FBI, keep out! How to encrypt everything

26.02.2016
The FBI’s inability to crack a terrorist’s iPhone 5c shows the strong protection you can get for your private information on a mobile device. That same encryption is also available on your computer, at least in some cases.

Given the increasing access to personal and corporate data sought by the U.S. government, as well as by other politicians, unscrupulous businesses, and criminal hackers, people should up their game on what they protect. Fortunately, it's not hard to do. (But be sure to back up your data before you encrypt your devices, in case a power failure occurs during the encryption process and makes your data unavailable.)

On your mobile devices, be sure to do the following:

Upgrade to iOS 9 or Android 5 or 6 on all your smartphones, tablets, and data-storing devices like iPod Touches to get their hardware-assisted encryption capabilities. Then enable encryption on those devices.

In iOS, all you have to do is turn on password protection, which you do in the Settings app's Touch ID & Passcode section; encryption is in play once a password is required. When you unlock your device (whether it is asleep, turned off, or restarted), entering the password decrypts the device.

On Android, you enable encryption in the Settings app as well; the location varies from vendor to vendor and version to version, but you can typically find it within the Security area or Lock Screen and Security area. Look for an option called Encrypt Device or Encrypt Phone and tap it. If your Android device has an SD card installed, you should also see the Encrypt SD Card option to encrypt that external storage.

Although the use of encryption requires that you enter a password on your device, it does so only when you restart or turn on the device -- not to unlock a sleeping device. You should also set an unlock password for your Android device. You do that in the Settings app: Tap Security or the equivalent option, then tap Screen Lock or the equivalent option. Then choose PIN, Password, or Fingerprints (if your device supports fingerprint IDs) and set up your password. Be sure to set the lock time for how long the device can be idle before a password is required to unlock it; look for an option called Automatically Lock or something similar, again in the Security section of the Settings app.

Don't back up to cloud services like iCloud or Google Drive; the government can get warrants to access those backups. Instead, in iOS back up to your PC or Mac via iTunes, with the Encrypt iPhone/iPad Backup option turned on for each device in iTunes' summary pane. Now your backups are safe from prying eyes, too. Unfortunately, Android users don’t have a similar option for secure, encrypted backup.

Use encrypted services like Apple’s iMessage and OpenWhisper’s TextSecure where possible. SMS service from your phone company is not secured from government agencies.

If you use a BYOD unit that mixes corporate and personal information, I suggest you stop accessing it for work -- especially if your company employs mobile device management (MDM) software, because it can help unlock your device and provide access to its contents. Some companies use MDM-managed containers for corporate data and apps, which might provide the separation you need to keep doing BYOD. Beware: If they can unlock your device, they then have access to your personal data as well. It's safer to carry separate personal and work devices.

On your computer, be sure to turn on encryption. Note that you'll need administrator privileges to do so.

On a Mac, do so using the Security & Privacy system preference to enable Apple's FileVault encryption. If you have multiple user accounts on the Mac, be sure to enable encryption on each one that you want to protect. I suggest you choose a FileVault password that is different from the one you use for your iTunes or iCloud account; then, if an agency gets Apple to reveal your iTunes or iCloud password, it won't decrypt your Mac.

Also be sure to encrypt your Time Machine backups and any external drives. When setting your backup drive, you can encrypt it in the Time Machine system preference by clicking Select Disk, selecting the backup drive, enabling the Encrypt Backup option, and clicking Use Disk. In OS X El Capitan, you can encrypt any external drives, including your Time Machine backup drive, by right-clicking or Control-clicking it in the Finder and choosing Encrypt from the contextual menu that appears. In older OS X versions, you can use Disk Utility to encrypt a drive; select the drive in its Sidebar, then choose File > Encrypt or File > Lock, depending on your OS X version.

On a PC, enabling Microsoft's BitLocker encryption is a little trickier. Your PC will likely need to have a Trusted Platform Module (TPM) on its motherboard, but it's often missing on cheaper PCs and even expensive older PCs. And you must be running a Pro, Ultimate, or Enterprise edition of Windows Vista or later. If your PC is BitLocker-compatible, you'll find the BitLocker Drive Encryption settings (called Manage BitLocker in Windows 10) in the Security control panel. In some cases, you can also encrypt external drives.

Enterprise editions of Windows can encrypt attached USB drives and thumb drives, using the BitLocker to Go tool. But consumer editions can't, so your backups won't be encrypted.

If your PC doesn't support BitLocker, use a third-party encryption tool like VeraCrypt.

Encryption works very nicely on your mobile devices and computers, for the data they directly store. But we increasingly store data on cloud services such as iCloud Drive, OneDrive, Dropbox, Box, and so on -- and they are susceptible to access by government agencies. Don't use those services for anything you want to keep truly secret. If you must go with them, consider adopting a tool like VeraCrypt to encrypt their contents.

For your communications, use encrypted communication tools, such as those recommended by InfoWorld's Fahmida Rashid. They'll protect your messages and Web data -- most of the time. Government agencies have hinted that they can access some of these services' encrypted data, but won't say which ones, so there's no 100 percent guarantee of privacy.

(www.infoworld.com)

Galen Gruman