Encryption Manager, Version 4.5.1

Help

Features

Encryption Manager is a file manager that offers a comfortable and secure way to keep files with confidential data encrypted. It uses AES or Twofish encryption. A master password is used to access the application and to encrypt the encryption keys, which are generated randomly for each file.

The user interface of Encryption Manager works like a favourites list: confidential files are accessible directly in a list after the login. With one click on a file, the file is decrypted to its original folder on the phone memory or SD card (the folder is created if it doesn't exist anymore) and can be shown by the installed viewer or editor app. When you are finished with the unencrypted copy, the file can be deleted or re-encrypted either automatically or with a single click. The unencrypted file is always wiped from the SD card.

This wipe process will overwrite the data with random bytes before the file is deleted. So even if the device is lost or stolen, it is not possible to access your confidential data with a "disk recovery tool".
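The overwrite-then-delete step described above can be sketched as follows; this is an added example, not the app's own code, and the function names and the sample file are constructed for illustration. It assumes the file system rewrites blocks in place; flash wear-levelling or copy-on-write file systems may keep older copies of the blocks that this code cannot reach.

```python
import os
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB blocks to bound memory use


def overwrite_with_random(path):
    """Overwrite the file's bytes in place with random data; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    # "r+b" reuses the existing allocation instead of truncating the file first
    with open(path, "r+b") as fh:
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(os.urandom(n))
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # push the random data to the device before deleting
    return written


def wipe(path):
    """Overwrite the content with random bytes, then delete the file."""
    written = overwrite_with_random(path)
    os.remove(path)
    return written


def demo():
    """Constructed sample: a temp file holding a marker string is wiped."""
    secret = b"CONSTRUCTED-SECRET " * 10000  # sample data, not from the page
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    overwrite_with_random(path)
    with open(path, "rb") as fh:
        after = fh.read()  # what a recovery tool would find in these blocks
    survived = b"CONSTRUCTED-SECRET" in after
    wiped = wipe(path)
    return len(secret), len(after), survived, wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```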

Managing new files with Encryption Manager is very simple and can be done in two ways:

User Interface

Files and folders are displayed in lists. A single click on a file opens the viewer that is defined for this file's extension. A single click on a folder opens the folder. A long press on a file or folder opens a context menu. This is important for putting files under management or removing them from management: this feature is available only from the context menu.

Since version 2.70 there is a mode for selecting multiple files. In this mode a clicked file is not opened, but selected (yellow background). The operations encrypt and decrypt can be applied to the whole list of selected files. If you want to select a range of files, click on the first file and then open the context menu for the last file and select "Select range".

Master Password

The master password is your central key to secure all file encryption keys. Although the app requires only a minimum length of 6 characters for the master password, it is highly recommended to use longer passwords (12 or more when using numeric characters and 10 or more when using alphanumeric characters). Keep the chosen master password safe. If you cannot remember your password, all encrypted file data is lost!

Icons

The icons on the right side of the list of managed files show you the state of each file:

Storage

Encryption Manager stores all management data (file names, encrypted encryption keys, ...) in a SQLite database on the internal storage of the device. The encrypted files themselves are stored on the same file system where the original file was, but in a hidden directory, which is created for each file system. Since version 4.0 of the app, the location can be changed by the user. Most devices have exactly one such file system for the phone memory. In older Android versions this was /mnt/sdcard; in newer versions the names of the internal and external memory depend on the device. Typical other file system names are e.g.:

For each file system the folder name for the encrypted files is either .encmanfull or Android/data/com.giraone.encmanfull/encrypted (only on external SD cards under Android 4.4 due to the restricted file permissions for non-system apps on these devices).

Please send an email to info@giraone.com if an SD card is not recognized correctly.

Please note that Encryption Manager can be used to encrypt and decrypt data on removable storage (external SD card, USB storage), but the application has to be restarted to recognize new storage media if the storage was added while the app was already running.

Very important: Please do not manipulate the files in the hidden .encmanfull directory!

Storage Access Framework in Android 4 (KitKat) and 5 (Lollipop)

Since Android 4 (KitKat), non-system apps like Encryption Manager can no longer write to the external SD card as they could before Android 4. It is only possible to write to a single folder on the SD card: the app's data folder. For Encryption Manager this is

Therefore, if you have to delete files from the external SD card that you want to encrypt, you have to use the Android file manager! Since version 4.5.1 of Encryption Manager it is possible to have write access to the external SD card again. To do this, Encryption Manager uses the Storage Access Framework (SAF) of Android, but this has to be enabled explicitly by the user. The first time you try to delete or write a file on the external SD card using Encryption Manager, a confirmation screen of SAF is shown, where you have to allow Encryption Manager access to the root folder of the external SD card. Encryption Manager will then remember your decision and you can write to the external SD card again, as was possible before Android 4. If you want to revoke your decision, use the corresponding option in the app's preferences.

Backup / Restore

Encryption Manager creates an individual encryption key for each file, and this key is stored in a database, encrypted with the master password. This database always resides on the internal storage, regardless of whether the encrypted files are on the internal storage or on external storage (external SD card). If the database is lost, e.g. because of a factory reset, a major operating system update or because the app was removed, the encrypted files cannot be decrypted anymore! To prevent this, the app offers the possibility to back up the keys and the necessary data (file name, folder name, modification date, ...) to the file system in so-called key files. This can be done manually from the backup/restore screen or automatically (there is a preference for this). These key files are also kept in the .encmanfull storage directories, where the encrypted files reside.

If your Encryption Manager database was lost or you want to move encrypted files from one device to another, you can restore every managed file using the encrypted file itself (name ending in .ecmfl) plus the corresponding key file (name ending in .ecmbc). When you use the restore function, the app will automatically detect whether there are encrypted files and key files for which there is no entry in the database. Don't be confused if you re-create all key files and then try to restore them: the app will show you the message "No files that are not yet managed have been found". This simply means that the data in the storage folder and the data in the database are identical and nothing has to be restored.

Important notes:

Handling of Images and Videos

With version 2.0 of Encryption Manager, support for images and videos was added. From a security perspective, images and videos need special consideration compared to other files. The reason for this is the generation of so-called "thumbnail" pictures that are used in "gallery" apps. When an image file is encrypted and the original file is deleted, there might still be copies as thumbnails.

Note: The added features strongly depend on the type of gallery app that is used. Most Android vendors come with their own gallery implementations and not all of them work as they should. There are also some image browsers that use their own proprietary thumbnail cache directory. Encryption Manager cannot delete these copies when images are encrypted!

Encryption Manager uses the following functions to combine security and usability:

Note for users of HTC devices: Unfortunately the HTC gallery app sometimes returns a wrong thumbnail, so please display images before you delete them - the displayed thumbnail may be wrong!

Anti File Recovery

Normally, when a file is deleted by an app, only an internal reference is removed. The content of the file is still available on the storage (internal or removable SD card, USB storage) and it can be restored by file recovery tools like Recuva. To prevent somebody from doing this on your lost or stolen phone, Encryption Manager has a feature named "Anti File Recovery". With this function, you can select one of your storage paths and Encryption Manager will overwrite all free memory with random data. By doing this, the content of deleted files will be wiped. Important: Overwriting all free memory might take a very long time, and while the memory is being overwritten it is not available for other apps or the system itself. In certain cases this might cause failures in other running apps or in the Android system itself. Therefore you can choose an amount of space that is left free. When the overwriting process is finished or was stopped with the "Stop" button, all free memory is released again for use. If the process was stopped with the "Pause" button, the memory overwritten so far is still occupied. If for any reason not all memory is released, delete the folder named ".encmanfull/_fill".

Encryption Algorithms

Encryption Manager offers 3 encryption variants and 2 key lengths. For technical details concerning the algorithms and so-called "block modes" (ECB and CBC) please study the related Wikipedia content.

How secure is Encryption Manager?

To answer this question, one has to look at the different scenarios that may occur:

If the attacker has access only to the encrypted files (scenario 1a and 2), extreme computing power and years of time are needed to get the keys for decrypting the files using brute-force methods. Each file is encrypted with a different 128 or 256 bit random key that is not predictable.

If the attacker has both the phone and the SD card (3), or has access to the SD card and is able to run code on the phone with root privileges (1b), he may also read the database entries. In this case, he has access to the file names and to each encryption key, which is encrypted with your master password. Security then depends on the length and complexity of your master password. Please do not use passwords that exist in word lists, or numbers that can easily be derived, like a date of birth. We recommend using master passwords with at least 12 numeric digits or 10 characters, which is a good compromise between security and comfort.

Defining Filters

The application is shipped with a pre-defined set of filters, which covers most of the common office formats. The pre-defined filters cannot be changed, but they can be deactivated. You can also define your own filters. For this you need to know the file extensions of the files you want to include or the directory names of the folders that should be excluded.

Exit

The EXIT menu of Encryption Manager finishes the app completely. This behaviour can be changed using a preference, but it is recommended to keep the default. It prevents malware from having the possibility to use memory dumps or memory debugging, after Encryption Manager was used.

Inactivity

If the app was put into the background for more than 5 minutes, the start screen will be displayed when the app is resumed. This means you have to enter the master password to unlock the safe. The value for this inactivity timeout can be changed in the preferences screen.

Credits and Copyright

This app uses Open Source components of the following project:

Features

If you have suggestions to improve the app, please mail your opinion to info@giraone.com.

Online Version of this manual

http://www.giraone.com/help/EncryptionManager/help.html

Liability

The supplier of this software will not be liable to you for any damage or loss of data. You should always keep a backup of your files on a second medium (e.g. your PC).




Copyright giraone.com