What is Storage Card Encryption?
Storage Card Encryption on Windows Mobile 6 based Pocket PCs and Smartphone devices encrypts data stored on an external removable storage card, more specifically data written from the mobile device to the removable media.
The encrypted data can then be used only on the encrypting device itself. Users can enable "Over the Air" provisioning of the encryption code via Microsoft Exchange or another OTA device management solution. The encryption is transparent to the user, apart from the performance impact. The encrypted data files can be accessed on the desktop via the Microsoft ActiveSync® (AS) file explorer. The user has full control over the mobile encryption configuration.
How to use Storage Card Encryption?
Windows Mobile 6 based devices support encryption of data stored in external removable storage cards and also provide the means to remotely wipe the data on the device. The encryption can either be enabled by the user or enforced through an Exchange 2007 policy. If the device is Hard Reset or Cold Booted, the encryption keys will be permanently deleted and cannot be retrieved to decrypt the data on the card!
When you enable Storage Card Encryption on your mobile device, the decryption key (DPAPI Master key) is saved in its internal flash memory. If the device is hard reset or cold booted, the encryption key is lost and cannot be retrieved. A user attempting a hard reset or cold boot on a device with Storage Card Encryption enabled is warned to back up the files from the card, so that they can still be retrieved once the encryption key is lost during the hard reset process.
To enable the Storage Card Encryption on the device follow these steps:
- Insert the storage card into your mobile device.
- Go to Start → Settings → System Tab → Encryption.
- Check the “Encrypt files placed on the storage card” box.
- Press OK.
After this process is completed, all new files copied to or created on the storage card are encrypted. Files that were on the storage card before encryption was enabled will not be encrypted. To encrypt these files, you have to move them off the card and copy them back.
How to determine which files are encrypted?
You can see the difference after you have removed the storage card from the device it was encrypted on and inserted it into another device or into a card reader. The encrypted files will be displayed with the MENC file extension and will follow this filename convention:
[filename].[extension].[GUID].menc
The [GUID] is the encryption key which determines if the file can be decrypted on the present device. The MENC file extension is added just to make it easier for the user to recognize that the file is encrypted and cannot be opened. A lock icon is also associated with the encrypted .menc files. If you insert the storage card back into your device, you will not see the MENC file extension, because the [GUID] on the card matches the [GUID] on the files and these files can be opened.
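The filename convention above can be used to audit a card from a desktop or card reader: which files are encrypted, which GUIDs they belong to, and which files were left in plaintext because they predate the setting. The following is an added example, not code from the original page; the function names are hypothetical, the sample paths are constructed, and the 8-4-4-4-12 hex GUID format (with or without braces) is an assumption, since the page does not specify how the GUID is written.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: [GUID] uses the common 8-4-4-4-12 hex layout, optionally braced.
MENC_RE = re.compile(
    r"^(?P<name>.+)\."
    r"(?P<guid>\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?)"
    r"\.menc$",
    re.IGNORECASE,
)

def parse_menc(filename):
    """Return (original_name, guid) for [filename].[extension].[GUID].menc,
    or None if the name does not follow the convention."""
    m = MENC_RE.match(filename)
    if m is None:
        return None
    return m.group("name"), m.group("guid").strip("{}").lower()

def triage(paths):
    """Group encrypted files by GUID; collect files that are not encrypted."""
    by_guid = defaultdict(list)
    plaintext = []
    for p in paths:
        parsed = parse_menc(PureWindowsPath(p).name)
        if parsed is None:
            plaintext.append(p)      # e.g. copied before encryption was enabled
        else:
            by_guid[parsed[1]].append(parsed[0])
    return dict(by_guid), plaintext

# Constructed sample listing of a card viewed in a card reader.
SAMPLE_LISTING = [
    r"E:\Docs\budget.xls.3f2504e0-4f89-11d3-9a0c-0305e82c3301.menc",
    r"E:\Docs\notes.txt.3F2504E0-4F89-11D3-9A0C-0305E82C3301.menc",
    r"E:\DCIM\old_photo.jpg",
    r"E:\Docs\plan.doc.{9b2d1c7a-0000-4abc-8def-1234567890ab}.menc",
]

if __name__ == "__main__":
    groups, plain = triage(SAMPLE_LISTING)
    for guid, names in groups.items():
        print(f"GUID {guid}: {len(names)} encrypted file(s): {names}")
    print(f"Not encrypted: {plain}")
```

More than one GUID on a card means files were encrypted under different keys; the plaintext list shows files that still need to be moved off the card and copied back to become encrypted.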
How to decrypt encrypted files?
The easiest way to decrypt the encrypted files is to transfer them off the storage card to a computer via ActiveSync or Windows Mobile Device Center and to disable Storage Card Encryption on the device. Then just copy the files back to the device. To disable Storage Card Encryption, follow these steps:
- Go to Start → Settings → System Tab → Encryption.
- Uncheck the “Encrypt files placed on the storage card” box.
- Press OK.