Mobile Device Encryption
There are various pros and cons of encrypting data and devices. The most obvious pro is the added security of the data, but there can be cons too - if you forget your password and lose any recovery passphrase/key then there is no way to recover the data. The encryption may put more load on the device, making it run slower, although newer devices tend to be more than sufficient to handle the extra load. Note also that recovering data from a failed machine will be more complicated if the user files are encrypted.
The various mobile device operating systems tend to now have encryption features built in that you can turn on to encrypt some or all of the data on the device.
If you google for how to encrypt your device or data for the different systems, you will typically find the latest guidance on how to do this for your needs. Below are some general details for the main systems.
Laptops installed by the department will be configured by default to use the system native disk encryption system.
Android
Newer Android devices will often have encryption on by default. In such a case go to Settings > Security > Screen Lock and create a security code, after which the device cannot be unlocked without that code and the data remains encrypted.
If encryption is not already on, then before doing the above first encrypt the device via Settings > Security > Encrypt device. This may take some time to complete so is best done with the device connected to mains power.
iOS
Newer Apple iPhones and iPads will already have encryption enabled. In such a case go to Settings -> Touch ID & Passcode -> Turn Passcode On, and create a passcode or password, after which the device cannot be unlocked without that code and the data remains encrypted.
Mac OS X
Mac OS X uses an encryption system called FileVault.
Click on the System Preferences icon in the Dock and select the Security and Privacy settings. Within the FileVault tab click on the Turn On FileVault button. If necessary click Enable User and provide the login password for each user account on the system to enable each account to unlock the file vault. Note FileVault will display a recovery key and you should keep a copy of this safe somewhere, as this key is needed if you forget your password or need to recover data from the underlying disk outside of the installed working system.
Windows
Microsoft Windows uses an encryption system called BitLocker. It is only available in Windows Pro/Enterprise, not Windows Home edition.
To enable it:
- Click the Start button
- Search for "encryption"
- Select "Manage BitLocker" from the list of results.
- Click "Turn on BitLocker"
- Follow the instructions to complete setup
For more information, see the Microsoft BitLocker Drive Encryption guide.
Linux
Some newer versions of Linux will offer an option at initial install time that you can tick to enable encryption of the user's data and swap space. Alternatively you can encrypt the data after installation (although it is a little more complicated).
There is some useful information in this guide to disk encryption for Ubuntu.
A basic process for an encrypted home directory on an already installed Ubuntu based system is:
- Install the required packages: apt-get install ecryptfs-utils cryptsetup
- Log in as the root user (or another user from the one you are encrypting) and run: ecryptfs-migrate-home -u myrealuseraccount
- Log in as that user and it will prompt you for a passphrase for the encrypted home directory (you will need this to recover the data in the future if there are problems, so keep it somewhere safe and not in this encrypted home directory)
- Potentially also encrypt the swap space with: ecryptfs-setup-swap, although note this will then mean you cannot use hibernation unless you follow the more detailed process in the guide linked above
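After running the steps above it is worth confirming that the home directory really is mounted as eCryptfs and that swap is on a dm-crypt device rather than a raw partition. The following shell functions are an added example (not part of the original guide or the ecryptfs tools) that parse text in /proc/mounts and /proc/swaps format; the user name "alice" and both tables are constructed sample data.

```sh
#!/bin/sh
# Added example: verify the results of ecryptfs-migrate-home and
# ecryptfs-setup-swap by inspecting mount and swap tables.
# Both sample tables below are constructed for this example.

# Constructed /proc/mounts after migrating the home of user "alice"
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=abc123,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'

# Constructed /proc/swaps after ecryptfs-setup-swap
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/mapper/cryptswap1                  partition       2097148 0       -2'

# home_is_encrypted <user> <mount-table-text>
# Prints "yes" if /home/<user> is mounted with filesystem type ecryptfs.
home_is_encrypted() {
    user=$1
    mounts=$2
    printf '%s\n' "$mounts" | awk -v home="/home/$user" '
        $2 == home && $3 == "ecryptfs" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# swap_is_encrypted <swap-table-text>
# Prints "yes" only if every active swap device is a device-mapper target
# (/dev/mapper/...), i.e. dm-crypt backed, and at least one swap is active.
swap_is_encrypted() {
    swaps=$1
    printf '%s\n' "$swaps" | awk '
        NR == 1 { next }          # skip the header line
        NF == 0 { next }          # skip blank lines
        { total++; if ($1 ~ /^\/dev\/mapper\//) enc++ }
        END { print ((total > 0 && enc == total) ? "yes" : "no") }'
}

# On a live system, pass the kernel tables instead of the samples:
#   home_is_encrypted "$USER" "$(cat /proc/mounts)"
#   swap_is_encrypted "$(cat /proc/swaps)"
```

A "no" from either check after the migration means the data is still being written in the clear and the procedure should be revisited before relying on it.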