What you need to know about encryption on your phone - CNET

Posted: 10 Mar 2016 12:00 AM PST

Jason Cipriani/CNET

The heated and very public confrontation between the FBI and Apple has spurred a lot of talk about encryption, the technology that shields data on phones and other gadgets.

The feds are pushing Apple to find a way to prevent an iPhone 5C from erasing itself after 10 successive incorrect guesses at the passcode. The user of that phone, San Bernardino shooter Syed Farook, used a PIN code to secure his device, and without bypassing that code, the data stored on it is unreadable, thanks to encryption.

If Apple were to disable the auto-erase feature, the FBI could then connect the iPhone to a computer and quickly and repeatedly attempt to guess the passcode -- a technique commonly referred to as a brute force attack -- until the device is unlocked.

Should the FBI prevail and the courts force Apple to comply, the decision could have widespread implications for our daily lives. Apple and fellow technology companies would be forced to create permanent solutions for law enforcement to get around encryption, using what's commonly referred to as a back door.

Alternatively, companies could very well decide the financial burden of maintaining encryption and abiding by law enforcement requests is too much, and give up on adding security features to the devices we've come to rely upon.

With our personal devices carrying more and more of our lives than ever before, it's a good time to look at what is and isn't encrypted and what you can do to ensure your information is safe.

What is encryption?

A fancy word for a basic concept, encryption is the science behind protecting any information stored on an electronic device, be it a phone, a laptop or a server. On a phone that means your photos, text conversations, emails and documents.

Encryption stores information in a scrambled format, typically unreadable by computers or people without a key (which only the device's owner should know) to unlock the data. PIN codes (of numbers, letters or a combination of both) and fingerprints are just two of many examples of keys used to unlock an encrypted device.

Indeed, the practice of encryption is far more technical than requiring a PIN code or fingerprint to unlock a device. Some phone manufacturers, such as Apple, require multiple pieces of information -- one known to the device owner, another embedded in the processor inside the device unknown to anyone -- to unlock data stored within the device.

It's important to note that, regardless of the device you're using, third-party applications may store the data they create on their own servers, which may or may not be encrypted. Even then, the rules for decrypting data stored on a server are often different from those for data stored on a phone (see the iCloud section below for more information).

In other words, most of what we do on a phone is backed up to a server at some point. That means a copy of your Facebook posts or photo albums, Snapchat conversations, or Twitter direct messages are stored on your device but also on the respective servers for each service.

Essentially, any information stored within an app on your phone that forgoes any sort of connection to a server is encrypted and inaccessible to law enforcement on a locked phone. For example, if an iOS user wanted to keep Notes or Contacts off of Apple servers, he or she would need to disable iCloud sync for the respective app in Settings.

If you've opted not to sync your contacts or calendars through Google or a similar service, relying instead on a local copy of information on your device, that data is encrypted and presumably inaccessible by law enforcement.

How does iOS handle encryption?

Apple began encrypting iOS devices in 2014 with the release of iOS 8. Prior to iOS 8, iOS users were able to set a PIN or passcode to prevent unauthorized access, but some of the data stored on the device was still accessible by Apple when law enforcement presented the company with a valid warrant. A total of 84 percent of iOS devices are running iOS 8 or later.

With iOS 8 and beyond, Apple no longer has the tools required to bypass a device's lock screen and gain access to any data stored on your iOS device. That means items such as call logs, photos, documents, messages, apps and notes are inaccessible to anyone without a device's PIN.

This is an important detail, as it has led to the current situation playing out in public view between the FBI and Apple.

How does iCloud factor in?

Another topic that's come up in the battle between the FBI and Apple is what data stored in an iCloud backup of an iOS device can and cannot be accessed by Apple.

Apple's Legal Process Guidelines state iCloud backups are encrypted and stored on the company's servers. However, unlike an encrypted device, Apple can access information stored within a backup. Specifically, it's possible for Apple to provide authorities with "photos and videos in the users' camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail," as detailed in Section J.

What about encryption on Android?

As with all things Android, there's a long list of caveats regarding encryption on an Android device.

Android manufacturers use different processors and components, each requiring custom software and backup services outside of what Google originally designed Android for. It's the key selling point of Android over iOS, as Android fans are quick to espouse. And they're not wrong. However, each change can introduce unintended security issues outside of Google's control.

Google first provided the option for users to opt into encrypting their devices in 2011. At the time, the option was strictly up to the user, leaving the manufacturer out of the equation.

Toward the end of 2014, though, the company released Android 5.0 Lollipop with the default setting of encryption turned on. But phone makers didn't have to enable encryption to be default when they made phones; it wasn't a requirement of Google, and in the end, most OEMs left the setting turned off, citing performance issues as the reason.

Then, with the release of Android 6.0 Marshmallow in 2015, Google started requiring manufacturers to enable encryption on all devices out of the box. There is, of course, an exception to the rule: Google allows phone makers to disable the feature on what amounts to entry-level, and thus often slower, devices. For those who want a more technical explanation, read section "9.9 Full-Disk Encryption" of this document.

Once an Android device is encrypted, all data stored on the device is locked behind the PIN code, fingerprint, pattern, or password known only to its owner.

Without that key, neither Google nor law enforcement can unlock a device. Android security chief Adrian Ludwig recently took to Google+ to refute a claim of a back door into Android: "Google has no ability to facilitate unlocking any device that has been protected with a PIN, password, or fingerprint. This is the case whether or not the device is encrypted, and for all versions of Android."

Nevertheless, each phone manufacturer is able to alter Android, customizing its look, adding or removing features, and in the process potentially introducing bugs or vulnerabilities authorities can use to bypass Android's security features.

So how do you know if you've got encryption working?

Android users can check the encryption status of a device by opening the Settings app and selecting Security from options. There should be a section titled Encryption that will contain the encryption status of your device. If it's encrypted, it will read as such. If not, it should read similar to "encrypt device." Tap on the option if you want to encrypt your device, but make sure to set aside some time -- encrypting a device can take upwards of an hour.

Google's backup service for Android devices is optional for device manufacturers and application developers. As with Apple's iCloud Backup practices, data within a backup stored on Google's servers is accessible by the company when presented with a warrant by law enforcement. However, because the backup service is opt-in by developers, it may not contain data from every app installed on your device.

What can you do to better protect your data?

Android users should enable encryption and set a PIN code or alphanumeric passcode. iOS users should set up Touch ID and use an alphanumeric passcode of at least six characters. The longer passcode is a hassle, yes, but with Touch ID enabled, you shouldn't have to enter it too often.

If the FBI succeeds in forcing Apple to bypass a device's lock screen timeout, it would take five and a half years for a computer to crack a six-digit alphanumeric passcode, according to Apple's iOS Security Guide (see page 12).
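The arithmetic behind that figure, as an added worked example that is not part of the article: the per-guess cost of about 80 ms (the passcode is tangled with a per-device key inside the Secure Enclave, so guesses cannot be offloaded to faster hardware) and the escalating lock-screen delays are assumptions taken from Apple's iOS Security Guide, not from this page; the ten-guess auto-erase is the one the article describes.

```python
"""Worked estimate of passcode search time, following the article's figures.

Assumed from Apple's iOS Security Guide (not stated on this page): each passcode
guess costs about 80 ms because the key is derived inside the Secure Enclave,
tangled with a per-device key that cannot be extracted, so the work cannot be
moved to faster hardware; the lock screen also adds escalating delays after
the fourth wrong guess and, if enabled, erases the device after the tenth.
"""

SECONDS_PER_GUESS = 0.08            # assumed Secure Enclave cost per attempt
SECONDS_PER_YEAR = 365.25 * 86400
ERASE_AFTER = 10                    # wrong guesses before auto-erase (per the article)

# Assumed lock-screen delay schedule: seconds to wait before wrong attempt n.
LOCKOUT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900}
LOCKOUT_CEILING = 3600              # one hour for every attempt from the ninth on


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              per_guess: float = SECONDS_PER_GUESS) -> float:
    """Worst case for the scenario the FBI asked for: lockouts and auto-erase
    disabled, every passcode tried once at the hardware-bound rate."""
    return keyspace(alphabet_size, length) * per_guess


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def lockout_delay(attempt: int) -> int:
    """Delay the lock screen imposes before accepting wrong attempt `attempt`."""
    if attempt < 5:
        return 0
    return LOCKOUT_SCHEDULE.get(attempt, LOCKOUT_CEILING)


def on_device_search(wrong_guesses: int, auto_erase: bool = True):
    """Simulate guessing at the lock screen itself, which is what the auto-erase
    and lockout features protect. Returns (attempts accepted, seconds, erased)."""
    elapsed = 0.0
    for attempt in range(1, wrong_guesses + 1):
        elapsed += lockout_delay(attempt) + SECONDS_PER_GUESS
        if auto_erase and attempt == ERASE_AFTER:
            return attempt, elapsed, True
    return wrong_guesses, elapsed, False


def compare_passcodes() -> dict:
    """Exhaustive-search time in years for the passcode types the article mentions."""
    return {
        "4 digits": years(exhaustive_search_seconds(10, 4)),
        "6 digits": years(exhaustive_search_seconds(10, 6)),
        "6 lowercase letters or digits": years(exhaustive_search_seconds(36, 6)),
    }


if __name__ == "__main__":
    for label, value in compare_passcodes().items():
        hours = value * SECONDS_PER_YEAR / 3600
        print(f"{label:32s} {hours:12.1f} hours ({value:8.3f} years)")
    print(on_device_search(10))   # ten wrong guesses: about 2.6 hours, then erased
```

The six-character lowercase-plus-digits case comes out at just over 5.5 years, matching the figure the article cites, while a six-digit numeric PIN falls to under a day once the on-device lockouts are removed.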

As for protecting data stored in backups on Apple's or Google's servers, you can start by disabling iCloud backups: open the Settings app, select iCloud, then Backup, and slide the switch to the Off position. Apple also allows you to delete existing iCloud backups from your account on your iOS device by opening Settings > iCloud > Storage > Manage Storage.

On Android, the process for disabling backups will depend on the device you're using, but generally the setting is found in the Settings app under Backup & Reset. You can remove backed-up data from Google's servers under the Android section of your Google Dashboard.

Best encryption software for business in 2020: BitLocker, FileVault, Guardium, and more - ZDNet

Posted: 08 May 2020 12:00 AM PDT

When mass data collection and big data analysis exploded on the technology scene, security and encryption, unfortunately, took a back seat. 

In a world where data breaches are commonplace -- involving everything from device theft to vulnerability exploitation and open AWS buckets exposed to the world -- businesses both large and small must now educate themselves and employ encryption software to protect the data they have become controllers of.

Encryption can help protect information stored, received, and sent. Readable information is scrambled by an encryption algorithm under a key, and only a holder of that key can run the algorithm in reverse to return the text to a readable format. Today, the Advanced Encryption Standard (AES), the successor to DES, using 128- and 256-bit key lengths, is in common use worldwide.

If strong encryption and security practices are not in place, businesses are not only opening themselves up to potential cyberattacks, but also the loss of corporate and customer information, fines for non-compliance with laws including HIPAA and GDPR, financial damage, and the loss of reputation. 

Below, we list our favorite encryption solutions, suitable for users, SMBs, and enterprise players. 

Disclosure: ZDNet may earn an affiliate commission from some of the products featured on this page. ZDNet and the author were not compensated for this independent review. 

Free


Best suited for: Windows users who need onboard device encryption
 
Microsoft's BitLocker, available on business editions of the OS and server software, is the name given to a set of encryption tools providing either AES 128-bit or AES 256-bit device encryption.
 
The Redmond giant's solution is focused on the encryption of drives on a device out of the box and can also be used to protect removable drives through BitLocker To Go. Recovery keys can also be set to retrieve data should firmware issues or errors prevent IT administrators from accessing encrypted drives. 
 
A set of administration tools, including features such as enabling the encryption of full drives and other media, as well as domain or Microsoft account linking, are included. 
 
BitLocker's hardware specifications require an onboard Trusted Platform Module (TPM) chip and Modern Standby support, two elements generally supported on modern Windows PCs.  
 
BitLocker is built into the Windows operating system, but only a limited set of tools is included with Home editions, the standard OS on many PCs consumers purchase. Instead, users must upgrade to Windows 10 Pro or Windows 10 Enterprise to take full advantage of Microsoft's encryption.
 
Interested in BitLocker? You can check out our user guide here.


Subscription


Best suited for: Enterprise users who need flexible encryption across multiple environments

IBM Guardium is a data protection platform that pulls together a suite of security tools in an effort to streamline data management and reduce vendor product disparity. 
 
Encryption services are included for corporate data, alongside data discovery and classification, vulnerability scans, data activity monitoring, analytics, and compliance reports, among other features.
 
IBM Guardium for File and Database Encryption can be used to encrypt on-premise files and databases by leveraging the hardware encryption capabilities of host CPUs including Intel and AMD AES-NI, PowerPC 8 AES, and SPARC. 
 
Data can be encrypted on-the-go without taking business applications offline, levels of encryption can be enabled to match user access rights, and keys can be managed from a central platform.  
 
A useful accompaniment to IBM encryption is access policies that can be set to identify anomalous behavior such as mass copy and deletion of files and directories. Compliance reports can also be generated to adhere to legal requirements set by GDPR, CCPA, HIPAA, PCI-DSS, and SOX.
 
The solution requires a virtual data security module (DSM) virtual appliance deployed on a VMware hypervisor. IBM says some clients achieve an ROI of up to 343%.
 
IBM Guardium is a subscription-based service provided on request and is most suitable for enterprise companies willing to invest in a one-stop-shop solution for data management and protection. 


Free


Best suited for: Mac users who want on-device encryption.
 
Apple's FileVault is built into the macOS operating system. Apple first introduced FileVault in 2013, later upgrading to FileVault2 on macOS Lion and later versions. The onboard system can be enabled to encrypt all information stored on disk to prevent the theft of data by anyone without access or account credentials. iMac Pro users and users of other devices with Apple T2 chips will have their information encrypted automatically.
 
Modern CPU power is leveraged to provide AES 128/256-bit encryption. Users can choose to leverage their iCloud account credentials or generate a recovery key to unlock disks if they forget their standard device password. 
 
However, businesses should not consider FileVault to be a full, robust solution for data security; rather, it is a useful addition for ensuring a basic level of encryption and protection. 


Subscription


Best suited for: Protecting information on machines used by multiple individuals, collaboration
 
AxCrypt is an encryption solution that has been widely adopted and should be considered if more than one individual is using the same machine on a regular basis. 
 
Files are secured with AES 128/256-bit encryption on Mac and Windows machines through simple one-click functionality. Once files and directories are secured, they can be accessed with a password, and more than one AxCrypt user can open them if they have been given permission to do so. In addition, information can be locked down across mobile devices and encryption standards can be extended to cloud services, such as Google Drive or Dropbox.
 
Business users can manage passwords through a central platform. 
 
A free, limited version of AxCrypt is available. Yearly subscriptions for premium and business versions, including extended features and licensing for more than one machine, are also on offer. 


Subscription


Best suited for: Users who need strong encryption across multiple operating systems and the cloud
 
Kruptos 2 is a professional encryption suite for Windows, Mac, and Android. The strength of the software lies in its versatility, with encryption for content including files and financial data across operating systems, mobile, portable storage, and cloud services including Dropbox, Microsoft OneDrive, Apple iCloud, and Google Drive. 
 
Information is protected with AES 256-bit encryption and files can be shared across compatible platforms. You can also use Kruptos 2 as a strong password generator as well as a sensitive information vault by taking advantage of the secure note editor. 
 
The software also includes a file shredder for securely wiping data. 
 
Kruptos 2 operates on a license model in which you only need to purchase the software once. The cheapest option is a single license for macOS and Windows machines at $39.95. 
 
A cross-platform bundle is on offer for $64.95 and an additional solution, the Kruptos 2 to Go USB vault, can be purchased as a bolt-on for $24.95 -- or together with the cross-platform option for a total of $79.95.  


Subscription


Best suited for: Users that need enterprise-wide encryption 
 
Trend Micro's Endpoint Encryption software, part of the Smart Protection Suites range, can be used across Macs, Windows machines, and removable media to encrypt either full disks or individual files and folders. 
 
AES 128/256-bit encryption is on offer through passwords and multi-factor authentication across endpoints. Multiple user and administrator accounts can be set for individual devices. 
 
Other functionality includes the release of one-time passwords to access endpoint data, the remote wipe or lock of stolen devices, lockouts automatically enabled in response to failed authentication attempts, and the support of consumer-grade encryption services including BitLocker and FileVault. 
 
The management console for the software and keys can be integrated with other Trend Micro software. In addition, the suite is FIPS certified. 
 
Trend Micro's Endpoint Encryption solution is priced based on request. 


Subscription


Best suited for: Those who need end-to-end encryption for cloud storage services
 
Businesses that mainly employ cloud storage rather than on-premise services should investigate Boxcryptor as a possible encryption solution of value. 
 
Boxcryptor is a cloud-focused encryption software supporting a total of 30 cloud services including Dropbox, Google Drive, and Microsoft OneDrive. A combination of AES 256-bit encryption and RSA encryption is utilized. 
 
Boxcryptor calls itself a "zero-knowledge provider" and aims to make spreading encryption across multiple services and mobile devices as easy as possible. 
 
Passwords, password keys, and file keys are kept on user devices, while business user keys, group keys, and company keys are encrypted and stored on the Boxcryptor server. 
 
The vendor uses a data center in Germany that is ISO/IEC 27001:2013 certified.
 
Boxcryptor has a limited, free option available for up to two devices. A personal subscription costs $48 per year, whereas an account for business use is priced at $96 for a yearly subscription. 


Subscription


Best suited for: Users who require real-time management of encryption and applications
 
Sophos SafeGuard Encryption should be considered by enterprise users that want to ensure content is encrypted the moment it is created. 
 
The SafeGuard Management Center connects to BitLocker and FileVault for the control of access credentials and keys and the AES 128/256-bit encryption of either full disks or individual files. Users and applications are verified in real-time to protect data, and passwords can be created on the fly for sharing content. 
 
Mac, Windows, and Android are supported.
 
Sophos SafeGuard Encryption is on offer through different licensing models depending on whether a client requires web, on-premise, disk encryption, or a central management platform.


Subscription

Best suited for: Financial data holders

TokenEx is an encryption offering that specializes in the management and security of financial data. 
 
This data protection suite offers tokenization as a data steward -- substituting sensitive information, such as card numbers and PII, with other data "tokens" that remove its intrinsic value -- to enhance the security of customer records.
 
Batch processing of customer financial data takes place through browser platforms and mobile software without the need to store customer information on-premise. AES 256-bit encryption is overlaid across the tokenized data. 
 
TokenEx, which is PCI compliant, is available as a licensed product with a range of payment options.


What we look for in encryption software

ZDNet's recommendations are based on major themes: Strength, flexibility of use, and multi-device and OS support. 
 
While some users and SMBs may need no more than simple, standalone encryption offerings to protect content on PCs, today's encryption solutions in the enterprise space -- especially important for larger firms -- must also keep hybrid environments and remote working in mind. 
 
Made even more crucial at present due to COVID-19, there is a high demand for encryption solutions able to protect corporate, sensitive data that may be accessed remotely by workers and hosted either in the cloud or in company networks. Strong encryption is now necessary when files must be shared with others not only to maintain your privacy but also to ensure data does not end up in the wrong hands. 
