Mobile Device Encryption

There are pros and cons to encrypting data and devices. The most obvious pro is the added security of the data. The main con is that if you forget your password and any recovery passphrase/key then there is no way to recover the data. The encryption may also put more load on the device, making it run slower, although newer devices tend to be more than sufficient to handle the extra load. Note also that recovering data from a failed machine will be more complicated if the user files are encrypted.

The various mobile device operating systems now tend to have encryption features built in that you can turn on to encrypt some or all of the data on the device.

If you google for how to encrypt your device or data for the different systems you will typically find the latest guidance on how to do this for your needs. Below are some general details for the main systems.

From Michaelmas 2018 laptops installed by the department will be configured by default to use the system's native disk encryption.

Android

Newer Android devices will often have encryption on by default. In that case go to Settings -> Security -> Screen Lock and create a security code. Without that code the device cannot be unlocked and the data remains encrypted.

If encryption is not already on, then before doing the above first encrypt the device via Settings -> Security -> Encrypt device. This may take some time to complete, so it is best done with the device connected to mains power.

iOS

Newer Apple iPhones and iPads will already have encryption enabled. In that case go to Settings -> Touch ID & Passcode -> Turn Passcode On, and create a passcode or password. Without that code the device cannot be unlocked and the data remains encrypted.

Mac OS X

Mac OS X uses an encryption system called FileVault.

Click on the System Preferences icon in the Dock and select the Security and Privacy settings. Within the FileVault tab click on the Turn On FileVault button. If necessary click Enable User and provide the login password for each user account on the system so that each account can unlock the FileVault volume. Note that FileVault will display a recovery key. Keep a copy of it somewhere safe, as this key is needed if you forget your password or need to recover data from the underlying disk outside of the installed working system.

MS Windows

MS Windows uses an encryption system called BitLocker.

Whether you can use it and how you enable it will depend on whether you are using Windows 7, 8 or 10.

For Windows 7 data encryption see this guide.

For Windows 10 the few steps are

Linux

Some newer versions of Linux will offer an option at initial install time that you can tick to enable encryption of the user's data and swap space. Alternatively you can encrypt the data after installation (although it is a little more complicated).

There is some useful information in this guide to disk encryption for Ubuntu.

A basic process for an encrypted home directory on an already installed Ubuntu-based system is:

  • apt-get install ecryptfs-utils cryptsetup
  • log in on, say, a text terminal as the root user (or as a different user from the one you are encrypting)
  • ecryptfs-migrate-home -u myrealuseraccount
  • now log in as that user and it will prompt you for a passphrase for the encrypted home directory (you will need this to recover the data in the future if there are problems, so keep it somewhere safe and not in this encrypted home directory)
  • potentially also encrypt the swap space with ecryptfs-setup-swap, although note this will then mean you cannot use hibernation unless you follow the more detailed process in the guide linked above
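
Once the steps above are done it is worth checking that they took effect. The script below is an added example, not part of the original guidance: it reads the kernel's mount and swap tables and reports whether the home directory is an ecryptfs mount and which swap areas are not device-mapper backed. The function names and the sample data (user alice, /dev/dm-1, /swapfile) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify the ecryptfs steps took effect.
# Function names and sample data are constructed for illustration.

# Succeeds if the LAST mount on the given path in a /proc/mounts-format table
# read from stdin is ecryptfs. Later mounts shadow earlier ones on the same path.
# The ecryptfs mount exists only while that user is logged in.
home_is_ecryptfs() {
    awk -v h="$1" '
        $2 == h { fstype = $3 }
        END { exit (fstype == "ecryptfs" ? 0 : 1) }
    '
}

# Prints swap areas from a /proc/swaps-format table on stdin that are not
# device-mapper backed. Assumption: a dm device here is the encrypted mapping
# from ecryptfs-setup-swap; LVM swap would also match, so inspect those by hand.
plain_swap_areas() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }'
}

# Constructed sample data: alice's home is encrypted, one swap file is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
EOF
}
sample_swaps() {
    cat <<'EOF'
Filename Type Size Used Priority
/dev/dm-1 partition 2097148 0 -2
/swapfile file 1048572 0 -3
EOF
}

# Report on the live system when the kernel tables are readable.
if [ -r /proc/mounts ] && [ -r /proc/swaps ]; then
    if home_is_ecryptfs "${HOME:-/nonexistent}" < /proc/mounts; then
        echo "home: ecryptfs mounted"
    else
        echo "home: not an ecryptfs mount"
    fi
    plain=$(plain_swap_areas < /proc/swaps)
    echo "swap not device-mapper backed: ${plain:-none}"
fi
```

Run it while logged in as the user whose home directory was migrated, since the ecryptfs mount is only present during that user's session.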

 

Last updated on 02 Apr 2022 21:54.