Encryption is a useful measure for protecting your data, especially when other protection methods, such as high-security storage or de-identification of the data, are not feasible, or when several protection methods should be layered. The following gives a basic description of a few encryption methods and how they should be applied.
Full Disk Encryption
Full disk encryption (FDE) encrypts the entire hard drive of your computer. This matters because if your computer is lost or stolen, the hard drive can be removed and its contents read unless it has been encrypted, even if your computer is password-protected. Anyone who stores research data, even temporarily, on their computer's local hard drive should ensure that FDE is active.
NB: Most users of the VU cloud-based storage solutions, Research Drive and SURFdrive, use the desktop client to sync data to their local hard drive. If this applies to you, you should always have FDE active, and you should take additional steps to keep the data secure.
Windows users: Windows generally uses BitLocker for FDE. BitLocker is installed on all VU green and orange workstations: if such a VU computer runs Windows 10, BitLocker is already active. If a green or orange workstation runs Windows 7, you need to activate BitLocker yourself. If you have a VU red workstation, ensure that you install and activate BitLocker. If you have to activate BitLocker yourself, make sure to enable the recovery option. Once BitLocker is activated, it decrypts the hard drive every time you log in to your computer and re-encrypts it when you lock your computer. Additional security options can be added on top of your password, if desired. Contact the IT Service Desk for additional support if the information provided here is insufficient for your purposes.
Mac users: MacBooks come with FileVault installed as FDE software. Go to System Preferences > Security & Privacy to turn on FileVault, and keep the recovery key somewhere safe. Whenever you log in to your MacBook it decrypts the hard drive, and the hard drive is re-encrypted when you lock your MacBook.
Additional information on these FDE options can be found on VUnet.
Filesystem-level Encryption
Filesystem-level encryption (FLE) encrypts individual files or entire folders. There are many different types of FLE software; unfortunately, VU IT does not provide support for these encryption tools. Many are free and fairly easy to use, however. If you work on a green or orange workstation, you will need to ask the IT Service Desk (email@example.com) to install most of these encryption tools. Also, if the encrypted files and folders need to be accessed on more than one computer, every computer needs to have the software installed to be able to decrypt the files/folders.
- Cryptomator: Cryptomator is a fairly easy encryption tool to use, available for Windows, MacOS, Linux, Android and iOS. With Cryptomator, you create "vaults" within which the files and folders that you want to protect are stored. It is your best option if you want to encrypt an entire folder stored on SURF Drive or Research Drive, because it is built to work well with cloud-based storage.
- Note that Cryptomator only works if you sync your encrypted files to the desktop application for SURF Drive or Research Drive.
- If you are using Cryptomator with the SURF Drive or Research Drive desktop application, sometimes the changes you make to files or folders in your vault don’t appear to sync with your Drive. If that happens, just restart the SURF Drive or Research Drive desktop application.
- If you share an encrypted vault with a user who does not have access to the desktop application, it isn't immediately apparent how to decrypt the vault. The other user will need to have Cryptomator installed. They will need to download the encrypted vault, which appears as a .tar file; they should store this .tar file in an appropriate location on their computer and unzip it. They can then go to the Cryptomator app and select "Open an existing vault" by pressing the + sign. This opens a dialogue box that allows them to select the unzipped .tar file from the location they stored it in; there they will see a file called "masterkey.cryptomator", which they should select. This adds the vault to their Cryptomator app, and they can then open it with the password you have provided via other means (such as an SMS).
- VeraCrypt: VeraCrypt is a bit more complex than Cryptomator to use, but it is also a good encryption tool if you need to encrypt several files simultaneously in one folder. It is available for Windows, MacOS and Linux. This page provides extensive instructions on how to set up a basic "container" within which you will store all of the files and folders that need to be encrypted. It doesn't work quite as well with cloud-based storage (i.e. SURF Drive and Research Drive), so it should only be used on your local computer or for portable media that doesn't have built-in encryption capabilities.
- AES Crypt: AES Crypt can be used on Windows, MacOS and Linux systems; you can either install the easy-to-use graphical user interface (GUI) or, if you are familiar with the command line, install the console version. AES Crypt allows you to encrypt individual files by simply right-clicking on the file and choosing a password.
- AES Crypt creates a new copy of your file in encrypted form, and every time you decrypt that file, it creates a new unencrypted copy. If you are only opening the file to view its contents, make sure to delete the unencrypted copy after use. If you update the unencrypted file, make sure to encrypt this updated version and overwrite the old encrypted file.
- MacOS users don't automatically have the right-click option for encrypting and decrypting, and the use of the GUI app isn't immediately clear. You can either install the "Extension to Enable Right-Clicking", so that when you right-click on a file you see an option to encrypt or decrypt, or you simply drag the file you want to encrypt/decrypt onto the icon for the AES Crypt app. The app itself does not open.
- 7-Zip Encryption: 7-Zip encryption only runs on Windows; it may already be installed on your Windows workstation. You can technically access it from a MacOS or Linux workstation via Citrix in the Windows 10 green workspace, but this should only be done if none of the above options are feasible for you.
- When you want to create an encrypted file or folder, right-click, go to 7-Zip and select "Add to archive"; a dialogue box opens where you can enter a password. If you don't add a password, a 7-Zip file will still be created, but anyone will be able to open it.
- When you want to open an encrypted file or folder, right-click, go to 7-Zip and select "Extract file"; a dialogue box opens where you can enter the password.
- As with AES Crypt, 7-Zip creates a new copy of your file in encrypted form, and every time you decrypt that file, it creates an unencrypted copy. If you are only opening the file to view its contents, make sure to delete the unencrypted copy after use. If you update the unencrypted file, make sure to encrypt this updated version and overwrite the old encrypted file.
Set strong passwords when encrypting your media. For further information on strong passwords, review the Security Basics.
Encryption standards change over time because, as computers become more powerful, it becomes easier to break older encryption methods. If encrypted files will be stored for long periods of time, it is important to re-assess regularly whether the encryption used still meets current standards. If data will be encrypted and stored for more than 5 years, you should ensure that someone on your research team will monitor whether your encryption methods should be updated. Updates are necessary whenever an encryption standard has been cracked or has been shown to be vulnerable. The IT Service Desk can help with this assessment.
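The periodic re-assessment described above is easier if you know which tool, and which format version, produced each stored file. As an added example (not part of this guide and not a VU tool), the Python script below walks a folder, recognises AES Crypt, 7-Zip and Cryptomator artefacts by their magic bytes or key file, and flags anything below a minimum version you set; the magic values, the masterkey.cryptomator "version" field and the minimum-version table are assumptions taken from the tools' public format descriptions.

```python
import json
from pathlib import Path

# Assumed from public format descriptions (added example, not VU tooling):
# - AES Crypt files start with b"AES", then a one-byte format version (0, 1 or 2).
# - 7-Zip archives start with the six-byte signature 37 7A BC AF 27 1C.
# - A Cryptomator vault contains masterkey.cryptomator, a JSON file with a "version" field.
AESCRYPT_MAGIC = b"AES"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
CRYPTOMATOR_KEYFILE = "masterkey.cryptomator"


def classify(name, head):
    """Return (tool, version) for a file from its name and leading bytes; (None, None) if unknown."""
    if name == CRYPTOMATOR_KEYFILE:
        try:
            return ("Cryptomator", int(json.loads(head)["version"]))
        except (ValueError, KeyError, TypeError):
            return ("Cryptomator", None)  # unreadable key file: review by hand
    if len(head) >= 4 and head.startswith(AESCRYPT_MAGIC):
        return ("AES Crypt", head[3])
    if head.startswith(SEVENZIP_MAGIC):
        # The signature alone cannot tell whether the archive is password-protected,
        # so 7-Zip files always get a manual check.
        return ("7-Zip", None)
    return (None, None)


def needs_review(tool, version, minimum):
    """True when the version is unknown or below the minimum set for that tool."""
    if version is None:
        return True
    return tool in minimum and version < minimum[tool]


def scan(root, minimum):
    """Inventory recognised encrypted artefacts under root and flag those needing review."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # key files are small; magic bytes sit at the start
        tool, version = classify(path.name, head)
        if tool is None:
            continue
        findings.append({"path": str(path), "tool": tool, "version": version,
                         "needs_review": needs_review(tool, version, minimum)})
    return findings


if __name__ == "__main__":
    # Constructed policy: treat AES Crypt format < 2 and Cryptomator vault format < 8 as due for review.
    for f in scan(".", {"AES Crypt": 2, "Cryptomator": 8}):
        print(f)
```

Run it from the top of the folder that holds your encrypted research data; the printed rows with needs_review set to True are the ones to raise with the IT Service Desk.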