Though this series has primarily focused on encrypting desktop operating systems, protecting your phone is perhaps even more important. Your phone goes quite literally everywhere with you. Phones are at much greater risk for loss or theft than laptops, all other things being equal. This post will discuss Android full disk encryption and how to implement it.
Android Full Disk Encryption
First, the ins, the outs, the what-have-yous: Android-powered phones and tablets have the ability to be encrypted. Unfortunately, only a small percentage of these devices come from the factory with this encryption enabled (Google’s flagship Nexus being one such device). An article published earlier this year estimated that only about 10% of Android devices is encrypted (compared to 95% of iPhones, iPads, and iPods). There is a huge caveat to that, however: devices that ship with Android 6/Marshmallow installed are required to ship will encryption enabled – as long as the device meets certain speed requirements. However, there are plenty of Androids in use that will never be eligible to upgrade to Marshmallow.
If you have an device running an older version of Android, or if you bought a new device that is not encrypted by default you have the option to do it yourself. There may be some slow-down of your system; full disk encryption does impart a performance penalty. The performance issue is the reason Google quietly backed away from a promise to begin encrypting all Androids by default. Further, major percentage of Android handsets have a vulnerability that makes their full disk encryption much weaker. Still, it is far and away better than nothing and you should enable it.
Enabling Android Full Disk Encryption
The good news about Android full disk encryption is how easy it is to enable. Before you begin, you should first passcode protect the device. I do not recommend using an unlock pattern. Instead you should use a passcode or password. A numeric passcode will be your most usable option, and if it is of sufficient length (~10 characters and up) it will provide sufficient security.
Next, make sure you phone is charged and plugged in. Before the phone will let you begin you must have a full battery AND be connected to a power source. Some devices will begin with the battery at 80% while others require a 100% charge. This is for good reason. If the process is interrupted the phone will be “bricked” and be rendered completely inoperable.
Open your device’s settings. The specifics may vary somewhat between models. Navigate to the “Security” category. Tap “Encrypt phone”. If this option is greyed out, your phone is already encrypted. You will be asked to confirm that you wish to encrypt the device. Confirm your decision and the encryption process will begin. As the phone warns, encryption may take up to an hour. During this time you should use your phone as little as possible so processor resources can be devoted to encrypting the device as quickly as possible.
You should also note that encryption is a “one way” function. Once you encrypt the device, the only way to decrypt it is to perform a factory reset. Some Android devices will allow you to encrypt the SD card, as well (and some will not). If this is the case, you will have to encrypt it separately. If you do have the option, I strongly recommend encrypting it. If I were an Android user I would also strongly consider this in my next device purchase; storage that cannot be encrypted is essentially worthless to me.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.