Check if Android filesystem is encrypted

android security encryption filesystems

10,080

Solution 1

If your app is registered as a device admin, you can call getStorageEncryptionStatus() on DevicePolicyManager to find out the encryption status of the device, for API Level 11 and higher.

For any whole-device encryption on lower API levels, please contact the device manufacturer.

Solution 2

Just to clarify CommonsWare's answer, you can read the device encryption status without any Android permissions.

/**
 * Returns the encryption status of the device. Prior to Honeycomb, whole device encryption was
 * not supported by Android, and this method returns ENCRYPTION_STATUS_UNSUPPORTED.
 *
 * @return One of the following constants from DevicePolicyManager:
 * ENCRYPTION_STATUS_UNSUPPORTED, ENCRYPTION_STATUS_INACTIVE,
 * ENCRYPTION_STATUS_ACTIVATING, ENCRYPTION_STATUS_ACTIVE,
 * ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY, ENCRYPTION_STATUS_ACTIVE_PER_USER.
 */
@TargetApi(11)
private static int getDeviceEncryptionStatus(Context context)
{
    int status = DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;

    if (Build.VERSION.SDK_INT >= 11) {
        final DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm != null) {
            status = dpm.getStorageEncryptionStatus();
        }
    }

    return status;
}

See the documentation for DevicePolicyManager and the encryption status flags.

It's also worth mentioning that Android has moved from full-disk encryption to file-based encryption to support Direct Boot, among other things. See File Based Encryption.

Solution 3

to clarify previous answers on API < 23 getStorageEncryptionStatus() returns ENCRYPTION_STATUS_INACTIVE when device is encrypted but passcode was't enabled.

On API >= 23 it returns ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY in this case.

10,080

Yuriy

Updated on September 15, 2022

Comments

Yuriy over 1 year

We are developing secure application for Android. It's required for users to keep filesystems of their devices encrypted, but we have to check this fact and forbid to use app. Is it possible to check if filesystem is encrypted? Also there are some devices with Android < 3.0 that supports encryption, for example Motorola RAZR. It would be interesting to know about encryption on such devices.
Patrick Brennan about 9 years

This code does not appear to work on my 2013 model Nexus 7. In this case, it appears as though even when I have taken steps to encrypt the device, dpm.getStorageEncryptionStatus() returns ENCRYPTION_STATUS_INACTIVE.
Artem Russakovskii about 9 years

Any way to figure out if the encryption is software or hardware based? At least in Android 5.1.
CommonsWare about 9 years

@ArtemRussakovskii: Beats me, sorry.
alfongj about 9 years

@ArtemRussakovskii check this developer.android.com/reference/android/security/…
David over 7 years

ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY is not being returned on Samsung devices, e.g. S7 with Android 6 if the PIN for starting the device is not defined.