Encrypting data on Android devices


Reading important emails, making online purchases with your credit card, editing and transferring important documents? If your answer is yes, then you should think about encrypting your device.

Once the encryption process is complete, you're done! Make sure to save your password in a safe place, because now you will need it every time you want to access your phone. Please note that if you forget your password, there is currently no way to recover it.

In fact, encryption of Android devices, along with obvious advantages, also has significant disadvantages:

  1. Imagine that every time you want to make a call you have to enter a complex password. How long will it take before you get tired of it?
  2. You cannot decrypt an encrypted device; no such option is provided. The only way to "decrypt" it is to reset the phone to factory settings, and in that case, of course, all your data is lost. This gets especially interesting if you forgot to make a backup first.

Thus, today there is a difficult choice - either you encrypt your device and put up with huge inconveniences, or you get ease of use, but at the expense of security. Which path will you choose? I don't know. Which path would I choose? I can’t answer either. I just do not know.

Vladimir BEZMALY ,
MVP Consumer Security,
Microsoft Security Trusted Advisor

I'll show you how to encrypt your device using a screen lock password.

By encrypting your Android smartphone or tablet, you will protect it from hacking and no one will be able to steal your data and photos from it. Go to Settings - Advanced.

Then click on Privacy.

Scroll below and tap on “Encrypt your device using your lock screen password.”

You can encrypt your accounts, settings, installed applications and their data, media files, etc.

  • You will not be able to use the alarm while the device is turned off
  • You will have to enter the password every time the device reboots, and rebooting will take longer
  • You must set a new screen lock password
  • Make sure you remember your screen lock password; otherwise you will have to do a full reset and erase all data on the device

Click the slider next to “Encrypt device using screen lock password”

First set a password. Set a screen lock password to enable this feature. You will have to enter the password every time you reboot your device. Click Next.

Select the type of password to unlock.

  • Graphic key. Create a pattern to unlock your device
  • PIN. Enter 4 numbers to unlock your device
  • Password. Enter 4 numbers or letters to unlock your device

Having chosen a password of letters and numbers, create and memorize it, then click “Next”. This password will need to be entered after every reboot.

Then confirm your created password by entering it again.

Encryption of all your data on your smartphone will begin.

Now, after rebooting your smartphone or tablet, you will need to enter the password that you came up with in order to launch the Android OS on your device. And for an iPhone, do the same through the function.

Then, after Android has started, you will need to enter an unlock password, which will already unlock your smartphone.

If you decide to disable data encryption, go to “Settings - Advanced - Privacy - Encrypt device” and click on the slider to disable encryption. If you disable device encryption with your screen lock password, some Google services may become unavailable.

Google first allowed encryption of Android devices in Android Gingerbread (2.3.x), but this function has undergone some significant changes since then. On some smartphones running Lollipop (5.x) and higher, the encryption function works, as they say, out of the box, while on some older or budget devices you will have to enable it yourself.

Why you might need to encrypt your Android device

Encryption stores your phone's data in an unreadable form. For the low-level encryption, Android uses dm-crypt, the standard disk encryption subsystem in the Linux kernel; the same technology is used in various Linux distributions. When you enter a PIN, password, or pattern on the lock screen, the phone decrypts the data, making it readable. Anyone who does not know the PIN or password will not be able to access your data. On Android 5.1 and higher, encryption does not require a PIN or password, but one is highly recommended, since without it the effectiveness of encryption is reduced.

Encryption protects sensitive data on your phone. For example, corporations with sensitive business data on company phones want to use encryption (with a secure screen lock) to protect the data from industrial espionage. An attacker will not be able to access the data without the encryption key, although there are advanced hacking methods that make this possible.

The average user thinks that he has no important information. If your phone is stolen, the thief will have access to your email, your home address and other personal information. I agree, most thieves will not be able to access personal information if a regular unlock code is installed on the smartphone, even without encryption. And most thieves are interested in selling your device, not your personal data. But it never hurts to protect your data.

What you need to know before encrypting your Android device

Most new devices have encryption enabled by default. If you have just such a device, then you will not be able to disable encryption. But, if you are using a gadget in which encryption is not enabled, then before using this function you should know the following:

  • Slower operation: Once data is encrypted, it must be decrypted each time it is accessed. You may therefore see a slight drop in performance, although most users will not notice it at all (especially on a powerful phone).
  • Disabling encryption: If you enable encryption, the only way to turn it off is a factory reset.
  • Root rights must be removed first: If you try to encrypt an Android device that has root permissions, you will run into problems. First remove root, then encrypt the device, then regain superuser rights.

This does not mean we are discouraging you from encryption; we are simply trying to explain all the nuances of the process.

How to enable encryption on Android

Before you start, there are a few things to know:

  • Encrypting your device may take an hour or more.
  • The device must be charged at least 80%, otherwise Android simply will not perform the encryption process.
  • Your device must be turned on during the entire process.
  • If your device is rooted, be sure to remove it before continuing!

Make sure you have enough time and battery charge. If you interfere with the encryption process or end it yourself, you can lose all your data. Once the process begins, it's best to just leave the device alone and let it do its thing.

Open the menu, go to settings and click on “Security”. Please note that this item may have different names on different devices. Some devices also allow you to encrypt the SD card, but by default only the internal memory will be encrypted.

If the device is not yet encrypted, you can click on the “Encrypt device” option to begin the encryption process.

There will be a warning on the next screen so you know what to expect after the process is finished. Most of it has already been described in this article. If you are ready to continue, click the “Encrypt device” button.

Another warning will appear asking if you really want to encrypt the device. If you have not changed your mind, then click on “Encrypt device”.

After this, the phone will reboot and the encryption process will begin. The progress bar and the time until the operation is completed will show how long you will be without your phone.

After the process is completed, the phone will reboot and you can use it again. You will need to enter your screen unlock password or PIN to complete the boot process. If you did not have an unlock password or PIN enabled, the system will prompt you to set one before encrypting your Android device. To do this, go to Settings -> Security -> Screen lock and select the lock type.

Please note that even if you have a fingerprint scanner, you still need to set a password, PIN code, or pattern, since only those can be used to unlock the device on first boot.

From now on, your device will be encrypted, but if you want to disable encryption, you can do so by performing a factory reset. If you have encryption enabled out of the box, then you can no longer disable it, even through a factory reset.

If you look at it from a security perspective, your Android smartphone is a compact box overflowing with important personal information, and you would hardly want it to fall into the wrong hands. To get a more realistic picture of the situation, think about your e-mail, SMS messages, saved credit card numbers, personal photos and other sensitive data.

I think no one would want to be in a situation where a stranger took possession of this data, because it’s scary to even think about the consequences of this. And this is the main reason why we come to different methods for organizing the protection of our phone or tablet, and data encryption is the main means of protecting data.

What is encryption?

Encryption is the reversible process of converting data into a form that is unreadable to everyone except those who know how to decrypt it. The only way to return the data to readable form is to decrypt it using the correct key.

Such things are easier to understand with a simple example. Say you lost your diary: someone who finds it and knows Russian can easily read it and learn your innermost secrets. But if you kept the diary in some kind of secret code, or a language only you understand, then no one else would be able to read it.

A similar approach can be applied to data stored on your Android device. A thief can take over your smartphone or tablet and gain access to personal data, but if the data is encrypted, then it will be just a bunch of useless gobbledygook that he cannot read.

We encrypt your Android

Android encryption is a very simple procedure. Please note that the data encryption menus may be located in different places on different devices. In addition, custom firmware and UIs, for example Samsung TouchWiz UX, may have different requirements.

First of all, set a password or PIN code to lock the screen. This password or PIN will form part of the key to decrypt the data, so it is important to set it before you begin encryption.

Some device manufacturers impose additional security requirements, for example on the Galaxy S3 and Galaxy S4.

After setting a PIN or password, go to the “Security” subsection of the main menu and select “Encrypt Phone” or “Encrypt Tablet”. On different devices the menu for data encryption may be located in different places, for example, in HTC One it is located in the “Memory” section in the main menu.

The encryption menu will look something like this:

The encryption process takes a long time, so it's important to keep your battery fully charged. If there is insufficient battery power, you will receive a notification before encryption begins.

If everything is ready, click the button at the bottom of the “Encrypt Phone” or “Encrypt Tablet” screen. Here your phone will ask for a password or PIN code, enter it to confirm. A warning message will appear again, click the “Encrypt phone” button.

Your device will reboot and only after that the encryption will begin. You will see an encryption progress indicator on the screen. While the encryption process is running, do not play with your phone or try to perform any actions; if you interrupt the encryption process, you may lose all or part of the data.

Once encryption is complete, the phone (tablet) will reboot and you will have to enter your password or PIN to decrypt all data. After entering the password, all data will be decrypted and normal Android will boot.

Encrypting an external SD card

Some devices, such as the Galaxy S3 and Galaxy S4, allow you to encrypt data even on external storage devices - SD memory cards.

Typically, you have the option of choosing which files on the memory card to encrypt. You have the following encryption options: the entire SD card, include/exclude multimedia files, or encrypt only new files.

The data that you encrypted on the SD card will be impossible to read on another Android device. Some devices will report that the memory card is empty, or has an unknown file system.

Unlike encryption of the built-in memory, encryption of data on the SD card can be undone. On the Galaxy S3 and Galaxy S4, you can decrypt data on an external microSD card using the Encrypt External SD Card menu. Be careful with encryption on SD cards, as some Android devices may destroy all data during encryption or decryption.


Briefly: If you use a graphic key to access your phone, then 99% of the time this is enough to ensure that no one can access the information on your phone without your knowledge. If the data on your phone is very sensitive, then you should use the phone's built-in full encryption feature.

Today, almost all smartphones have become carriers of important personal or corporate data. Also, through the owner's phone, you can easily access his accounts, such as Gmail, DropBox, FaceBook and even corporate services. Therefore, to one degree or another, it is worth worrying about the confidentiality of this data and using special means to protect your phone from unauthorized access in case of theft or loss.

  1. From whom should you protect your phone data?
  2. Built-in data protection in Android.
  3. Full phone memory encryption
  4. Results

What information is stored on the phone and why protect it?

A smartphone or tablet often serves as a mobile secretary, freeing the owner from having to keep a large amount of important information in their head. The phone book contains the numbers of friends, co-workers, and family members. Credit card numbers, access codes, and passwords for social networks, email and payment systems are often written down in the notes app.
The list of recent calls is also very important.
Losing your phone can be a real disaster. Sometimes phones are stolen specifically to pry into the owner's personal life or to profit at the owner's expense.
Sometimes they are not stolen at all, but used briefly and unnoticed, and a few minutes is quite enough for an experienced malicious user to find out all the details.

The loss of confidential information can result in financial ruin, the collapse of your personal life, and the breakup of your family.
“I wish I didn't have it!” the former owner will say. “It’s so good that you had it!” the attacker will say.

And so what needs to be protected on the phone:

  1. Accounts. This includes, for example, access to your Gmail inbox, and any synchronization you have set up with Facebook, Dropbox or Twitter. Logins and passwords for these systems are stored in open form in the phone profile folder /data/system/accounts.db.
  2. History of SMS correspondence and phone book also contain confidential information.
  3. Web browser. The entire browser profile must be protected. It is well known that the web browser (built-in or third-party) remembers all your logins and passwords for you. All of this is stored in open form in the program's profile folder in the phone’s memory. Moreover, the sites themselves usually (using cookies) remember you and leave access to your account open, even if you did not ask it to remember the password.
    If you sync your mobile browser (Chrome, Firefox, Maxthon, etc.) with the desktop version of the browser to transfer bookmarks and passwords between devices, then you can assume that all your passwords for other sites are accessible from your phone.
  4. Memory card. This matters if you store confidential files on your memory card or download documents from the Internet. Typically, photos and videos you take are stored on the memory card.
  5. Photo album.

Who should you protect your phone data from:

  1. From a random person who finds your lost phone, or from “accidental” theft of the phone.
    It is unlikely that the data on the phone will be of value to the new owner in this case. Therefore, even simple graphic key protection will ensure data safety. Most likely, the phone will simply be reformatted for reuse.
  2. From prying eyes (co-workers/children/spouses) who can gain access to your phone without your knowledge, taking advantage of your absence. Simple protection will ensure the safety of your data.
  3. Forced access
    It happens that you are “voluntarily” forced to hand over your phone and open access to the system (information). For example, when your wife, a government official, or an employee of the service center where you took the phone for repair asks to look at your phone. In this case, any defense is useless. Although, using additional programs, it is possible to hide the fact that some information exists: hide part of the SMS correspondence, some contacts, some files.
  4. From targeted theft of your phone.
    For example, someone really wanted to know what was on your phone and made an effort to get it.
    In this case, only full encryption of the phone and SD card helps.

Built-in data protection on Android devices.

1. Lock screen with Pattern Key.
This method is very effective in the first and second cases (protection against accidental loss of the phone and protection from prying eyes). If you accidentally lose your phone or forget it at work, no one will be able to use it. But if your phone purposefully fell into the wrong hands, then this is unlikely to save you. Hacking can even occur at the hardware level.

The screen can be locked with a password, PIN code and Pattern Key. You can select the locking method by launching the settings and selecting the Security -> Screen lock section.

Graphic Key (Pattern) is the most convenient and at the same time reliable way to protect your phone.

None - no protection.
Slide - to unlock, you swipe your finger across the screen in a certain direction.

Pattern - this is the Graphic Key; it looks something like this:

You can improve security in two ways.
1. Enlarge the Graphic Key input field. It can vary from 3x3 dots on the screen to 6x6 (available on some models from Android 4.2, depending on the Android version and phone model).
2. Hide the display of the dots and the “path” of the graphic key on the smartphone screen so that it is impossible to peek at the key.
3. Set the screen to lock automatically after 1 minute of phone inactivity.

Attention!!! What happens if you forget your pattern key:

  1. The number of incorrect attempts to draw the Graphic Key is limited to 5 (on some models the number of attempts can be up to 10).
  2. After you have used up all your attempts without drawing the Pattern correctly, the phone is locked for 30 seconds. After this, you will most likely get a couple of attempts again, depending on your phone model and Android version.
  3. Next, the phone requests the login and password of the Gmail account registered in the phone's Accounts settings.
    This method only works if your phone or tablet is connected to the Internet. Otherwise you are stuck, or must reset to factory settings.

It happens that the phone falls into the hands of a child - he starts playing, draws the key many times and this leads to the key being blocked.

PIN - a password consisting of several digits.

And finally, Password - the most reliable protection, with the ability to use letters and numbers. If you decide to use a password, then you can enable the Phone encryption option.

Encryption of phone memory.

The function is included in Android version 4.0* and higher (for tablets). But this feature may be missing in many budget phones.
It allows you to encrypt your phone's internal memory so that it can only be accessed with a password or PIN code. Encryption helps protect the information on your phone in the event of targeted theft. There is no way attackers will be able to access your data from your phone.

A prerequisite for using encryption is setting a screen lock with a password.
This method protects user data located in the phone's memory, such as the phone book, browser settings, passwords used on the Internet, and photos and videos that the user took with the camera and did not copy to the SD card.

SD card encryption is enabled as a separate option.
  • Memory encryption may take up to an hour depending on the amount of memory on the device. The phone cannot be used during encryption.

What if you forgot your password?

Password recovery is not provided in this case. You can do a full RESET on your phone or tablet, i.e. reinstall Android, but user data from the phone or tablet will be erased. Thus, if an attacker does not know the password to unlock the phone, he will not be able to use it. It will also be impossible to see data from the phone’s memory using other programs by connecting the phone to a computer, because all internal memory is encrypted. The only way to get your phone working again is to reformat it.

Attention, the full encryption function is present only starting from Android OS 4.0 - 4.1 and may simply not be available on some phone models. Most often found in phones from Samsung, HTC, LG, Sony. Some Chinese models also have an encryption feature. On some phones this function is located in the “Memory” section.

Disadvantages:

  1. You will need to constantly enter a fairly complex password (6-10 characters) even if you just want to make a call. Although it is possible to set a long time interval (30 minutes) during which the password will not be requested when you turn on the phone screen. On some phone models, the minimum password length can be 3 characters.
  2. On some phone models, it is not possible to disable encryption if you want to avoid having to constantly enter a password. Encryption can only be disabled by returning the phone to factory settings and deleting all data.

Encrypting an external SD memory card

The function is included in the standard Android 4.1.1 package for tablets. It is missing from many budget builds.
The function provides reliable protection of data on an external SD card. Personal photographs and text files with commercial and personal information can be stored there.
It allows you to encrypt files on the SD card without changing their names or the directory structure, while preserving previews (thumbnails) of image files. The function requires setting a display lock password of at least 6 characters.

It is possible to cancel encryption. When changing the password, automatic re-encryption occurs.
If the user has lost the memory card, the encrypted files cannot be read through a card reader. If you put it in another tablet with a different password, the encrypted data also cannot be read.
Other Encryption Properties:

  • Transparent encryption. If the card is inserted into the tablet and the user has unlocked the screen with a password, any application sees the files in decrypted form.
  • If you connect the tablet via a USB cable to a computer, encrypted files can also be read on the computer by first unlocking the card from the screen of the mobile device.
  • If you write some other unencrypted files onto the card via the card-reader, they will also be encrypted after inserting the card into the tablet.
  • If you have an encrypted card, you cannot cancel the lock password.
  • Data is encrypted at the file level (the file names are visible, but the contents of the file are encrypted).

Disadvantage: the feature is missing from most Android builds.

It should be emphasized that the best way to keep data safe is a complete copy of it on your computer. A smartphone is a small and fairly fragile device, which means there is always a chance of it breaking or being lost.

Improving the usability of a secure smartphone

Full phone encryption provides the strongest level of protection, but constantly entering a 6-digit password makes it difficult to use. But there is a solution.

Select a pattern, PIN or password to set up your security.

You will be offered a choice: protection using a PIN code, password or pattern at startup. The choice is up to you, but we recommend choosing some kind of protection as it increases the security of your device.

Note that even with a fingerprint reader, you can't use your fingerprint to unlock the device the first time you boot; you'll have to enter a password, PIN, or pattern. Once the device has been decrypted using the correct method, the fingerprint scanner can then be used to unlock the screen.

From now on, your device will be encrypted, but if you want to disable encryption, you can do so by performing a factory reset. If you have a new device that automatically has encryption enabled, there is no way to disable it, not even through a factory reset.

Data encryption in the Android OS is closely tied to two problems: controlling access to memory cards and moving applications to them. Many programs contain activation data, payment information, and confidential information. Protecting it requires managing access rights, which the FAT32 file system typically used on cards does not support. Therefore, the approach to encryption changed radically in each version of Android: from a complete absence of cryptographic protection for removable media to its deep integration into a single partition with on-the-fly encryption.

The special role of the memory card

Initially, Android developers intended to use the memory card only as separate storage for user files. It was just a multimedia warehouse with no requirements for its protection or reliability. microSD(HC) cards with FAT32 coped well with the role of simple storage, freeing the internal memory from photos, videos and music.

The ability to move not only multimedia files but also applications to a memory card first appeared in Android 2.2 Froyo. It was implemented using the concept of an encrypted container for each application, but this protected exclusively against the card falling into the wrong hands - not the smartphone.

Moreover, it was a half-measure: many programs were transferred partially, leaving some of the data in internal memory, and some (for example, system ones or containing widgets) were not transferred to the card at all. The very possibility of transferring applications depended on their type (pre-installed or third-party) and internal structure. For some, the directory with user data was immediately located separately, while for others it was located in a subdirectory of the program itself.

If applications used read/write operations intensively, the reliability and speed of the cards could no longer satisfy the developers. They deliberately made it impossible to move their programs using standard means. Thanks to this trick, their creations were guaranteed to reside in the internal memory, which has a much higher write endurance and performance.

With the fourth version of Android, it became possible to choose where to place the application. It was possible to designate a memory card as a disk for installing programs by default, but not all firmware correctly supported this function. How it works in a specific device could only be determined experimentally.

In the fifth version of Android, Google again decided to return to the original concept and did everything to make it as difficult as possible to move applications to a memory card. Large manufacturers took the hint and added their own monitoring functions to the firmware, detecting user attempts to forcibly move applications to the card using root. Only the option of creating hard or symbolic links remained. In this case, the application was found at its standard address in the built-in memory but was actually located on the card. However, file managers caused confusion, as many of them did not handle links correctly. They showed the wrong amount of free space, because they believed the application supposedly took up space both in the built-in memory and on the card at the same time.

Adapt it!

In Android Marshmallow, a compromise appeared called “Adaptive Storage” - Adoptable Storage. This is Google's attempt to keep both the wolves fed and the sheep safe.

The Adoptable Storage function allows you to combine the user partition in the built-in memory with a partition on the card into one logical volume. In fact, it creates an ext4 or F2FS partition on the card and adds it to the user partition of the internal memory. It is a purely logical union operation, vaguely reminiscent of creating a spanned volume from several physical disks in Windows.

During the process of combining with internal memory, the card is reformatted. By default, its entire capacity will be used in the merged volume. In this case, the files on the card can no longer be read on another device - they will be encrypted with a unique device key, which is stored inside the trusted execution environment.

As an alternative, you can reserve space on the card for a second partition with FAT32. The files stored on it will be visible on all devices, as before.

The method for dividing the card is set either through the Adoptable Storage menu or through the Android Debug Bridge (ADB). The last option is used in cases where the manufacturer has hidden Adoptable Storage from the menu, but has not removed this function from the firmware. For example, it is hidden in Samsung Galaxy S7 and top LG smartphones. Recently, there has been a general tendency to remove Adoptable Storage from flagship devices. It is considered a crutch for budget smartphones and tablets that do not have enough built-in Flash memory.

However, it is not up to marketers to decide how we use our devices. Via ADB on a Windows computer, the Adoptable Storage function is enabled as follows.

  1. Make a backup of all data on the card - it will be reformatted.
  2. Install the Java SE Development Kit from the Oracle website.
  3. Install the latest version of the Android SDK Manager.
  4. Enable USB debugging on your smartphone.
  5. Launch SDK Manager and type on the command line:

    Where x:y is the memory card number.

  6. If you want to leave part of the card for a FAT32 volume, then change the command from step 7 to this:

    $ sm partition disk:x:y mixed nn

    where nn is the percentage of the card to leave as a FAT32 volume.

For example, the command sm partition disk:179:32 mixed 20 will add 80% of the card’s capacity to the built-in memory and leave a FAT32 volume on it with 1/5 of its capacity.

On some smartphones, this method “as is” no longer works and requires additional tricks. Manufacturers are doing everything to artificially divide their products into market niches. Top models are available with different amounts of built-in memory, and there are fewer and fewer people willing to overpay for it.

Some smartphones do not have a memory card slot (for example, the Nexus series), but support connecting USB-Flash drives in OTG mode. In this case, the flash drive can also be used to expand the internal memory. This is done with the following command:

$ adb shell sm set-force-adoptable true

By default, the ability to use USB-OTG to create adopted storage is disabled because unexpected removal could result in data loss. The probability of a memory card being removed unexpectedly is much lower because of its physical placement inside the device.

If there are problems adding the removable media as a volume or partitioning it, first remove all information about the previous logical layout from it. This can be done reliably using the Linux utility gparted, which on a Windows computer is run from a boot disk or in a virtual machine.

According to official Google policy, applications can be installed directly into or moved to adopted storage only if the developer has allowed this in the android:installLocation attribute. The irony is that not all of Google's own apps allow this yet. There is no practical size limit to “adopted storage” in Android: the theoretical limit is nine zettabytes, which is more than even data centers hold, and memory cards of larger capacity will not appear in the coming years.

The encryption itself, when adopted storage is created, is performed using dm-crypt, the same Linux kernel module that performs full-disk encryption of a smartphone's built-in memory (see the previous article). The AES algorithm is used in cipher block chaining (CBC) mode. A separate encrypted salt-sector initialization vector (ESSIV) is derived for each sector; the SHA hash used for that has a 256-bit digest, and the data key itself is 128 bits.

This implementation, although inferior in reliability to AES-XTS-256, is much faster and is considered reliable enough for consumer devices. A nosy neighbor is unlikely to open encrypted adopted storage in a reasonable time, but intelligence agencies have long learned to exploit the shortcomings of the CBC scheme. In addition, in reality, not all 128 bits of the key are completely random. Unintentional or deliberate weakening of the built-in pseudorandom number generator is the most common problem in cryptography. It affects not only Android gadgets, but all consumer devices in general. Therefore, the most reliable way to ensure privacy is not to store confidential data on your smartphone at all.
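To make the per-sector IV construction concrete, here is an added example (not from the article) that reproduces the dm-crypt ESSIV derivation with the OpenSSL command-line tool: the IV for sector n is the AES encryption of n (64-bit little-endian, zero-padded to one block) under a key equal to SHA-256 of the data key, which is what an aes-cbc-essiv:sha256 mapping does. The 128-bit data key is a constructed constant; if openssl is not installed, the functions return the marker no-openssl instead of failing.

```sh
#!/bin/sh
# Added example (not from the article): reproduce dm-crypt's ESSIV
# initialization-vector derivation (aes-cbc-essiv:sha256) with the openssl CLI.
# Assumption: openssl is installed; otherwise the functions return "no-openssl".

# Constructed 128-bit data key (hex). A real key comes from the device's
# key store; a fixed value is used here only so the example is reproducible.
DATA_KEY_HEX=000102030405060708090a0b0c0d0e0f

# Write the raw bytes for an even-length hex string (POSIX printf, octal escapes).
hex2bin() {
    h=$1
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x$(printf '%.2s' "$h")")"
        h=${h#??}
    done
}

# ESSIV key: SHA-256 of the data key. Its 256-bit digest is what makes the
# IV cipher AES-256 even though the data cipher uses a 128-bit key.
essiv_key() {
    hex2bin "$DATA_KEY_HEX" | openssl dgst -sha256 | awk '{print $NF}'
}

# IV for one sector: AES-256-ECB encryption, under the ESSIV key, of the
# 64-bit little-endian sector number zero-padded to a 16-byte block.
essiv_iv() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    n=$1 le='' i=0
    while [ "$i" -lt 8 ]; do
        le=$le$(printf '%02x' $(( n & 255 )))
        n=$(( n >> 8 ))
        i=$(( i + 1 ))
    done
    hex2bin "${le}0000000000000000" \
        | openssl enc -aes-256-ecb -K "$(essiv_key)" -nopad \
        | od -An -tx1 | tr -d ' \n'
}

# Show that each sector gets its own IV and that the derivation is deterministic.
for s in 0 1 2 1; do
    printf 'sector %s -> IV %s\n' "$s" "$(essiv_iv "$s")"
done
```

Because the IV depends only on the key and the sector number, identical plaintext in different sectors encrypts differently and the IV cannot be predicted without the key. ESSIV does not, however, add any integrity check: neither CBC nor XTS authenticates the data, so a weak key source or modified ciphertext goes unnoticed by the cipher itself, which is why the article's advice not to rely on the device for truly confidential data still stands.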

If you perform a factory reset after merging the memory using Adoptable Storage, the data on the card will be lost as well. So it is worth making a backup first, or better yet, setting up cloud synchronization right away.

Alternative encryption of data on a memory card

Now that we have figured out how files are stored on a memory card in different Android versions, let's move directly to encrypting them. If you have a device with Android 6 or newer, there is a high probability that you can activate the Adoptable Storage function in it one way or another. Then all data on the card will be encrypted, just like in the built-in memory. The only exception is the files on the additional FAT32 partition, if you chose to create one when reformatting the card.

In earlier releases of Android, things are much more complicated, since before version 5.0 cryptographic protection did not affect memory cards at all (except, of course, for the data of applications moved to the card). “Regular” files on the card remained in the clear. To hide them from prying eyes, you will need third-party utilities (which often turn out to be just a graphical shell for built-in tools). Among the many existing methods, there are four fundamentally different ones:

  • using a universal crypto container - a file with an image of an encrypted volume in a popular format that applications for different operating systems can work with;
  • transparent encryption of files in a specified directory via the FUSE driver and a third-party utility for creating/mounting an encrypted partition as a file;
  • encryption of the entire memory card via dm-crypt;
  • using a “black box” - a separate application that stores encrypted data in its own format and does not give third-party programs access to it.

The first option is familiar to anyone who uses TrueCrypt or one of its forks on a computer. There are applications for Android that support TrueCrypt containers, but each has its own limitations.

The second option allows you to organize “transparent encryption”, that is, store all data encrypted and decrypt it when accessed from any application. To do this, all data from the selected directory is represented as the contents of a virtual file system with support for on-the-fly encryption. EncFS is usually used, which we will talk about in more detail below.

The third option is built-in dm-crypt. You can use it, for example, through LUKS Manager. The application requires root and BusyBox installed. Its interface is not for everyone.

LUKS Manager creates a crypto container on the card as a file. This container can be attached to an arbitrary directory and worked with as with a regular one. The advantage is that this solution is cross-platform: you can work with the container not only on an Android gadget, but also on a desktop, on Linux through cryptsetup and on Windows through the program or its fork LibreCrypt. The downside is the inconvenience of using it together with cloud services: every time, the entire container has to be re-uploaded to the cloud, even if only one byte has changed.

The fourth option is generally of little interest, since it greatly limits the scenarios for using encrypted files. They can only be opened by one specialized application, and you have to trust that its developer has actually mastered cryptography. Unfortunately, most of these applications do not stand up to scrutiny. Many of them have nothing to do with cryptography at all, since they simply mask files instead of encrypting them. At the same time, the description may mention strong algorithms (AES, 3DES...) and quotes from Schneier's “Applied Cryptography”. At best, such programs will have a very poor encryption implementation, and at worst there will be no encryption at all.

There is no official VeraCrypt client for Android and none is planned, but its authors recommend the EDS (Encrypted Data Store) application. This is a Russian development, available in a full and a lightweight version. The full version of EDS costs 329 rubles. It supports crypto containers in the TrueCrypt, VeraCrypt and CyberSafe formats, as well as LUKS and EncFS. It can work with local, network and cloud storage, providing other applications with transparent encryption. On-the-fly encryption requires OS kernel support for the FUSE framework and root rights. Ordinary work with crypto containers is possible on any firmware.

The EDS Lite version is distributed free of charge and has functional limitations. For example, it can work exclusively with containers containing a volume with the FAT file system, encrypted using the AES algorithm with a 256-bit key length and using the SHA-512 hash function. It does not support other options. Therefore, it is worth focusing on the paid version.

A crypto container is the most reliable and universal method. It can be stored on any file system (even FAT32) and used on any device. All data that you encrypted on your desktop will be available on your smartphone, and vice versa.

EncFS

In 2003, Valient Gough (a software engineer from Seattle who wrote software for NASA and later worked for Google and Amazon) published the first release of EncFS, a free file system with a built-in transparent encryption mechanism. It interacts with the OS kernel through a callback layer, receiving requests through the libfuse interface of the FUSE framework. At the user's choice, EncFS uses one of the symmetric algorithms implemented in the OpenSSL library: AES or Blowfish.

Since EncFS works as a virtual file system, it does not require a separate partition. On Android, you just need to install an application that supports EncFS and point it at a pair of directories. One of them will store the encrypted content (let's call it vault), and the other the temporarily decrypted files (let's call it open).

After you enter the password, the files are read from the vault directory and presented decrypted in open (as at a new mount point), where they are available to all applications. When you are done, press the Forget Decryption button (or its equivalent) in the application. The open directory will be unmounted, and all decrypted files in it will disappear.

Disadvantages: EncFS does not support hard links, since the data is bound to the file name rather than to the inode. For the same reason, file names are limited to 190 bytes. In the vault directory, file names and contents are hidden, but metadata remains available: you can find out the number of encrypted files, their permissions, and when they were last accessed or modified. There is also a clear sign that EncFS is in use: a settings file with the encfs prefix and the version number in its name. The file contains the encryption parameters, including the algorithm, key length, and block size.

A paid audit of EncFS was performed in February 2014. It concludes that "EncFS is likely to be secure as long as the attacker has only one set of encrypted files and nothing more." If more data is available to the attacker (for example, two snapshots of the file system taken at different times), then EncFS cannot be considered reliable.
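The metadata leak and the tell-tale config file described above can be checked directly. The following added example (not part of the article or of EncFS) builds a constructed sample vault in a temporary directory and audits it the way an observer without the password would: it detects the .encfs6.xml file, reads the cipher, key size and block size from it, and lists the entry count and the per-file sizes, permissions and timestamps that remain visible. The config layout (cipherAlg/name, keySize and blockSize elements) follows EncFS's XML format; the file names and contents in the sample are made up.

```sh
#!/bin/sh
# Added example (not from the article or EncFS): what an EncFS vault reveals
# to someone who can read the directory but has no password.
# Assumption: the vault carries the standard .encfs6.xml config whose
# cipherAlg/name, keySize and blockSize elements describe the parameters.

# Build a constructed sample vault in a temporary directory; the file names
# and contents are made up, only the config layout follows EncFS.
make_sample_vault() {
    dir=$(mktemp -d)
    cat > "$dir/.encfs6.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<cfg>
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg>
    <name>ssl/aes</name>
    <major>3</major>
    <minor>0</minor>
  </cipherAlg>
  <nameAlg>
    <name>nameio/block</name>
    <major>3</major>
    <minor>0</minor>
  </nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
</cfg>
EOF
    printf 'opaque-bytes' > "$dir/2NlcfmXGrz5T4hRy"
    printf 'more-opaque-bytes' > "$dir/kU0pQtE3vwn9eZ1L"
    mkdir "$dir/yH8sWqB2mA7dCx0F"
    printf '%s\n' "$dir"
}

# The config file is the tell-tale sign of EncFS.
is_encfs_vault() { [ -f "$1/.encfs6.xml" ]; }

# Text of the first <tag>...</tag> element in the config (no XML parser needed
# for these flat, single-line elements).
cfg_value() {
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1/.encfs6.xml" | head -n 1
}

# Number of encrypted entries (files and directories), config excluded.
vault_entry_count() {
    find "$1" -mindepth 1 ! -name '.encfs6.xml' | wc -l | tr -d ' '
}

# Report everything visible without the password.
audit_vault() {
    v=$1
    is_encfs_vault "$v" || { echo "not an EncFS vault: $v"; return 1; }
    echo "EncFS vault detected: $v"
    echo "  cipher:     $(cfg_value "$v" name)"   # first <name> is the cipherAlg
    echo "  key size:   $(cfg_value "$v" keySize) bits"
    echo "  block size: $(cfg_value "$v" blockSize) bytes"
    echo "  entries:    $(vault_entry_count "$v")"
    echo "  names, sizes, permissions and mtimes (all exposed):"
    ls -la "$v" | sed 1d
}

V=$(make_sample_vault)
audit_vault "$V"
rm -rf "$V"
```

Pointing audit_vault at a real vault directory shows exactly what a backup copy or a cloud snapshot of it gives away; the two-snapshot caveat from the audit quoted above applies on top of this.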

Once installed, EncFS will be visible as a separate userspace file system through the FUSE driver. Access to it will be realized through some third-party application - for example, the Encdroid or Cryptonite file manager. The latter is based on the EncFS source code, so we will focus on it.

Cryptonite

The latest version of the Cryptonite application is 0.7.17 beta dated March 15, 2015. It can be installed on any device with Android 4.1 and higher, but some functions work more stably in Android 4.3 and later versions.

Most operations in Cryptonite do not require root or any specific components. Creating EncFS volumes and synchronizing with Dropbox can be performed on both official and custom firmware.

Cloud synchronization of encrypted files

However, a number of operations will require mounting EncFS volumes, which requires root rights and support for the FUSE framework by the OS kernel. The use of FUSE is necessary to organize “transparent encryption”, that is, so that other applications can access encrypted data and receive it already decrypted. Most older firmwares do not support FUSE, but it is available in CyanogenMod, MIUI, AOKP and other custom ones. Starting with Android 4.4, FUSE is standardly used to emulate an SD card in the built-in memory.

Disadvantages: When you click “Decrypt” and successfully enter the password, Cryptonite creates a temporary copy of the decrypted file in /data/data/csh.cryptonite/app_open/. A copy of the file is marked as world readable (readable and executable for everyone). You can delete decrypted files by clicking the Forget Decryption button.
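A check for that exposure, as an added example that is not part of Cryptonite or the article: it lists regular files in a staging directory that carry the world-readable bit, counts them (zero is the desired state once Forget Decryption has run), and strips group and other permissions from any that remain. The sample directory is constructed in a temporary location; on a real device the same functions would be pointed at /data/data/csh.cryptonite/app_open/ from a root shell.

```sh
#!/bin/sh
# Added example (not part of Cryptonite or the article): find decrypted copies
# that were left world-readable in a staging directory, and lock them down.
# Assumption: the directory is constructed here; on a device the functions
# would be pointed at /data/data/csh.cryptonite/app_open/ from a root shell.

# Constructed sample: one file exposed the way the article describes
# (readable and executable by everyone) and one kept private.
make_sample_open_dir() {
    dir=$(mktemp -d)
    printf 'decrypted note' > "$dir/notes.txt"
    chmod 0755 "$dir/notes.txt"
    printf 'another one' > "$dir/private.txt"
    chmod 0600 "$dir/private.txt"
    printf '%s\n' "$dir"
}

# Regular files with the "other: read" bit set (octal 004).
world_readable_files() {
    find "$1" -type f -perm -004
}

# How many are exposed; zero is the expected state after Forget Decryption.
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Remediation: strip group and other permissions from every exposed file.
lock_down() {
    world_readable_files "$1" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

D=$(make_sample_open_dir)
echo "exposed before: $(count_world_readable "$D")"
world_readable_files "$D"
lock_down "$D"
echo "exposed after:  $(count_world_readable "$D")"
rm -rf "$D"
```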

Conclusions

The method of encrypting data on a memory card should be chosen based on two main criteria: the usage scenario and the Android version. On modern gadgets with Android 6.0 and higher, the easiest option is to use Adoptable Storage: attach the card to the internal memory and transparently encrypt the entire logical volume. If you need to make files available on other devices or add encryption of data on a card in older devices, crypto containers of proven formats are suitable. Third-party utilities of the “thing in itself” type are best avoided altogether, since instead of real data protection they often only imitate it.

Last updated February 18, 2017.

Recent debates in the US between law enforcement agencies and the tech giants around smartphone encryption once again put this issue in the spotlight. No one will argue that protecting your personal data is an important topic, so we are pleased to say that Android offers the necessary tools to encrypt your smartphone right out of the box. If you're interested and want to know where to start, this guide will tell you how to encrypt your Android smartphone or tablet.

Device encryption: what does it do?
Before you encrypt your device, it makes sense to understand what encryption is and what the pros and cons of this solution are.

Device encryption is not a universal solution that protects all your data or information from prying eyes, especially when it is sent over the Internet. Instead, device encryption converts all data stored on the phone into a form that can only be read with the correct credentials. This provides better security than a lock screen alone, because without encryption the data can be obtained without going through the lock screen, using recovery programs, bootloaders or the Android Debug Bridge.

Encrypted music, photos, apps, and credentials cannot be read without first decrypting the information, which requires a unique key. Thus, part of the procedure happens behind the scenes, where the user's password is converted into a key, which is stored in the "Trusted Environment" to remain inaccessible to third-party users in the event of a software attack. This key will be required to encrypt and decrypt files.

In Android, encryption is implemented simply from the user's point of view, since you enter your secret code whenever you unlock your device, making your files accessible. This means that if your phone falls into the wrong hands, no one else will be able to figure out the data on your phone without knowing the password.

And before you dive headfirst into encryption, there are a few things you should consider. First, opening encrypted files requires additional computing power, so encryption will impact your phone's performance. Memory read speeds may become significantly slower on older devices, but the performance hit for the vast majority of regular tasks remains very small, if noticeable at all.

Secondly, only some smartphones will offer the option to remove encryption from your smartphone. Encryption is a one-way solution for most smartphones and tablets. If your phone does not offer the ability to decrypt your phone data, the only option to perform a full rollback is to return to factory settings, which will erase all of your personal data. Check this point in advance.
Having understood the situation, let's see how to enable encryption.

Encrypting my device

Device encryption works the same on all Android devices, although the methods used to implement it may change slightly over time. Some devices come with encryption active out of the box, such as the Nexus 6 and Nexus 9, and if your device is not encrypted, enabling it in Android is very simple.

Android 5.0 or higher...

For Android smartphones and tablets running Android 5.0 or later, you can go to the Security menu under Settings. The path here may vary slightly depending on your OEM, but on stock Android you will find encryption in the Settings > Personal > Security section.


Here you should see an option to Encrypt Phone or Encrypt Tablet. You'll be prompted to plug your device into a charger while encryption is happening to make sure your phone doesn't turn off during the process, causing errors. If you haven't already done so, you'll be prompted to set a screen lock PIN or password, which you'll need to enter when you turn on your smartphone to access your encrypted files. Be sure to remember your password!

Android 4.4 and older...

If you are using a smartphone running Android 4.4 KitKat or older, you must set a PIN or password before starting the encryption process. Fortunately, this is not difficult, go to Settings - Security - Screen Lock. Here you can either choose a pattern, enter a PIN or a mixed password to lock the screen. You will use the same password after encryption, so pay attention to it.

Once you're done with this, you can return to the Security menu and click "Encrypt phone." You'll need to plug your device into a charger and read warning messages, and you'll almost always have to confirm your PIN or password one last time for the encryption process to begin.


Encrypting your phone may take an hour or more, depending on how powerful your smartphone is and how much data is stored on the device. Once the process is finally completed, you can enter your PIN and continue working with your encrypted device as if nothing had happened.

Returning to the Security menu, you will also likely find the option to encrypt files on the MicroSD memory card. This is a recommended step if you want to keep all your data safe, but not really necessary if you only use the MicroSD card to store music or movies of no personal value.

This decision comes with several caveats. Firstly, you will no longer be able to use the MicroSD card with other devices without completely erasing the encrypted data, since other computers/devices will not know the encryption key. And while an encrypted MicroSD card can still be used to move files, this only works as long as you access the encrypted files from the phone used to encrypt them. Additionally, if you reset your device before decrypting your files, the key will be lost and you will not be able to access the protected files on your MicroSD card. So think the situation through carefully.

When you've finished...

That's all you really need to do to encrypt your Android device. This is a great way to protect your data much more reliably. There is a minor trade-off in performance, but any difference should be very hard to notice on modern phones.


Additional options with third party applications

If you don't want to put all of your device's data through the wringer of encryption, there are a small number of Android apps in the Google Play store that offer a variety of selective features, including encryption of a single file, text, or folder.

SSE – Universal Encryption Application
version: 1.7.0 (Pro) (downloads: 163)
SSE has been in this market for quite a long time and still seems to be gaining small updates. Instead of implementing bulk encryption of your phone, SSE can be used to protect and decrypt separate files or directories you need if you want to protect multiple items selectively. You can set a password that will serve as a decryption key, and you can also create encrypted copies of files or completely replace them.

The app also has a text encryptor and a password vault. The text editor can be used to store encrypted notes that can be shared across platforms. The vault is designed to store and manage all your passwords, PINs, and notes in one secure place, protected by a master password. The feature works similarly to LastPass.

Final Thoughts
Given the amount of sensitive personal information we keep on our mobile devices today, including bank details, encrypting Android devices is a smart decision. There are quite a few options that provide different levels of security, from system-wide Android encryption to applications dedicated to encrypting specific files. Note that encryption does not provide full protection from everything, but it offers excellent protection in case the device is stolen.






