Encrypting Devices

Most electronic devices come with the ability to encrypt the internal drive. Encrypting your data adds an extra protection to your files by minimizing the risk of a breach in the event your device is lost or stolen. This is because an encrypted and password protected device, provided the password and/or the encryption key aren’t with the device, is considered unreadable and therefore not a breach.

Currently, the standard for encryption is 128-bit. This refers to the length of the encryption key. It is estimated it would take a billion, billion years for a supercomputer to perform a brute force attack on a device that is protected using 128-bit encryption.¹

What Encryption Is

Encryption is the way that you protect your devices from what we call, offline attacks. This means that someone has taken your device, has removed the drive, and is trying to access your information from another machine or boots from another operating system. Essentially, this makes your drive unreadable unless you have the decryption key for the device. This means your IT professional can rescue your data, but no one else has access to your device.

What Encryption Is Not

Encryption is not for protecting your device from online attacks. This is where your firewalls and your anti-malware software comes in.

In this blog, we have some tips for encrypting your computers, smartphones, and tablets.

Computers

Windows Operating System

BitLocker Drive Encryption is the program built into the Windows Operating system. This program protects your files by encrypting your entire drive. Turning on BitLocker doesn’t affect your day to day usage of your device. You can still sign in to Windows and use your files as you normally would. New files are automatically encrypted when added  to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they’re automatically decrypted.

For flash and external drives, there is a program called BitLocker to Go. This program will allow you to encrypt these devices using the same encryption protocol that you use on your internal devices.

Note: BitLocker Drive Encryption is only available in Windows 7 Ultimate, Windows 7 Enterprise, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows 10 Pro and Windows 10 Enterprise editions. Windows 10 Bitlocker supports 128-bit and 256-bit XTS-AES keys (FIPS-compliant), but earlier versions use the AES-CBC 128-bit and AES-CBC 256-bit algorithms.

Warning: When you turn on BitLocker for the first time, make sure you create a recovery key. Otherwise, you could permanently lose access to your files. If you use a screen reader app, you won’t be able to see BitLocker Screens that appear before the Welcome Screen, such as the BitLocker PIN entry screen or the BitLocker recovery screen.

Turning on BitLocker Drive Encryption:

1. Open BitLocker Drive Encryption by swiping in from the right edge of the screen, tapping Search (or if you’re using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering BitLocker in the search box, tapping or clicking Settings, and then tapping or clicking BitLocker Drive Encryption.
2. Tap or click Turn on BitLocker.  You might be asked for an admin password or to confirm your choice.
3. The BitLocker Drive Encryption setup dialog box opens.
4. Follow the instructions.

Macintosh Operating System

MacOS has FileVault 2 built into the operating system. FileVault 2 uses full disk, XTS-AES 128 encryption to help keep your data secure.

FileVault 2 requires OS X Lion or later version and Recovery HD installed on your startup drive, which the OS X installer will attempt to create at installation. Recovery HD is normally present after installation. In rare situations, you may receive an alert that no Recovery HD could be created but continued to install OS X (in this unlikely scenario, you will be unable to use FileVault 2).

Turning on FileVault 2

FileVault 2 is managed via the Security & Privacy preferences in System Preferences. Click the FileVault tab in the Security & Privacy preferences and you can enable or disable FileVault.

Upon selecting Turn On FileVault, if your Mac has multiple user accounts, you will be asked to identify the user accounts that will be allowed to unlock the encrypted drive (to start the computer or recover from sleep or hibernation)

1. Users not enabled for FileVault 2 unlock will only be able to login to that Mac after an unlock-enabled user has started or unlocked the drive. Once unlocked, the drive remains unlocked and available to all users until the computer is shut down.
2. You will need to enter the password, or have users enter their passwords, for each account you wish to allow to unlock FileVault 2.
3. After enabling users for disk unlock, you will be shown your recovery key.

This key is a backup-unlock method provided to you in case the unlock-enabled user password is forgotten.

1. You can highlight and copy this key to print it out, email it or otherwise copy it. Remember that maintaining a copy of this key on your computer will do you no good if you forget your login password because it will be encrypted and inaccessible along with the rest of your data. Make an external copy or write it down and store it in a secure, but physically retrievable, location.
2. You are also given the opportunity to store your recovery key with Apple.
3. When you’ve completed the process of turning on FileVault 2, you will be prompted to restart your Mac. After restarting, you will notice the login screen appears very quickly, then an Apple logo with spinning gear appears after typing in your password. With FileVault 2 enabled, you are now logging in at EFI which unlocks the drive and begins the normal OS X startup process.
4. The user account that unlocked the drive will be logged into their own account after start up completes, without needing to log in again.
5. If you want to make the Mac available to a user that does not have unlock capabilities, login, then when you see your own desktop, choose “Log Out (user name)” from the Apple menu. Also, you can unlock the disk, then choose the other user’s name from the Fast User Switch (appears as the currently-logged in user’s name) menu bar item in the upper-right part of the screen.

FileVault 2 should finish the initial encryption of your entire hard disk within a few hours. This happens in the background, and won’t interrupt normal usage of your computer. In addition to using your computer, you can sleep, log out and even turn off your computer during this time.

Smartphones and Tablets

iPhones and iPads

iPhone and iPads are natively encrypted. However, make sure that you have your Touch ID and Passcode set for every time you use the device.

1. Go to Settings
2. Select Touch ID & Passcode
3. Press the Turn Passcode On option
4. Create a strong passcode or password

Android Devices

Most Android devices running Android 5.0 Lollipop or newer follow the same directions to encrypt the phone or tablet. Check whether or not the the device encryption is already turned on. Under settings you will see whether or not the device is encrypted.

If you see your device isn’t encrypted, make a full backup of your system, and make sure this is stored securely. Also, once you begin the encryption process, you can’t stop it. If you do interrupt the process, this can make your phone unusable. We recommend that you run the encryption overnight since this process may take a while to complete.

Here are a couple of examples of how to turn on encryption for frequently used devices. If you have questions about a device not listed here, a quick Google search will give you specific instructions for your device.

Google Nexus and Pixel devices are encrypted by default.

Moto Z

1. From home, press Apps -> Settings -> Security & Screen Lock > Encrypt phone
2. You will be prompted to set up a screen lock.
3. Press Screen lock. Select the type of screen lock you prefer. For data encryption, PIN and Password are supported.
4. Choose your PIN or Strong Password
5. From the Security & Screen Lock menu, select and press Data encryption again

Samsung Galaxy S7 & S7 Edge

1. Go to Settings
2. Press Security
3. Select Screen Lock
4. Create a security code

LG G4

1. Go to Settings
2. Press the Security Option
3. Press the Encrypt Phone Option
4. Read the Warning
5. Press the Encrypt Phone Button at the Bottom

Samsung Galaxy Tab 4

1. From home, press  Apps ->  Settings -> General tab.
2. Select Security for options.
3. Press Encrypt device to encrypt data stored in your tablet.

Amazon Fire

1. Connect the Fire tablet into a power outlet.
2. Swipe down from the top of the screen and then press Settings.
3. Tap Security & Privacy, and then select Encryption.
4. Select Encrypt tablet. If your battery is not charged to at least 80%, or the Fire tablet isn’t plugged in, you won’t be able to select this option.
5. Enter your lock screen password or PIN, and then press Next. If a lock screen password or PIN has not been created, you’ll be asked to create one.
6. Create an encryption password or PIN.
7. Press Continue. The device will restart and start encrypting data. If it is unplugged or turned off during the encryption process, the data will be lost.

Conclusion

Encrypting the internal drive is a great way to keep all ePHI on your devices secure. As theft continues to be a main cause of data breaches, local encryption can help to prevent unauthorized access.² It is important to keep in mind that encryption on its own is not enough to prevent a breach. However, these steps for local encryption can help organizations and individuals remain secure.

1. http://www.eetimes.com/document.asp?doc_id=1279619

2. http://healthitsecurity.com/news/breaking-down-hipaa-health-data-encryption-requirements

Sharing is caring!