
How to encrypt everything in your life

Big warning before we begin

Encryption is only as strong as the scheme that supports it. If the software has a vulnerability then your encrypted data may be as good as unencrypted data in the hands of adversaries. So make sure you keep all of your software up to date and follow best practices. I’m not a security expert, so don’t sue me if you get locked up in a prison cell for speaking out against your government.

iOS

Device requirements: iPhone 3GS or later, iPod touch 3rd-gen or later, all iPads

iOS requirements: iOS 4 and above (iOS 8 apparently uses more secure methods of encryption, so do not trust encryption on iOS 4 to 7, and you should not be using these old devices anyway)

Create a passcode. If there’s an option to enable 6-digit passcodes (on old iOS versions), choose it. With iOS 9 it defaults to 6-digit passcodes.

If you see the phrase “Data protection is enabled” in the passcode menu, that means your iOS device is protected.

Android

‘Tis a complicated beast.

Full-disk encryption (FDE) was only introduced with Android KitKat (4.4), but because Android is super fragmented, most manufacturers have put in extremely weird implementations. That being said, if you have a modern device it should not be that bad.

FDE became mandatory with Android 6 (Marshmallow) as long as the phone launches with it and it has decent specs (if it’s a low-memory device, like 512MB, it is exempt). So if your device launched with Marshmallow and it’s not a steaming pile of garbage chances are it’s good to use.

Then Google changed course and introduced file-based encryption (FBE), starting from Android 7 (Nougat). It is now mandatory with devices launching with Android 10 (Q).

So how do you actually encrypt your device? Simple. Set a password lock (this depends on your Android version, but recent versions let you use pattern or PIN) and then click on “Encrypt Device” in the Security page.

If you do not see the “Encrypt Device” button, chances are your device is already encrypted straight from the factory. In that case you only need to set a strong passcode.

To check using adb, run:

adb shell getprop ro.crypto.state

If it returns a 1, your device is encrypted. If it returns 0 or nothing your device is unprotected.
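The check above as a small script, added here as an example and not part of the original post. It also reads `ro.crypto.type` to tell FDE from FBE, and it accepts the strings `encrypted` / `unencrypted` / `unsupported` that Android builds report for `ro.crypto.state` alongside the 1/0 values described above. The function names and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: interpret Android encryption properties read over adb.

# Some adb versions append a carriage return to shell output; remove it.
strip_cr() { printf '%s' "$1" | tr -d '\r'; }

# classify_crypto STATE TYPE -> prints one verdict line
#   STATE: ro.crypto.state (encrypted | unencrypted | unsupported | 1 | 0 | empty)
#   TYPE:  ro.crypto.type  (file = FBE, block = FDE, empty = not reported)
classify_crypto() {
    cc_state=$(strip_cr "$1")
    cc_type=$(strip_cr "${2:-}")
    case "$cc_state" in
        encrypted|1)
            case "$cc_type" in
                file)  echo "encrypted (file-based, FBE)" ;;
                block) echo "encrypted (full-disk, FDE)" ;;
                *)     echo "encrypted (type not reported)" ;;
            esac ;;
        unencrypted|0|"") echo "NOT encrypted" ;;
        unsupported)      echo "NOT encrypted (device reports encryption unsupported)" ;;
        *)                echo "unknown state: $cc_state" ;;
    esac
}

# Query a connected device. An adb failure (no device, unauthorised) also
# yields empty output, so it is reported separately from "not encrypted".
check_device() {
    cd_state=$(adb shell getprop ro.crypto.state) || { echo "adb failed"; return 2; }
    cd_type=$(adb shell getprop ro.crypto.type) || cd_type=""
    classify_crypto "$cd_state" "$cd_type"
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    # Constructed sample property values, so this runs with no device attached.
    classify_crypto "encrypted" "file"
    classify_crypto "$(printf 'encrypted\r')" "block"
    classify_crypto "unencrypted" ""
    classify_crypto "" ""
fi
```

Run it with `--device` to query the phone attached over USB; without arguments it only prints the verdicts for the sample values.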

Windows

Users with Windows 10 Pro can use BitLocker. The argument about governments having backdoors into Microsoft’s encryption scheme is not that far-fetched, but for the average Joe it should be enough to prevent thieves from decrypting and stealing data.

If you’re a whistleblower currently residing in a country with less-than-ideal whistleblower protection and human rights, you may consider not using BitLocker and moving on to VeraCrypt.

For those of you thinking about using VeraCrypt, there’s a huge caveat – you must decrypt your device between every Windows update, or else it may result in a borked computer. Personally, this is a deal-breaker for me, as I believe all security measures should not come at the cost of extremely degraded user convenience, because extremely degraded user convenience causes you to be irritated at the entire affair and may cause you to stop protections completely. So take it one step at a time, and don’t go too far. Find the point where you are most comfortable and use that spot.

Quite honestly, if you’re already using Windows you don’t have any privacy, so to preserve what little privacy you have left without having it be too cumbersome I suggest going the easy route and using BitLocker.

Mac

On newer Macs encryption is enabled at the hardware level. Think T2 chips.

On older Macs enable FileVault. Done.

Linux

On installation most distro installers have a checkbox to encrypt your drive. This will probably also set up LVM. On boot you will have to decrypt your disk by supplying a password.


Let me know if I missed any prominent operating systems or encryption techniques.
