Enabling Data Protection in iOS 4

For all of my friends and readers with existing iPhone/iPod Touch hardware, today is an exciting day: iOS 4 is now available via iTunes. But before you go rushing to update your phone, let me give you one small piece of advice:
Apple has done a great job bringing some of the enterprise security features (complex passcodes, wipe on 10 failures, etc) to regular users as part of the upgrade. One of the new features in iOS 4 that has been underreported on is called “Data Protection“. From my understanding, Data Protection is meant to correct some of the issues with the original hardware encryption method introduced last year on the 3GS and 3rd Gen iPod Touch. It also provides developers with better APIs for encrypting your data, so that if you’re carrying around your financial data or health information, you can get an additional level of security. Additionally, there’s no discernible performance hit.
Sounds great, right? There’s a tiny catch: if you’re upgrading from iOS 3, the filesystem needs to be rebuilt from scratch to enable this feature. So if you have an iPhone 3GS or iPod Touch 3rd Gen, you need to do a backup-factory restore-data restore installation of iOS 4. To break this into discrete steps:

  1. Plug in your iPhone.
  2. Let it backup through iTunes.
  3. Rather than clicking “Upgrade”, click “Restore”.
  4. Let iTunes download the installer and do a complete restore.
  5. When the installation is done, iTunes will prompt you about restoring from the backup you just took. Do so.
  6. Wait the somewhat lengthy amount of time as all your data is put back onto your phone.

You can confirm this has been done by going to Preferences -> General -> Passcode Lock and scrolling to the very bottom, where you should see “Data Protection is enabled.”
That’s it. You will need to set a passcode to get the benefit of this (but you should have that anyhow); iPhone 4 users will automatically have this out of the box. You are certainly allowed to just do a regular upgrade, but you won’t get data protection (and if you’re in an enterprise, know that configuration profiles can check against this as a pre-requisite.) And for those on earlier hardware – sorry, you lack the hardware chip to do the encryption.
Developers who are interested in the technical details or in leveraging Data Protection should check out Session 209, “Securing Application Data”, in the WWDC 10 videos.
Enjoy the upgrade.