Why Device Lock PIN/Password must be configured with Windows Mobile 6.1 Device Encryption

It is a well know fact that a lot of enteprise IT pros require data encryption for mobile devices.  The Windows Mobile operating system has included support for the Data Protection API (DPAPI) since Windows Mobile 2003.  And DPAPI forms the basis for Windows Mobile file encryption used with removable storage cards (Windows Mobile 6.0) and main memory (Windows Mobile 6.1). 

DPAPI provides easy-to-use functions for encryption and decryption.  A number of applications use DPAPI.  The thing that makes DPAPI easy to use for developers is that they don’t have to wite all the key generation and key management code that typically goes with any encryption solution.  DPAPI uses a master key that is stored in the memory of the device.  When an application calls DPAPI, the same master key is used to generate symmetric keys for all encryption and decryption operations.  In this way, the application does not have to generate or manage the encryption key used.  For a thorough description of DPAPI see the MSDN article covering Windows Data Protection

Of course, this begs the question, “How is the master key protected?” Read the rest of this entry »