Mobile Encryption
Windows Mobile: Supported. Windows Embedded CE: Not Supported.
8/28/2008

Mobile Encryption is a feature that allows users to secure sensitive information on a Windows Mobile powered device's removable flash memory storage card. The data is accessible only when the card is installed in that particular mobile device. If the card is ever lost or stolen, the information remains secure because the card's contents are encrypted and no one else can access them.

Caution:
Anyone in possession of the encryption key can decrypt and access the sensitive information stored on the card.

Mobile Encryption runs as a background service on Windows Mobile powered devices. When the service is enabled, files are encrypted on-the-fly when they are written to the card, and are automatically decrypted when read back. Since this service is implemented as a File Filter Driver which runs at the file system level, Mobile Encryption is transparent to both users and applications.

Important:
OEMs should not ship Windows Mobile powered devices with Mobile Encryption enabled!

Users can enable Mobile Encryption through the Encryption Control Panel Application (CPA), which is available under Settings > System, and on Windows Mobile 6 Standard devices under Settings > Security.

The CPA just contains a check box which users can check to enable the service (and clear to disable it).

As part of a global security policy, system administrators can use Microsoft Exchange 2007 to provision Mobile Encryption on Windows Mobile powered devices across their enterprise. The Policy ID is 4134, and the Policy Setting is SECPOLICY_MENCRYPT_REMOVABLE. For more information, see Security Policy Settings.

Note:
When set to POLICYVAL_MENCRYPT_REMOVABLE_NO_USER, user access to the Encryption CPA is disabled.

Example

The following XML code is an example of OMA Client Provisioning XML for provisioning Mobile Encryption.

<wap-provisioningdoc>
    <characteristic type="SecurityPolicy">     <!-- Set encryption policy such that the user cannot change the setting -->
        <parm name="4134" value="0" /> 
    </characteristic>
    <characteristic type="MobileEncryption">   <!-- Turn on encryption -->
        <parm name="Enable" value="1" /> 
    </characteristic>
</wap-provisioningdoc>

Example

The following XML code is an example of OMA DM XML for provisioning Mobile Encryption.

<SyncML xmlns="SYNCML:SYNCML1.1">
    <SyncBody>
        <Replace>
            <CmdID>1</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/SecurityPolicy/4134</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>0</Data>
            </Item>
        </Replace>
        <Replace>
            <CmdID>2</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/MobileEncryption/Enable</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">bool</Format>
                </Meta>
                <Data>true</Data>
            </Item>
        </Replace>
        <Final />
    </SyncBody>
</SyncML>
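Added example (not from the original page): a small Python checker that reads the SecurityPolicy 4134 and MobileEncryption/Enable values out of either payload format shown above, the OMA Client Provisioning document and the OMA DM SyncML document, and flags a payload that turns encryption on without locking the Encryption CPA. The function names and the constructed sample payload are assumptions of this example; the value 0 for policy 4134 is the one the page's own examples use.

```python
import xml.etree.ElementTree as ET

POLICY_NO_USER = "0"  # value the page's examples use so the user cannot change the setting
CP_KEYS = {("SecurityPolicy", "4134"): "policy_4134", ("MobileEncryption", "Enable"): "enable"}
DM_URIS = {"./Vendor/MSFT/SecurityPolicy/4134": "policy_4134",
           "./Vendor/MSFT/MobileEncryption/Enable": "enable"}

def _tag(el):
    return el.tag.rsplit("}", 1)[-1]  # local name with the SyncML/metinf namespace stripped

def extract_settings(xml_text):
    """Read policy 4134 and Enable from an OMA CP or OMA DM payload; missing values stay None."""
    root = ET.fromstring(xml_text)
    found = {"policy_4134": None, "enable": None}
    if _tag(root) == "wap-provisioningdoc":
        for ch in root.findall("characteristic"):
            for parm in ch.findall("parm"):
                key = CP_KEYS.get((ch.get("type"), parm.get("name")))
                if key:
                    found[key] = parm.get("value")
    elif _tag(root) == "SyncML":
        # Every <Item> is inspected; a Delete of one of these URIs carries no Data and is flagged.
        for item in (e for e in root.iter() if _tag(e) == "Item"):
            uri = data = None
            for el in item.iter():
                if _tag(el) == "LocURI":
                    uri = (el.text or "").strip()
                elif _tag(el) == "Data":
                    data = (el.text or "").strip()
            if uri in DM_URIS:
                found[DM_URIS[uri]] = data
    else:
        raise ValueError("not an OMA CP or OMA DM provisioning document")
    return found

def audit(xml_text):
    """Findings for a payload; an empty list means encryption is on and the CPA is locked."""
    s = extract_settings(xml_text)
    findings = []
    if s["enable"] not in ("1", "true"):
        findings.append("Enable: Mobile Encryption is not switched on")
    if s["policy_4134"] != POLICY_NO_USER:
        findings.append("4134: policy missing or not 0, so the Encryption CPA is not locked")
    return findings

# Constructed sample: an OMA DM payload that turns encryption on but omits policy 4134.
DM_WEAK = """<SyncML xmlns="SYNCML:SYNCML1.1"><SyncBody><Replace><CmdID>1</CmdID>
<Item><Target><LocURI>./Vendor/MSFT/MobileEncryption/Enable</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">bool</Format></Meta><Data>true</Data></Item>
</Replace><Final /></SyncBody></SyncML>"""
```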

Remarks

Applications process encrypted files as if they were just ordinary unencrypted files, but they can determine if a file is encrypted by using GetFileAttributes, and checking for FILE_ATTRIBUTE_ENCRYPTED.

When Mobile Encryption is enabled, users experience a slight performance hit owing to the added computational overhead.

If a memory card contains unencrypted files before Mobile Encryption is enabled, they are not automatically encrypted when the service is enabled, and therefore remain unsecured. To secure them, you must copy each one to a new file on the memory card after enabling the service.

Once you have used a memory card for Mobile Encryption, the encrypted files it contains are unreadable by any device other than your mobile device. If you want to reuse that memory card, or reclaim the memory space occupied by its encrypted files, you must delete the encrypted files.

When an encrypted file is saved to a desktop computer using ActiveSync, it is decrypted by the Encryption Filter and saved on the desktop unencrypted.

On the desktop computer, you can enable encryption for the destination folder from Folder Properties > General > Advanced > Advanced Attributes > Encrypt contents to secure data.

Mobile Encryption uses a symmetric-key algorithm for encryption and decryption. This means that a single key is used for both processes. The key is created when the device is hard reset, and is accessible by privileged applications only. If the key is ever corrupted or lost, you will not be able to decrypt any of the encrypted files, and you will have lost your sensitive information.

By default, Mobile Encryption is configured to use the AES 128 Encryption Algorithm.

You can switch between RC4 and AES by configuring DPAPI to use the algorithm you want.

Wiping Persistent Storage results in the loss of the encryption key.

See Also

Concepts

Cryptography Support
Cryptography Registry Settings

Other Resources

Cryptography
File Systems
File System Encryption

Community Content

Irina Oltu
AES 256-bit on-the-fly encryption for Windows Mobile phones - Aiko SecuBox
SecuBox provides on-the-fly transparent encryption for Windows Mobile phones and their media cards. It creates virtual encrypted volumes that look and feel like usual Windows Mobile storage cards. SecuBox uses industry standard AES 256-bit encryption to encrypt data, and SHA-512 to generate the secret key.

Encryption key backup enables users to get legitimate access to the encrypted SecuBox volumes even if a file system failure occurs and data gets partially corrupted. Encryption key backup enables administrators to create proper key recovery routines, required for such cases when users forget their passwords.

Features and highlights:

- Strong AES 256-bit encryption
- "On-the-go" data protection - secure "lock" if user becomes inactive
- Media card encryption
- Secure wiping compliant with DoD5220.22-M specifications
- Command line support

Supported operating systems:

Windows Mobile Pocket PC, touch-screen devices:

* Windows Mobile 6.0/6.1 Professional
* Windows Mobile 6.0/6.1 Classic
* Windows Mobile 5.0 for Pocket PC Phone Edition
* Windows Mobile 5.0 for Pocket PC
* Windows Mobile 2002/2003/2003SE/2005
* Handheld PC 2000 (Windows CE 3.0)
* Pocket PC 2000/2002/2003/Phone Edition

Windows CE handhelds:

* Windows CE 3.0/4.0/4.1/4.2/5.0/5.2/6.0
* Windows Embedded CE 6.0
* Handheld PC 2000 (Windows CE 3.0)
* Windows CE 5.0 Standard SDK
* Windows CE 4.2 Standard SDK
* Windows CE 4.1 Standard SDK
* Windows CE 4.0 Standard SDK

Windows Mobile Smartphone - non-touch-screen devices:

* Windows Mobile 6.0/6.1 Standard
* Windows Mobile 5.0 Smartphone
* Windows Mobile 2003 Second Edition Smartphone
* Windows Mobile 2003 Smartphone
* Smartphone 2002

Processor types: ARM, MIPS, SH3, SH4, X86 compatible


Full-featured trial available at www.aikosolutions.com
