Tuesday, July 26, 2011

Encrypting Stored Data

Encryption is the conversion of data into a form, called ciphertext, that cannot be read by anyone who does not hold the key. Decryption is the reverse process: converting the ciphertext back into its original, readable form.

Before turning to encryption software, ask whether it is really necessary to store confidential or private data on the computer or mobile computing device (e.g., PDA or USB flash drive) at all, and consult with your local technical support staff. If you do need to store private data, encrypt it to reduce the risk of unauthorized disclosure if the device is lost, stolen or compromised. For laptops, data encryption is only one of the steps required by the University's policy, Securing Private Data, Computers & Other Electronic Devices.

A variety of encryption software is available for the common operating systems. Some products encrypt the entire hard disk; others encrypt specific files or folders, or create an encrypted container that is mounted as a virtual drive. Some operating systems, such as Microsoft Windows and Apple Mac OS X, include built-in encryption that only needs to be turned on. Encryption products from third-party vendors are also readily available, and some are free.

No matter which product you choose, keep the following in mind:

Consult with your local technical support staff.
Read the product's documentation. Understand how to configure the software, where the keys are stored and exactly what is encrypted. Some products (Windows EFS, for example) protect files only while they sit on the encrypted disk; a copy that is e-mailed or saved to external media is NOT encrypted.
Encryption is only as strong as the password or passphrase that protects the key. Use a long passphrase that is not reused anywhere else.
Download encryption software only from the vendor's own or another reputable Web site. Software from untrusted sources may carry a backdoor for hackers, adware, spyware or viruses.
If you forget the encryption password or passphrase, the encrypted data is permanently lost; there is no recovery without the key. If you write the passphrase down or keep a recovery key, lock it in a safe location separate from the device.
Do not decrypt a file into a temporary location and leave the plaintext there. If you must, securely wipe (overwrite and erase) the temporary file when you are done, and remember that overwriting is not reliable on solid-state drives or journaling file systems.
Consider setting up a dedicated encrypted folder or disk partition on the computer for private data, so that everything sensitive lives in one protected place.
Done properly (good software, a strong passphrase, keys kept safe), encryption is good protection for laptops and portable devices that may be lost or stolen, and for other computers as well. It does not protect data while the device is unlocked and in use.

Below are options for the various operating systems and media: Windows, Macintosh, Unix and USB flash drives.

For full disk encryption at the University, the products in use, in rough order by number of users, are CheckPoint (PointSec), Sophos (Utimaco), Microsoft BitLocker and TrueCrypt.
Windows

Below are some products used within the University by some departments. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.
Product | Windows Platforms | Options | Website | Notes
Windows Encrypting File System (EFS) | 7, Vista, XP | Built into the Windows operating system | http://support.microsoft.com/kb/223316/EN-US/ | File and folder encryption. See Required Steps for EFS. Files e-mailed or saved to external media are NOT encrypted (the copy is decrypted on the way out). Back up the user's EFS certificate and private key, or designate a recovery agent: if the profile is lost, or a local account's password is reset by an administrator, the files cannot be read otherwise.
Windows BitLocker | 7, Vista | Built into the Windows operating system (Ultimate and Enterprise editions) | http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx | Full disk encryption. Keep the recovery key somewhere safe (it can be escrowed to Active Directory); without it the drive cannot be unlocked if the TPM or the boot configuration changes.
CheckPoint FDE (formerly called PointSec) | N/A | Purchase, under state contract | http://www.checkpoint.com/products/datasecurity/index.html | Full disk encryption. State Contract (for University-owned computers): http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html
Sophos SafeGuard Easy/Utimaco | 7, Vista, XP | Purchase | http://www.sophos.com/products/enterprise/encryption/safeguard-easy/ | Full disk encryption
Macintosh

Below are some products used within the University by some departments. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.
Product | Macintosh Platforms | Options | Website | Notes
Mac FileVault | Mac OS X or higher | Built into the Macintosh operating system | http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1877.html | Encrypts the user's home folder
CheckPoint FDE (formerly called PointSec) | N/A | Purchase, under state contract | http://www.checkpoint.com/products/datasecurity/index.html | Full disk encryption. State Contract (for University-owned computers): http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html

Mac OS X includes native 128-bit (AES) encryption, called FileVault, which encrypts the contents of a user's home folder. It is not whole-disk encryption: files kept outside the home folder, or copied out of it, are not protected.

Note: An administrator can set a computer-wide master password as a safeguard for users who forget their login password. Because the master password can unlock every user's FileVault home folder on that computer, guard it at least as carefully as the login passwords it backs up.
Unix

Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.
Product | Platforms | Options | Website | Notes
CheckPoint FDE (formerly called PointSec) | Linux (Red Hat, SuSE, openSUSE) | Purchase, under state contract | http://www.checkpoint.com/products/datasecurity/index.html | Full disk encryption. State Contract (for University-owned computers): http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html
USB Flash Drives

USB flash drives are available with encryption to protect the contents. As with all software, periodically check the vendor web site for security patches or updates that must be applied.
Product | Options | Website | Notes
DataTraveler-PE (Privacy Edition) | Purchase | http://www.kingston.com/flash/DataTravelers_gov.asp | The drive holds only an encrypted partition, so the first thing the user sees is the password prompt. After ten failed password attempts the drive locks, and the only option left is a utility that erases all data and sets the drive up again; users need to know this before they rely on it. Minimum password length is 6 characters and complexity is enforced.
IronKey Basic | Purchase | https://www.ironkey.com/basic | All versions have a "read-only" check-box the user can select before plugging into an untrusted presentation computer (e.g. at a conference), which protects the drive against autorun viruses from that computer. The Enterprise version lets an administrator enforce all of the options, at a higher cost. After ten failed password attempts the drive locks permanently and is useless (there is no reset). Minimum password length is 4 characters.
DataTraveler BlackBox | Purchase | http://www.kingston.com/flash/DataTravelers_gov.asp | Hardware-based encryption; works without administrative rights on the host computer.
Kanguru Defender | Purchase | https://www.kanguru.com/index.php/flash-drives/secure-storage/ | Hardware-based encryption; works without administrative rights on the host computer.


Other Tools Available

These are not as commonly used at the University as the others listed above. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.
Windows
Product | Windows Platforms | Options | Website | Notes
TrueCrypt | 7, Vista, XP | Free | http://www.truecrypt.org/ | Full disk (system) encryption, encryption of a partition, or an encrypted container file mounted as a virtual drive
GNU Privacy Guard (GnuPG, a free implementation of the OpenPGP standard) | XP | Free | http://www.gnupg.org/ | File encryption; archive a folder first to encrypt it as one file. With the Windows Privacy Tray (WinPT) front end for GnuPG, encryption, decryption and file shredding are available from the system tray. See http://www.gpg4win.org/.
PGP commercial | 7, Vista, XP | Purchase | http://www.pgp.com/products/desktop/index.html | File, folder, whole disk or virtual disk encryption. Includes a feature to securely wipe or shred individual files. A mature, widely used product, but more complex to set up than the others.
SecureZip | 7, Vista, XP | Free trial, Purchase | http://www.pkware.com/software-data-security/windows-file-encryption | File and folder encryption.
Macintosh
Product | Macintosh Platforms | Options | Website | Notes
TrueCrypt | Mac OS X | Free | http://www.truecrypt.org/ | Encrypted partitions and container files mounted as virtual drives (TrueCrypt's boot/system disk encryption is Windows only)
Mac GNU Privacy Guard | Mac OS X 10.2 or higher | Free | http://macgpg.sourceforge.net/ | File encryption; archive a folder first to encrypt it as one file
PGP commercial | Mac OS X 10.5 or higher | Purchase | http://www.pgp.com/products/desktop/index.html | File, folder, whole disk or virtual disk encryption. Includes a feature to securely wipe or shred individual files. A mature, widely used product, but more complex to set up than the others.
Unix
Product | Platforms | Options | Website | Notes
TrueCrypt | Linux | Free | http://www.truecrypt.org/ | Encrypted partitions and container files mounted as virtual drives (TrueCrypt's boot/system disk encryption is Windows only)
GNU Privacy Guard (GnuPG, a free implementation of the OpenPGP standard) | Unix, Linux | Free | http://www.gnupg.org/ | File encryption; archive a folder (e.g. with tar) to encrypt it as one file
SecureZip | Unix, Linux | Free trial, Purchase | http://www.pkware.com/software-data-security/windows-file-encryption | File and folder encryption
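The reminders near the top of this page (encrypt before the data lands on disk, never leave a decrypted copy lying around, wipe whatever you do decrypt, and accept that a lost passphrase means lost data) and the GNU Privacy Guard entries in the Windows and Unix tables together describe one procedure. The script below carries that procedure out as an added example; it is not code from the original page or from the GnuPG project. It assumes gpg (GnuPG 2.1 or later) and tar are installed and uses shred from GNU coreutils when present; the directory names, sample file and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the original page or from the GnuPG project.
# Encrypts a folder with GnuPG under a passphrase, restores it into a scratch
# directory for use, and removes the plaintext afterwards. Assumes gpg (GnuPG
# 2.1 or later) and tar are installed; shred (GNU coreutils) is used when
# present. All paths, the sample file and the passphrase are constructed.

# Keep GnuPG's state (and the gpg-agent it starts) in a private scratch home,
# so the example leaves nothing behind in the user's ~/.gnupg.
setup_gnupg_home() {
    GNUPGHOME="$1/gnupg"
    mkdir -m 700 -p "$GNUPGHOME"
    export GNUPGHOME
}

# encrypt_folder SRC_DIR OUT_FILE PASSPHRASE
# tar streams straight into gpg, so no plaintext archive is ever written to
# disk. AES-256 with a salted, iterated S2K (key stretching) makes each
# passphrase guess expensive, but the result is only as strong as the
# passphrase. It is passed on file descriptor 3, not on the command line,
# where other users could read it from the process list.
encrypt_folder() {
    src="$1"; out="$2"; pass="$3"
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" |
    gpg --batch --yes --quiet --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --pinentry-mode loopback --passphrase-fd 3 --output "$out" 3<<EOF
$pass
EOF
}

# decrypt_folder ARCHIVE DEST_DIR PASSPHRASE
# Unpacks into DEST_DIR (created mode 700). A wrong or forgotten passphrase
# simply fails; there is no recovery path, which is why the passphrase must
# be kept somewhere safe.
decrypt_folder() {
    archive="$1"; dest="$2"; pass="$3"
    mkdir -m 700 -p "$dest" || return 1
    status="$dest/.gpg-status"
    # A pipeline reports only tar's exit status, so record gpg's separately.
    { gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
          --decrypt "$archive" 3<<EOF; echo $? >"$status"; } | tar -C "$dest" -xf -
$pass
EOF
    tar_rc=$?
    gpg_rc=$(cat "$status"); rm -f "$status"
    [ "$gpg_rc" -eq 0 ] && [ "$tar_rc" -eq 0 ]
}

# wipe_folder DIR
# Removes the decrypted scratch copy. shred overwrites each file before
# unlinking it, which helps on a plain magnetic disk but is NOT reliable on
# SSDs, journaling or copy-on-write filesystems, or where snapshots or backups
# exist; there, decrypt into a RAM-backed tmpfs or an encrypted volume instead.
wipe_folder() {
    dir="$1"
    [ -d "$dir" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        find "$dir" -type f -exec shred -u -- {} +
    else
        echo "warning: shred not found; plaintext under $dir may be recoverable" >&2
    fi
    rm -rf -- "$dir"
}

# roundtrip_check
# Encrypts a constructed sample folder, wipes the original, restores it from
# the archive, checks the restored file matches, and confirms that a wrong
# passphrase is rejected. Returns 0 only if every step behaves as expected.
roundtrip_check() {
    work="$(mktemp -d)" || return 1
    setup_gnupg_home "$work"
    mkdir -p "$work/private"
    printf 'constructed sample: student id 000-00-0000\n' >"$work/private/records.txt"
    before="$(cksum <"$work/private/records.txt")"
    rt_pass='correct horse battery staple'    # constructed sample passphrase
    ok=1
    encrypt_folder "$work/private" "$work/private.tar.gpg" "$rt_pass" || ok=0
    wipe_folder "$work/private"
    [ "$ok" -eq 1 ] && { decrypt_folder "$work/private.tar.gpg" "$work/scratch" "$rt_pass" || ok=0; }
    if [ "$ok" -eq 1 ]; then
        after="$(cksum <"$work/scratch/private/records.txt")"
        [ "$after" = "$before" ] || ok=0
    fi
    # Restart the agent so no cached key can mask a wrong passphrase.
    gpgconf --kill gpg-agent 2>/dev/null
    if decrypt_folder "$work/private.tar.gpg" "$work/scratch2" 'wrong passphrase' 2>/dev/null; then
        ok=0
    fi
    wipe_folder "$work/scratch"; wipe_folder "$work/scratch2"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf -- "$work"
    [ "$ok" -eq 1 ]
}

# Usage: sh encrypt_folder.sh --demo   (the script name is an assumption)
case "${1:-}" in --demo) roundtrip_check && echo "round trip OK" ;; esac
```

Run it with `sh encrypt_folder.sh --demo` to see the full round trip. In real use, call encrypt_folder and decrypt_folder from your own scripts, and decrypt into a tmpfs or an encrypted volume rather than trusting shred on an SSD; the wrong-passphrase step in roundtrip_check is there to make the point that nothing short of the right passphrase opens the archive.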
USB Flash Drives

Third party encryption software is available to encrypt data on USB flash drives. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.
Product | Options | Website | Notes
CheckPoint FDE (formerly called PointSec) | Purchase, under state contract | http://www.checkpoint.com/products/datasecurity/index.html | State Contract (for University-owned computers): http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html
PGP Commercial | Purchase | http://www.pgp.com/products/desktop/index.html | N/A
Sophos SafeGuard Easy/Utimaco | Purchase | http://www.sophos.com/products/enterprise/encryption/safeguard-easy/ | N/A
TrueCrypt | Free | http://www.truecrypt.org/ | Encrypts the whole drive or holds an encrypted container file on it. Unlike the hardware-encrypted drives listed above, TrueCrypt must be present, with administrative rights to mount the volume, on every computer where the drive is used.