>getpwtype</code>, <code>getpw</code>, and <code>clearpw</code>.</p>
87
88<p>In order to encrypt, decrypt or wipe <code>/data</code>, <code>/data</code> must not be mounted. However, in order to show any user interface (UI), the
89framework must start and the framework requires <code>/data</code> to run. To resolve this conundrum, a temporary filesystem is mounted on <code>/data</code>. This allows Android to prompt for passwords, show progress, or suggest a data
90wipe as needed. It does impose the limitation that in order to switch from the
91temporary filesystem to the true <code>/data</code> filesystem, the system must stop every process with open files on the
92temporary filesystem and restart those processes on the real <code>/data</code> filesystem. To do this, all services must be in one of three groups: <code>core</code>, <code>main</code>, and <code>late_start</code>.</p>
93
94<ul>
95  <li><code>core</code>: Never shut down after starting.
96  <li><code>main</code>: Shut down and then restart after the disk password is entered.
97  <li><code>late_start</code>: Does not start until after <code>/data</code> has been decrypted and mounted.
98</ul>
99
100<p>To trigger these actions, the  <code>vold.decrypt</code> property is set to <a href="https://android.googlesource.com/platform/system/vold/+/master/cryptfs.c">various strings</a>. To kill and restart services, the <code>init</code> commands are:</p>
101
102<ul>
103  <li><code>class_reset</code>: Stops a service but allows it to be restarted with class_start.
104  <li><code>class_start</code>: Restarts a service.
105  <li><code>class_stop</code>: Stops a service and adds a <code>SVC_DISABLED</code> flag. Stopped services do not respond to <code>class_start</code>.
106</ul>
107
108<h2 id=flows>Flows</h2>
109
110<p>There are four flows for an encrypted device. A device is encrypted just once
111and then follows a normal boot flow.  </p>
112
113<ul>
114  <li>Encrypt a previously unencrypted device:
115  <ul>
116    <li>Encrypt a new device with <code>forceencrypt</code>: Mandatory encryption at first boot (starting in Android L).
117    <li>Encrypt an existing device: User-initiated encryption (Android K and earlier).
118  </ul>
119  <li>Boot an encrypted device:
120  <ul>
121    <li>Starting an encrypted device with no password: Booting an encrypted device that
122has no set password (relevant for devices running Android 5.0 and later).
123    <li> Starting an encrypted device with a password: Booting an encrypted device that
124has a set password.
125  </ul>
126</ul>
127
128<p>In addition to these flows, the device can also fail to encrypt <code>/data</code>. Each of the flows are explained in detail below.</p>
129
130<h3 id=encrypt_a_new_device_with_forceencrypt>Encrypt a new device with /forceencrypt</h3>
131
132<p>This is the normal first boot for an Android 5.0 device. </p>
133
134<ol>
135  <li><strong>Detect unencrypted filesystem with <code>/forceencrypt</code> flag</strong>
136
137<p>
138<code>/data</code> is not encrypted but needs to be because <code>/forceencrypt</code> mandates it.
139Unmount <code>/data</code>.</p>
140
141  <li><strong>Start encrypting <code>/data</code></strong>
142
143<p><code>vold.decrypt = "trigger_encryption"</code> triggers <code>init.rc</code>, which will cause <code>vold</code> to encrypt <code>/data</code> with no password. (None is set because this should be a new device.)</p>
144
145
146  <li><strong>Mount tmpfs</strong>
147
148
149<p><code>vold</code> mounts a tmpfs <code>/data</code> (using the tmpfs options from
150<code>ro.crypto.tmpfs_options</code>) and sets the property <code>vold.encrypt_progress</code> to 0.
151<code>vold</code> prepepares the tmpfs <code>/data</code> for booting an encrypted system and sets the
152property <code>vold.decrypt</code> to: <code>trigger_restart_min_framework</code>
153</p>
154
155  <li><strong>Bring up framework to show progress</strong>
156
157
158<p>Because the device has virtually no data to encrypt, the progress bar will
159often not actually appear because encryption happens so quickly. See <a href="#encrypt_an_existing_device">Encrypt an existing device</a> for more details about the progress UI. </p>
160
161  <li><strong>When <code>/data</code> is encrypted, take down the framework</strong>
162
163<p><code>vold</code>  sets <code>vold.decrypt</code> to
164<code>trigger_default_encryption</code> which starts the
165<code>defaultcrypto</code> service. (This starts the flow below for mounting a
166default encrypted userdata.) <code>trigger_default_encryption</code> checks the
167encryption type to see if <code>/data</code> is  encrypted with or without a
168password. Because Android 5.0 devices are encrypted on first boot, there should
169be no password set; therefore we decrypt and mount <code>/data</code>.</p>
170
171  <li><strong>Mount <code>/data</code></strong>
172
173<p><code>init</code> then mounts <code>/data</code> on a tmpfs RAMDisk using parameters it picks up from <code>ro.crypto.tmpfs_options</code>, which is set in <code>init.rc</code>.</p>
174
175  <li><strong>Start framework</strong>
176
177<p>Set <code>vold</code> to <code>trigger_restart_framework</code>, which continues the usual boot process.</p>
178</ol>
179
180<h3 id=encrypt_an_existing_device>Encrypt an existing device</h3>
181
182<p>This is what happens when you encrypt an unencrypted Android K or earlier
183device that has been migrated to L. Note that this is the same flow as used in
184K.</p>
185
186<p>This process is user-initiated and is referred to as “inplace encryption” in
187the code. When a user selects to encrypt a device, the UI makes sure the
188battery is fully charged and the AC adapter is plugged in so there is enough
189power to finish the encryption process.</p>
190
191<p class="warning"><strong>Warning:</strong> If the device runs out of power and shuts down before it has finished
192encrypting, file data is left in a partially encrypted state. The device must
193be factory reset and all data is lost.</p>
194
195<p>To enable inplace encryption, <code>vold</code> starts a loop to read each sector of the real block device and then write it
196to the crypto block device. <code>vold</code> checks to see if a sector is in use before reading and writing it, which makes
197encryption much faster on a new device that has little to no data. </p>
198
199<p><strong>State of device</strong>: Set <code>ro.crypto.state = "unencrypted"</code> and execute the <code>on nonencrypted</code> <code>init</code> trigger to continue booting.</p>
200
201<ol>
202  <li><strong>Check password</strong>
203
204<p>The UI calls <code>vold</code> with the command <code>cryptfs enablecrypto inplace</code> where <code>passwd</code> is the user's lock screen password.</p>
205
206  <li><strong>Take down the framework</strong>
207
208<p><code>vold</code> checks for errors, returns -1 if it can't encrypt, and prints a reason in the
209log. If it can encrypt, it sets the property <code>vold.decrypt</code> to <code>trigger_shutdown_framework</code>. This causes <code>init.rc</code> to stop services in the classes <code>late_start</code> and <code>main</code>. </p>
210
211  <li><strong>Unmount <code>/data</code></strong>
212
213<p><code>vold</code> unmounts <code>/mnt/sdcard</code> and then <code>/data</code>.</p>
214
215  <li><strong>Start encrypting <code>/data</code></strong>
216
217<p><code>vold</code> then sets up the crypto mapping, which creates a virtual crypto block device
218that maps onto the real block device but encrypts each sector as it is written,
219and decrypts each sector as it is read. <code>vold</code> then creates and writes out the crypto metadata.</p>
220
221  <li><strong>While it’s encrypting, mount tmpfs</strong>
222
223<p><code>vold</code> mounts a tmpfs <code>/data</code> (using the tmpfs options from <code>ro.crypto.tmpfs_options</code>) and sets the property <code>vold.encrypt_progress</code> to 0. <code>vold</code> prepares the tmpfs <code>/data</code> for booting an encrypted system and sets the property <code>vold.decrypt</code> to: <code>trigger_restart_min_framework</code> </p>
224
225  <li><strong>Bring up framework to show progress</strong>
226
227<p><code>trigger_restart_min_framework </code>causes <code>init.rc</code> to start the <code>main</code> class of services. When the framework sees that <code>vold.encrypt_progress</code> is set to 0, it brings up the progress bar UI, which queries that property
228every five seconds and updates a progress bar. The encryption loop updates <code>vold.encrypt_progress</code> every time it encrypts another percent of the partition. </p>
229
230  <li><strong>When<code> /data</code> is encrypted, reboot</strong>
231
232<p>When <code>/data</code> is successfully encrypted, <code>vold</code> clears the flag <code>ENCRYPTION_IN_PROGRESS</code> in the metadata and reboots the system. </p>
233
234<p> If the reboot fails for some reason, <code>vold</code> sets the property <code>vold.encrypt_progress</code> to <code>error_reboot_failed</code> and the UI should display a message asking the user to press a button to
235reboot. This is not expected to ever occur.</p>
236</ol>
237
238<h3 id=starting_an_encrypted_device_with_default_encryption>Starting an encrypted device with default encryption</h3>
239
240<p>This is what happens when you boot up an encrypted device with no password.
241Because Android 5.0 devices are encrypted on first boot, there should be no set
242password and therefore this is the <em>default encryption</em> state.</p>
243
244<ol>
245  <li><strong>Detect encrypted <code>/data</code> with no password</strong>
246
247<p>Detect that the Android device is encrypted because <code>/data</code>
248cannot be mounted and one of the flags <code>encryptable</code> or
249<code>forceencrypt</code> is set.</p>
250
251<p><code>vold</code> sets <code>vold.decrypt</code> to <code>trigger_default_encryption</code>, which starts the <code>defaultcrypto</code> service. <code>trigger_default_encryption</code> checks the encryption type to see if <code>/data</code> is  encrypted with or without a  password. </p>
252
253  <li><strong>Decrypt /data</strong>
254
255<p>Creates the <code>dm-crypt</code> device over the block device so the device is ready for use.</p>
256
257  <li><strong>Mount /data</strong>
258
259<p><code>vold</code> then mounts the decrypted real <code>/data </code>partition and then prepares the new partition. It sets the property <code>vold.post_fs_data_done</code> to 0 and then sets <code>vold.decrypt</code> to <code>trigger_post_fs_data</code>. This causes <code>init.rc</code> to run its <code>post-fs-data</code> commands. They will create any necessary directories or links and then set <code>vold.post_fs_data_done</code> to 1.</p>
260
261<p>Once <code>vold</code> sees the 1 in that property, it sets the property <code>vold.decrypt</code> to: <code>trigger_restart_framework.</code> This causes <code>init.rc</code> to start services in class <code>main</code> again and also start services in class <code>late_start</code> for the first time since boot.</p>
262
263  <li><strong>Start framework</strong>
264
265<p>Now the framework boots all its services using the decrypted <code>/data</code>, and the system is ready for use.</p>
266</ol>
267
268<h3 id=starting_an_encrypted_device_without_default_encryption>Starting an encrypted device without default encryption</h3>
269
270<p>This is what happens when you boot up an encrypted device that has a set
271password. The device’s password can be a pin, pattern, or password. </p>
272
273<ol>
274  <li><strong>Detect encrypted device with a password</strong>
275
276<p>Detect that the Android device is encrypted because the flag <code>ro.crypto.state = "encrypted"</code></p>
277
278<p><code>vold</code> sets <code>vold.decrypt</code> to <code>trigger_restart_min_framework</code> because <code>/data</code> is  encrypted with a password.</p>
279
280  <li><strong>Mount tmpfs</strong>
281
282<p><code>init</code> sets five properties to save the initial mount options given for <code>/data</code> with parameters passed from <code>init.rc</code>.  <code>vold</code> uses these properties to set up the crypto mapping:</p>
283
284<ol>
285  <li><code>ro.crypto.fs_type</code>
286  <li><code>ro.crypto.fs_real_blkdev</code>
287  <li><code>ro.crypto.fs_mnt_point</code>
288  <li><code>ro.crypto.fs_options</code>
289  <li><code>ro.crypto.fs_flags </code>(ASCII 8-digit hex number preceded by 0x)
290  </ol>
291
292  <li><strong>Start framework to prompt for password</strong>
293
294<p>The framework starts up and sees that <code>vold.decrypt</code> is set to <code>trigger_restart_min_framework</code>. This tells the framework that it is booting on a tmpfs <code>/data</code> disk and it needs to get the user password.</p>
295
296<p>First, however, it needs to make sure that the disk was properly encrypted. It
297sends the command <code>cryptfs cryptocomplete</code> to <code>vold</code>. <code>vold</code> returns 0 if encryption was completed successfully, -1 on internal error, or
298-2 if encryption was not completed successfully. <code>vold</code> determines this by looking in the crypto metadata for the <code>CRYPTO_ENCRYPTION_IN_PROGRESS</code> flag. If it's set, the encryption process was interrupted, and there is no
299usable data on the device. If <code>vold</code> returns an error, the UI should display a message to the user to reboot and
300factory reset the device, and give the user a button to press to do so.</p>
301
302  <li><strong>Decrypt data with password</strong>
303
304<p>Once <code>cryptfs cryptocomplete</code> is successful, the framework displays a UI asking for the disk password. The
305UI checks the password by sending the command <code>cryptfs checkpw</code> to <code>vold</code>. If the password is correct (which is determined by successfully mounting the
306decrypted <code>/data</code> at a temporary location, then unmounting it), <code>vold</code> saves the name of the decrypted block device in the property <code>ro.crypto.fs_crypto_blkdev</code> and returns status 0 to the UI. If the password is incorrect, it returns -1 to
307the UI.</p>
308
309  <li><strong>Stop framework</strong>
310
311<p>The UI puts up a crypto boot graphic and then calls <code>vold</code> with the command <code>cryptfs restart</code>. <code>vold</code> sets the property <code>vold.decrypt</code> to <code>trigger_reset_main</code>, which causes <code>init.rc</code> to do <code>class_reset main</code>. This stops all services in the main class, which allows the tmpfs <code>/data</code> to be unmounted. </p>
312
313  <li><strong>Mount <code>/data</code></strong>
314
315<p><code>vold</code> then mounts the decrypted real <code>/data </code>partition and prepares the new partition (which may never have been prepared if
316it was encrypted with the wipe option, which is not supported on first
317release). It sets the property <code>vold.post_fs_data_done</code> to 0 and then sets <code>vold.decrypt</code> to <code>trigger_post_fs_data</code>. This causes <code>init.rc</code> to run its <code>post-fs-data</code> commands. They will create any necessary directories or links and then set <code>vold.post_fs_data_done</code> to 1. Once <code>vold</code> sees the 1 in that property, it sets the property <code>vold.decrypt</code> to <code>trigger_restart_framework</code>. This causes <code>init.rc</code> to start services in class <code>main</code> again and also start services in class <code>late_start</code> for the first time since boot.</p>
318
319  <li><strong>Start full framework</strong>
320
321<p>Now the framework boots all its services using the decrypted <code>/data</code> filesystem, and the system is ready for use.</p>
322</ol>
323
324<h3 id=failure>Failure</h3>
325
326<p>A device that fails to decrypt might be awry for a few reasons. The device
327starts with the normal series of steps to boot:</p>
328
329<ol>
330  <li>Detect encrypted device with a password
331  <li>Mount tmpfs
332  <li>Start framework to prompt for password
333</ol>
334
335<p>But after the framework opens, the device can encounter some errors:</p>
336
337<ul>
338  <li>Password matches but cannot decrypt data
339  <li>User enters wrong password 30 times
340</ul>
341
342<p>If these errors are not resolved, <strong>prompt user to factory wipe</strong>:</p>
343
344<p>If <code>vold</code> detects an error during the encryption process, and if no data has been
345destroyed yet and the framework is up, <code>vold</code> sets the property <code>vold.encrypt_progress </code>to <code>error_not_encrypted</code>. The UI prompts the user to reboot and alerts them the encryption process
346never started. If the error occurs after the framework has been torn down, but
347before the progress bar UI is up, <code>vold</code> will reboot the system. If the reboot fails, it sets <code>vold.encrypt_progress</code> to <code>error_shutting_down</code> and returns -1; but there will not be anything to catch the error. This is not
348expected to happen.</p>
349
350<p>If <code>vold</code> detects an error during the encryption process, it sets <code>vold.encrypt_progress</code> to <code>error_partially_encrypted</code> and returns -1. The UI should then display a message saying the encryption
351failed and provide a button for the user to factory reset the device. </p>
352
353<h2 id=storing_the_encrypted_key>Storing the encrypted key</h2>
354
355<p>The encrypted key is stored in the crypto metadata. Hardware backing is implemented by using Trusted Execution Environment’s (TEE) signing capability.
356Previously, we encrypted the master key with a key generated by applying scrypt to the user's password and the stored salt. In order to make the key resilient
357against off-box attacks, we extend this algorithm by signing the resultant key with a stored TEE key. The resultant signature is then turned into an appropriate length key by one more application of scrypt. This key is then used to encrypt and decrypt the master key. To store this key:</p>
358
359<ol>
360  <li>Generate random 16-byte disk encryption key (DEK) and 16-byte salt.
361  <li>Apply scrypt to the user password and the salt to produce 32-byte intermediate
362key 1 (IK1).
363  <li>Pad IK1 with zero bytes to the size of the hardware-bound private key (HBK).
364Specifically, we pad as: 00 || IK1 || 00..00; one zero byte, 32 IK1 bytes, 223
365zero bytes.
366  <li>Sign padded IK1 with HBK to produce 256-byte IK2.
367  <li>Apply scrypt to IK2 and salt (same salt as step 2) to produce 32-byte IK3.
368  <li>Use the first 16 bytes of IK3 as KEK and the last 16 bytes as IV.
369  <li>Encrypt DEK with AES_CBC, with key KEK, and initialization vector IV.
370</ol>
371
372<h2 id=changing_the_password>Changing the password</h2>
373
374<p>When a user elects to change or remove their password in settings, the UI sends
375the command <code>cryptfs changepw</code>  to <code>vold</code>, and <code>vold</code> re-encrypts the disk master key with the new password.</p>
376
377<h2 id=encryption_properties>Encryption properties</h2>
378
379<p><code>vold</code> and <code>init</code> communicate with each other by setting properties. Here is a list of available
380properties for encryption.</p>
381
382<h3 id=vold_properties>Vold properties </h3>
383
384<table>
385  <tr>
386    <th>Property</th>
387    <th>Description</th>
388  </tr>
389  <tr>
390    <td><code>vold.decrypt  trigger_encryption</code></td>
391    <td>Encrypt the drive with no
392    password.</td>
393  </tr>
394  <tr>
395    <td><code>vold.decrypt  trigger_default_encryption</code></td>
396    <td>Check the drive to see if it is encrypted with no password.
397If it is, decrypt and mount it,
398else set <code>vold.decrypt</code> to trigger_restart_min_framework.</td>
399  </tr>
400  <tr>
401    <td><code>vold.decrypt  trigger_reset_main</code></td>
402    <td>Set by vold to shutdown the UI asking for the disk password.</td>
403  </tr>
404  <tr>
405    <td><code>vold.decrypt  trigger_post_fs_data</code></td>
406    <td> Set by vold to prep /data with necessary directories, et al.</td>
407  </tr>
408  <tr>
409    <td><code>vold.decrypt  trigger_restart_framework</code></td>
410    <td>Set by vold to start the real framework and all services.</td>
411  </tr>
412  <tr>
413    <td><code>vold.decrypt  trigger_shutdown_framework</code></td>
414    <td>Set by vold to shutdown the full framework to start encryption.</td>
415  </tr>
416  <tr>
417    <td><code>vold.decrypt  trigger_restart_min_framework</code></td>
418    <td>Set by vold to start the
419progress bar UI for encryption or
420prompt for password, depending on
421the value of <code>ro.crypto.state</code>.</td>
422  </tr>
423  <tr>
424    <td><code>vold.encrypt_progress</code></td>
425    <td>When the framework starts up,
426if this property is set, enter
427the progress bar UI mode.</td>
428  </tr>
429  <tr>
430    <td><code>vold.encrypt_progress  0 to 100</code></td>
431    <td>The progress bar UI should
432display the percentage value set.</td>
433  </tr>
434  <tr>
435    <td><code>vold.encrypt_progress  error_partially_encrypted</code></td>
436    <td>The progress bar UI should display a message that the encryption failed, and
437give the user an option to
438factory reset the device.</td>
439  </tr>
440  <tr>
441    <td><code>vold.encrypt_progress  error_reboot_failed</code></td>
442    <td>The progress bar UI should
443display a message saying encryption completed, and give the user a button to reboot the device. This error is not expected to happen.</td>
444  </tr>
445  <tr>
446    <td><code>vold.encrypt_progress  error_not_encrypted</code></td>
447    <td>The progress bar UI should
448display a message saying an error
449occured,  no data was encrypted or
450lost, and give the user a button to reboot the system.</td>
451  </tr>
452  <tr>
453    <td><code>vold.encrypt_progress  error_shutting_down</code></td>
454    <td>The progress bar UI is not running, so it is unclear who will respond to this error. And it should never happen anyway.</td>
455  </tr>
456  <tr>
457    <td><code>vold.post_fs_data_done  0</code></td>
458    <td>Set by <code>vold</code> just before setting <code>vold.decrypt</code> to <code>trigger_post_fs_data</code>.</td>
459  </tr>
460  <tr>
461    <td><code>vold.post_fs_data_done  1</code></td>
462    <td>Set by <code>init.rc</code> or
463    <code>init.rc</code> just after finishing the task <code>post-fs-data</code>.</td>
464  </tr>
465</table>
466<h3 id=init_properties>init properties</h3>
467
468<table>
469  <tr>
470    <th>Property</th>
471    <th>Description</th>
472  </tr>
473  <tr>
474    <td><code>ro.crypto.fs_crypto_blkdev</code></td>
475    <td>Set by the <code>vold</code> command <code>checkpw</code> for later use by the <code>vold</code> command <code>restart</code>.</td>
476  </tr>
477  <tr>
478    <td><code>ro.crypto.state unencrypted</code></td>
479    <td>Set by <code>init</code> to say this system is running with an unencrypted
480    <code>/data ro.crypto.state encrypted</code>. Set by <code>init</code> to say this system is running with an encrypted <code>/data</code>.</td>
481  </tr>
482  <tr>
483    <td><p><code>ro.crypto.fs_type<br>
484      ro.crypto.fs_real_blkdev      <br>
485      ro.crypto.fs_mnt_point<br>
486      ro.crypto.fs_options<br>
487      ro.crypto.fs_flags      <br>
488    </code></p></td>
489    <td> These five properties are set by
490      <code>init</code> when it tries to mount <code>/data</code> with parameters passed in from
491    <code>init.rc</code>. <code>vold</code> uses these to setup the crypto mapping.</td>
492  </tr>
493  <tr>
494    <td><code>ro.crypto.tmpfs_options</code></td>
495    <td>Set by <code>init.rc</code> with the options init should use when mounting the tmpfs /data filesystem.</td>
496  </tr>
497</table>
498<h2 id=init_actions>Init actions</h2>
499
500<pre>
501on post-fs-data
502on nonencrypted
503on property:vold.decrypt=trigger_reset_main
504on property:vold.decrypt=trigger_post_fs_data
505on property:vold.decrypt=trigger_restart_min_framework
506on property:vold.decrypt=trigger_restart_framework
507on property:vold.decrypt=trigger_shutdown_framework
508on property:vold.decrypt=trigger_encryption
509on property:vold.decrypt=trigger_default_encryption
510</pre>
511