Encryption is a useful measure you can apply to protect your data,
especially when other data protection methods, such as high-security storage options or de-identification of
the data, are not feasible or when multiple protection methods should be
applied to the data. The following provides a basic description of a few
encryption methods and how they should be applied.
Full Disk Encryption
Full disk encryption (FDE) encrypts the hard drive of your computer.
This is important because if your computer is lost or stolen the hard
drive can be removed and the information on it can be accessed if it
hasn’t been encrypted, even if your computer is password-protected.
Anyone working with research data that is stored, even temporarily, on
their computer’s local hard drive must ensure that FDE is active.
NB: If you are storing data on YODA you will likely access the data via Cyberduck. This is a program which securely copies
data from YODA to your computer. Because a local copy of the data is
stored on your computer, you should always have FDE active when using
YODA and Cyberduck.
NB2: If your data are stored on Research Drive or SURF Drive and you use the desktop client to sync data to a local file on your
computer, you should always have FDE active and you should take
additional measures (measures for Research Drive and measures for SURFDrive) to keep
the data secure.
Windows users: Windows generally uses BitLocker for FDE.
BitLocker is installed on all VU green and orange workstations: if
these VU computers are running Windows 10, then BitLocker is already
active. If a green or orange workstation runs Windows 7, you need to
activate BitLocker yourself. If you have a VU red workstation, make sure
that you install and activate BitLocker. If you have to activate
BitLocker yourself, make sure to enable the recovery option. Once
BitLocker is active, it will decrypt the hard drive every time you
log in to your computer and re-encrypt it when you lock your computer.
Additional security options can be added on top of your password, if
desired. Contact the IT
Service Desk for additional support if the information provided here
is insufficient for your purposes.
Mac users: MacBooks come with FileVault installed as FDE
software. Simply go to System Preferences > Security &
Privacy to turn on FileVault. Make sure to keep the recovery key
somewhere safe. Whenever you log in to your MacBook it will decrypt
the hard drive, and the hard drive will be re-encrypted when you lock
your MacBook.
Filesystem-level Encryption
Filesystem-level encryption (FLE) encrypts individual files or entire
folders. There are many different types of FLE software and,
unfortunately, VU IT does not provide support for these encryption
tools. Many are free and fairly easy to use, however. Unfortunately, if
you work on a green or orange workstation you will need to get help from
the IT Service Desk
to install most of these encryption tools. Also, if the encrypted files
and folders need to be accessed on more than one computer, then every
computer needs to have the software installed to be able to decrypt
the files/folders.
- Cryptomator:
Cryptomator is a fairly easy encryption tool to use that is available
for Windows, MacOS, Linux, Android and iOS. With Cryptomator, you create
“vaults” within which the files and folders that you want to protect are
stored. It’s your best option if you want to encrypt an entire folder
that is stored on SURF Drive or Research Drive because it’s built to
work well with cloud-based storage. It also works well with Cyberduck,
which is the primary program used to access data stored in YODA.
- Follow this guide to set up Cryptomator in Cyberduck if you are
using Cyberduck to connect to YODA.
- NB: When you unlock the Cryptomator vault via Cyberduck, the
default setting is to save the decryption password. If you save this
password, it will be stored in your operating system’s keychain. You
won’t be prompted again on your device to enter the password unless you
delete it from your keychain. It’s still important to save the
decryption password in a password manager, because you may need to share the
password with a collaborator or it may get deleted from the keychain.
Be aware that if you opt to save the decryption password in
your keychain, the vault is essentially always open while
you are logged into your computer. Therefore, always lock your screen
when you are away from your computer and never share login credentials.
Alternatively, you can simply never save the password and always enter
it when you need to open the Cryptomator vault.
- If you use SURFdrive or Research Drive, Cryptomator vaults can
only be unlocked if you sync your encrypted files to the SURF Drive or Research Drive desktop application.
- If you are using Cryptomator with the SURF Drive or Research
Drive desktop application, the changes you make to files or folders in
your vault sometimes don’t appear to sync with your Drive. If that
happens, simply restart the SURF Drive or Research Drive desktop
application.
- If you share an encrypted vault with a user who does not have
access to the SURF Drive or Research Drive desktop application, it isn’t
immediately apparent how to decrypt the vault. The other user will
need to have Cryptomator installed. They will need to download the
encrypted file you have shared with them, which appears as a .tar-file.
They should store this .tar-file in an appropriate location on their
computer and unzip it. They can then go to the Cryptomator app and
select “Open an existing vault” by pressing the + sign. This will open a
dialogue box that allows them to select the unzipped .tar-file from the
location that they stored it in. They will see a file called
“masterkey.cryptomator”, which they should select. This will add the
vault to their Cryptomator app and they can then open the vault with the
password you’ve securely provided.
- VeraCrypt: VeraCrypt is a bit more complex than
Cryptomator to use, but it’s also a good encryption tool if you need to
encrypt several files simultaneously in one folder. It is available for
Windows, MacOS and Linux. This page provides extensive instructions on how to set
up a basic “container” within which you will store all of the files and
folders that need to be encrypted. It doesn’t work quite as well with
cloud-based storage (SURF Drive and Research Drive), so it should only
be used on your local computer or for portable media that doesn’t have
built-in encryption capabilities.
- AES Crypt: AES Crypt can be used on Windows, MacOS and Linux systems;
you can either install the easy-to-use graphical user interface (GUI) or,
if you are familiar with the command line, you can install the console
version. AES Crypt allows you to easily encrypt individual files by
simply right-clicking on the file and choosing a password.
- AES Crypt will create a new copy of your file in an encrypted
form, and every time you decrypt that file, it will create a new
unencrypted copy. If you are only opening the file to view its
contents, make sure to delete the unencrypted copy after use. If you
update the unencrypted file, make sure to encrypt this updated version
and overwrite the old encrypted file.
- MacOS users don’t automatically have the right-click option for
encrypting and decrypting, and the use of the GUI app isn’t
immediately clear. You can either install the “Extension to Enable
Right-Clicking”, so that when you right-click on a file you see an
option to encrypt or decrypt, or you just drag the file you want to
encrypt/decrypt onto the icon for the AES Crypt app. The app itself
does not open.
- 7Zip Encryption: 7Zip encryption only runs on Windows; it may already be
installed on your Windows workstation. You can technically access it
from a MacOS or Linux workstation via the virtual Windows 10 green
workspace, but this should only be done if none of the above options are
feasible for you.
- When you want to create an encrypted file or folder,
right-click, go to 7ZIP and select “Add to archive”; a dialogue box will
open where you can enter a password; if you don’t add a password, a 7ZIP
file will still be created, but anyone will be able to open the
file.
- When you want to open an encrypted file or folder, right-click, go
to 7ZIP and select “Extract file”; a dialogue box will open where you
can enter the password.
- As with AES Crypt, 7ZIP will create a new copy of your file in
an encrypted form, and every time you decrypt that file, it will
create an unencrypted copy. If you are only opening the file to view
its contents, make sure to delete the unencrypted copy after use. If
you update the unencrypted file, make sure to encrypt this updated
version and overwrite the old encrypted file.
Passwords
Set strong passwords when encrypting your media. For further
information on strong passwords, review the Security
Basics.
Long-term encryption
Encryption standards change over time because, as computers become
more powerful, it becomes easier to break older encryption methods. If
encrypted files will be stored for long periods of time, it is important
to re-assess regularly whether the encryption used still meets current
standards. Updates are necessary whenever an encryption standard has
been cracked or has been shown to be vulnerable. The IT Service Desk can
help with this assessment.
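One practical check for two of the points above (the unencrypted copy that AES Crypt and 7ZIP leave behind after decryption, and knowing which encryption format and version each archived file uses before re-assessing it), as an added example that is not part of the original guide: the format markers (the "AES" header and version byte of AES Crypt files, the 7z signature, the masterkey.cryptomator file of a Cryptomator vault) and the sample file tree are assumptions constructed for this example, and only AES Crypt leftovers are matched by name.

```python
# Added example (not from the original guide): label each archived file by its
# encryption format and flag plaintext copies AES Crypt leaves beside the .aes file.
# Assumed markers: AES Crypt files start with b"AES" + version byte, 7-Zip archives
# with the 7z signature, Cryptomator vaults hold a masterkey.cryptomator JSON file.
import json
import os
import tempfile
AESCRYPT_MAGIC = b"AES"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

def identify(path):
    """Label one file by its header (or name); anything unrecognised is 'plaintext'."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(AESCRYPT_MAGIC) and len(head) > 3:
        return "aescrypt-v%d" % head[3]  # format version byte follows "AES"
    if head.startswith(SEVENZIP_MAGIC):
        return "7zip"  # the signature cannot tell whether a password was set
    if os.path.basename(path) == "masterkey.cryptomator":
        with open(path, "rb") as fh:
            return "cryptomator-vault-v%s" % json.load(fh).get("version", "?")
    return "plaintext"

def inventory(root):
    """Map every file below root (relative, '/'-separated) to its format label."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = identify(full)
    return dict(sorted(result.items()))

def leftover_plaintext(inv):
    """NAME for every NAME.aes whose unencrypted NAME still sits beside it."""
    return sorted(n[:-4] for n, fmt in inv.items()
                  if fmt.startswith("aescrypt") and inv.get(n[:-4]) == "plaintext")

def sample_tree():
    """Constructed sample: an .aes file, its leftover copy, a 7z archive and a vault."""
    root = tempfile.mkdtemp()
    files = {"report.docx.aes": AESCRYPT_MAGIC + b"\x02\x00" + b"\x00" * 16,
             "report.docx": b"PK\x03\x04 unencrypted copy left after decryption",
             "data.7z": SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 16,
             "vault/masterkey.cryptomator": json.dumps({"version": 8}).encode()}
    for name, body in files.items():
        full = os.path.join(root, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root
```

Run `inventory()` on the folder you are about to archive and treat every name returned by `leftover_plaintext()` as a copy to delete or re-encrypt before the folder leaves your computer.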
It is also important to make a plan for the long-term management of
the decryption keys. This is particularly important when archived
data need to be encrypted. Within FGB, data will usually be archived in
YODA. When you archive your data in YODA, your best
plan is to contact the YODA administrators to give them a copy of the
decryption key. Then print a copy of the decryption key and
archive this in your department’s paper archive.