Direct Boot Mode

Vairavan Srinivasan
3 min read · Feb 26, 2019

Android 7.0 and up supports a secured boot mode (Direct Boot) that lets applications access device encrypted storage while the device is still locked. This addresses an edge case introduced by full-disk encryption (available since Android 5.0): alarms and SMS notifications were missed after a device reboot if the user had not yet unlocked it. On full-disk-encrypted devices with secure start-up enabled, applications have no access to storage until the user unlocks the device, which can break business logic should the device reboot and stay locked. The only workaround that preserved basic functions was to opt out of secure start-up, which compromises the data protection of a lost device.

Direct Boot mode offers the best of both worlds: basic functions keep working (with app support) and user data on a lost device stays protected. File-based encryption encrypts files individually, and Direct Boot leverages this to give apps access to a limited storage area even while the device is locked. This device encrypted storage is available both during Direct Boot mode and after the user has unlocked the device. Unlocking the device additionally gives access to credential encrypted storage. Because device encrypted storage is protected only by a device-bound key and not by the user's lock screen credential, it is recommended not to save user-specific data there.
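The following is an added example, not code from the original post, showing the app-side support the paragraph refers to: a receiver that runs in Direct Boot mode (before unlock) and a small helper that keeps non-user data in device encrypted storage while refusing to touch credential encrypted storage until the user has unlocked. The class, preference-file and key names, and the alarm-restore scenario are assumptions chosen for illustration; the Android APIs used (`createDeviceProtectedStorageContext`, `ACTION_LOCKED_BOOT_COMPLETED`, `UserManager.isUserUnlocked`, `moveSharedPreferencesFrom`) are the real Android 7.0+ ones.

```java
// Added example (not from the original post). Names such as DirectBootStorage,
// AlarmRestoreReceiver, "alarm_schedule" and "next_alarm" are assumptions.
//
// Manifest entries this example assumes (AndroidManifest.xml):
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
//   <receiver android:name=".DirectBootStorage$AlarmRestoreReceiver"
//             android:directBootAware="true"
//             android:exported="false">
//     <intent-filter>
//       <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//     </intent-filter>
//   </receiver>

package com.example.directboot;

import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.UserManager;

public final class DirectBootStorage {
    // Device encrypted (DE) file: readable in Direct Boot, keyed to the device only.
    private static final String DEVICE_PREFS = "alarm_schedule";
    // Credential encrypted (CE) file: default app storage, readable only after unlock.
    private static final String USER_PREFS = "user_profile";
    private static final String KEY_NEXT_ALARM = "next_alarm";

    private DirectBootStorage() {}

    /** True once the user has unlocked the device and CE storage is available. */
    public static boolean isUserUnlocked(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
            return true; // no DE/CE split before Android 7.0
        }
        UserManager um = ctx.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }

    /** DE storage: keep only what must survive a locked reboot here, never user data. */
    public static SharedPreferences deviceProtectedPrefs(Context ctx) {
        Context de = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                ? ctx.createDeviceProtectedStorageContext()
                : ctx;
        return de.getSharedPreferences(DEVICE_PREFS, Context.MODE_PRIVATE);
    }

    /** CE storage: fail loudly if called before unlock rather than silently reading nothing. */
    public static SharedPreferences credentialProtectedPrefs(Context ctx) {
        if (!isUserUnlocked(ctx)) {
            throw new IllegalStateException("credential encrypted storage is not available before unlock");
        }
        return ctx.getSharedPreferences(USER_PREFS, Context.MODE_PRIVATE);
    }

    /** Record the next alarm time in DE storage so it can be rescheduled after a locked reboot. */
    public static void saveNextAlarm(Context ctx, long triggerAtMillis) {
        deviceProtectedPrefs(ctx).edit().putLong(KEY_NEXT_ALARM, triggerAtMillis).apply();
    }

    /** One-time migration for apps that stored the schedule in CE storage before adding Direct Boot support. */
    public static boolean migrateScheduleToDeviceStorage(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) return false;
        Context de = ctx.createDeviceProtectedStorageContext();
        return de.moveSharedPreferencesFrom(ctx, DEVICE_PREFS);
    }

    /** Runs in Direct Boot mode, before the user unlocks the device. */
    public static final class AlarmRestoreReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(intent.getAction())) return;
            // Only DE storage is readable here; CE storage (user data) would be unavailable.
            long when = deviceProtectedPrefs(context).getLong(KEY_NEXT_ALARM, -1L);
            if (when <= 0) return;
            AlarmManager am = context.getSystemService(AlarmManager.class);
            PendingIntent pi = PendingIntent.getBroadcast(
                    context, 0, new Intent(context, AlarmRestoreReceiver.class),
                    PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
            am.setAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, when, pi);
        }
    }
}
```

The split matters for the threat the post describes: everything written through `deviceProtectedPrefs` is decryptable on a lost, still-locked device once the hardware key is available, so the helper keeps only the alarm schedule there and throws if code tries to read user data before `isUserUnlocked` returns true.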
