Device Encryption
About 4 min read
Last updated: 2026-02-12
What Is Device Encryption
Device encryption encrypts the data stored on smartphones, PCs, tablets and similar devices so that it cannot be read without proper authentication (password, PIN or biometrics).
Without encryption, the data on a lost or stolen device can be read simply by removing the storage and attaching it to another computer. With device encryption enabled, the storage holds only ciphertext, and the keys needed to decrypt it are released only after the user authenticates.
Data encryption in general covers data in transit and data at rest; device encryption is one specific form of at-rest protection, namely "full-disk encryption" or "file-based encryption" of the device's own storage.
Encryption Mechanisms by OS
- iOS: iPhones have hardware-based encryption enabled from initial setup, using AES-256. Per-file keys are wrapped by class keys that are derived from the user's passcode entangled with a device-unique key inside the Secure Enclave, so setting a passcode is what ties the data to the user, and passcode guesses are rate-limited in hardware. This is why, in the 2016 San Bernardino case, the FBI could not access the data without the passcode.
- Android: File-Based Encryption (FBE) has been available since Android 7.0 and is required on devices launching with Android 10 or later. It supports "Direct Boot," which lets some functions (alarms, incoming calls) work right after a restart, before the user has unlocked, because that data lives in device-encrypted storage whose key does not depend on the user's credential. Older Android devices used Full-Disk Encryption (FDE).
- Windows: BitLocker is available on Windows Pro, Enterprise and Education editions. It works with the TPM (Trusted Platform Module) to protect the volume key, which the TPM releases only if the measured boot chain is unchanged. Windows Home offers a simplified version called "Device Encryption," which requires TPM 2.0 and UEFI Secure Boot and stores the recovery key in the Microsoft account used to sign in. Note that with the default TPM-only protector the disk is unlocked automatically at boot, so the protection rests on the boot chain and the Windows sign-in; for a laptop that may be stolen while powered off, a TPM + PIN protector (a PIN demanded before Windows starts) is the stronger configuration.
- macOS: FileVault (FileVault 2, the volume-level design introduced in OS X Lion) provides full-disk encryption. On Apple silicon (M1 and later) Macs the internal volume is always encrypted with keys held by the Secure Enclave; turning FileVault on ties those keys to the user's password and generates a recovery key, whereas with FileVault off the Secure Enclave releases the volume key at boot without any user credential.
Scope and Limitations of Device Encryption
Device encryption provides powerful protection but is not a silver bullet. It is important to accurately understand what it can and cannot protect.
What It Protects
- Prevents third parties from directly reading data from storage when a device is lost or stolen
- Makes data unrecoverable by destroying the encryption keys when a device is disposed of or sold (crypto-erase; a factory reset that destroys the keys is more reliable when combined with secure data erasure)
- Protects data when law enforcement or attackers physically obtain the device. Protection is strongest when the device is powered off or has not been unlocked since boot (the before-first-unlock state); after the first unlock many keys stay cached in memory, which is what forensic tools target
What It Cannot Protect
- Attacks while the device is unlocked (malware, malicious apps)
- Data access through app permissions granted by the user
- Data backed up to the cloud (iCloud, Google Drive backups require separate encryption settings)
- Data in transit (requires separate protection with TLS/SSL or E2EE)
Cloud backups are an often-overlooked point. Even if the data on the device is encrypted, an unencrypted backup can be read on the cloud side. On iOS, enable "Advanced Data Protection" so that iCloud backups are end-to-end encrypted; on Android, confirm that the Google backup is protected with the device's lock-screen credential, and remember that the backup is then only as strong as that PIN or password.
Settings to Maximize Encryption Effectiveness
Check the following settings to maximize the effectiveness of device encryption.
- Strong passcode / password: The key hierarchy is only as strong as the passcode that unwraps it. A 4-digit PIN has only 10,000 possibilities and is vulnerable to brute force even with hardware rate limiting; set a PIN of 6 or more digits, or better an alphanumeric password. Biometrics (fingerprint, face recognition) can be used alongside it for convenience: they release keys the passcode has already unwrapped, and do not replace the passcode, which is still required after a restart.
- Auto-lock settings: Configure the device to lock automatically after a short period of inactivity (1-2 minutes). Encryption protects nothing while the device is unlocked, so the lock timeout is what bounds an attacker's window after a snatch-and-run.
- Enable remote wipe: Enable "Find My" on iOS or "Find My Device" on Android so that a lost device can be erased remotely. Remote wipe only takes effect once the device comes online; encryption covers the case where it never does, so the two together give double protection against physical loss.
- Secure storage of recovery keys: BitLocker and FileVault recovery keys are the last resort if you forget your password (or, for BitLocker, when a firmware change alters the TPM measurements and the volume will not auto-unlock). Print them and store them in a safe, or save them in a password manager; in a managed fleet, escrow them to Active Directory / Entra ID (BitLocker) or MDM (FileVault). Losing the recovery key means permanently losing access to the data.
To learn more about this topic, see Device Encryption Basics: Protecting Data on Your PC and Smartphone.
Common Misconceptions
- Enabling device encryption significantly degrades performance
- Modern devices have hardware-accelerated encryption processing, and the performance impact is virtually imperceptible. Encryption is enabled by default on iPhones and recent Android devices, yet almost no users notice any slowdown.
- Screen lock makes device encryption unnecessary
- Screen lock only prevents device operation; it cannot prevent attacks that physically remove the storage to read data. Device encryption encrypts the data itself on storage, providing protection even against physical access.
Full-Disk Encryption vs. File-Based Encryption Comparison
Full-Disk Encryption (FDE)
Encrypts the entire volume under a single volume key that is unlocked with the user's password at startup. Until that password is entered nothing on the volume is accessible, so on a phone alarms and incoming calls cannot work after a reboot, and any data the system needs before login has to live outside the encrypted volume.
File-Based Encryption (FBE)
Each file has its own key, wrapped under a class key, and different classes are unlocked at different times: a device-encrypted class is available from boot, so functions like alarms and incoming calls work while the device is still locked (Direct Boot), while a credential-encrypted class is released only after the user authenticates. Used by iOS Data Protection and required on Android 10 and later. More flexible and finer-grained, but more complex to implement, and the OS must classify each app's data correctly.
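The following added example (not code from iOS, Android or any vendor) models the FBE key hierarchy described in this comparison, the passcode-strength point made under "Settings to Maximize Encryption Effectiveness", and the crypto-erase behaviour listed under "What It Protects": per-file keys wrapped under two class keys, a device-encrypted class available before the first unlock (Direct Boot) and a credential-encrypted class that needs the passcode. PBKDF2 and an HMAC-authenticated XOR wrap from the Python standard library stand in for the hardware-bound key derivation and AES key wrapping a Secure Enclave or TEE performs; the class names DE/CE, the 100-iteration count, the PIN "2580" and the sample file contents are all constructed for the demo.

```python
"""Toy FBE key hierarchy (added example, not vendor code). PBKDF2 and an HMAC-checked XOR
wrap stand in for a Secure Enclave/TEE's hardware-bound derivation and AES key wrap; the
DE/CE names, ITERATIONS and all sample data are constructed for the demo."""
import hashlib
import hmac
import itertools
import secrets
import string

KEY_LEN = 32
# Real devices entangle the passcode with a per-device secret inside the secure element and
# throttle guesses (Apple documents about 80 ms per attempt); 100 iterations keeps this fast.
ITERATIONS = 100


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOF keystream XOR data; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


def derive_kek(passcode: str, device_uid: bytes) -> bytes:
    """Key-encryption key: the passcode entangled with the device-unique secret."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, ITERATIONS, KEY_LEN)


def wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap key under kek: keystream XOR plus an HMAC tag (toy stand-in for AES key wrap)."""
    ct = stream_xor(b"wrap" + kek, key)
    return ct + hmac.new(kek, ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes):
    """Return the wrapped key, or None when the tag fails (wrong kek or destroyed blob)."""
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        return None
    return stream_xor(b"wrap" + kek, ct)


class FbeDevice:
    """DE class (device-encrypted, usable from boot, as in Android Direct Boot) and CE class
    (credential-encrypted, needs the passcode); each file has its own key wrapped under its class key."""

    def __init__(self, passcode: str):
        self.uid = secrets.token_bytes(32)            # fused into hardware, never exported
        self.de_class_key = secrets.token_bytes(KEY_LEN)
        # The CE class key exists at rest only wrapped under the passcode-derived KEK
        self.wrapped_ce = wrap(derive_kek(passcode, self.uid), secrets.token_bytes(KEY_LEN))
        self.files = {}                               # name -> (class, wrapped file key, ciphertext)
        self.reboot()

    def reboot(self) -> None:
        self.unlocked = {"DE": self.de_class_key}     # before first unlock: only DE is available

    def unlock(self, passcode: str) -> bool:
        ce = unwrap(derive_kek(passcode, self.uid), self.wrapped_ce)
        if ce is not None:
            self.unlocked["CE"] = ce
        return ce is not None

    def store(self, name: str, cls: str, data: bytes) -> None:
        file_key = secrets.token_bytes(KEY_LEN)
        self.files[name] = (cls, wrap(self.unlocked[cls], file_key), stream_xor(file_key, data))

    def read(self, name: str):
        cls, wrapped_key, ct = self.files[name]
        if cls in self.unlocked:                      # otherwise the class key is absent: None
            return stream_xor(unwrap(self.unlocked[cls], wrapped_key), ct)

    def crypto_erase(self) -> None:
        self.wrapped_ce = bytes(len(self.wrapped_ce))  # factory reset: CE key gone, ciphertext is noise
        self.reboot()


def brute_force_pin(wrapped_ce: bytes, device_uid: bytes, digits: int):
    """Guess a numeric PIN against the wrapped CE key; returns (pin or None, attempts). With the
    device UID a 4-digit space is at most 10,000 derivations; without it every candidate fails."""
    for attempts, candidate in enumerate(itertools.product(string.digits, repeat=digits), 1):
        pin = "".join(candidate)
        if unwrap(derive_kek(pin, device_uid), wrapped_ce) is not None:
            return pin, attempts
    return None, attempts


def demo(pin: str = "2580") -> dict:
    dev = FbeDevice(pin)
    dev.unlock(pin)
    dev.store("alarm.db", "DE", b"07:00 wake up")     # constructed sample files
    dev.store("photos.db", "CE", b"vacation album")
    dev.reboot()
    before = (dev.read("alarm.db"), dev.read("photos.db"))   # Direct Boot: alarm yes, photos no
    dev.unlock(pin)
    after = (dev.read("alarm.db"), dev.read("photos.db"))
    guessed, tries = brute_force_pin(dev.wrapped_ce, dev.uid, len(pin))
    dev.crypto_erase()
    return {"before_unlock": before, "after_unlock": after, "guessed": guessed,
            "attempts": tries, "unlock_after_erase": dev.unlock(pin)}
```

Calling `demo()` returns a dictionary showing the alarm file readable after a reboot while the photos file is not, both readable after unlock, the 4-digit PIN recovered in 2,581 derivations when the attacker holds the device UID, and the unlock failing after crypto-erase even with the correct PIN. On a real device the UID never leaves the secure element, which is what forces an attacker into on-device, rate-limited guessing; at that point the size of the PIN space is the only thing buying time, which is the reason for preferring 6+ digits or an alphanumeric password.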