File Encryption


Because data stored on mobile devices is portable, there is always a possibility that it will be found by someone other than the intended user. For instance, if a device is lost or stolen, sensitive business information (contacts, emails, spreadsheets, documents or other confidential data) may be found. Data can be easily retrieved from the device using a variety of file transfer methods (e.g. USB cradle, Bluetooth or Wi-Fi file transfer, or infrared beam).

MobiControl helps secure data stored on the mobile device and on SD memory cards or other storage media, helping businesses achieve compliance with strict data storage and processing regulations. The file encryption feature encrypts data stored on a device or memory card so that it cannot be accessed by an unauthorized person. This protects sensitive data if an attempt is made to extract it from the mobile device and access it on another mobile device, computer or data reader.

File Encryption Policy dialog box


MobiControl’s policy-based file encryption uses FIPS 140-2 validated AES-256 encryption algorithms to secure mobile data. On-the-fly file encryption is implemented easily and transparently without affecting the end user's experience: data is encrypted and decrypted in memory when needed by mobile applications on the device. MobiControl provides granular control, allowing encryption of specified files and folders, including the ability to select an entire volume such as a storage card.

To enable file encryption for a device or group of devices, select File Encryption Policy from the MobiControl Security Center. User authentication must be enabled prior to enabling file encryption. (Please see the Device Security and Control page and Authentication Security page for more information.)

Use the Add and Edit buttons to bring up the Add File/Folder dialog box to create a new entry or modify an existing entry. Individual files or entire folders can be encrypted. If a folder is selected and the option to Protect files stored in sub-folders is enabled, all sub-folders within it will also be encrypted. The Exclude selected file/folder option makes it possible to exclude a file or folder from encryption. For instance, this option can be used to exclude a folder from encryption if its parent folder is encrypted, and the option to protect files stored in the parent folder's sub-folders is enabled. When the Exclude selected file/folder option is selected, the option below it changes to Exclude files stored in sub-folders. When this second option is selected, sub-folders of the selected folder will also be excluded from encryption.

      

Add File/Folder dialog box for encrypting a folder (left) and excluding a folder from encryption (right)

Tip:

MobiControl supports the use of wildcards when entering folder/file names. The asterisk ("*") substitutes for any zero or more characters, and the question mark ("?") substitutes for any one character. For example, entering "*.doc" with Protect files stored in sub-folders enabled will encrypt any document with the .doc extension on the device.
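The following sketch is an added example, not MobiControl code. It models how a set of Add File/Folder entries (protect or exclude, with or without sub-folders, with the "*" and "?" wildcards from the tip) could be evaluated against device paths, so an administrator can check which files a planned policy would cover. The matching details, the rule that exclusions override protection, and the sample paths are assumptions made for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    pattern: str            # file or folder path; "*" and "?" wildcards allowed
    subfolders: bool        # "Protect/Exclude files stored in sub-folders"
    exclude: bool = False   # "Exclude selected file/folder"


def _parts(path):
    # Device paths use backslashes; compare case-insensitively.
    return [p.lower() for p in path.split("\\") if p]


def _prefix_match(parts, pats):
    # True when the leading components of `parts` match `pats` one by one.
    # Note: fnmatch also treats "[...]" as a set; the page documents only * and ?.
    return len(parts) >= len(pats) and all(
        fnmatchcase(c, p) for c, p in zip(parts, pats))


def rule_matches(rule, file_path):
    parts, pats = _parts(file_path), _parts(rule.pattern)
    if not parts or not pats:
        return False
    folder, name = parts[:-1], parts[-1]
    # Case A: the entry names a file (possibly by wildcard) inside a folder.
    base, last = pats[:-1], pats[-1]
    if fnmatchcase(name, last) and _prefix_match(folder, base):
        if rule.subfolders or len(folder) == len(base):
            return True
    # Case B: the entry names a folder that contains the file.
    if _prefix_match(folder, pats):
        return rule.subfolders or len(folder) == len(pats)
    return False


def is_encrypted(rules, file_path):
    # Assumption: an exclude entry always wins over a protect entry.
    protect = any(rule_matches(r, file_path) for r in rules if not r.exclude)
    excluded = any(rule_matches(r, file_path) for r in rules if r.exclude)
    return protect and not excluded


# Constructed sample policy (hypothetical paths).
POLICY = [
    Rule("\\Storage Card\\Reports", subfolders=True),
    Rule("\\Storage Card\\Reports\\Public", subfolders=True, exclude=True),
    Rule("*.doc", subfolders=True),
]
```

Running candidate paths through `is_encrypted(POLICY, path)` before deploying a policy shows, for instance, that a `.doc` file placed in the excluded `Public` folder would be left unencrypted under these assumptions.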

Automatic Key Archiving for Recovery of Encrypted Data

During the encryption process, the encryption key is stored on the mobile device so that any encrypted data on the mobile device or the storage/SD memory card can be accessed on the mobile device by an authenticated user. In certain situations it may become necessary to decrypt that data for use on another device (e.g. a hardware failure on the mobile device requiring the data on the storage card to be recovered on another device). If the encryption key is saved on the mobile device only and the device is stolen or damaged, the data on the accompanying storage cards would be rendered unusable as well.

File Encryption Recovery dialog box

MobiControl automatically, and transparently to the end user, archives a backup copy of the encryption key in the MobiControl database to allow the recovery of encrypted data in exceptional scenarios. The key is archived at the same time as it is generated, so that encrypted data can be recovered easily in extraordinary situations and after device failures.

Files can be decrypted using the MobiControl Manager. Click on the Recover Data button in the File Encryption Policy dialog box to recover encrypted files. The File Encryption Recovery dialog box allows you to specify the encrypted file (on a storage card or any other medium) and decrypt the file, recovering it to the destination file specified as the output file.