
Under Android Ver 10 Can You Encrypt Phone?

Discussion in 'Android Lounge' started by persistentone, Apr 9, 2021.

  1. persistentone

    persistentone Well-Known Member
    Thread Starter

    I have a Samsung tablet A7 SM-T500 running Android 10. Under "Security" settings, there is an option to "Encrypt or Decrypt SD Card" but I no longer see any option to "Encrypt Phone". I want to encrypt the user data on the tablet's built-in storage. Has this feature been removed from Android 10? If it is still there, where do I find it?
     


    #1 persistentone, Apr 9, 2021
    Last edited: Apr 9, 2021

  2. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    The internal storage has been encrypted by default for many years - I think it might even have been for devices originally released with Android 5, or perhaps 6. Certainly a device released in the last few years will be encrypted automatically.
     
    ocnbrze and Dannydet like this.
  3. persistentone

    persistentone Well-Known Member
    Thread Starter

    But with the original Encrypt Phone feature, you could not boot the device without supplying the decryption PIN. That feature prevented the phone from even loading the OS. What good is the current encryption feature if to break into the phone the thief just needs to iterate through 1000 PIN codes?
     
    #3 persistentone, Apr 9, 2021
    Last edited: Apr 9, 2021
  4. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    If you only use a 4-digit PIN that's actually 10,000 codes (and you can use longer). But phones usually have mechanisms to frustrate such iteration (timeouts of increasing length or factory resets when too many incorrect attempts are made).

    I assume you mean the original "encrypt phone" option though, since "encrypt SD" could surely be subverted by just removing the SD card, granting access to the phone itself? Encrypting internal storage is more like encrypting a laptop's drive: it stops anyone accessing the storage without the credentials to unlock the device (admittedly with a phone's storage removing the chip and reading it with another device is in a different league of difficulty from removing a laptop's SSD and plugging it into another computer), and prevents data from being recovered after a factory reset (including one triggered remotely if you have such anti-theft software enabled). And the auto-generated encryption key will be much stronger than a short encryption PIN that you have to remember, so that aspect of the protection will be stronger.
     
    mikedt and ocnbrze like this.
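
Added example, not part of any post in this thread: a small model of the point made in post #4, showing how increasing timeouts and a wipe threshold change the cost of iterating through PINs at the lock screen. The delay schedule, the one-hour cap and the wipe threshold are hypothetical values constructed for illustration, not Android's or Samsung's actual policy.

```python
from fractions import Fraction

# Hypothetical throttle policy (constructed for illustration;
# these are not Android's or Samsung's real values).
FREE_ATTEMPTS = 5      # failures before any delay is imposed
BASE_DELAY = 30        # seconds of lockout at the FREE_ATTEMPTS-th failure
MAX_DELAY = 3600       # lockout never exceeds one hour


def lockout_delay(failures):
    """Seconds of enforced wait after the given number of consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0
    # Delay doubles with each further failure; clamp the shift so it stays small.
    doublings = min(failures - FREE_ATTEMPTS, 32)
    return min(BASE_DELAY << doublings, MAX_DELAY)


def worst_case_seconds(pin_digits):
    """Total lockout time served if the correct PIN is the very last one tried."""
    keyspace = 10 ** pin_digits
    # The final attempt succeeds, so only keyspace - 1 failures incur a delay.
    return sum(lockout_delay(n) for n in range(1, keyspace))


def guess_probability(pin_digits, wipe_after):
    """Chance of hitting a uniformly random PIN before a wipe after `wipe_after` failures."""
    keyspace = 10 ** pin_digits
    return Fraction(min(wipe_after, keyspace), keyspace)


if __name__ == "__main__":
    for digits in (4, 6):
        days = worst_case_seconds(digits) / 86400
        print(f"{digits}-digit PIN: {10 ** digits} codes, "
              f"worst case {days:,.0f} days of lockout")
    print("4-digit PIN, wipe after 15 failures:", guess_probability(4, 15))
```

Under these assumed values, the throttle rather than the size of the PIN space dominates the cost of guessing through the lock screen, and a wipe threshold caps the number of guesses outright.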
  5. persistentone

    persistentone Well-Known Member
    Thread Starter

    Yes, I mean the original Encrypt Phone feature, and I corrected the original text, sorry.

    So why did Google or Samsung remove "Encrypt Phone" from Android 10?
     
  6. mikedt

    mikedt 你好

    AFAIK that was a feature of older versions of Android, where the devices didn't usually have encrypted internal storage. I believe default encrypted storage for devices was introduced with Android 5 or 6, and so "Encrypt phone" is superfluous. How securely you lock your phone is up to you, like using longer PINs or passwords, or more complex pattern unlocks, that's in addition to things like time-outs, and unlock attempt limits.

    Some manufacturers offer a vault type feature in their systems, which is basically a password or PIN locked folder, that operates in addition to a device's own encrypted internal storage and locks. And there are third-party apps that can do it as well.
     
    #6 mikedt, Apr 9, 2021
    Last edited: Apr 9, 2021
    Hadron likes this.
  7. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    I genuinely see no advantage in a decryption key you have to remember and enter yourself over a PIN or password of the same length. Both do the same thing: enter them and you have access to the device.

    Now you might argue that you are happier setting up a longer decryption PIN than a lockscreen PIN or password because you only have to enter that once when you boot the phone. But (a) if the thief steals the phone when it's powered on there is no difference at all, because it's only your (presumably short) lockscreen PIN that is preventing them from gaining access, and (b) if you use a fingerprint instead you will only have to enter the PIN/password on startup and occasionally when the phone wants to confirm your ID (every few days in my case), so the extra inconvenience of that is not large.

    But as Mike says, there would be no point in keeping an "encrypt phone" option once all phones were encrypted anyway, so it probably died around Android 5 or 6.
     
    mikedt likes this.
  8. persistentone

    persistentone Well-Known Member
    Thread Starter

    So how is Android implementing that default encrypted storage? Is some private key created at the factory when the OS is loaded? And this private key is itself encrypted by some key shared by all users and known only to Android? At some point, there must be a key that is well known within a small community that could unlock the data? It is fine to have such encryption, but it would never substitute for encryption that uses a key only known to me (forgetting for a second that Android intentionally crippled the feature by allowing the PIN to be only four characters, a password length that could be brute-forced in less than a millisecond by any computer).
     
    #8 persistentone, Apr 26, 2021
    Last edited: Apr 26, 2021
  9. Davdi

    Davdi Android Expert

    NO, the key is generated by the phone, initially when it's first powered on, and then each time there's a Factory Data Reset. Each phone's generated key is unique to that device. It's also a new unique key generated with each Factory Data Reset. AFAIK only government agencies have the resources to break these keys, and then only after (probably) months of computing effort.
     
    Hadron likes this.
  10. persistentone

    persistentone Well-Known Member
    Thread Starter

    How the private key gets created is not the important detail. What's important is how is that key protected from someone who gets the device, assuming they have a way to read the file system. Normally you would expect the private key to itself be encrypted. But encrypted by what? How could that additional encryption key be made unique to each tablet?
     
  11. Davdi

    Davdi Android Expert

    Because the device itself generates a new key each time it's Factory Data Reset. I don't know what it uses for entropy (randomness) when generating a key; someone with more knowledge of Android would probably be able to say.
     
  12. persistentone

    persistentone Well-Known Member
    Thread Starter

    Is that key stored on the file system in the clear? If yes, anyone who reads the file system has the key needed to read the user data.

    I assume the key is not stored in the clear, which is why I ask how is it being protected?
     
  13. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    Davdi likes this.