We hear about this all the time – encrypt your phone, your computer, use these encrypted apps, ensure encryption is turned on, and so forth. But what actually is encryption and what is it used for? Considering we’ve referred to it in some of our articles already, it’s time we explained it.
What is encryption?
Simply put encryption is used to convert information into a secret code that hides that information’s true meaning. This information can be on your phone, laptop, or server, and can be things like photos, emails, documents, and text message conversations.
What encryption does is store that information in a format that is unreadable by computers without a key. The key should only be known by you, the device owner, and is typically in password or code format. The key is what is needed to unscramble encrypted information to make it readable again.
It’s important to distinguish the difference between password protection and encryption as the two no doubt sound similar to many readers. We’ll put this into an analogy; consider your information (the photos, emails, messages, etc) being put into a draw when you save it and the draw locked with a padlock. The padlock is like the password on your laptop or phone that gives you access to the contents of the draw. However bad actors have ways to navigate around this padlock and break into the draw using other, relatively easy, means (such as tools available online to boot your computer with).
With encryption the information is still in the draw (saved on your device) and your draw still has a padlock on it (your password). However, the information in the draw has gone through a shredder first and shredded it into billions of pieces. That way if someone gets access to your draw by cracking your password for example, the information is useless and unreadable without access to the encryption key. Once you enter your encryption key though, the magic of encryption happens, and your information is ‘unshredded’ and returned to a readable, usable format.
Encryption is widely used to secure sensitive data, when you purchase something online for example, the payment portal must encrypt your card information. Even the smallest items such as the fob that opens your car or garage needs to be encrypted to prevent bad actors intercepting readable information (transmitted code) to gain access to your property.
Historical examples of early encryption include The Caesar Cipher, The Zimmerman Telegram and The Enigma Code.
Encryption terminology to be aware of
If you do look more into encryption here is some related technical jargon to be aware of which we’ve avoided as much as possible in this article:
The science of encrypting (and decrypting) information is called ‘cryptography’. Unencrypted data is known as ‘plaintext’ and encrypted data is known as ‘ciphertext’.
‘Symmetric encryption’ uses a single password to encrypt and decrypt data. ‘Asymmetric encryption’ uses two keys for both encryption and decryption. The first key is a public key, shared amongst users and a private key, held but the owner which is not shared and is used to decrypt the data.
‘Military-grade encryption’ is often used by companies to try and show how strong their encryption is. Be aware this isn’t anything but a marketing tactic, ‘military-grade encryption’ is not a unique level of security and often the encryption standard used is widely adopted or commonplace. Your best bet is to check what their encryption standard actually is and see how that stacks up against ‘AES-256’ which is considered the strongest and most secure encryption standard on the market as of this writing.
How does it serve my privacy & security?
Your devices are a treasure trove of valuable data that is far beyond that which organisations collect about you as discussed in Challenging the way you imagine data & privacy. An unencrypted device in the hands of even an amateur bad actor could ruin your life and reputation at worst (read Doxing 101 for more on this) and cause you modest financial loss and some mental distress at best.
The advantages of encryption are:
- It’s currently considered very strong! As defined in Password Hygiene 101 a brute force attack is one where every possible combination of a password is tried by a computer to gain access (usually standardised by how long it will take). With encryption such as the highly rated 256-bit AES mentioned earlier, this process would take more time than the Earth has left to crack (rather than minutes or hours as it does for a password). See here on page four for the math, it’s truly astounding! The last dot point in our disadvantages list below is also relevant to this point
- If your unencrypted laptop or phone is stolen the password can be relatively easily navigated around to gain access to the data in your device. Encryption therefore serves as a security net for device loss or theft
- It’s considered easy to implement, have a look at some of the linked guides toward the end of this article
- It is the data itself that is encrypted so there is a separation of security from the device or the means of transmission. If either of the latter two are breached the data is still encrypted and thus secured
- Takes the fight to governments using downstream surveillance such as PRISM. Encryption also means authorities need permission to access your device, as we saw with the FBI vs Apple case.
What are the disadvantages?
There are a few things you need to be aware of before jumping to encrypting all of your devices:
- If you forget or lose your key (your encryption password) the information is gone forever. There is no back-door retrieval of the data unless you have backed it up in unencrypted format elsewhere (such as a USB stored in your home safe). Again, this is well demonstrated by the FBI vs Apple Encryption Dispute
- Data created by third-party apps is stored on your device but also stored on the servers of the third-party app provider which may or may not be encrypted. Therefore, it’s important to note the full advantages of encryption are only enjoyed if the information has no connection to another server. So for example, to encrypt your contacts list you would need to disable iCloud sync on iPhone to keep that list off Apple servers (and a similar process for Andriod phones and Google). When transmitting data, you need to use ‘end-to-end’ encryption services to ensure no other server participation
- Performance of your device can be affected, especially if you have an older device or require the most your machine has to offer for certain tasks. Encryption is a very sophisticated mathematical operation so naturally puts more pressure on a system’s processor. However modern devices have the computing power to make this performance penalty virtually unnoticeable to the average user, so this point is becoming less and less relevant
- Encryption is a one-way process with most systems, such as Android for example, in that you can’t change your mind about encryption later. If you wanted to permanently decrypt your Android phone you need to back up all important data first before decrypting. When decrypting the device, you will lose your important data as you will need to do a factory reset as part of the process. So, the best advice is, once a device is encrypted – keep it that way or check if the system allows for full decryption later before doing anything
- Its power can create a false sense of security and cause users to take security for granted as soon as something is labelled as ‘encrypted’. An example of this is highlighted in our Operation Ironside / Trojan Shield article
- Some countries require you to decrypt devices on arrival as part of ‘digital searches’. Check each country’s laws before travelling if you are storing encrypted sensitive information
- As alluded in the first point in the advantages list, encryption cannot be guaranteed to be future proof. Advances in cryptography and even quantum computing threaten the power of today’s encryption standards. Simply put quantum computing or the development of supercomputers may one day mean the time to crack encryption is greatly reduced. This point however can be said about almost every privacy or security related precaution- it will always be a cat and mouse game.
Finally, and not so much a disadvantage rather than a reminder in that encryption is not a one-stop solution for protecting data from prying eyes. Encryption only protects what is encrypted but cannot prevent against other online threats. Using a VPN to encrypt your internet connection can still leave unencrypted online accounts (such as your email) at risk. Encryption can stop emails from being intercepted and read but it won’t stop you receiving a phishing link or malware file through email, for example.
How do I encrypt?
There are a number of guides and tutorials online, no doubt we will create ours (and hopefully in different formats) as Privacy Rightfully grows. For now simply search “How to encrypt” followed by either your device or operating system.
If you’re unconvinced or intimidated by encrypting your device you can still make some changes to which apps you use to get the benefits of encryption while supporting developers who are ‘privacy-first’. Below are a few to consider but remember full encryption can only happen if both parties use the service. Note: these are not affiliates we’re not getting paid or receiving any benefit for listing them:
- Signal: For encrypted text messaging, video calls, and voice calls. There are others but Signal is one of few that assure they do not log metadata of who is talking to who.
- Wire, Threema, or Wickr: These are also messaging apps like Signal however you can sign up without linking your account to a phone number. Wire allows for multiperson voice calls (Signal as of this writing doesn’t)
- Ricochet: Is a desktop messaging app that uses Tor’s onion services with encryption
- Mailvelope: Is a browser plugin for encrypting messages in Gmail
- Protonmail: Is an encrypted email platform but emails are only fully protected between Protonmail users.
Those listed above are among the highest rated or most widely adopted, but by no means an exhaustive list. WhatsApp, Apple iMessage, and Facebook Secret Conversations offer encryption but do not give assurances that they don’t log metadata like Signal does, for example. Websites which apply encryption are easily identified with ‘HTTPS’ instead of ‘HTTP’ at the start of the address.
Below are guides for device encryption which we have tested successfully. However, please note as per our Terms & Conditions we do not take responsibility for any adverse effect/s or loss you may experience based on these guides or their accuracy. This isn’t a guide we’ve written so following it is at your own risk, as always, we have no relationship with these sources.
If you’re confident and don’t need too much help the following article from DuckDuckGo has quick guides for iPhone, Mac, Windows and Android:
More thorough guides and can be found for:
iPhone & iPad: https://support.apple.com/en-au/HT205220
There are other types of encryption which we haven’t touched on today within the various operating systems on the market (Apple OS, Microsoft, Andriod, Linux, etc) with each having differing encryption options, standards, and limitations. A comprehensive article on the all options with accompanying pros and cons would fill a book. However that level of detail was not the purpose of this article, we hope after today you’re at least comfortable to:
- Explain to someone what encryption is
- Consider encrypting your devices
- Use encryption as a filter when assessing which apps, programs, software, or service providers, you are looking at using
Encrypting your devices and using apps which offer end-to-end encryption is just another relatively small and simply change you can make to protect your privacy and security. Let the low hanging fruit remain unencrypted.
Choosing between hardware and software encryption is important. We haven’t written about it in this article as its purpose was to introduce and define the concept and process of encryption. However, read some of these links:
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.