Windows Mobile 6.1 – How do I encrypt my device?

You might have read in white papers and product sheets that Windows Mobile 6.1 supports local device encryption. (Windows Mobile 6.0 introduced encryption of storage cards, which is still supported.) And you might have wondered where the setting for enabling it is. Well, unless the device manufacturer has provided an interface, you can’t enable it, at least not in an easily accessible way.

The reasoning behind this is probably that it is considered an “enterprise feature”: many enterprises request encryption, but you don’t hear that many end-users asking for it. So to use the feature you normally need a management server, for instance Exchange 2007 SP1 on the server side with an ActiveSync partnership configured on your device, so that the mailbox policy is pushed to the device.

The following is a screenshot from the Exchange Management Console:

[Screenshot: Exchange ActiveSync mailbox policy, device encryption setting]

You’ll notice that it’s not very fine-grained: you either have encryption enabled or you have it disabled. (The encryption ties in with the password requirements though, as you need to password protect your device to encrypt it; the device password is used when the encryption key is generated.)

The other option from the Microsoft perspective is System Center Mobile Device Manager 2008 (SCMDM for short), where you can also enable encryption on the device. This is specified through Group Policy:

[Screenshot: SCMDM Group Policy settings for device encryption, with inclusion and exclusion lists]

You’ll notice that this also gives you the additional option to specify inclusions and exclusions, which is handy if you have a few gigabytes of mp3 files you don’t want to waste CPU cycles encrypting.

So this is all nice and dandy, if you have the servers installed, that is. What if you want to use this without servers, or you want to do some testing without connecting to them? The encryption functionality is a feature of Windows Mobile 6.1; the server tools only switch it on. It’s all on the device; you just need a front-end.

With this in mind I created a small utility/application for this purpose.

Note: This tool is not designed for deployment in Enterprise environments. I recommend that in a deployment either the server solutions above, or similar third-party products, are used. This utility is intended for lab purposes, and single users who don’t have the opportunity/possibility of using said server products.

Disclaimer:
This is not an implementation of encryption itself. It uses the encryption that is built into Windows Mobile 6.1, and merely provides an interface for controlling this feature. I take no responsibility for the actual implementation or the details thereof. Currently the encryption in Windows Mobile is based on AES-128.

The use is sort of self-explanatory:
– “Encryption On/Off” refers to whether the feature itself is enabled or disabled.
– “Exclusions” means you can exclude certain files/folders or file types from being encrypted.
– “Inclusions” means you can include additional files for encryption.
This does however bring up another question: isn’t the entire device encrypted already? No, it isn’t…

The following items are encrypted by default:
– User documents
– Email
– PIM data
– Email attachments and related data
– Internet cache
For more info: http://msdn.microsoft.com/en-us/library/bb964600.aspx

Now, there are two ways around this: modify the system default (the set of items that gets encrypted when encryption is enabled), or add inclusions after the device has been encrypted. This application does not modify the system default, so it relies on you enabling encryption first and adding inclusions afterwards.

The exclusion list works the same way: there is a system default, plus the exclusions you add later. I don’t recommend excluding any of the items in the list above, the one exception being that you may be storing your mp3s under “\My Documents\” and want those left out.

A few hints when it comes to exclusions and inclusions:
– Do not encrypt \…\* (the entire device)! You’ll also encrypt the system files that are needed for booting, which is a bad thing.
– Special formatting: “…” = all subdirectories, “*” = all files, “*.ext” = all files with the specified extension.
– All items must start with “\”; so to exclude all mp3s you would add “\…\*.mp3”. A single file would be “\file.txt”.
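As an added example, not code from the original post or from DojoCrypt, the following Python validates an include/exclude item against the rules just listed and shows which files on a constructed sample file list it would cover. It treats three ASCII dots and the ellipsis character shown on this page as the same “all subdirectories” token (WordPress tends to turn “...” into “…”, so which one the tool actually expects is an assumption), takes that token to mean zero or more directory levels, matches case-insensitively as a Windows file system does, and refuses the whole-device pattern the first hint warns about.

```python
import re
from typing import List, Optional

# Both spellings of the "all subdirectories" token: the ASCII form and the
# ellipsis character the blog's formatting shows (assumed equivalent here).
RECURSE_TOKENS = ("...", "\u2026")

# Constructed sample file list (not from the post) used to exercise the matcher.
SAMPLE_FILES = [
    "\\My Documents\\report.doc",
    "\\My Documents\\Music\\song.mp3",
    "\\Storage Card\\tunes\\other.MP3",
    "\\Windows\\coredll.dll",
    "\\file.txt",
]


def check_item(item: str) -> Optional[str]:
    """Return None if `item` follows the post's rules, else a description of what is wrong."""
    if not item.startswith("\\"):
        return "item must start with a backslash"
    segments = item.split("\\")[1:]
    if not segments or any(seg == "" for seg in segments):
        return "item contains an empty path segment"
    # "\...\*" (or "\…\*") covers the whole device, including the files needed to boot.
    if len(segments) == 2 and segments[0] in RECURSE_TOKENS and segments[1] == "*":
        return "item would encrypt the entire device; refusing it"
    for seg in segments[:-1]:
        if "*" in seg:
            return "'*' is only meaningful in the final (file name) segment"
    last = segments[-1]
    if last in RECURSE_TOKENS:
        return "item must end in a file name, '*' or '*.ext', not a directory token"
    if "*" in last and not (last == "*" or (last.startswith("*.") and last.count("*") == 1)):
        return "only '*' and '*.ext' are supported as file patterns"
    return None


def item_to_regex(item: str) -> "re.Pattern[str]":
    """Translate one include/exclude item into a regex over full device paths."""
    problem = check_item(item)
    if problem:
        raise ValueError(f"{item!r}: {problem}")
    segments = item.split("\\")[1:]
    parts = []
    for seg in segments[:-1]:
        if seg in RECURSE_TOKENS:
            parts.append(r"(?:[^\\]+\\)*")            # zero or more directory levels (assumed)
        else:
            parts.append(re.escape(seg) + r"\\")      # one literal directory name
    last = segments[-1]
    if last == "*":
        parts.append(r"[^\\]+")                       # any file name in that directory
    elif last.startswith("*."):
        parts.append(r"[^\\]+" + re.escape(last[1:]))  # any file with the given extension
    else:
        parts.append(re.escape(last))                 # one specific file
    # Case-insensitive, as file names on a Windows file system are.
    return re.compile(r"\A\\" + "".join(parts) + r"\Z", re.IGNORECASE)


def matching_files(item: str, files: List[str]) -> List[str]:
    """Which of `files` an item would put on an include or exclude list."""
    pattern = item_to_regex(item)
    return [f for f in files if pattern.match(f)]


if __name__ == "__main__":
    for item in ("\\...\\*.mp3", "\\My Documents\\...\\*", "\\file.txt", "file.txt", "\\...\\*"):
        problem = check_item(item)
        if problem:
            print(f"{item:28} rejected: {problem}")
        else:
            print(f"{item:28} -> {matching_files(item, SAMPLE_FILES)}")
```

Running it on the sample list shows “\…\*.mp3” picking up the mp3 on the storage card regardless of case, “\My Documents\…\*” covering both the file directly under My Documents and the one in its Music subfolder, and “\…\*” being refused outright, which is the kind of check the known-issues list says the utility itself does not perform.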

So what does it look like?

[Screenshot: “Encryption On/Off” tab]
Either it’s enabled or it’s not. Please note: before you add inclusions/exclusions, encryption should be enabled first.

[Screenshot: “Exclusion” tab]
Either browse to select individual files or type in a file/folder/extension. Remember to add the “\” in front.

[Screenshot: “Inclusion” tab]
Works pretty much the same way as the aforementioned tab.

Known issues:
– No icon and/or shortcut yet. Must be started from “\Program Files\DojoCrypt”.
– I do some simple error checking, but if you try you may be able to crash the app. It should however not be able to do any harm other than you having to start the program over again.
– No regex or parsing check that your inputs are correct when it comes to exclusions and inclusions. If you type it wrong, it will simply not work 🙂
– Applying an ExcludeList or IncludeList requires a reboot of the device between each list applied. (Technically you can choose “Later” to postpone it; results untested yet, but probably no worries.) So you can’t set up both lists and then be prompted to reboot once. No biggie, but I am aware of it.
– No possibility to see what currently is on your lists – might implement this later on.
– It’s designed for portrait mode. It will work in landscape mode but does look kinda unoptimized. Fully aware of this, and considering a more slick solution (knowing that one often types with the qwerty keyboard in landscape mode).
– Only tested on Windows Mobile 6.1 Professional. Don’t know if it will work on Windows Mobile 6.1 Standard (probably not because of UI elements).
– Versions prior to Windows Mobile 6.1 are not, and will not be, supported.
– While not an issue with this utility itself, you may have problems on some devices if there’s a two-tier lock on the device, or some other security restriction imposed that prevents this utility from working as designed.

I have not had the opportunity to do extensive bug testing, but I’ll replace the link in the download if I make any improvements/fixes.

If there’s any bugs you are welcome to post them in the comments section, but I make no guarantee when I will get around to fixing it 🙂

Download: http://mobilitydojo.net/files/DojoCrypt_090.cab

19.nov.2008 Update:
There’s a new version that fixes some of the known issues.
Download: http://mobilitydojo.net/files/DojoCrypt_10.cab

39 thoughts on “Windows Mobile 6.1 – How do I encrypt my device?”

  1. Hi!

    Is it possible to get the source code from your example?

    I assume that you do this all by configuring the internal device encryption using xml files. Getting your source/demo code would speed up my programming time.

    Questions:
    Is it possible to change the encryption algorithm?
    Is it possible to set an encryption key?

    Regards … Helmut

  2. I am indeed using xml that I provision to the device. As far as I know it is not possible to change encryption algorithm (AES-128 is being used), and not possible to set your own encryption key. I do however trust that Microsoft has implemented this in a proper way.
    I am not releasing source code to my projects currently. I don’t have anything against open source, and I might release it at a future time, but I am still considering how/if I should do it. (I’ll admit that it’s no rocket science I am doing here so it’s not super-secret or anything.) I have linked to the MSDN article I used for getting the xml, and if you have played around with xml-provisioning before it should be easy to adapt.

  3. The operating system will prompt you to set a password as this is used when generating the encryption/decryption key. The reboot is needed to perform the initial encryption. This is handled automatically, and not something one needs to worry about (or something you can avoid).

  4. Hi Andreas!

    I use the following command to enable the device encryption!

    L"<wap-provisioningdoc>"
    L"<Replace>"
    L"  <CmdID>200-SetEnableTrue</CmdID>"
    L"  <Item>"
    L"    <Target>"
    L"      <LocURI>./Vendor/MSFT/DeviceEncryption/EnableLocal</LocURI>"
    L"    </Target>"
    L"    <Data>true</Data>"
    L"  </Item>"
    L"</Replace>"
    L"</wap-provisioningdoc>";

    This is set by using “DMProcessConfigXML”.
    NO_ERROR is reported but nothing happens!?

    What’s my fault?
    Is the xml wrong or must I do some additional work?

    … Helmut

  5. Oops … the code I posted was “eaten” by your posting software!? I now removed the “<”:
    wap-provisioningdoc>
    Replace>
    CmdID>200-SetEnableTrue
    Item>
    Target>
    LocURI>./Vendor/MSFT/DeviceEncryption/EnableLocal
    /Target>
    Data>true
    /Item>
    /Replace>
    /wap-provisioningdoc>;

  6. Ok, this means you are using the OMA DM code. I haven’t researched the details of provisioning the DM code, but when using DMProcessConfigXML you must use characteristic/parm (OMA CP).
    This is illustrated in the sample that you linked to.
    The html-sanitizer will strip it away, so I can’t copy-paste it into this comment.
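The exchange above is about the shape of the XML, which the comment system cannot display. The following Python is an added example, not the post author's or Helmut's code: it builds an OMA CP (characteristic/parm) document for the DeviceEncryption characteristic, the form DMProcessConfigXML accepts, and classifies an arbitrary document as CP or as the OMA DM (Replace/Item/LocURI) form that returns NO_ERROR but does nothing. The parm name EnableLocal comes from the LocURI in Helmut's attempt and ExcludeList/IncludeList from the post's known-issues list; the value encoding (1/0) and the ';' separator for multiple paths are assumptions, so check them against the MSDN DeviceEncryption CSP page the post links to before provisioning a real device.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional

CSP = "DeviceEncryption"   # characteristic type; node name taken from the thread's LocURI
LIST_SEPARATOR = ";"       # ASSUMPTION: how several paths are joined in one parm value


def build_device_encryption_cp(enable: Optional[bool] = None,
                               exclude: Iterable[str] = (),
                               include: Iterable[str] = ()) -> str:
    """Return an OMA CP document (wap-provisioningdoc/characteristic/parm) for DeviceEncryption.

    EnableLocal, ExcludeList and IncludeList are the names the post and thread use; the
    1/0 encoding of EnableLocal and the list separator are assumptions, not from the page.
    """
    exclude, include = list(exclude), list(include)
    for item in exclude + include:
        if not item.startswith("\\"):           # the post's one hard rule for list items
            raise ValueError(f"{item!r}: every list item must start with a backslash")
    doc = ET.Element("wap-provisioningdoc")
    char = ET.SubElement(doc, "characteristic", type=CSP)
    if enable is not None:
        ET.SubElement(char, "parm", name="EnableLocal", value="1" if enable else "0")
    if exclude:
        ET.SubElement(char, "parm", name="ExcludeList", value=LIST_SEPARATOR.join(exclude))
    if include:
        ET.SubElement(char, "parm", name="IncludeList", value=LIST_SEPARATOR.join(include))
    return ET.tostring(doc, encoding="unicode")


def diagnose_provisioning_xml(xml_text: str) -> str:
    """Classify a document as 'cp' (characteristic/parm), 'dm' (SyncML-style) or 'unknown'.

    This is the check the thread implies: DMProcessConfigXML consumes OMA CP, and a
    Replace/Item/Target/LocURI body is OMA DM syntax that it accepts without acting on.
    """
    root = ET.fromstring(xml_text)
    if root.find(".//LocURI") is not None:
        return "dm"
    if root.tag == "wap-provisioningdoc" and root.find("characteristic") is not None:
        return "cp"
    return "unknown"


def read_device_encryption_parms(xml_text: str) -> Dict[str, str]:
    """Parse a CP document back into {parm name: value} for the DeviceEncryption characteristic."""
    root = ET.fromstring(xml_text)
    parms: Dict[str, str] = {}
    for char in root.iter("characteristic"):
        if char.get("type") == CSP:
            for parm in char.findall("parm"):
                parms[parm.get("name")] = parm.get("value")
    return parms


# Helmut's DM-style attempt from the thread, reconstructed here (the comment system
# stripped its angle brackets) so the diagnosis can be demonstrated on it.
HELMUT_DM_ATTEMPT = """<wap-provisioningdoc>
<Replace>
<CmdID>200-SetEnableTrue</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceEncryption/EnableLocal</LocURI>
</Target>
<Data>true</Data>
</Item>
</Replace>
</wap-provisioningdoc>"""


if __name__ == "__main__":
    print("Helmut's document is:", diagnose_provisioning_xml(HELMUT_DM_ATTEMPT))
    cp = build_device_encryption_cp(enable=True, exclude=["\\\u2026\\*.mp3", "\\palmVol.vol"])
    print(cp)
    print("parsed back:", read_device_encryption_parms(cp))
```

The string it returns is what you would hand to DMProcessConfigXML, or wrap in a .cpf/.cab, on the device; as the post notes, enable encryption (and take the reboot) before applying either list.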

  7. Thanks very much!
    It works now and it’s much simpler than I thought ….

    And now …. this should even work with my own LAP.
    Let’s try and see ….

    … Helmut

  8. I’m not sure if anyone can help but after activating encryption with Dojocrypt on my phone, Wifi and Internet email has been disabled by some “company policy”..

  9. That’s weird. There are policies that can disable WiFi and POP3/IMAP-mail, but DojoCrypt shouldn’t be touching these. DojoCrypt triggers the Power-on-Password lock as this is required by the encryption, but nothing else that I can think of.

    What kind of device are you using? Is this a “clean” device or do you have other third-party applications running as well?

  10. I’m using a Samsung i780, just updated with WM 6.1 from Samsung. Outlook is running.. just that my previously configured email account has been locked and it prompts “Company policy prohibits use of Internet e-mail on this device”.. very strange, I can’t seem to remove this policy after disabling encryption but Wifi works after that..

  11. I installed DojoCrypt on my HTC Touch Diamond with the newest ROM now. It was no problem configuring a POP account, (couldn’t test doing a sync since I don’t have a valid POP account). WLAN also worked like a charm. So although I still cannot explain it, it seems to be an issue isolated to your Samsung so far.

    It is possible to create a cab/cpf that will attempt to allow WLAN and POP/IMAP; maybe that would work as a workaround. Don’t know if you are familiar with creating such files? I can’t attach the necessary xml to this comment, as the comment system strips out xml code.

  12. I’m familiar with OMA client provisioning. Do you know which is the policy for enabling POP/IMAP. I can’t seem to find this information in MSDN.

  13. Thanks 4148 worked for me with encryption turned on. The Wifi actually enabled just that I cannot configure any new wireless profiles and my previous profiles are somehow ‘deactivated’. So I’m basically missing the Wifi tab when I select “Wi-fi Settings”.

  14. That Samsung sounds like a fun device to do experiments with 🙂

    I haven’t run into having to do multiple soft resets after changing policies, but I suppose that’s just one of the quirky things present in the Windows Mobile platform. Happy that you got it working though 🙂

  15. It does not work 🙁 on HTC Touch HD (WM6.1).
    I added a test.txt file from the microSD card to the inclusion list. Restarted. Removed the microSD card and read it on a PC. The file is not encrypted.

  16. Not sure why that would happen. Only thing I can think of is that there’s something wrong with the path, and since there is no checking that the path is valid the file isn’t encrypted. Have you tried both with the “Browse”-button, and typing the folder/filename in manually? (If it works when specified manually there might be something wrong with the info I get from the filebrowser dialog.)

    I have seen issues enumerating drives properly if there is both an internal HDD/memory card, and external storage, but I can’t remember the Touch HD having internal storage.

  17. I tried something and got the following results:

    The microSD card in my HTC is named ‘microsd’.
    I created a folder TEST and a file TEST.txt on it.
    When I add it to the inclusion list as \microsd\TEST\TEST.tst and do a check, the program says TEST.txt: Unencrypted 🙁

    When I by mistake wrote a wrong file name in the inclusion list (\microsd\test.txt – there is no such file) and checked this, the program said test.txt – Encrypted

  18. I’ll have to step through the code tomorrow in debug mode to see if there might be a bug in there. I had some problems with memory cards initially, but I thought I had resolved those issues. Will look into it.

  19. Andreas, could you post the registry keys and/or XML files that your utility changes? Maybe I can make or check all the changes manually?

  20. It’s not registry based, and it’s not possible to post the xml directly here (it will be automatically mangled by the input validator).
    However if you are familiar with xml provisioning you can find the necessary details here: http://msdn.microsoft.com/en-us/library/cc563008.aspx

    I loaded up my debugger and stepped through the bits on an emulator using the host hard drive as a storage card, and I am able to reproduce the behaviour. (This is on a Windows Mobile 6.5 emulator, but it should be similar to your Touch HD with 6.1.) However as far as I can see the storage card is mounted with an attribute of temporary, and I’m guessing that might affect its willingness to be encrypted.

    So far I unfortunately have no workaround.

  21. On the same HTC touch mobile:
    a file was encrypted with WM5 –> ROM upgraded to WM6.1; is it possible to decrypt the file?

  22. Do you still have the file?

    I mean, a ROM upgrade will usually delete all files…

    I do not know any devices that have official upgrades from WM 5 to WM 6.1. (And I can’t remember an HTC Touch with WM 5.)

    My utility only works on WM 6.1 since that was when MSFT included encryption in the OS. (There are of course other third party apps that will let you encrypt WM 5 devices as well, and I don’t know what rules apply to those.)

    So in short – I don’t think you can decrypt the file after a ROM upgrade.

  23. DojoCrypt and Exchange Encrypt policies were both breaking Wifi on my Treo 800w. But I fixed it.

    In DojoCrypt, add exclusion for “\palmVol.vol”.
    Then encrypt with Dojocrypt as normal.

    The other hardware vendors (Samsung) probably have their own .vol file. Try excluding that in Dojocrypt, and see if it resolves the Wifi and other vendor-specific problems.

  24. Hi, I installed dojocrypt and on the next reboot a new screen appears before it even lets me enter the device password. It says “Company Policy has enabled Device Encryption. Startup is suspended. Select Unlock to continue.” Even after disabling encryption and uninstalling dojocrypt this initial screen keeps coming. Any idea how to take my device back to the purest unencrypted state, with no annoying screen at the beginning?
    thanks in advance for your help.
    MB

  25. It is by design from the OS that this extra screen is presented after enabling encryption (don’t ask me why – the user shouldn’t really have to care about this feature), and of course the power-on-password is also enabled when using encryption. When disabling encryption the initial screen should however be disabled. The power-on-password might still be present, but should be possible to turn off again manually if you like.
    I would try to disable the power-on-password to see if that gets rid of it – if it doesn’t it might be a bug in the OS build. (DojoCrypt just provides a graphical interface to features provided by Windows Mobile itself.)

  26. Andreas,

    I’m currently using DojoCrypt on my T-Mobile Touch Pro 2 running WM6.5 Professional.
    I’ve since discovered that with device encryption enabled, I can no longer access the default HTC People in the Phone UI (replaces Contacts). When I look up contacts in HTC People, all I see is an “A”.
    Do you know what this is about?
    I tried to exclude pim.vol to test but it does not seem to work. Checking the status after a reboot indicates that it is still encrypted.
    Any ideas where I can start to troubleshoot?

  27. That’s weird. I have an HTC Touch Pro 2 here which should be similar to your T-Mobile branded version, but obviously with some minor differences in firmware. I added a contact through the Sense UI. I installed DojoCrypt and enabled encryption. Forced to reboot, and the device encrypts itself. Still able to use People/Contacts. Able to view the contact I created before encryption, and able to add new ones as well. So I’m not able to reproduce your issue. And being honest with you – I do not know what is going on either… Are you adding contacts locally, or are these contacts added through an ActiveSync partnership with Exchange?
    I know there are some bugs related to Exchange policies and shell protection in some firmware versions of the Touch Pro 2, but I don’t feel there’s enough indicators here to immediately pin it down as an HTC issue…

  28. Andreas,

    Thanks for testing your TP2.
    My TMO TP2 (HardSPL) is running the stock HTC Asian WWE 2.07.707.1 ROM (SenseUI 2.5.20121225) & Security unlocked. I sync my contacts through AS-Exchange.
    It was working fine before DE but after DE, I discovered this issue. I have about 1000 contacts in the contact list so I’m not sure if this is related.
    I am still able to add a new contact via the new incoming number or number dialed using the Phone UI but I’m not able to search for contacts using HTC People.
    This is very strange indeed.

  29. Andreas,

    You mentioned that “there are some bugs related to Exchange policies and shell protection in some firmware versions of the Touch Pro 2”. Can you specify which bugs they are & how these bugs can be reproduced?
    Thanks!

  30. I have seen an issue where the device was encrypted and using Power-on-Password, when for no apparent reason the device complained that the password entered was incorrect (when it was double-checked that it was indeed correct). No idea how to reproduce it – it’s something that may or may not occur after using the device for a while.

  31. I don’t know if this discussion is still monitored (I came through a search), but I want to encrypt only a few document files with confidential information; this can be by specified filename, by directory, or by extension (I will organise my confidential data accordingly). Looking at using WM6.1 encryption, it seems that one needs to enable full encryption, with many potential pitfalls, and I suppose exclude everything, then include the desired locations. Is this a practical thing to do, without risk of bricking the device or disabling functions I need?

    If not, can anybody suggest a WM method of encrypting specified files? For example, there is a desktop Windows encrypted editor program that creates an encrypted .EXE file from a text file; the program acts like NOTEPAD.EXE, but with a password.

  32. The proper approach to encrypting files out-of-the-box is as you say to encrypt the device itself, and then add exclusions (and inclusions for that matter) to get it the way you like it.

    I am not aware of a desktop program that will create encrypted exe-files or something similar.

    There are other third-party apps for encrypting WM itself – some of them will still require a sort of “system encryption” even if it’s intended for single files. (It’s usually preferred to not have the encryption keys embedded in the file itself.) While I haven’t tested all of these I was not happy with the ones I did test, and they didn’t offer much improvement over what was already in the OS.

    Now, depending on the devices you’re using, and the amount of data you’re encrypting it might not be such a bad experience using the encryption mechanism in the OS itself. Have you tested it some way, and found it to not be decent? There’s some low-end devices that struggled with it, but for devices with enough RAM and CPU it should work fairly ok.
