With every major Android release comes a new version of Google's not-so-famous Android Compatibility Definition Document. As reading goes, it is roughly between the excitement level of "doing your taxes" and "doing somebody else's taxes." Which is to say, I am well-caffeinated this morning. Anyway, the newest version of the CDD for Android 6.0 contains a change we've been on the lookout for since Lollipop was announced last year: mandatory full-disk encryption.
Since the announcement of encryption being enabled by default of the Nexus 6 and Nexus 9, Google has been on the encryption warpath (rightfully so!), and did in fact attempt to make this change in the initial Lollipop CDD back in January. Two months later, Google revised the CDD and decided it would no longer mandate encryption, merely "strongly recommend" it. But they did make it clear that the change was almost definitely coming, just not yet, saying at the time:
While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.
"Future versions" of Android turn out to be 6.0 and onward. The new language in the 6.0 CDD is below.
For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience.
As long as devices meet a given performance target for AES and support full-disk encryption out of the box, they will now be required to encrypt by the time device setup is complete. Devices that launched with a version of Android prior to 6.0 are exempt from this unless they already used encryption by default, which was pretty much "none" aside from the Nexus 6 and Nexus 9.
If a device implementation is already launched on an earlier Android version with full-disk encryption disabled by default, such a device cannot meet the requirement through a system software update and thus MAY be exempted.
Google is not requiring you to set a lockscreen out of the box, however, and instead is asking that if a manufacturer will allow a user to forego setting up a secure lockscreen during setup that the encryption be secured with a "default passcode" instead. The reasoning behind this is twofold. First, many manufacturers likely don't want to "force" their users to set up a secure lockscreen, because some people find them inconvenient. I think that's kind of dumb, but whatever.
But second, by mandating full-disk encryption out of the box even without a secure encryption key in place, that means when a user does decide to secure the lockscreen, there's no need to fully re-encrypt the disk (since the device has only set a default key) again... which would take forever.
There have been complaints that full-disk encryption reduces device performance, but there is little denying the security benefits. While I think it's a bit silly that we do allow people not to secure their lockscreens, in mandating full-disk encryption by default perhaps Google will encourage manufacturers to do exactly that.