Mobile Encryption

4/8/2010

Mobile Encryption is a feature that lets users secure sensitive information on a Windows Mobile device's removable flash memory storage card. The data is accessible only while the card is installed in that particular device. If the card is lost or stolen, the information on it remains protected: its contents are encrypted, and no other device holds the key needed to read them.

Warning

Anyone in possession of the encryption key can decrypt and access the sensitive information stored on the card.

Mobile Encryption runs as a background service on Windows Mobile devices. When the service is enabled, files are encrypted on-the-fly as they are written to the card and automatically decrypted when they are read back. Because the service is implemented as a File Filter Driver that runs at the file system level, Mobile Encryption is transparent to both users and applications.

Important

OEMs should not ship Windows Mobile devices with Mobile Encryption enabled!

Users can enable Mobile Encryption through the Encryption Control Panel Application (CPA), which is available under Settings > System (on Windows Mobile Standard, under Settings > Security).


The CPA contains a single check box: users select it to enable the service and clear it to disable the service.


As part of a global security policy, system administrators can use Microsoft Exchange 2007 to provision Mobile Encryption on Windows Mobile devices across their enterprise. The Policy ID is 4134, and the Policy Setting is SECPOLICY_MENCRYPT_REMOVABLE. For more information, see Security Policy Settings.

Note

When set to POLICYVAL_MENCRYPT_REMOVABLE_NO_USER, user access to the Encryption CPA is disabled.

Example

The following XML code is an example of OMA Client Provisioning XML for provisioning Mobile Encryption.

Code

<wap-provisioningdoc>
    <characteristic type="SecurityPolicy">     <!-- Set encryption policy such that the user cannot change the setting -->
        <parm name="4134" value="0" /> 
    </characteristic>
    <characteristic type="MobileEncryption">   <!-- Turn on encryption -->
        <parm name="Enable" value="1" /> 
    </characteristic>
</wap-provisioningdoc>

Example

The following XML code is an example of OMA DM XML for provisioning Mobile Encryption.

Code

<SyncML xmlns="SYNCML:SYNCML1.1">
    <SyncBody>
        <Replace>
            <CmdID>1</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/SecurityPolicy/4134</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>0</Data>
            </Item>
        </Replace>
        <Replace>
            <CmdID>2</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/MobileEncryption/Enable</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">bool</Format>
                </Meta>
                <Data>true</Data>
            </Item>
        </Replace>
        <Final />
    </SyncBody>
</SyncML>

Remarks

Applications read and write encrypted files exactly as they would ordinary unencrypted files. An application can determine whether a file is encrypted by calling GetFileAttributes and testing the returned attributes for FILE_ATTRIBUTE_ENCRYPTED.

When Mobile Encryption is enabled, users experience a slight performance hit because every write to the card is encrypted and every read is decrypted.

Files that were already on a memory card before Mobile Encryption was enabled are not encrypted retroactively when the service is enabled, so they remain unprotected. To secure them, copy each one to a new file on the card after enabling the service; the new copy is encrypted as it is written.
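The two remarks above (detecting encrypted files with GetFileAttributes, and re-encrypting files that predate the service by copying them to a new file) can be combined into a small audit-and-convert tool. The following is an added example for the .NET Compact Framework on Windows Mobile; it is not code from this documentation. It assumes the card is mounted at "\Storage Card" (the mount name varies by OEM), P/Invokes GetFileAttributes from coredll.dll, and uses a hypothetical ".menc.tmp" suffix for the intermediate copy.

```csharp
// Added example, not part of the Mobile Encryption documentation.
// Target: .NET Compact Framework on Windows Mobile. Assumed card path: "\Storage Card".
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;
using System.Windows.Forms;

class EncryptExistingFiles
{
    // Values from the Win32 / Windows CE headers.
    const uint FILE_ATTRIBUTE_ENCRYPTED = 0x00004000;
    const uint INVALID_FILE_ATTRIBUTES  = 0xFFFFFFFF;

    // On Windows CE / Windows Mobile the file APIs live in coredll.dll.
    [DllImport("coredll.dll", SetLastError = true)]
    static extern uint GetFileAttributes(string lpFileName);

    // True if the filter driver has marked this file as encrypted.
    static bool IsEncrypted(string path)
    {
        uint attrs = GetFileAttributes(path);
        if (attrs == INVALID_FILE_ATTRIBUTES)
            throw new IOException("GetFileAttributes failed for " + path +
                                  " (Win32 error " + Marshal.GetLastWin32Error() + ")");
        return (attrs & FILE_ATTRIBUTE_ENCRYPTED) != 0;
    }

    // Copy the file to a new file on the same card so the filter encrypts the
    // copy as it is written, then replace the original with that copy.
    // Returns false (and leaves the original untouched) if the copy did not come
    // out encrypted, which means the service is not active for this card.
    static bool ReencryptInPlace(string path)
    {
        string tmp = path + ".menc.tmp";          // hypothetical temp name
        File.Copy(path, tmp, false);              // new write -> encrypted on the fly
        if (!IsEncrypted(tmp))
        {
            File.Delete(tmp);
            return false;
        }
        File.Delete(path);                        // drop the plaintext original
        File.Move(tmp, path);                     // rename keeps the encrypted copy
        return IsEncrypted(path);
    }

    // Walk the card recursively; report each plaintext file and, if convert is
    // set, re-encrypt it. Returns the number of plaintext files found.
    static int Walk(string dir, bool convert, List<string> report)
    {
        int plaintext = 0;
        foreach (string f in Directory.GetFiles(dir))
        {
            if (IsEncrypted(f)) continue;
            plaintext++;
            if (!convert)
                report.Add("plaintext: " + f);
            else if (ReencryptInPlace(f))
                report.Add("encrypted: " + f);
            else
                report.Add("NOT encrypted after copy (service off?): " + f);
        }
        foreach (string d in Directory.GetDirectories(dir))
            plaintext += Walk(d, convert, report);
        return plaintext;
    }

    static void Main(string[] args)
    {
        string card = args.Length > 0 ? args[0] : @"\Storage Card";   // assumed mount point
        bool convert = args.Length > 1 && args[1] == "--convert";
        List<string> report = new List<string>();
        int n = Walk(card, convert, report);
        MessageBox.Show(n + " plaintext file(s)\r\n" + string.Join("\r\n", report.ToArray()),
                        convert ? "Mobile Encryption convert" : "Mobile Encryption audit");
    }
}
```

Run it once without arguments to audit the card, then with `--convert` to re-encrypt. Two caveats: the check after the copy matters, because if the service is disabled the copy is just a second plaintext file, which the code deletes again rather than silently replacing the original; and deleting the plaintext original does not wipe it from the flash media, so a card that held sensitive plaintext before the service was enabled should be treated as potentially recoverable by forensic tools even after conversion.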

Once a memory card has been used with Mobile Encryption, the encrypted files it contains cannot be read by any device other than the one that encrypted them. To reuse that card in another device, or to reclaim the space the encrypted files occupy, you must delete the encrypted files.

When an encrypted file is copied to a desktop computer using ActiveSync, the Encryption Filter decrypts it on the device, and it is saved on the desktop unencrypted.

To keep such a file protected on the desktop, enable the desktop's own Encrypting File System (EFS) on the destination folder: Folder Properties > General > Advanced > Advanced Attributes > Encrypt contents to secure data.

Mobile Encryption uses a symmetric-key algorithm, meaning a single key is used for both encryption and decryption. The key is created when the device is hard reset and is accessible to privileged applications only. If the key is ever corrupted or lost, none of the encrypted files can be decrypted, and the sensitive information they contain is lost.

By default, Mobile Encryption uses the AES-128 encryption algorithm.

You can switch between RC4 and AES by configuring DPAPI to use the algorithm you want. RC4 is a legacy stream cipher that is no longer considered secure, so there is no reason to move away from the AES default.

Wiping persistent storage (for example, by a hard reset) results in the loss of the encryption key, and with it access to every file encrypted with that key.

See Also

Concepts

Cryptography Support
Cryptography Registry Settings

Other Resources

Cryptography