
Device Encryption Draft v0.1

Device Encryption Guide

When you encrypt a device, you are encoding the information on it using a secret key that is known only to you. This prevents unauthorised people from accessing it. GDPR now requires device users to encrypt their devices before they can access school/trust files, email, or data.

Devices that hold personal or sensitive information can range from you receiving emails on your personal mobile phone to having student lists in Excel on your school laptop. Encryption removes the stress from the situation, as it ensures that data remains secure, regardless of the device on which it is stored.

The following document outlines the market leaders in terms of devices. Please click on your device in the contents below:

Contents

Mobile Phone/Tablet Introduction
Unsupported Devices
Android Devices
Samsung Devices
Apple Devices
Windows Laptops *
Laptops Windows 8.1 *
Laptops Windows 10 *
Laptops Windows 7 *
Macintosh *

*It is recommended that you ask for help from your school Network Team before starting the Windows and Macintosh Encryption as these are advanced tasks.


Mobile Phone/Tablet Introduction

To make it easier, the mobile phone/tablet guide for each manufacturer has been broken into 4 categories:

Pin code, pattern, or password lock:

When it comes to mobile phone/tablet security, the single most important thing is to lock the device with either a pin, pattern or password. This is the first line of defence for your device and is a requirement to turn on encryption.

Encryption with power on/start-up screen lock:

Full encryption for most mobile devices is a quick and painless process. From start to finish it can take a few minutes of your time (plus time for the device to perform the encryption), which is a small price to pay for the peace of mind it offers. It’s an extremely small inconvenience when compared to the security and privacy you’ll gain from encryption.

Enable erase data after a set amount of incorrect unlock attempts:

The Erase Data option sounds scary, but it’s an extremely effective way to protect your device from persistent evasive attacks, such as thieves who might steal your device from a bag, backpack, or pocket. With this feature enabled, your device will wipe all data if someone enters an incorrect passcode a number of times.

Optional: Hide passwords whilst typing:

In the same way that you hide the pin of your credit card as you type it when you are out shopping, hiding passwords on your device will stop people looking over your shoulder and seeing your password as you type.

This has been set as optional because, although it is recommended, some users may find it difficult to type passwords in without seeing them. Due to this we recommend you trial this for a few days first.

Unsupported Devices:

If you own one of these devices you should not use it for school/trust emails, files or data.

Please see below a list of known devices that do not support encryption:

1. Huawei Mate 8
2. OPPO devices
3. Vivo devices
4. Xiaomi Mi smartphones
5. Huawei Honor 8
6. Huawei P9


Android Devices

There are a number of main settings you should have on your mobile phone and tablet devices:

1. Pin code, pattern, or password lock
2. Encryption with power on/start-up screen lock
3. Hide passwords whilst typing
4. Enable erase data after a set amount of incorrect unlock attempts

Notes for Android Devices:

Newer versions of Android, particularly starting with v7.0, require a start-up passcode to make sure that your device is fully encrypted. Different device manufacturers have varying descriptions and locations for the start-up passcode. Most of the time, this setting is referred to as "Secure Start-up."

1. Encrypting the device can take an hour or longer.
2. Your device’s battery must be at least 80% charged. Android won’t even start the process otherwise.
3. Your device must be plugged in throughout the entire process.

Pin code, pattern, or password lock:

1. Go to the Settings menu on your device.
2. Scroll down until you find “Security” or “Security and Screen Lock” and tap it. This is typically located under the “Personal” section on Android 4.2 or higher.
3. Under the “Screen Security” section, tap the “Screen Lock” option. By default, this option is set to “Slide,” which means no password or pattern is needed.
4. From here, select which lock type you want to use, whether it’s Pattern, PIN, or Password.
   a. Pattern: swipe to draw an unlock pattern you want to use. If you messed up, hit retry. Otherwise, hit continue. It will then ask you to draw that pattern again to confirm.
   b. PIN: insert a 4-digit PIN that you’re comfortable with. Please don’t use repeating numbers (don’t use more than two if you absolutely must). Hit continue. Re-enter the PIN to confirm.
   c. Password: type the password you’re comfortable with. The password must be at least 4 characters, must be no more than 17 characters, and must contain at least 1 letter. Use an alphanumerical password with symbols that’s at least 8 characters long for ultimate security, but anything will do. Hit continue. Re-enter the password to confirm.


Encryption with power on/start-up screen lock:

1. Ensure that a screen lock PIN or password has been set for your device.
2. In Settings, choose Security > Encrypt Device. (On some phones, you’ll need to choose Storage > Storage encryption or Storage > Lock screen and security > Other security settings to find the "Encrypt" option.)
3. Follow the onscreen instructions. During encryption, your device might restart several times.

Erase data after incorrect unlock attempts:

Most manufacturers of Android phones automatically have this turned on without the ability to turn it off. If your phone has the facility to turn it on or off, then it will be in:

1. Settings
2. Security

Alternatively, it could be under Lock screen and security > Other security settings.

Optional: Hide passwords whilst typing:

1. Tap the app drawer icon from the home screen.

2. From the displayed list, tap the Settings icon.

3. On the opened Settings window, from the left pane, tap the Security option.

4. From the right pane, under the Passwords section, uncheck the Make passwords visible checkbox by tapping on it.


Samsung Devices

There are a number of main settings you should have on your Samsung mobile phone and tablet devices:

Pin code, pattern, or password lock

Encryption with power on/start-up screen lock

Hide passwords whilst typing

Enable erase data after a set amount of incorrect unlock attempts

Pin code, pattern, or password lock:

1. Open the settings window on your Samsung device

2. Go to "Lock Screen and Security"

3. Under "Phone Security" select "Screen lock type"

4. Select either pin, pattern or password

5. Each time you use your phone you will now be asked for the pin

Encryption with power on/start-up screen lock:

The S8 and newer phones encrypt by default after a pin, pattern or password has been set.

For earlier devices:

1. Open the app drawer.

2. Click Settings.

3. Tap the More tab.

4. Tap Security.

5. Tap Encrypt device.

Erase data after incorrect unlock attempts:

1. Open the settings window on your Samsung device

2. Go to "Lock Screen and Security"

3. Go to "Secure Lock Settings"

4. Tick "Auto factory reset"


Optional: Hide passwords whilst typing:

1. Open the settings window on your Samsung device

2. Go to "Lock Screen and Security"

3. Go to "Other Security Settings"

4. Untick "Make passwords visible"


Apple Devices

The steps below will work for any device running iOS 3 or newer, including iPad and iPod Touch devices.

Pin code, pattern, or password lock:

1. Open the Settings menu on your iPhone.
2. Go to Touch ID & Passcode (iTouch & Passcode in older versions of iOS).
3. Select the “Turn Passcode On” option.
4. Create a strong alphanumeric password that’s at least six characters long. If it’s too weak, the iPhone will reject it. Optionally, use the following website to generate a strong password for you.

Encryption with power on/start-up screen lock:

Your iPhone should automatically turn on encryption when a pin, pattern or passcode is set. To test this, please follow the steps below:

1. Return to the Touch ID & Passcode screen.
2. Scroll to the bottom.
3. You will see “Data protection is enabled” at the bottom, meaning your iPhone is secure.

That’s it! With data protection enabled you’ll have to enter your passcode every time you reboot or wake the device from sleep.

Erase data after incorrect unlock attempts:

Enable the Erase Data feature:

1. Open the settings menu.
2. Go to Touch ID & Passcode (iTouch & Passcode in older versions of iOS).
3. Scroll down to “Erase Data” and make sure it’s switched on.


Optional: Hide passwords whilst typing:

Currently Apple devices do not have this feature built in.

Optional for iPhone users: Remotely Erase Data:

Lost and stolen iPhones are surprisingly common. People know the devices are valuable, as is the information contained within. There are a few features you can enable that help protect your data if you misplace your phone, starting with Apple’s own locator service. First, enable the phone location feature:

1. Go to Settings.
2. Click on “iCloud”.
3. Scroll to “Find My iPhone” and enable it.


Windows Laptops

Requirements:

To use BitLocker, your computer must satisfy certain requirements:

Supported operating systems:

• Windows 10 - Education, Pro, or Enterprise edition
• Windows 8 - Professional or Enterprise edition
• Windows 7 - Enterprise or Ultimate edition

For Windows 7, the Trusted Platform Module (TPM) version 1.2 or higher must be installed. It must also be enabled and activated (or turned on).

Additional requirements:

1. You must be logged in as an administrator.
2. You must have access to a printer to print the recovery key, or be able to save it to a memory stick.

Check your Trusted Platform Module (TPM) status

If the TPM does not meet the system requirements listed above, the Encryption installer displays the TPM status at the point where you choose your encryption options.

Example of TPM status message:

Contact your local IT support if you want to enable BitLocker but need assistance with enabling and activating the TPM.


Windows 8.1 Pro and Windows 10

When the Control Panel opens, type BitLocker into the search box in the upper-right corner and press Enter. Next, click Manage BitLocker, and on the next screen click Turn on BitLocker.

Now BitLocker will check your PC’s configuration to make sure your device supports Microsoft’s encryption method.

BitLocker checks for the required Trusted Platform Module (TPM)

If you’re approved for BitLocker, Windows will show you a message like this one (see screenshot at left). If your TPM module is off, Windows will turn it on automatically for you, and then it will encrypt your drive.

TPM:

To activate your TPM security hardware, Windows has to shut down completely. Then you’ll have to manually restart your PC. Before you do, make sure any flash drives, CDs, or DVDs are ejected from your PC. Then hit Shutdown.

Once you restart your PC, you may see a warning that your system was changed. In my case, the options were to hit F10 to confirm the change or press Esc to cancel. After that, your computer should reboot, and once you log in again you’ll see the BitLocker window.

Recovery key and encryption:

We’ve rebooted and the TPM is now active.


After a few minutes, you should see a window with a green check mark next to Turn on the TPM security hardware. We’re almost at the point where we’ll encrypt the drive! Once ready, click Next.

Before you encrypt your drive, however, you will be asked to enter a password that must be entered every time you turn on your PC, before you even get to the Windows login screen. Windows gives you a choice of either entering the password manually or inserting a USB key. Choose whichever method you prefer, but the recommendation is to use the manual password so you aren’t dependent on a single USB key for authentication.

Next, you have to save a recovery key just in case you have problems unlocking your PC. Windows gives you three choices for saving this key in Windows 8.1 and Windows 10: save the file to your Microsoft account, save to a file, save to a flash drive (Windows 10), or print the recovery key. You are able to choose as many of these options as you'd like, and you should choose at least two.

The author chose to save the file to a USB key and print the key on paper rather than saving the file to their Microsoft account, as they were unsure of who has access to the company’s servers. That said, saving your key to Microsoft’s servers will make it possible to decrypt your files if you ever lose the flash drive or paper containing your recovery key code.

Once you’ve created two different instances of the recovery key and removed any USB drives, click Next.

Choose whichever option best describes your PC.

On the following screen, encrypt the entire drive.

Click Next. We’re almost there.


Windows 10 only

If you’re running Windows 10 build 1511 or later, you’ll be asked to choose your encryption mode: new or compatible. If you’re encrypting your onboard storage drive, then choose new. The compatible mode is mostly for removable drives that will be used with older versions of Windows that do not have the “new” encryption mode.

Make sure the box next to Run BitLocker system check is clicked so that Windows will run a system check before encrypting your drive. Once the box is checked, click Continue... and nothing happens.

You have to manually reboot your PC to start BitLocker’s disk encryption.

You’ll see an alert balloon in the system tray telling you that encryption will begin after you restart the PC. Restart your PC, and you’ll be asked to enter your BitLocker password or insert the USB key you created earlier.

After you log in this final time, you should see another system tray alert telling you that the encryption is in progress.

Whew! We made it to the encryption phase. You can continue to work on your PC during the encryption phase, but things may be running a little more slowly than usual. Consider holding back on anything that might tax your system during initial encryption, such as graphics-intensive programs.


After all those clicks, that’s it! Just leave Windows to do its thing, and in a few hours you’ll have a BitLocker-encrypted drive. The length of time it takes BitLocker to fully encrypt your files depends on the size of your drive, or how much data you’re encrypting if you’re only encrypting existing data on a new PC.
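A read-only check the Network Team can run from an elevated PowerShell prompt on Windows 8.1 or Windows 10, to confirm the requirements listed earlier and the result of the BitLocker wizard. This is an added example, not part of the original guide; the function name Test-BitLockerReadiness and its output field names are made up for illustration.

```powershell
# Added example (not from the original guide): read-only BitLocker readiness and
# status report for Windows 8.1 / Windows 10. It changes no settings.
# Test-BitLockerReadiness and the output field names are illustrative.
function Test-BitLockerReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    # The guide requires an administrator account; the cmdlets below need one too.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this check from an elevated (administrator) PowerShell session.'
    }

    # Editions the guide lists as supported for each Windows version.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $editionOk = switch -Regex ($caption) {
        'Windows 10' { $caption -match 'Education|Pro|Enterprise'; break }
        'Windows 8'  { $caption -match 'Pro|Enterprise'; break }
        default      { $false }
    }

    # TPM state: present at all, and ready for BitLocker to use.
    $tpm = Get-Tpm

    # Encryption state of the drive and which key protectors exist on it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector |
        Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    [pscustomobject]@{
        OperatingSystem     = $caption
        EditionSupported    = $editionOk
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        VolumeStatus        = $vol.VolumeStatus          # e.g. FullyEncrypted, EncryptionInProgress
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectionStatus    = $vol.ProtectionStatus      # On once encryption is protecting the drive
        KeyProtectorTypes   = $protectors -join ', '
        # The guide asks for a saved recovery key and a start-up password or PIN.
        HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
        HasStartupSecret    = [bool]($protectors -match '^(TpmPin|TpmPinStartupKey|Password)$')
    }
}

Test-BitLockerReadiness | Format-List
```

The report lists key protector types only; it never prints the recovery key itself, so the output is safe to paste into a support ticket.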


Windows 7

Enabling BitLocker:

If your computer meets the Windows version and TPM requirements, the process for enabling BitLocker is as follows:

1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.

2. Click Turn on BitLocker.

3. BitLocker scans your computer to verify that it meets the system requirements.

   If your computer meets the system requirements, the setup wizard continues with the BitLocker Startup Preferences in step 8.

   If preparations need to be made to your computer to turn on BitLocker, they are displayed. Click Next.

4. If prompted to do so, remove any CDs, DVDs, and USB flash drives from your computer and then click Shutdown.

5. Turn your computer back on after shutdown. Follow the instructions in the message to continue initializing the TPM. (The message varies, depending on the computer manufacturer.)

6. If your computer shuts down again, turn it back on.

7. The BitLocker setup wizard resumes automatically. Click Next.

8. When the BitLocker startup preferences page is displayed, click Require a PIN at every startup.

9. Enter a PIN from 8 to 20 characters long and then enter it again in the Confirm PIN field. Click Set PIN.

   Note: You will need to enter your PIN each time you start your computer.

10. To store your recovery key, select Print the recovery key and then click Next.

    Note: Make sure your computer is connected to a printer.

11. Print a copy of your recovery key.

12. You will be prompted to restart your computer to start the encryption process. You can use your computer while your drive is being encrypted.


Logging in:

Enabling BitLocker will change the way you log in to your system. You need to enter your PIN at every startup, prior to entering your password. This is designed to provide an additional layer of security for your data.

Changing your PIN or regenerating a copy of your recovery key

Once you have created your PIN, you can change it in the BitLocker Drive Encryption control panel. You can also regenerate a new copy of your recovery key if you lose the printed copy.

1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.

2. In the BitLocker Drive Encryption control panel, click Manage BitLocker.

3. Follow the instructions on the screen.


Macintosh Computers

Use FileVault to encrypt the startup disk on your Mac

FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.

Turn on and set up FileVault:

FileVault 2 is available in OS X Lion or later. When FileVault is turned on, your Mac always requires that you log in with your account password.

1.

2. Click the FileVault tab.

3. Click , then enter an administrator name and password.

4. Click Turn On FileVault.

If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user's password. User accounts that you add after turning on FileVault are automatically enabled.

Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:

If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*

If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*

If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.

If you lose both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.

Encryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged in to AC power. You can check progress in the FileVault section of Security & Privacy preferences. Any new files that you create are automatically encrypted as they are saved to your startup disk.

When FileVault setup is complete and you restart your Mac, you will use your account password to unlock your disk and allow your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.
