WP8 whole device encryption?

Nov 18, 2012
I've seen it listed as a feature, but I'm not sure how to implement it. Is it as easy as turning on a lock screen password like in iOS, or is there more to it? I've searched everywhere and can't find any details. Are there hardware level encryption chips in WP8 devices (920 in my case) or is it software based? What encryption algorithm is in place? Strength?
 
Nov 18, 2012
Here is the important part of the PDF regarding encryption:

Device encryption
To help keep everything from documents to passwords safe, Windows Phone 8 includes a device encryption feature.
Device encryption in Windows Phone 8 utilizes BitLocker technology to encrypt all internal data storage on the phone with AES 128. Encryption is enabled by either EAS policy (RequireDeviceEncryption) or device management policy, and once enabled, BitLocker conversion automatically begins encrypting the internal storage. The encryption key is protected by the Trust Platform Module (TPM) which is bound to UEFI Trusted Boot to ensure the encryption key will only be released to trusted boot components.
With both PIN-lock and BitLocker enabled, the combination of data encryption and device lock would make it extremely difficult for an attacker to recover sensitive information from a device.


ALSO:

Although the Windows Phone 8 operating system and user data partitions are encrypted, files on SD cards that are inserted in the phone are not encrypted.


So it appears that you need to connect the WP8 device to your Exchange ActiveSync network, AND toggle "RequireDeviceEncryption" for your details to be secured. I'm not sure what they're talking about RE: device management policy, because unless it's another facet of EAS, it is just a set of rules you set in place within your company like don't take pictures inside the lab. So there isn't whole device encryption for the average user, and only having a 4-digit pin is easily crackable via computer or simply looking at fingerprints. Why there's no option for a keyboard to make more secure passwords is also lost on me. Another caveat to encryption is that it does not secure files on removable SD cards. I always liked that feature on Android, even though my 920 doesn't have one. This is all a bit concerning and has made me less trusting of my 920 in the months I've had it. I've resorted to using my iPad as my primary device, and only using my 920 for phone calls and to check WPCentral because the app's awesome. One last off-topic thing/rant keeping me from using my phone is the Bing search button. I love it when I need it, but the other dozen times a day or more I hit it (or look at it, or breathe near it, or think "I hope I don't hit the Bing button while I'm 30 minutes into recording an hour concert") literally frazzles my nerves.
 

manicottiK

New member
Nov 24, 2011
Yes, activating whole device encryption is something done by your Exchange server or "mobile device management" administration -- it is not a user-selectable option. Those administrators can also set the screen timeout, pin length, and pin type (numeric only or full range of characters from the regular keyboard).

One of the unusual things about WP8 is that the SD card is read-only. This means that apps can read data from the card, but not copy things to it or modify what's there. Because it can't be written to, it can't be encrypted (which would need to read the existing data, encrypt it, and write it back). Because the card can't be encrypted, the Exchange Active Sync policy that requires card encryption fails on WP8 devices.

For you, assuming that you use Exchange, you can try to convince your admin to create a security policy for you (and other WP8 users) that turns on full device encryption while not requiring removable storage encryption. The work involved is fairly minimal. The risk to the business (let's pretend that it's one governed by strict data leakage laws, like medicine or finance) is that you'd have two devices, one WP8 and another that does have removable storage. Since the Exchange security policy is set per user rather than per device type, the new policy that you had set up could allow unencrypted data to leak out of the organization via the SD card on the non-WP8 device.

Microsoft can address this in different ways. It could have phone models that lack an SD slot "lie" to the server, saying that the card is encrypted and justifying it on the basis of there being no actual risk since there is no actual card. It could have all models "lie" to the server, saying that the card is encrypted when it isn't, justifying it on the basis of not creating a risk for data to "leak" from the phone to the outside world. It could create a new policy that says "force encryption on writeable removable card" and advise administrators to switch to that. I would go on, but won't.
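A small model of the trade-off described in the post above, as an added example that is not part of the thread. It is a simplified sketch, not Exchange's actual compliance logic; the class, field and policy names are hypothetical, and the device capabilities follow what the post states (WP8 cannot encrypt the card and treats it as read-only).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    has_sd_slot: bool
    sd_writable: bool        # per the post, WP8 only reads from the card
    can_encrypt_sd: bool     # what the device reports to the server

@dataclass(frozen=True)
class Policy:
    name: str
    require_device_encryption: bool
    require_sd_encryption: bool
    only_writable_sd: bool = False  # hypothetical "writeable card" variant

def complies(dev: Device, pol: Policy) -> bool:
    """True if the device can satisfy every setting the policy requires."""
    if not pol.require_sd_encryption:
        return True  # all modelled devices support internal-storage encryption
    if pol.only_writable_sd and not (dev.has_sd_slot and dev.sd_writable):
        return True  # card requirement does not apply to this device
    return dev.can_encrypt_sd

def leak_risk(dev: Device, pol: Policy) -> bool:
    """Admitted device with a writable card that nothing forces to be encrypted."""
    return (complies(dev, pol) and dev.has_sd_slot and dev.sd_writable
            and not pol.require_sd_encryption)

# Constructed sample fleet: one user, several devices under the same policy.
FLEET = [
    Device("wp8_with_slot", has_sd_slot=True, sd_writable=False, can_encrypt_sd=False),
    Device("wp8_no_slot", has_sd_slot=False, sd_writable=False, can_encrypt_sd=False),
    Device("other_phone", has_sd_slot=True, sd_writable=True, can_encrypt_sd=True),
]
STRICT = Policy("strict", True, True)
RELAXED = Policy("relaxed", True, False)
WRITABLE_ONLY = Policy("writable_only", True, True, only_writable_sd=True)

def evaluate(pol: Policy) -> dict:
    """Map device name -> (admitted, leak_risk) for one per-user policy."""
    return {d.name: (complies(d, pol), leak_risk(d, pol)) for d in FLEET}

if __name__ == "__main__":
    for pol in (STRICT, RELAXED, WRITABLE_ONLY):
        print(pol.name, evaluate(pol))
```

The strict policy locks out both WP8 devices, the relaxed one admits them but leaves the other phone's card unencrypted, and the writable-card variant admits all three with no unencrypted writable card.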
 
Nov 18, 2012
I'm more concerned about the everyday user. I'm disappointed that Microsoft doesn't allow non-Exchange users the ability to set more secure passwords, i.e. with a full keyboard, and doesn't automatically encrypt user data (when you set up a pin code).
 

Bogdan Verbenets

New member
Jul 25, 2013
How do I know if my phone is encrypted or not without knowing the policy details? Is there a screen anywhere in the settings that can show this? Or maybe an artifact by which I can infer this?
 
