Supporting Direct Boot

Android 7.0 runs in a secure, Direct Boot mode when the device has been powered on but the user has not yet unlocked it. To support this, the system provides two storage locations for data: device encrypted storage and credential encrypted storage.

By default, apps do not run during Direct Boot mode. If your app needs to take action during Direct Boot mode, you can register app components that should be run during this mode. Some common use cases for apps needing to run during Direct Boot mode include:

If your app needs to access data while running in Direct Boot mode, use device encrypted storage. Device encrypted storage contains data encrypted with a key that is only available after a device has performed a successful verified boot.

For data that should be encrypted with a key derived from the user's credentials, such as a PIN or password, use credential encrypted storage. Credential encrypted storage becomes available only after the user has successfully unlocked the device, and it stays available until the device is restarted. Locking the screen again after the first unlock does not lock credential encrypted storage.

Requesting Access to Run During Direct Boot

Apps must register their components with the system before they can run during Direct Boot mode or access device encrypted storage. Apps register with the system by marking components as encryption aware. To mark your component as encryption aware, set the android:directBootAware attribute to true in your manifest.

Encryption aware components can register to receive an ACTION_LOCKED_BOOT_COMPLETED broadcast from the system when the device has been restarted. At this point device encrypted storage is available, and your component can execute tasks that need to run during Direct Boot mode, such as triggering a scheduled alarm.

The following manifest snippet shows how to register a BroadcastReceiver as encryption aware and add an intent filter for ACTION_LOCKED_BOOT_COMPLETED. Note that the action string declared in the manifest is the value of the Intent.ACTION_LOCKED_BOOT_COMPLETED constant, "android.intent.action.LOCKED_BOOT_COMPLETED", not the constant's name:

<receiver
    android:directBootAware="true" >
    ...
    <intent-filter>
        <!-- value of Intent.ACTION_LOCKED_BOOT_COMPLETED -->
        <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
    </intent-filter>
</receiver>

Once the user has unlocked the device, all components can access both the device encrypted storage as well as credential encrypted storage.

Accessing Device Encrypted Storage

To access device encrypted storage, create a second Context instance by calling Context.createDeviceProtectedStorageContext(). All storage API calls made using this context access the device encrypted storage. The following example accesses the device encrypted storage and opens an existing app data file:

Context directBootContext = appContext.createDeviceProtectedStorageContext();
// Access appDataFilename that lives in device encrypted storage
FileInputStream inStream = directBootContext.openFileInput(appDataFilename);
// Use inStream to read content...

Use device encrypted storage only for information that must be accessible during Direct Boot mode. Don't use device encrypted storage as a general-purpose encrypted store. For private user information, or encrypted data that isn't needed during Direct Boot mode, use credential encrypted storage.
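As an added example (not code from the original page or from the Android platform samples), here is a directBootAware receiver that ties the manifest registration and the device encrypted storage access together: on ACTION_LOCKED_BOOT_COMPLETED it re-arms an alarm whose trigger time is persisted in device encrypted storage, and it never touches credential encrypted data on that path. The class name, preference file, key and action string are assumptions for this example.

```java
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;

// Hypothetical receiver. Register it in the manifest with android:directBootAware="true"
// and an intent filter for android.intent.action.LOCKED_BOOT_COMPLETED.
public class DirectBootReceiver extends BroadcastReceiver {
    // Constructed names for this example; not defined by the platform.
    static final String DE_PREFS = "boot_settings";        // file in device encrypted storage
    static final String KEY_NEXT_ALARM_MS = "next_alarm_ms";
    static final String ACTION_ALARM = "com.example.directboot.ALARM";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(intent.getAction())) {
            // Before unlock only device encrypted storage is readable; opening a credential
            // encrypted file here would fail, so read exclusively through the DE context.
            Context deContext = context.createDeviceProtectedStorageContext();
            SharedPreferences bootPrefs =
                    deContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
            long nextAlarmMs = bootPrefs.getLong(KEY_NEXT_ALARM_MS, -1L);
            if (nextAlarmMs > System.currentTimeMillis()) {
                scheduleAlarm(deContext, nextAlarmMs);
            }
        } else if (ACTION_ALARM.equals(intent.getAction())) {
            // The alarm fired. It may still be before unlock, so this path also uses only
            // DE data (here: clear the persisted trigger time).
            context.createDeviceProtectedStorageContext()
                    .getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
                    .edit().remove(KEY_NEXT_ALARM_MS).apply();
        }
    }

    // Persist the trigger time in DE storage so it survives a reboot, then arm AlarmManager.
    // Alarms do not survive a reboot, which is why the LOCKED_BOOT_COMPLETED path re-arms them.
    static void scheduleAlarm(Context deContext, long triggerAtMs) {
        deContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
                .edit().putLong(KEY_NEXT_ALARM_MS, triggerAtMs).apply();
        Intent fire = new Intent(deContext, DirectBootReceiver.class).setAction(ACTION_ALARM);
        PendingIntent pi = PendingIntent.getBroadcast(deContext, 0, fire,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
        AlarmManager am = (AlarmManager) deContext.getSystemService(Context.ALARM_SERVICE);
        am.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAtMs, pi);
    }
}
```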

Getting Notified of User Unlock

When the user unlocks the device after restart, your app can switch to accessing credential encrypted storage and use regular system services that depend on user credentials.

To get notified when the user unlocks the device after a reboot, register a BroadcastReceiver from a running component to listen for unlock notification messages. When the user unlocks the device after boot:

To find out whether the user has already unlocked the device, call UserManager.isUserUnlocked().

Migrating Existing Data

If a user updates their device to use Direct Boot mode, you might have existing data that needs to get migrated to device encrypted storage. Use Context.moveSharedPreferencesFrom() and Context.moveDatabaseFrom() to migrate preference and database data between credential encrypted storage and device encrypted storage.

Use your best judgment when deciding what data to migrate from credential encrypted storage to device encrypted storage. You should not migrate private user information, such as passwords or authorization tokens, to device encrypted storage. In some scenarios, you might need to manage separate sets of data in the two encrypted stores.
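As an added example (not from the original page or the platform), the following helper covers both the unlock notification above and this migration step: once UserManager.isUserUnlocked() reports the user unlocked, it moves only a non-sensitive settings file from credential encrypted storage to device encrypted storage with Context.moveSharedPreferencesFrom(), records a one-time marker, and deliberately leaves the file holding tokens in credential encrypted storage. The class, file and key names are assumptions for this example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.UserManager;

// Hypothetical helper; the preference file and key names are constructed for this example.
public final class DirectBootMigration {
    static final String SETTINGS_PREFS = "app_settings"; // non-sensitive settings: may move to DE
    static final String SECRETS_PREFS = "user_secrets";  // tokens and passwords: stay in CE
    static final String KEY_MIGRATED = "de_migration_done";

    private DirectBootMigration() {}

    // Call from an ACTION_USER_UNLOCKED receiver or Activity.onCreate(). Returns true once the
    // settings file lives in device encrypted storage, false if the move cannot run yet or failed.
    public static boolean migrateSettingsIfUnlocked(Context ceContext) {
        UserManager um = ceContext.getSystemService(UserManager.class);
        if (um == null || !um.isUserUnlocked()) {
            return false; // the CE source file is not readable before unlock; retry after unlock
        }
        Context deContext = ceContext.createDeviceProtectedStorageContext();
        if (deContext.getSharedPreferences(SETTINGS_PREFS, Context.MODE_PRIVATE)
                .getBoolean(KEY_MIGRATED, false)) {
            return true; // already done on an earlier unlock
        }
        // moveSharedPreferencesFrom() returns true if the file was moved or did not exist in the
        // source and false on failure. SECRETS_PREFS is deliberately never moved.
        if (!deContext.moveSharedPreferencesFrom(ceContext, SETTINGS_PREFS)) {
            return false;
        }
        // Fetch a fresh instance after the move rather than reusing one obtained before it.
        deContext.getSharedPreferences(SETTINGS_PREFS, Context.MODE_PRIVATE)
                .edit().putBoolean(KEY_MIGRATED, true).apply();
        return true;
    }

    // Boot-time reads go through the DE context and work before unlock.
    public static boolean isFeatureEnabled(Context context, String key) {
        return context.createDeviceProtectedStorageContext()
                .getSharedPreferences(SETTINGS_PREFS, Context.MODE_PRIVATE)
                .getBoolean(key, false);
    }

    // Secrets are read from the default (CE) context and only after unlock; null means "not yet".
    public static String getAuthToken(Context ceContext) {
        UserManager um = ceContext.getSystemService(UserManager.class);
        if (um == null || !um.isUserUnlocked()) return null;
        return ceContext.getSharedPreferences(SECRETS_PREFS, Context.MODE_PRIVATE)
                .getString("auth_token", null);
    }
}
```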

Testing Your Encryption Aware App

Test your encryption aware app with Direct Boot mode enabled. There are two ways to enable Direct Boot.

Caution: Enabling Direct Boot wipes all user data on the device.

On supported devices with Android 7.0 installed, enable Direct Boot by doing one of the following:

An emulated Direct Boot mode is also available, in case you need to switch modes on your test devices. Emulated mode should only be used during development and may cause data loss. To enable emulated Direct Boot mode, set a lock pattern on the device, choose "No thanks" if prompted for a secure start-up screen when setting a lock pattern, and then use the following adb shell command:

$ adb shell sm set-emulate-fbe true

To turn off emulated Direct Boot mode, use the following command:

$ adb shell sm set-emulate-fbe false

Using these commands causes the device to reboot.

Checking Device Policy Encryption Status

Device administration apps can use DevicePolicyManager.getStorageEncryptionStatus() to check the current encryption status of the device. If your app is targeting an API level lower than 24.0 (Android 7.0), getStorageEncryptionStatus() will return ENCRYPTION_STATUS_ACTIVE if the device is either using full-disk encryption, or file-based encryption with Direct Boot. In both of these cases, data is always stored encrypted at rest. If your app is targeting an API level of 24.0 or higher, getStorageEncryptionStatus() will return ENCRYPTION_STATUS_ACTIVE if the device is using full-disk encryption. It will return ENCRYPTION_STATUS_ACTIVE_PER_USER if the device is using file-based encryption with Direct Boot.

If you build a device administration app that targets Android 7.0, make sure to check for both ENCRYPTION_STATUS_ACTIVE and ENCRYPTION_STATUS_ACTIVE_PER_USER to determine if the device is encrypted.
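As an added example (not from the original page), a status check for a device administration app targeting API level 24 or higher that treats both ENCRYPTION_STATUS_ACTIVE and ENCRYPTION_STATUS_ACTIVE_PER_USER as encrypted at rest; the class name is an assumption.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;

// Hypothetical helper for a device administration app targeting API 24 or higher.
public final class EncryptionStatusCheck {
    private EncryptionStatusCheck() {}

    // Returns true when data at rest is encrypted, whether the device uses full-disk
    // encryption (ENCRYPTION_STATUS_ACTIVE) or file-based encryption with Direct Boot
    // (ENCRYPTION_STATUS_ACTIVE_PER_USER). An app targeting API 24+ that compares only
    // against ENCRYPTION_STATUS_ACTIVE would report file-based-encryption devices as
    // unencrypted and might wrongly block them or try to enable encryption again.
    public static boolean isStorageEncrypted(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null) return false;
        return isEncryptedStatus(dpm.getStorageEncryptionStatus());
    }

    // Separated so the mapping can be unit-tested without a device.
    static boolean isEncryptedStatus(int status) {
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
                || status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER;
    }

    // Human-readable label for a compliance report or log line.
    static String describe(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return "full-disk encryption";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER:
                return "file-based encryption with Direct Boot";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
                return "encryption in progress";
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
                return "supported but not enabled";
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return "not supported";
            default:
                return "unknown status " + status;
        }
    }
}
```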
