Device encryption for Android

In organizations embracing enterprise mobility, it is more than likely that employees use personal and/or corporate devices to get work done on a daily basis. To ensure the security of the personal data and sensitive business data present on these devices, device encryption is the go-to solution. This article explains everything you need to know about device encryption for Android and how mobile device management solutions like Mobile Device Manager Plus (MDM) ensure data security by enforcing storage as well as SD card encryption on Android devices.

What is device encryption?

Device encryption for Android ensures that data present on Android devices is scrambled and rendered unreadable to unauthorized users. The data on an encrypted device is decrypted only when the user provides the decryption key, which is tied to the PIN, passcode, or pattern entered on the device's lock screen.

Evolution of device encryption for Android

Android has been gradually moving from full-disk encryption (FDE) to file-based encryption (FBE) on most newer Android phones. Full-disk encryption is a primarily hardware-centered mode of encryption: the entire device is protected by a single authentication key, and without it unauthorized users cannot get at the data, even if the storage disk is moved into another device. However, FDE comes with a downside: after every device reboot, certain functions such as incoming calls/messages and alarms do not work until the device is unlocked with the passcode.

To overcome this limitation, file-based encryption was introduced in Android 7.0, which provides file-specific encryption, i.e., different files are encrypted using different keys. Along with FBE came Direct Boot mode, a feature that allows certain functions to run before the passcode is provided. This makes two types of storage space available to the user:

  • Credential Encrypted storage (CE) - the default storage space, available only after the user has provided the passcode.
  • Device Encrypted storage (DE) - the storage space available both before and after the lock screen.

This ensures that users can receive calls and notifications, and that accessibility features such as TalkBack and Mono audio can function, before the passcode is provided. Most newer devices running Android 7.0 or later are encrypted by default, right out of the box. With Android 10, Google has deprecated FDE and permanently moved to FBE.
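The CE/DE split above is something app developers have to handle explicitly. The following is an added example, not code from this article or from Mobile Device Manager Plus, showing a Direct Boot aware broadcast receiver that writes non-sensitive bookkeeping to Device Encrypted storage before unlock and only touches Credential Encrypted storage once the user's credential has been entered. It assumes API level 24 (Android 7.0) or later; the preference file names and the manifest entry in the comment are hypothetical.

```java
// Added example (not code from the article or from Mobile Device Manager Plus):
// a "Direct Boot aware" Android component that keeps its data in the right
// storage area. Device Encrypted (DE) storage is readable before the passcode is
// entered; Credential Encrypted (CE) storage only afterwards.
// Requires API level 24 (Android 7.0) or later. Preference file names are
// hypothetical.
//
// Manifest entry assumed for this receiver (the app also needs the
// android.permission.RECEIVE_BOOT_COMPLETED permission):
//
//   <receiver android:name=".BootStateReceiver"
//             android:directBootAware="true"
//             android:exported="true">
//       <intent-filter>
//           <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//           <action android:name="android.intent.action.BOOT_COMPLETED" />
//       </intent-filter>
//   </receiver>

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;

public class BootStateReceiver extends BroadcastReceiver {
    private static final String DE_PREFS = "device_protected_state";     // hypothetical
    private static final String CE_PREFS = "credential_protected_state"; // hypothetical

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Delivered after a reboot but before the user unlocks: only DE storage
            // is readable. Anything written here must be non-sensitive (alarm
            // schedules, notification bookkeeping), because it is not protected
            // by the user's PIN, passcode or pattern.
            deviceProtectedPrefs(context)
                    .edit()
                    .putLong("last_locked_boot_ms", System.currentTimeMillis())
                    .apply();
        } else if (Intent.ACTION_BOOT_COMPLETED.equals(action)) {
            // Delivered once the user has unlocked; CE storage is now available
            // and user data (account tokens, cached documents) may be read.
            if (credentialStorageAvailable(context)) {
                SharedPreferences cePrefs =
                        context.getSharedPreferences(CE_PREFS, Context.MODE_PRIVATE);
                cePrefs.edit().putBoolean("seen_unlock_after_boot", true).apply();
            }
        }
    }

    /** Preferences backed by Device Encrypted storage (available before unlock). */
    static SharedPreferences deviceProtectedPrefs(Context context) {
        Context deviceContext = context.createDeviceProtectedStorageContext();
        return deviceContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
    }

    /**
     * True once the user's credential has unlocked CE storage. Accessing CE files
     * before this point fails, which is why Direct Boot aware code needs this guard.
     */
    static boolean credentialStorageAvailable(Context context) {
        UserManager userManager = context.getSystemService(UserManager.class);
        return userManager != null && userManager.isUserUnlocked();
    }
}
```

The security-relevant choice is what goes into DE storage: it is exactly the data an attacker with the powered-off device can reach without the credential, so it should hold only what the pre-unlock features (calls, alarms, accessibility) genuinely need.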

How can Mobile Device Manager Plus help enforce device encryption for Android?

Prerequisites

  • The device must be charged to at least 80% for encryption to begin.
  • The device must be secured with a passcode before encryption can begin. If it isn't, configure a passcode policy before enforcing device encryption.

Mobile Device Manager Plus supports an extensive list of restrictions for managed Android devices, with which you can allow or restrict various features and functions on the devices. In addition, MDM supports the following restrictions specific to device encryption for Android:

  • Enforce Storage Encryption
  • Enforce SD Card Encryption (Samsung devices only)

Mobile Device Manager Plus supports these restrictions on Android devices running OS version 4.0 or later. When encryption is enabled, MDM notifies users and prompts them to encrypt their device; once users give their consent, the device is encrypted. When SD card encryption is enforced (Samsung devices only), the data on these external storage cards cannot be accessed even if the card is inserted into another device, unless it is decrypted first.
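To make the prerequisites and the notify-then-consent flow concrete, here is an added example, not code from this article or from Mobile Device Manager Plus, of how a device administrator app on the device could check the two prerequisites (passcode set, battery at 80% or more), read the platform's storage encryption status, and, on older devices that are not encrypted out of the box, request that the user start encryption. It assumes an active device admin whose device_admin.xml declares `<uses-policies><encrypted-storage /></uses-policies>`; the admin ComponentName passed in is hypothetical.

```java
// Added example (not code from the article or from Mobile Device Manager Plus):
// a device administrator helper that checks the article's prerequisites, reads the
// storage encryption status and requests encryption where the user must consent.
// Assumes an active device admin whose device_admin.xml declares
// <uses-policies><encrypted-storage /></uses-policies>. The admin ComponentName
// is hypothetical.

import android.app.KeyguardManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.BatteryManager;

public final class StorageEncryptionEnforcer {
    private static final int MIN_BATTERY_PERCENT = 80; // prerequisite from the article

    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public StorageEncryptionEnforcer(Context context, ComponentName admin) {
        this.context = context.getApplicationContext();
        this.dpm = (DevicePolicyManager) this.context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Internal storage is protected by a key derived from the user's credential. */
    public boolean isEncryptedWithUserKey() {
        switch (dpm.getStorageEncryptionStatus()) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:          // FDE with a user key set
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER: // FBE (API 24+)
                return true;
            default:
                // ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY (API 23+) means encrypted with a
                // default key only: the data is not bound to the lock screen credential,
                // so it is reported here as not yet protected.
                return false;
        }
    }

    /** Prerequisite: a lock screen credential (PIN, passcode or pattern) is configured. */
    public boolean hasPasscode() {
        KeyguardManager km = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isKeyguardSecure();
    }

    /** Prerequisite: battery level of at least 80%, read from the sticky battery broadcast. */
    public boolean batterySufficient() {
        Intent battery = context.registerReceiver(null, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
        if (battery == null) return false;
        int level = battery.getIntExtra(BatteryManager.EXTRA_LEVEL, -1);
        int scale = battery.getIntExtra(BatteryManager.EXTRA_SCALE, -1);
        if (level < 0 || scale <= 0) return false;
        return (level * 100) / scale >= MIN_BATTERY_PERCENT;
    }

    /**
     * Records the encryption policy and, where the user has to confirm (legacy FDE
     * devices), opens the system encryption screen. Returns false when the device
     * cannot encrypt or a prerequisite is missing, so the caller can notify the user
     * instead of failing silently.
     */
    public boolean requestEncryption() {
        if (isEncryptedWithUserKey()) return true;
        if (!dpm.isAdminActive(admin)) return false; // setStorageEncryption needs an active admin
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            return false;
        }
        if (!hasPasscode() || !batterySufficient()) return false;

        // Tell the platform that this admin requires encryption. On devices that are
        // encrypted by default this changes nothing; the status check above already
        // reported them as protected.
        dpm.setStorageEncryption(admin, true);

        // The user must consent on the device itself; the system activity walks them
        // through the encryption process.
        Intent start = new Intent(DevicePolicyManager.ACTION_START_ENCRYPTION);
        start.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(start);
        return true;
    }
}
```

A useful compliance check for a fleet is the distinction `isEncryptedWithUserKey()` draws: a device reporting ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY is encrypted on disk but not bound to a lock screen credential, which is why the passcode prerequisite matters as much as the encryption toggle.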

To disable encryption, the device must be factory reset. However, on newer devices from OEMs that offer encryption out of the box, encryption cannot be disabled at all.

In addition to device encryption for Android, MDM supports encryption for iOS as well as macOS devices. iOS devices are encrypted by default, provided a passcode is configured on them. Learn more about configuring a passcode policy for Apple devices. For macOS devices, MDM lets you configure FileVault encryption.