Encrypt all data on your Android phone

Martin Brinkmann
Oct 13, 2012
Updated • Jan 3, 2021

One of the first things that I decided to do after getting my new Samsung Galaxy Note 2 smartphone was to protect the data stored on the phone's memory space from unauthorized access. Phones by default are only protected by the PIN, which may protect the phone just fine if it is not turned on. If the phone is turned on though, an attacker can access all of the data stored on the phone without having to enter a single password or PIN first.

Setting a lock screen password is however just one of the steps that you should undertake to protect your phone from unauthorized access. While it may keep out people who got hold of your phone in the first place, it may not protect the actual data on the phone's storage device. You need to encrypt the data on the phone to make sure that the data can't be dumped by a third party.

Encrypt your Android Phone

A few requirements have to be met before you can go ahead and encrypt the data on your phone:

  • Your Android phone needs to support encryption. I'm not 100% sure about that, but I think encryption was added in Android 3.0. You may alternatively want to check out third party encryption apps. Update: It was added earlier in Android 2.3.4.
  • You need to set a lock screen password or PIN.
  • Your phone must be connected to a power source.

Setting a lock screen may be enough if you do not have overly sensitive data on the phone. Regular attackers won't get past the lock screen which leaves them with the option to reset the phone and all the custom data that was saved on it.

1. Setting the lock screen password

On the Samsung phone, you tap on the Settings button and select Lock screen > Screen Lock from the options page. Here you need to select how you want to protect the phone when it is locked. Available for selection are protection by PIN, password, pattern or other methods. Select password protection here and make sure the password has at least six characters of which one is a number. I highly suggest increasing the number of characters to the maximum of 16 characters to improve security.

Once you have set the password, you will be asked to enter it whenever you turn on the phone, or want to continue your work after a time of inactivity. This may be inconvenient but that is a small trade-off for better security.

2. Encrypting the Android phone

You need to plug in your phone and make sure that the battery is charged before you continue. The option to encrypt the phone is grayed out otherwise. A click on Security > Advanced > Encryption and credentials > Encrypt Phone under Settings opens the configuration menu where you can start the encryption process. Please note that it may take an hour or more to complete.

 

You can encrypt accounts, settings, downloaded applications, and their data, media, and other files. Once you encrypt your device, a password will be required to decrypt it each time you power it on.

Encryption takes an hour or more. Start with a charged battery and keep device plugged in until encryption is completed. Interrupting may cause you to lose some or all data.

Set an unlock password of at least 6 characters, containing at least 1 number.

You are asked to enter the unlock password after tapping on the encrypt device button. The next screen offers information about the consequences, and an option to run a fast encryption instead of a full device encryption. A fast encryption will only encrypt the used memory space and not all the device space.

Encrypt device? This operation is irreversible and if you interrupt it, you will lose data. Encryption could take an hour or more, during which the device will restart several times and cannot be used.

Fast encryption: If you select this option, only used memory space will be encrypted.

You need to wait until the encryption completes before you can start using your phone again. Make sure it is connected to a power source throughout the whole process to avoid power failures and resulting data loss. If you want to be on the safe side, consider backing up your Android phone before you start the encryption of storage space. Samsung smartphone owners can use Samsung Kies for that. Make sure the backup is stored safely as well.

If you are using external SD cards, you may want to consider encrypting those cards. The option is available under Security as well.
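
To confirm the result of the two steps above from a computer, the following added example (not part of the original article) classifies the ro.crypto.state value found in `adb shell getprop` output. It assumes adb is installed, USB debugging is enabled and the device exposes that property; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: report whether an Android device says its storage is encrypted.
# Assumption: the device exposes the ro.crypto.state system property.
# Live use:  adb shell getprop | crypto_state

# Read `getprop` output ("[key]: [value]" per line) on stdin and print
# encrypted, unencrypted, or unknown (property missing or unexpected value).
crypto_state() {
    # Some adb/device combinations end lines with CRLF; drop the carriage returns.
    state=$(tr -d '\r' |
        sed -n 's/^\[ro\.crypto\.state]: \[\(.*\)]$/\1/p' | head -n 1)
    case "$state" in
        encrypted|unencrypted) printf '%s\n' "$state" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Exit status 0 only when the device reports encrypted storage, so the check
# can gate a provisioning or hand-over script.
require_encrypted() {
    [ "$(crypto_state)" = "encrypted" ]
}

# Constructed sample dumps (not captured from a real phone).
sample_encrypted() {
    printf '[ro.build.version.release]: [4.1.1]\r\n[ro.crypto.state]: [encrypted]\r\n'
}
sample_unencrypted() {
    printf '[ro.crypto.state]: [unencrypted]\n[ro.secure]: [1]\n'
}
sample_missing() {
    printf '[ro.build.version.release]: [2.3.3]\n'
}

for s in sample_encrypted sample_unencrypted sample_missing; do
    printf '%s -> %s\n' "$s" "$($s | crypto_state)"
done
```

An "unknown" result means the property was absent or had an unexpected value, so check the device's Security settings by hand in that case.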


Comments

  1. dog said on April 27, 2018 at 4:34 pm

    I use veracrypt for all my systems simply due to compatibility across all major OS.
    I do use this method when buying new drives or moving data or simply re-encrypting.
    One key fact is that both the source and temporary drive are full disk encrypted.

    Never ever decrypt a drive and expose your data unless you can write over the data enough times (which takes time, i.e. days) if you are going to use the drive again, or take the drive apart and destroy it if it's old and being retired.

    There is also an alleged backdoor built in to Diskcryptor.
    The source files were pulled quickly by a moderator and it's difficult to try and replicate the scenario.
    But even so I since flagged Diskcryptor. Don’t touch it until it can be proven otherwise.
    https://www.reddit.com/r/crypto/comments/7axp15/alleged_diskcryptor_backdoor/
    In short words the boot sector would be able to boot another encrypted disk if you booted from disk B and A is still connected as the boot sector will look for other diskcryptor drives and act as a slave if another drive is present.
    If you type the password for disk A the password would still boot disk B.
    I tried this and failed to boot disk B but then I did not have much time to play around with this.

    1. doe said on May 1, 2018 at 3:54 pm

      Hi update relating to this alleged issue (longtime DC forum members said it’s false):
      https://diskcryptor.net/forum/index.php?topic=5702.0

  2. Tom Hawack said on April 27, 2018 at 4:45 pm

    No encrypted system not even drive here. I do understand the pertinence of encrypting a laptop, should it be stolen or peeked at in an unfamiliar environment, but when it comes to a home PC I linger to understand what the benefit would be.

    I do use the old TrueCrypt 7.1a, never decided myself to switch to VeraCrypt, as a simple vault for more/less confidential data, built for a 512MB only virtual drive, and I still happen to ask myself if it’s worth it. I think encryption choices depend largely on the user’s context : would Robinson Crusoe set a lock to his home-made bungalow?! :=)

    1. Sophie said on April 28, 2018 at 10:24 am

      I never felt a great need to encrypt a whole system drive. For one thing, I know it would make me a little nervous at the result, and possible glitch.

      I also still use Truecrypt 7.1, since I simply do not mind if it has all the latest algorithms or bugfixes, as I found Truecrypt to be very settled and happy on my systems.

      For me, the idea that there could be a tiny way into one of those old Truecrypt containers just doesn’t matter, because there’s nothing in there that is the end of the world if it was broken into. And who is going to do that? It just isn’t going to happen…..so for me, it’s “containers only”, and not volumes….and the old software is still doing very nicely thank you.

  3. John Fenderson said on April 27, 2018 at 7:47 pm

    “Do you encrypt your drives and system?”

    I encrypt everything on my mobile devices and on my NAS, but on my other home devices, I don’t. For my really sensitive data, I have an encrypted USB stick.

  4. Robert said on April 27, 2018 at 8:07 pm

    I thought VeraCrypt had issues with MS updates on Windows 10 in cases where you encrypt the entire drive? Have they fixed that now?

  5. Jeff said on April 27, 2018 at 8:40 pm

    People still use software encryption that affects performance?

    1. John Fenderson said on April 27, 2018 at 10:44 pm

      @Jeff:

      Sure. Sometimes software encryption is the best solution, and sometimes it’s the only solution.

  6. Franck said on April 27, 2018 at 8:52 pm

    Thank you very much for tips !

    Does VeraCrypt support Windows OS upgrades/installations ?

    1. Martin Brinkmann said on April 28, 2018 at 7:17 am

      If it is like TrueCrypt, you need to decrypt the drive to upgrade. Don’t think that changed but have not tried with VeraCrypt.

      1. Franck said on April 28, 2018 at 9:35 am

        Thank you very much for your answer.

        Well, that would be a big drawback compared to BitLocker unfortunately… even if I would much prefer an open source solution.

      2. tomasz86 said on April 29, 2018 at 7:16 am

        They have been fixing the Windows 10 upgrade issue in the recent beta versions:
        https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/

        Unfortunately, the performance impact on disk operations is still massive in comparison to BitLocker (and DiskCryptor too):
        https://github.com/veracrypt/VeraCrypt/issues/136

      3. Franck said on April 29, 2018 at 3:21 pm

        Thanks a lot for your input !

  7. Supliment said on April 28, 2018 at 10:35 am

    Hello, thanks for article.
    One question: How did you deal with Veracrypt PIM requirements?

    If you have a password shorter than 20 characters, VeraCrypt takes dozens of seconds to unlock the drive.
    If you have a password longer than 20 characters, you can set PIM to 1 and have instant unlock.

    Thanks

    1. Cinikal said on April 29, 2018 at 6:53 am

      @Supliment thanks for this, I really need to read up more about the software I use.

      https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html

    2. vlakoff said on May 5, 2018 at 6:06 am

      I have opened an issue about this on GitHub, for a while: https://github.com/veracrypt/VeraCrypt/issues/204

      Sadly, the author Mounir Idrassi still hasn’t replied to it, and it seems the issue will be pending for a while… I’d love to be proven the contrary :)

      1. Supliment said on May 5, 2018 at 3:40 pm

        I think that there are some workarounds – for example encrypt with older VeraCrypt version and after that upgrade, or use CipherShed and upgrade to Veracrypt…

        It is sad that Bitlocker is so good in comparison and VeraCrypt is less usable than TrueCrypt was a few years ago…

  8. Ascar said on April 29, 2018 at 1:00 pm

    Hello, all.

    Can someone tell me whether I can make image-level backups (e.g. Acronis) of encrypted partitions/disks?

  9. Ryan said on April 30, 2018 at 8:59 pm

    @Ascar, assuming you use VeraCrypt or something similar: if you are within your OS as you make the backup, there will be no issue. The backup software, like every other software on the system (think MS Word), is reading the files in cleartext as it builds your backup archive. This is because the encryption/decryption happens at the kernel driver layer. So from Acronis’ standpoint, making a backup of your encrypted partition is no different from any other backup.

    Be aware then that if you are saving your backup to another unencrypted disk, the backup itself will also be unencrypted, just as if you had copied a document to an external unencrypted USB drive (unless of course Acronis adds its own encryption to backups).

  10. Ascar said on May 1, 2018 at 1:26 pm

    @Ryan, thanks for your input. That’s my bad – I did not ask clearly enough. If I booted off an Acronis flash drive or anything else – so my partition is encrypted and locked and I back it up sector by sector – what would be an expected outcome? If I try to restore it and then mount it in the OS assuming that I have the keys/password – will I be able to access the data?
