2

I am wanting to encrypt my phone and SD card. I have been reading around about it all week and still don't understand a few things. I thought that the encryption was like BlackBerry encryption, where you put the password in every time you turn the phone on to the screen lock. After a bit of reading, I understand that the "decryption" is only done at boot up by putting the password in once. After that, you have to put the same password in at the screen lock simply because of a limitation of Android not allowing two different passwords. I do know that there are new ways to use a different password on the screen lock, and even a pattern lock, that's not my issue.

Here are my questions....

  1. If the device is technically decrypted after boot up, is the screen lock the only security on the phone once it's turned on?
  2. Does the screen lock of an encrypted device have any stronger security than that of an unencrypted device? If not, it seems like the phone is just as vulnerable to data theft as an unencrypted device if someone steals it while it is turned on. I understand that it will encrypt again if they turn it off, but if it's on, what good is encryption?
  3. If someone pulls the SD card out (which is encrypted) they can't read it with a card reader, but if they put it back in the phone while it's still on, won't the decrypted phone just mount it again so they can read it from the phone?
  4. Finally, on a Blackberry, a wipe is performed by erasing the encryption key. This makes an almost instant wipe of the whole phone and SD card. I know an encrypted device has to be wiped the same as an unencrypted device, but is Android programmed in a way that the encryption key is wiped first, in case someone pulls a battery or forces a phone off during a wipe? I know that's far-fetched, just curious about how it works.

Not sure if it makes a difference, but I am using a Razr Maxx HD, rooted on OTA 4.1.1

4
  • One question per post :) Even though they are all related to the same subject matter, it is preferably easier for everyone to digest and to answer :)
    – t0mm13b
    Commented Mar 31, 2013 at 19:08
  • Sorry, it's my first post here and I didn't see that only one question is allowed per post. No problem, I will be sure to separate topics next time. Hopefully I can still receive some replies here, I'm eagerly waiting!
    – Gadsden
    Commented Apr 1, 2013 at 0:09
  • I contacted Motorola and was told the following: 1) The screen lock is the only protection on the phone once it is turned on. 2) The screen lock of an encrypted phone is the same thing as an unencrypted phone, it provides no better security than an unencrypted phone. 3) The card can mount again only if the correct password is used. In this case, the security of encryption is good. 4) Unknown by Motorola agent.
    – Gadsden
    Commented Apr 1, 2013 at 13:45
  • 1 - Yes. 2 - When it's on, it's as good as a non encrypted device. I'd be interested to know what the answers to 3 and 4 are.
    Commented Aug 25, 2014 at 8:23

2 Answers

1

Yes, the lock screen is the only barrier on an encrypted but booted Android device; Android keeps the encryption key in memory and transparently decrypts all files read by applications in the background.

Of course, that is far from ideal (iOS uses a much more complicated scheme, where some classes of encryption keys are dropped the moment the screen is locked), but it is a very simple model which is still fairly effective against many kinds of attacks.

You can find more details on the implementation and the threat model on SE crypto.
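
The model this answer describes, as an added example that is not part of the original answer and is not Android's code: a password-derived key unwraps a master key at boot, and locking the screen either leaves that key in memory or drops it (a stricter policy, in the spirit of what the answer says about iOS). The `Device` class, its method names, the toy cipher and the sample data are assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key, data):  # toy HMAC-SHA256 keystream, stand-in for the disk cipher
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Device:
    """Hypothetical model: a password-derived key wraps a random master key."""
    def __init__(self, password, drop_key_on_lock=False):
        self.salt, master = os.urandom(16), os.urandom(32)
        self.wrapped = _stream(self._kek(password), master)
        self.check = hmac.new(master, b"check", hashlib.sha256).digest()
        self.disk = _stream(master, b"contacts, photos, mail")  # constructed data
        self.drop_key_on_lock = drop_key_on_lock
        self.key_in_ram = None  # powered off: no key in memory

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def boot(self, password):
        """Unwrap the master key with the password and keep it in RAM."""
        master = _stream(self._kek(password), self.wrapped)
        tag = hmac.new(master, b"check", hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, self.check)
        self.key_in_ram = master if ok else None
        return ok

    def lock_screen(self):
        if self.drop_key_on_lock:  # stricter policy; the default keeps the key
            self.key_in_ram = None

    def power_off(self):
        self.key_in_ram = None

    def read_storage(self):  # what code running beneath the lock screen can read
        return _stream(self.key_in_ram, self.disk) if self.key_in_ram else None

def compare(password="correct horse"):
    out = {}
    for drop in (False, True):
        d = Device(password, drop)
        d.boot(password)
        d.lock_screen()
        locked_read = d.read_storage()
        d.power_off()
        out[drop] = (locked_read, d.read_storage())
    return out  # {drop_key_on_lock: (read while locked, read after power-off)}
```

With the key kept in memory, storage stays readable behind a locked screen and only powering off removes access; with the drop-on-lock policy, locking the screen has the same effect as powering off.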

0

Although the lock screen is the only security barrier on an encrypted but booted Android device, it is still almost equivalent to the device boot-up decryption process (bar exploiting possible vulnerabilities in the lock screen or other running processes), considering the password is the same, that is, the same entropy.

One wrong move while fiddling with the screen lock and the device forces you through the whole boot process.

The same goes for reading an encrypted SD card on a booted phone: you need the same strength password, either for unlocking the lock screen or for booting the device afresh to get to the file manager and read the files from the SD card.
