Device admin lock, BFU, AFU and encryption keys

Hello everyone! I couldn't find an answer to one specific question, so I had to register and ask. I have an app that has the status of a device administrator app. If I lock my smartphone with it, then I can only unlock it with the PIN code, and unlocking via fingerprints is disabled. Just like after a reboot. But technically, does this locking count as BFU (Before First Unlock) mode, or is it still AFU (After First Unlock) mode, which is more vulnerable to attacks? What happens to the encryption keys during this lock?

    xecomos139 No, this kind of locking doesn't count as a BFU state, nor does it put your owner profile in a BFU state. Only rebooting the phone fully purges the encryption keys of the owner profile. This is because the owner profile also encrypts system-wide OS data.

    Encryption keys of secondary user profiles can be fully purged by pressing on the "End session" button and therefore putting the secondary user profiles into a BFU state at rest.

    More information, including what I provided in my answer, can be found here:

    https://grapheneos.org/faq#encryption