Encrypt all data on your Android phone

One of the first things that I decided to do after getting my new Samsung Galaxy Note 2 smartphone was to protect the data stored on the phone's memory space from unauthorized access. Phones by default are only protected by the PIN, which may protect the phone just fine if it is not turned on. If the phone is turned on though, an attacker can access all of the data stored on the phone without having to enter a single password or PIN first.
Setting a lock screen password is, however, just one of the steps that you should undertake to protect your phone from unauthorized access. While it may keep out people who got hold of your phone in the first place, it may not protect the actual data on the phone's storage device. You need to encrypt the data on the phone to make sure that the data can't be dumped by a third party.
Encrypt your Android Phone
A few requirements have to be met before you can go ahead and encrypt the data on your phone:
- Your Android phone needs to support encryption. I'm not 100% sure about that but I think encryption was added in Android 3.0. You may alternatively want to check out third party encryption apps. Update: It was added earlier in Android 2.3.4.
- You need to set a lock screen password or PIN.
- Your phone must be connected to a power source.
Setting a lock screen may be enough if you do not have overly sensitive data on the phone. Regular attackers won't get past the lock screen which leaves them with the option to reset the phone and all the custom data that was saved on it.
1. Setting the lock screen password
On the Samsung phone, you tap on the Settings button and select Lock screen > Screen Lock from the options page. Here you need to select how you want to protect the phone when it is locked. Available for selection are protection by PIN, password, pattern or other methods. Select password protection here and make sure the password has at least six characters of which one is a number. I highly suggest increasing the number of characters to the maximum of 16 characters to improve security.
Once you have set the password, you will be asked to enter it whenever you turn on the phone, or want to continue your work after a time of inactivity. This may be inconvenient but that is a small trade-off for better security.
2. Encrypting the Android phone
You need to plug in your phone and make sure that the battery is charged before you continue. The option to encrypt the phone is grayed out otherwise. A click on Security > Advanced > Encryption and credentials > Encrypt Phone under Settings opens the configuration menu where you can start the encryption process. Please note that it may take an hour or more to complete.
You can encrypt accounts, settings, downloaded applications, and their data, media, and other files. Once you encrypt your device, a password will be required to decrypt it each time you power it on.
Encryption takes an hour or more. Start with a charged battery and keep device plugged in until encryption is completed. Interrupting may cause you to lose some or all data.
Set an unlock password of at least 6 characters, containing at least 1 number.
You are asked to enter the unlock password after tapping on the encrypt device button. The next screen offers information about the consequences, and an option to run a fast encryption instead of a full device encryption. A fast encryption will only encrypt the used memory space and not all the device space.
Encrypt device? This operation is irreversible and if you interrupt it, you will lose data. Encryption could take an hour or more, during which the device will restart several times and cannot be used.
Fast encryption: If you select this option, only used memory space will be encrypted.
You need to wait until the encryption completes before you can start using your phone again. Make sure it is connected to a power source throughout the whole process to avoid power failures and resulting data loss. If you want to be on the safe side, consider backing up your Android phone before you start the encryption of storage space. Samsung smartphone owners can use Samsung Kies for that. Make sure the backup is stored safely as well.
If you are using external SD cards, you may want to consider encrypting those cards. The option is available under Security as well.
I use VeraCrypt for all my systems simply due to compatibility across all major OS.
I do use this method when buying new drives or moving data or simply re-encrypting.
One key fact is that both the source and temporary drive are full disk encrypted.
Never ever decrypt a drive and expose your data unless you can write over the data enough times (which takes time, i.e. days) if you are going to use the drive again, or take the drive apart and destroy it if it's old and being retired.
There is also an alleged backdoor built in to DiskCryptor.
The source files were pulled quickly by a moderator and it's difficult to try and replicate the scenario.
But even so I have since flagged DiskCryptor. Don’t touch it until it can be proven otherwise.
https://www.reddit.com/r/crypto/comments/7axp15/alleged_diskcryptor_backdoor/
In short words the boot sector would be able to boot another encrypted disk if you booted from disk B and A is still connected as the boot sector will look for other diskcryptor drives and act as a slave if another drive is present.
If you type the password for disk A the password would still boot disk B.
I tried this and failed to boot disk B but then I did not have much time to play around with this.
Hi update relating to this alleged issue (longtime DC forum members said it’s false):
https://diskcryptor.net/forum/index.php?topic=5702.0
No encrypted system not even drive here. I do understand the pertinence of encrypting a laptop, should it be stolen or peeked at in an unfamiliar environment, but when it comes to a home PC I linger to understand what the benefit would be.
I do use the old TrueCrypt 7.1a, never decided myself to switch to VeraCrypt, as a simple vault for more/less confidential data, built for a 512MB only virtual drive, and I still happen to ask myself if it’s worth it. I think encryption choices depend largely on the user’s context : would Robinson Crusoe set a lock to his home-made bungalow?! :=)
I never felt a great need to encrypt a whole system drive. For one thing, I know it would make me a little nervous at the result, and possible glitch.
I also still use Truecrypt 7.1, since I simply do not mind if it has all the latest algorithms or bugfixes, as I found Truecrypt to be very settled and happy on my systems.
For me, the idea that there could be a tiny way into one of those old Truecrypt containers just doesn’t matter, because there’s nothing in there that is the end of the world if it was broken into. And who is going to do that? It just isn’t going to happen…..so for me, it’s “containers only”, and not volumes….and the old software is still doing very nicely thank you.
“Do you encrypt your drives and system?”
I encrypt everything on my mobile devices and on my NAS, but on my other home devices, I don’t. For my really sensitive data, I have an encrypted USB stick.
I thought VeraCrypt had issues with MS updates on Windows 10 in cases where you encrypt the entire drive? Have they fixed that now?
People still use software encryption that affects performance?
@Jeff:
Sure. Sometimes software encryption is the best solution, and sometimes it’s the only solution.
Thank you very much for the tips!
Does VeraCrypt support Windows OS upgrades/installations?
If it is like TrueCrypt, you need to decrypt the drive to upgrade. Don’t think that changed but have not tried with VeraCrypt.
Thank you very much for your answer.
Well, that would be a big drawback compared to BitLocker unfortunately… even if I would much prefer an open source solution.
They have been fixing the Windows 10 upgrade issue in the recent beta versions:
https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
Unfortunately, the performance impact on disk operations is still massive in comparison to BitLocker (and DiskCryptor too):
https://github.com/veracrypt/VeraCrypt/issues/136
Thanks a lot for your input!
Hello, thanks for the article.
One question: How did you deal with VeraCrypt PIM requirements?
If you have a password shorter than 20 characters, VeraCrypt takes dozens of seconds to unlock the drive.
If you have a password longer than 20 characters, you can set PIM to 1 and have instant unlock.
Thanks
@Supliment thanks for this, I really need to read up more about the software I use.
https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html
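The PIM trade-off raised in the two comments above, as an added example (not VeraCrypt code and not written by any commenter): it assumes the iteration formulas and short-password minimums from the VeraCrypt PIM documentation linked above, and all function names are illustrative. It shows why a short password cannot be paired with a low PIM and how the derivation cost scales.

```python
import hashlib
import os
import time

SHORT_PASSWORD_LEN = 20  # below this length VeraCrypt enforces a minimum PIM
# Assumed minimums from the VeraCrypt PIM documentation:
MIN_PIM = {True: 98, False: 485}  # key: legacy_system


def iterations(pim: int, legacy_system: bool = False) -> int:
    """PBKDF2 iteration count for an explicit PIM.

    legacy_system=True means system encryption with a PRF other than
    SHA-512 or Whirlpool; everything else uses the second formula.
    """
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if legacy_system else 15000 + pim * 1000


def pim_allowed(password: str, pim: int, legacy_system: bool = False) -> bool:
    """A short password may not be combined with a PIM below the minimum."""
    if len(password) >= SHORT_PASSWORD_LEN:
        return pim >= 1
    return pim >= MIN_PIM[legacy_system]


def time_derivation(password: str, pim: int, legacy_system: bool = False) -> float:
    """Seconds for one header-key derivation at this PIM (one PRF only)."""
    if not pim_allowed(password, pim, legacy_system):
        raise ValueError("PIM too small for a password under 20 characters")
    prf = "sha256" if legacy_system else "sha512"
    salt = os.urandom(64)  # constructed random salt for the demonstration
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, password.encode(), salt,
                        iterations(pim, legacy_system), 64)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample passwords: one of 28 characters, one of 16.
    for pw, pim in (("correct horse battery staple", 1), ("Passw0rd-16chars", 485)):
        n = iterations(pim)
        print(f"len={len(pw):2d} PIM={pim:3d} iterations={n:6d} "
              f"one derivation: {time_derivation(pw, pim):.3f}s")
```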
I have opened an issue about this on GitHub, for a while: https://github.com/veracrypt/VeraCrypt/issues/204
Sadly, the author Mounir Idrassi still hasn’t replied to it, and it seems the issue will be pending for a while… I’d love to be proven the contrary :)
I think that there are some workarounds – for example encrypt with older VeraCrypt version and after that upgrade, or use CipherShed and upgrade to Veracrypt…
It is sad that BitLocker is so good in comparison and VeraCrypt is less usable than TrueCrypt a few years ago…
Hello, all.
Can someone tell me whether I can make image-level backups (e.g. Acronis) of encrypted partitions/disks?
@Ascar, assuming you use VeraCrypt or something similar: if you are within your OS as you make the backup, there will be no issue. The backup software, like every other software on the system (think MS Word), is reading the files in cleartext as it builds your backup archive. This is because the encryption/decryption happens at the kernel driver layer. So from Acronis’ standpoint, making a backup of your encrypted partition is no different from any other backup.
Be aware then that if you are saving your backup to another unencrypted disk, the backup itself will also be unencrypted, just as if you had copied a document to an external unencrypted USB drive (unless of course Acronis adds its own encryption to backups).
@Ryan, thanks for your input. That’s my bad – I did not ask clearly enough. If I booted off an Acronis flash drive or anything else – so my partition is encrypted and locked and I back it up sector by sector – what would be an expected outcome? If I try to restore it and then mount it in the OS assuming that I have the keys/password – will I be able to access the data?