Complete Guide to Device Encryption - Protecting Data on Smartphones and PCs

What happens to the data on your smartphone or laptop if you lose it? With device encryption enabled, stored data remains protected in an unreadable state even if the device falls into someone else's hands. Without encryption, simply removing the storage and connecting it to another device makes all data - photos, emails, passwords, financial information - viewable. This article explains the mechanisms and configuration of iOS/Android storage encryption, Windows BitLocker, and macOS FileVault, providing a practical guide to reliably protecting your data when devices are lost.

Smartphone Storage Encryption

iOS Encryption Architecture

All iPhones and iPads have storage encryption enabled by default since iOS 8. Apple's hardware security module (Secure Enclave) generates and manages device-unique encryption keys, encrypting the entire storage with AES-256. The user-set passcode (or Face ID / Touch ID) functions as part of the encryption key, making data decryption impossible without the passcode. This design means even Apple itself cannot access data on a locked iPhone.

The key to maximizing iOS encryption is passcode strength. A 4-digit numeric passcode offers low resistance to brute force attacks, so set at least 6 digits, ideally a custom alphanumeric passcode. Also, enabling the "Erase Data" option (Settings > Face ID & Passcode) automatically erases device data after 10 incorrect passcode attempts. Always enable remote wipe via "Find My iPhone" for lost device scenarios.

Android Encryption Settings

On Android, file-based encryption (FBE) is enabled by default on devices running Android 10 and later. Unlike iOS's approach, FBE encrypts each file with a different key. This allows some functions like alarms and call notifications to work while the device is locked, while personal data remains protected. However, devices running Android 9 or earlier, and some budget models, may have encryption disabled. Check the current status in Settings > Security > Encryption and enable it if disabled.

PC Disk Encryption

Windows BitLocker Setup and Operation

Windows BitLocker is a full-disk encryption feature available in Pro, Enterprise, and Education editions. It works with the TPM (Trusted Platform Module) chip to automatically decrypt the drive at startup, so it doesn't affect daily usage. Enable it from Settings > Privacy & Security > Device encryption. Even if a laptop with BitLocker enabled is lost, reading the drive contents without correct login credentials is virtually impossible.

The most critical aspect when enabling BitLocker is safely storing the recovery key. The recovery key is a 48-digit number needed when the TPM detects anomalies or hardware changes occur. Automatic saving to a Microsoft account is the easiest method, but carries risk if the Microsoft account itself is compromised. We recommend redundancy through multiple methods - saving to a USB drive stored in a safe, printing on paper kept in a secure location, etc. Note that losing the recovery key means even you cannot access your data.
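As an added example (not code from the original article), the following PowerShell script audits every BitLocker volume, including removable drives protected with BitLocker To Go, and makes sure each one has a recovery password protector that is written to an offline location. The backup directory `E:\BitLockerRecovery` is a placeholder for a USB drive you keep in a safe; the `-BackupToMicrosoftAccount` switch assumes the device is joined to Entra ID (Azure AD).

```powershell
# Added example, not part of the original article. Requires the BitLocker module
# (Windows Pro/Enterprise/Education) and an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = 'E:\BitLockerRecovery',  # placeholder: offline USB drive, never the encrypted disk itself
    [switch]$BackupToMicrosoftAccount              # also escrow to Entra ID (assumes an Entra-joined device)
)

Import-Module BitLocker -ErrorAction Stop

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    Write-Host "`n[$mp] $($vol.VolumeType) protection=$($vol.ProtectionStatus) method=$($vol.EncryptionMethod) $($vol.EncryptionPercentage)%"

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$mp is not encrypted. Enable BitLocker (BitLocker To Go for removable drives) before storing data on it."
        continue
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Suspended protection leaves the volume key in the clear on disk until resumed.
        Write-Warning "$mp protection is suspended; run: Resume-BitLocker -MountPoint $mp"
    }

    # A TPM protector handles daily unlocks; the 48-digit recovery password is what
    # gets you back in after a firmware update or motherboard replacement.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$mp has no recovery password protector; adding one."
        $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # First copy: plain-text file on the offline backup drive (the article's USB-in-a-safe method).
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir ("BitLocker-{0}-{1}.txt" -f $mp.TrimEnd(':\'), $p.KeyProtectorId.Trim('{}'))
        "Volume: $mp`nKey protector ID: $($p.KeyProtectorId)`nRecovery password: $($p.RecoveryPassword)" |
            Set-Content -Path $file
        Write-Host "  recovery password saved to $file"

        if ($BackupToMicrosoftAccount) {
            # Second copy: escrow the same protector to the account, giving the redundancy the article recommends.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
        }
    }
}
```

Run it again after any firmware or hardware change: if the TPM measurements changed, the drive will already have prompted for this recovery password, and you want to confirm the backed-up copy still matches the protector on the volume.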

macOS FileVault Setup

macOS FileVault encrypts the entire Mac storage with XTS-AES-128. On Macs with Apple Silicon (M1 and later), hardware-level encryption is always active, and FileVault serves to tie that encryption to the user's login password. Enable FileVault from System Settings > Privacy & Security > FileVault. The initial encryption process runs in the background, so you can continue normal work.

FileVault offers two recovery methods: iCloud account recovery and a recovery key (24 alphanumeric characters). Choosing iCloud recovery lets you unlock the disk with your Apple ID password, but carries risk if the Apple ID is compromised. Choosing a recovery key requires storing that key safely. Either way, managing the recovery credential properly is the core of encryption-at-rest key management and is essential.

How Encryption Works and Protection When Lost

Why Encryption Protects Data

Encrypted storage appears as nothing but meaningless data without the correct key (passcode, password, biometric authentication). Even if an attacker physically removes the storage and connects it to another computer, they cannot decrypt the encrypted data. Breaking modern AES-256 encryption through brute force would require more time than the age of the universe even with current supercomputers. In other words, properly encrypted devices maintain data security even when physically stolen.

However, encryption is only effective when the device is locked. If the device is stolen while unlocked (e.g., a laptop taken while you step away at a cafe), encryption provides no protection. Therefore, setting a short auto-lock time (1-2 minutes), building a habit of manually locking when stepping away (Windows: Win+L, macOS: Ctrl+Cmd+Q), and setting a strong login password are just as important as encryption. Encryption is the "last line of defense" - it is only fully effective when combined with daily security habits.

Encrypting External Drives and Backups

Don't forget to encrypt external HDDs/SSDs and backup data in addition to the device itself. Create Time Machine backups with the encryption option enabled, and apply BitLocker To Go to Windows backup drives. Taking backups to unencrypted external drives means data can leak via backups regardless of how well the main device is encrypted. When using cloud backups, verify the service provides encryption at rest.

For portable encrypted storage, encrypted external SSDs provide hardware-level protection for data on the go.
