Solved: Galaxy Tab A7 - How to encrypt internal storage?

Dangermouse · ‎07-12-2020

I've just bought a Tab A7 and there's an option to encrypt an external SD card (which I'm not using at the moment) but there doesn't appear to be any way to encrypt the internal storage, which seems a bit strange as I've been able to do that on every other Android device I've ever owned.

With recent devices, just setting a PIN seems to enable it as then it prompts me for the PIN after I switch it on, before it boots to the OS but on the A7 it boots to the Home screen without asking me for the PIN.

Dangermouse · ‎14-12-2020

A long time ago, enabling encryption took hours as the hardware wasn't available to make it instant and as I recall, disabling it involved formatting the storage but for some years now, devices have had chips that make it possible to instantly enable/disable encryption. It's not true that the storage is encrypted regardless of whether a PIN or password is set though. If you think about it, it would be pretty useless security if anyone could decrypt a device by just turning it on, without needing a PIN/password.

I did a Google search too and found that apparently since Android 7 they have been moving towards File-Based Encryption (FBE) rather than Full-Disk Encryption (FDE), which means that the device can boot to the OS but the user's files are encrypted and inaccessible until the PIN/password is entered.

https://source.android.com/security/encryption/file-based

I've never seen this on any previous device, even recent Android 9 phones that I've bought which still use FDE and can't boot without the PIN. I can see there are benefits for multi-user devices from using FBE but personally I don't share my devices with anyone else and FBE raises concerns about whether its actually encrypting all the files containing my personal data, or whether some of those files might be stored on the unencrypted partitions. So it would be better if devices offered the choice of enabling FDE instead of only offering FBE, especially with tablets where the concerns about phones rebooting themselves and being unable to receive calls until the user enters the password don't apply.

View solution in context

FlyingKiwi · ‎12-12-2020

If you want to make the Tab A7 need a PIN when its booted, if its anything like my Tab A (2018 10.5) device, under Settings, you should find an option called Lock Screen where you can set this up. Be sure to write down or securely store any PIN you do use so you can never accidentally be locked out of your own device if you forget it (especially important for any account details that were used when initially setting up the device too).

Dangermouse · ‎12-12-2020

I've set a PIN but like I said, it boots to the Home screen without asking me for it, so it obviously hasn't encrypted the internal storage, because it wouldn't be able to boot without asking me for the PIN if it was encrypted. I just have to enter the PIN after its booted to unlock the screen, like I have to do if I leave it inactive and it locks the screen.

FlyingKiwi · ‎12-12-2020

I don't know why you think its obvious that because its not asking for a pin, its not encrypting the storage (or that the opposite is true). What I can tell you is that on my tablet with Samsungs newest Android 10 ROM if I set a pin using the Lock Screen option setting option, when I next boot the tablet, it asks for the pin in order to get in. If I then go back into the Lock Screen settings and change back to 'none', when I next boot, it goes straight in without any interrogation.

As they say on the IT Crowd (a UK TV Sitcom) have you tried turning it off and then on again (the request to use a pin in the Lock Screen settings)? What does the screen pictured say where mine reads none? What have you tried (specifically) to resolve this?

Dangermouse · ‎12-12-2020

Because it is obvious. If the internal storage was encrypted then it would need me to provide the code (i.e. the PIN or password) to decrypt it. That's how my current phone and my previous tablets work. They request the PIN shortly after turning them on and then it boots into the OS. If the Tab A7 was encrypted, it couldn't boot without me providing the code to decrypt it. Are you saying that with your tablet it asks for the PIN before it boots into the OS, or does it boot into the OS and then ask you for the PIN to unlock the screen (which is what my A7 is doing)?

My screen lock setting is set to PIN. There's no separate "Encrypt device" option and it was my understanding that all Android devices automatically encrypted themselves whenever a PIN/password was set, as there's no performance penalty from enabling encryption these days. So there's no downside and it provides valuable protection for portable devices and the data they hold, as it makes it impossible to boot the device or access the data stored on it without the code.

FlyingKiwi · ‎12-12-2020

I think one person's idea of whats obvious must differ to another person's then. It was not obvious to me how a 32 GB internal storage drive can be encrypted in next to no time and then decrypted the same (the time it took me to do my little test run as described above). A Google search came to the rescue and explained that Android 10 (and presumably newer) devices have to have their internal storage data encrypted by default. This means that irrespective of whether a pin is used, the hardware has its own key so the process works invisibly in the background. Indeed my tablet asks for a pin as its booting (and before it'll let me in). Now getting back to what they'd say on the IT Crowd, have you tried turning it off and then on again (as in the Pin screen lock) with a reboot in between?

Dangermouse · ‎14-12-2020

A long time ago, enabling encryption took hours as the hardware wasn't available to make it instant and as I recall, disabling it involved formatting the storage but for some years now, devices have had chips that make it possible to instantly enable/disable encryption. It's not true that the storage is encrypted regardless of whether a PIN or password is set though. If you think about it, it would be pretty useless security if anyone could decrypt a device by just turning it on, without needing a PIN/password.

I did a Google search too and found that apparently since Android 7 they have been moving towards File-Based Encryption (FBE) rather than Full-Disk Encryption (FDE), which means that the device can boot to the OS but the user's files are encrypted and inaccessible until the PIN/password is entered.

https://source.android.com/security/encryption/file-based

I've never seen this on any previous device, even recent Android 9 phones that I've bought which still use FDE and can't boot without the PIN. I can see there are benefits for multi-user devices from using FBE but personally I don't share my devices with anyone else and FBE raises concerns about whether its actually encrypting all the files containing my personal data, or whether some of those files might be stored on the unencrypted partitions. So it would be better if devices offered the choice of enabling FDE instead of only offering FBE, especially with tablets where the concerns about phones rebooting themselves and being unable to receive calls until the user enters the password don't apply.

FlyingKiwi · ‎14-12-2020

So have you managed to get the pin prompt to come up before letting you in after turning it to none and then setting a pin ( rebooting as required to test it out)? Glad we've both learnt from this.

Dangermouse · ‎14-12-2020

The PIN prompt always came up after it booted to the OS, as I said before " I just have to enter the PIN after its booted to unlock the screen". Now I know that they're using FBE instead of FDE, I understand why it doesn't need a PIN to boot but I'm not particularly happy about it!

The tablet seems to have an intermittent fault with the touchscreen not responding properly anyway, so I'll have to return it and get a replacement. I'd probably get a different tablet if I could find one that still offers FDE as an option but that seems unlikely.

FlyingKiwi · ‎26-12-2020

If your touchscreen isn't responding properly, there are several things you can try before going down the path to seek a replacement. Just the other day I discovered there's a useful test function within the Samsung Members App. If you tap on Get help -> Tablet Care -> Interactive Help -> Touch Screen, how does that test go? Do all the blocks fill with colour? As a last resort before trying for a replacement device, you should always try a factory data reset (after backing up your important stuff first) - afterall, what do you have to loose and it could save you unnecessary packaging, travels, phonecalls, form filling etc.

As far as why I responded to your thread initially you mentioned in your first post in this thread that 'With recent devices, just setting a PIN seems to enable it as then it prompts me for the PIN after I switch it on, before it boots to the OS but on the A7 it boots to the Home screen without asking me for the PIN.' Which to me implied you weren't getting the PIN prompt and wanted it - I'm glad you now seen to be getting that (always?).

Regarding encryption, I think its fair enough to say that although encryption technologies have changed with time, its generally for the better and you can rest assured that your data is all fully encrypted on this device.

Galaxy Tab A7 - How to encrypt internal storage?

1 Solution