If you’re slightly paranoid about data privacy on your smartphone, you may have heard that Android can encrypt your device since 4.0.

As I am doubly paranoid, I also use the community driven version of Android, CyanogenMod, as my operating system.

Encrypt your phone

Go to Settings > Security > Encryption > Encrypt phone

Type in a password and let your phone apply the magic for the best part of an hour (if you have a lot of data). After the reboot, you will be asked to enter your password.
Please note that you have to choose a screen lock method: either a 4 to 8 digits pin or a longer passphrase.

Accessibility or security?

To encrypt your phone, you must provide a strong password. You’d better choose a long one, then.
But Android doesn’t allow you to unlock your screen with a different password. As you will have to type this password roughly 30 times a day, you’ll probably want to keep it rather short.

So: short or long?

That’s where CryptFs comes in handy, allowing you to decouple both passwords: this app lets you set a strong password for the encryption layer, while keeping the password to unlock your screen short. You will only need to type the first one at every reboot, while using the second on a regular basis.

For a more detailed explanation, see changing Android’s disk encryption password.

Upgrade CyanogenMod on an encrypted device

However, CyanogenMod updates and full encryption refuse to work hand in hand: as you try to install the latest version (say 10.2 on a good ol’ 10.1.2), your phone boots into recovery mode but is unable to mount the SD card where the update archive lies. Because it is encrypted, darn!

That’s what it took me to bend its will:
1. install the adb tools (for the Nexus4, look for Nexus4Root)
2. download the latest CyanogenMod version at get.cm
3. reboot your phone under recovery mode (volume down + power buttons pressed simultaneously on my Nexus 4)
4. connect your phone to the computer
5. on the phone, select “update from sideload”: it should display it’s waiting for you to load the update archive
6. navigate to the adb tools folder and type the following as root:

./adb-linux usb
./adb-linux sideload cm-update-version.zip

7. reboot when the installation is complete

Install the app package for paranoids

Having a rooted phone allows me to install some privacy aware apps (a firewall and a global adblocker), and CyanogenMod to restrict access to my personal data (call log, sms and contact data) for most applications.

Phone security:

• AFWall+
• Bluebox Security Scanner

Privacy

• AdAway (requires root): blocks advertisements by blocking requests towards ads servers
• RedPhone for encrypted calls: you won’t need it to call your grandma, but as your innocent calls are sent through the wires, eavesdropper have it harder to spot the really important encrypted calls (where people’s lives could be endangered).
• TextSecure to send encrypted messages to your contacts
• Kontalk, a Whatsapp-like messaging app with end-to-end encryption
• Orbot, the TOR client on Android. If your phone is rooted, you also have the possibility to redirect all its traffic through TOR.
• Gibberbot for OTR (off the record) instant messaging through the TOR network.

(to be completed)