My colleague Jason Langridge wrote a post about the storage card encryption feature in WM6. This is one of the features I worked on, so I’d like to host some FAQs about it here.
What scenario is the feature designed to mitigate?
It’s fairly easy to remove a storage card from a device, so this mitigates the threat that a storage card with sensitive data is stolen out of a device.
What if the device and the storage card are both stolen?
The best practice is to use a PIN or strong password and local wipe to protect the data on the internal flash. Issue a remote wipe via OWA to wipe out the data on a stolen device as soon as possible. In WM6, a local or remote wipe will also wipe any inserted storage card.
What if I forget the PIN to my device?
(This is only tangentially related to storage card encryption, but here goes) You can escrow a recovery pin up to the exchange server. Retrieve the recovery pin via OWA and use that to locally reset the password on the device.
What happens if the device is cold booted?
If the device is reset and internal flash is cleared, the decryption keys are lost. If the keys were preserved, it would be easy to access the storage card of a stolen device by just cold booting the stolen device and clearing its storage, then re-inserting the stolen card.
What about key escrow and recovery?
There isn’t any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don’t want key escrow, that would also be good to hear.
What algorithm is used?
The encryption filter uses DPAPI to encrypt files. By default, this will use AES-128.
Where are the encryption keys stored?
The DPAPI master key is currently stored on the internal flash. It’s unreadable by untrusted applications.
What is the performance impact?
Encryption isn’t free, so we expect there to be some performance impact. In most of my scenario testing however, I found the impact to be minimal because the disk I/O was more expensive than the CPU hit for encryption. The one that was most affected in my testing was probably syncing lots of media files via media player to the encrypted storage card. If you are seeing a severe performance degradation, I would like to hear about it. Please e-mail via the contact form on this blog or leave a comment below.
What is the storage overhead?
Encrypted files take up one additional page for the header, plus one page for about every 200K of data. For a very small file, there will be 8K of overhead. For a ~600K file, there will be 16K of overhead.
What’s with the MENC extension?
The files are stored on disk with a MENC extension – this lets the encryption filter know quickly which files are encrypted and if they match the key on the device. If you put the storage card in a desktop card reader, or put it in another device, you will see that the files have a MENC extension. The point of the extension is that you can’t read those files, so the extension makes it harder for you to try to load those files into an application that won’t be able to read them anyway. We also were able to associate a lock icon with the extension to add an additional hint.
If the encryption filter on the device is able to read and decrypt the files, it hides the MENC extension so the file looks like normal.
What’s the 7726325a in test.txt.7726325a.menc?
The random data there is part of a GUID that is generated for decryption keys on the device. That GUID lets the encryption filter know at a glance whether or not it will be able to decrypt a given file. For files where the GUID matches, the filter will strip the GUID.MENC extension off of the file and show it to the operating system as the original filename. You can edit the filename on disk to change the GUID of a file so that the encryption filter thinks it can decrypt it, but when the file is actually opened the encryption filter won’t be able to decrypt it and you’ll get an error.
How can I tell if my files are encrypted on the device?
You can call GetFileAttributes(). Encrypted files will have FILE_ATTRIBUTE_ENCRYPTED. You can also take out the card and put it in another device or card reader. The encrypted files will show up as .MENC files.
Which files are encrypted by this feature?
Once encryption is enabled, all new files on the storage card will be encrypted. Files that already existed on the card stay unencrypted. So if there is a file on the storage card that you know you want to share with someone else, you can create the file on the desktop or create it before enabling encryption. The file will stay unencrypted. If you want to cause an existing file to be encrypted, you can copy it off the storage card and then copy it back again.
I turned on encryption in the control panel, but nothing is happening. What gives?
Only new files on the storage card are encrypted, so your existing files won’t change. Did you create a new file? If you did and you’re still not seeing the files as encrypted, it’s possible that the encryption filter isn’t installed on the storage profile that you’re using. This shouldn’t happen on any retail WM6 device, but if you’re seeing that situation please let me know!
How do I migrate an encrypted storage card to a new device?
The easiest way in my opinion is to copy all the encrypted files off the card to an attached desktop machine via Activesync. Then copy them back to the card in the new device.
My files were encrypted and I lost my phone or hard reset it. Can Microsoft help me recover the files?No, the keys are lost and the files cannot be recovered.
Feel free to send me any further questions about the feature or post your comments below.