All new iPhones are now encrypted by default, which is something that has alarmed law enforcement services the world over. Google also announced that it would start encrypting Android phones by default, and although it has reneged somewhat on this promise, it still strongly recommends that manufacturers ship their phones with full-disk encryption pre-enabled.
Regardless, it is a simple matter for owners of unencrypted Android phones (Gingerbread 2.3.4+) to encrypt both their phone and any SD cards they use. Note also that if you are interested in improving your privacy and security on your Android device, you should check out our Best Android VPN guide.
Why do I want to encrypt my phone?
Most of us these days keep a vast amount of personal information on our smart phones – photos, contact numbers and addresses, passwords, bank details, emails, etc. In addition to this, business users often keep sensitive information on their phones that is vulnerable to corporate espionage.
While a standard lock-screen code will deter casual theft of your data if you lose your phone, to a determined, tech-savvy adversary the lock screen offers little real protection.
Encrypting your phone, on the other hand, makes it secure against almost all forms of attack, and will probably foil even the NSA.
Reasons not to encrypt your phone
Encryption/decryption takes processing power, and will therefore slow down your phone a little*. On faster phones you are very unlikely to notice a difference, but users of slower phones may want to think twice before encrypting them (this is likely the main reason Google dropped its requirement that all new phones be encrypted by default).
*Note that both of these articles test performance using a Google Nexus 6, which, as Android Central notes, “causes a greater discrepancy in performance than we'd see with most other devices, thanks to Qualcomm's crypto engine.” We therefore decided to perform our own tests using our Samsung Note 4 and the AndEBench-Pro 2015 industry-standard benchmarking tool.
Before phone encryption
After phone encryption
As we can see, encrypting the phone caused a 9% performance hit. Such is the price of security, but we have to say that we didn’t notice a real difference in practice.
Another issue is that it is not easy to reverse the encryption process should you change your mind. It can be done by factory resetting your phone, but this will mean that you lose all data stored on the phone.
Is it legal?
Encrypting your phone is legal pretty much everywhere. In Canada, the Court of Appeal for Ontario has ruled that although police can legally search a phone that is not protected by a password, a warrant is required if the phone is protected by a password.
Of course, even with a warrant, an encrypted phone cannot be accessed unless you divulge your Master Password. US citizens are probably protected from having to do this by the Fifth Amendment right against self-incrimination, but UK citizens (for example) can be legally compelled to disclose their passwords under the Key disclosure law.
If these issues are important to you, then we strongly suggest researching the legal situation regarding mandatory decryption of data in your country.
How secure is Android full disk encryption?
Android full disk encryption is based on dm-crypt, an open source transparent disk encryption subsystem used in Linux. It uses cipher mode 128-bit AES-cbc with essiv:sha256, and the Master Password is protected using AES-128. Android versions 4.4+ further harden the Master Password against brute-force attacks with 2000 iterations of PBKDF2.
A detailed discussion on the encryption used is available here, but the long and the short of it is that accessing encrypted data on your phone is pretty much impossible (without knowing your Master Password).
How to encrypt your phone
For this tutorial we are using an unrooted Samsung Galaxy Note 4 running Android 5.1.1, but the process should be very similar for all Android phones (and other Android devices).
- Plug your phone into a power source. The process can take an hour or more (depending on how much data requires encrypting), and you really don’t want to run out of juice half way through!
- Ensure that you have backed-up all your important data.
- Go to Settings -> Lock Screen -> Screen Lock -> [enter current password] -> Password and create a password that is at least 6 characters long, and contains at least 1 number. Unfortunately there is a limit of 16 characters, which makes using strong passphrases more or less impossible.
If you do not perform this step first, you will be sent back to do it when you start to encrypt your device.
- Go to Settings -> System -> Security -> Encrypt device
- Select “Encrypt Phone” to confirm encryption. You will be asked once more to confirm your password, then sit back and relax as Android does its thing…
For us, this took around 45 minutes.
Once done, you need to enter your master password each time you reboot your phone.
Unfortunately, with encryption enabled, pattern and PIN unlock are disabled on the lock screen. This could be something of a nuisance, and is worth bearing in mind when deciding whether or not to encrypt your phone. Fortunately for us, it is possible to re-enable the fingerprint scanner on the Note 4 after encryption.
The only way to reverse phone encryption is to reset the phone to its factory-default settings. If you do this, all data stored on the phone will be erased. You will also be permanently unable to access encrypted data on your SD card (as the SD card encryption keys will be deleted), so make sure you decrypt an encrypted SD card before performing a factory reset of the phone.
To factory reset your phone go to Settings -> Personalisation -> Backup and reset -> Factory data reset.
How to encrypt your SD card
In addition to encrypting the phone itself, it is possible to encrypt external SD cards (on phones that still support this very handy feature).
Cards can only be used on the phone on which they are encrypted, but unlike phone encryption, SD card encryption can be fairly easily reversed. As noted above, if you factory reset your phone without first decrypting encrypted files on your SD card, these files will be lost.
To encrypt an SD card, simply go to Settings -> System -> Security -> Encrypt external SD card -> Enable, and follow the instructions.
You will be offered the choice of whether to exclude multimedia files from the encryption process (in order to save time) and asked to confirm your Master Password. Note that you will need around 2GB free space on the SD card before it can be encrypted.
The process can take a while, depending on how much data needs to be encrypted (but you can use your phone while this happens).
SD card encryption is completely transparent in use, as long as you access encrypted files from the password-protected phone you encrypted them on. The files cannot now be accessed in any other way.
Unlike with full-disk encryption, SD card encryption can be easily reversed. Simply go to Settings -> System -> Security -> Encrypt external SD card -> Disable (you will be asked to confirm your master password).
Encrypting Android Conclusion
Making your phone more secure by encrypting it is very easy, and we find the added security a more than acceptable trade-off for the 9% performance hit this incurs for us (which in real-life use we don’t notice anyway).
We do think that having to use the same master password used to secure the phone in order to disable the lock screen could be an issue. Thanks to the Note 4’s fingerprint scanner this is not a problem for us, but we can see those without such a scanner becoming pretty frustrated at having to enter a secure password every time they unlock their phone.