Encryption is a useful measure you can apply to protect your data, especially when other data protection methods, such as high-security storage options or de-identification of the data, are not feasible or when multiple protection methods should be applied to the data. The following provides a basic description of a few encryption methods and how they should be applied.

Full Disk Encryption

Full disk encryption (FDE) encrypts the hard drive of your computer. This is important because if your computer is lost or stolen the hard drive can be removed and the information on it can be accessed if it hasn’t been encrypted, even if your computer is password-protected. Anyone working with research data that is stored, even temporarily, on their computer’s local hard drive must ensure that FDE is active.

NB: If you are storing data on YODA you will likely access the data via Cyberduck. This is a program which securely copies data from YODA to your computer. Because a local copy of the data is stored on your computer, you should always have FDE active when using YODA and Cyberduck.

NB2: If your data are stored on Research Drive or SURF Drive and you use the desktop client to sync data to a local file on your computer, you should always have FDE active and you should take additional measures (measures for Research Drive and measures for SURFDrive) to keep the data secure.

  • Windows users: Windows generally uses BitLocker for FDE. BitLocker is installed on all VU green and orange workstations: if these VU computers run Windows 10, BitLocker is already active. If a green or orange workstation runs Windows 7, you need to activate BitLocker yourself. If you have a VU red workstation, ensure that you install and activate BitLocker. If you have to activate BitLocker yourself, make sure to enable the recovery option and keep the recovery key somewhere other than on the encrypted disk itself. Once BitLocker is active the drive stays encrypted at all times: the key that unlocks it is released when the computer starts and you log in, after which files are decrypted and encrypted transparently as they are read and written. Locking the screen does not re-encrypt anything; it only blocks access to the unlocked session, so you must still lock your screen whenever you leave the computer and keep your login password to yourself. Additional protectors can be added on top of your login password (for example a PIN that must be entered before Windows starts), if desired. Contact the IT Service Desk for additional support if the information provided here is insufficient for your purposes.

  • Mac users: MacBooks come with FileVault as FDE software. Go to System Preferences > Security & Privacy to turn on FileVault, and keep the recovery key somewhere safe, not on the MacBook itself. As with BitLocker, the disk stays encrypted at all times: logging in unlocks it and files are decrypted on the fly while you are logged in, and locking the screen does not re-encrypt the disk. Lock your screen whenever you leave the MacBook unattended.
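The guide requires that FDE is active before research data touch a local disk, so it is worth checking rather than assuming. The script below is an added example (not part of this guide and not a VU tool): it asks the platform’s own status tool and prints on, off or unknown. The tool names and the output lines they print (fdesetup status on macOS, lsblk on Linux, manage-bde -status on Windows when run from Git Bash in an elevated prompt) are the real ones; the function names, the on/off/unknown vocabulary and the exit-code convention are this example’s own. On a Windows workstation you can also simply type manage-bde -status C: in an elevated command prompt and look for the line “Protection Status: Protection On”.

```sh
#!/bin/sh
# fde_check.sh - added example, not part of the original guide or of any VU tool.
# Reports whether full-disk encryption is active on this machine:
#   macOS   : FileVault, via `fdesetup status`
#   Linux   : dm-crypt/LUKS, via `lsblk -rno TYPE` (any device of type "crypt")
#   Windows : BitLocker, via `manage-bde -status C:` (Git Bash/MSYS, elevated)
# Each parser takes the tool's output as a string, so it can be exercised on
# constructed output; function names and the on/off/unknown vocabulary are
# this example's own conventions.

# filevault_state "<output of fdesetup status>"  -> on | off | unknown
# "FileVault is On." is also printed while encryption is still in progress,
# so a freshly enabled Mac reports "on" before the whole disk is covered.
filevault_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# bitlocker_state "<output of manage-bde -status C:>"  -> on | off | unknown
# manage-bde prints a "Protection Status:" line; "Protection Off" also covers a
# volume that is encrypted but whose protectors are suspended, which is just as
# unsafe for a lost laptop as an unencrypted disk.
bitlocker_state() {
  if printf '%s\n' "$1" | grep -qi 'Protection Status:.*Protection On'; then
    echo on
  elif printf '%s\n' "$1" | grep -qi 'Protection Status:.*Protection Off'; then
    echo off
  else
    echo unknown
  fi
}

# linux_crypt_state "<output of lsblk -rno TYPE>"  -> on | off
# One device type per line; a "crypt" line means an open dm-crypt mapping.
# This shows that *a* volume is encrypted, not that the one holding your data
# is; confirm the mountpoint with `lsblk -o NAME,TYPE,MOUNTPOINT` yourself.
linux_crypt_state() {
  if printf '%s\n' "$1" | grep -qx 'crypt'; then echo on; else echo off; fi
}

# check_fde: pick the tool for this platform, print a verdict, and return
# non-zero unless FDE is on, so a data-handling script can refuse to proceed.
check_fde() {
  os=$(uname -s 2>/dev/null || echo unknown)
  case "$os" in
    Darwin)               state=$(filevault_state "$(fdesetup status 2>/dev/null)") ;;
    Linux)                state=$(linux_crypt_state "$(lsblk -rno TYPE 2>/dev/null)") ;;
    MINGW*|MSYS*|CYGWIN*) state=$(bitlocker_state "$(manage-bde -status C: 2>/dev/null)") ;;
    *)                    state=unknown ;;
  esac
  echo "full-disk encryption: $state ($os)"
  [ "$state" = on ]
}

# Run the check only when executed as fde_check.sh; sourcing the file (for
# example to reuse the parsers) just defines the functions.
case "$0" in *fde_check.sh) check_fde ;; esac
```

Run it as sh fde_check.sh; a non-zero exit means the disk is not (fully) protected and research data should not be copied to it yet.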

Filesystem-level Encryption

Filesystem-level encryption (FLE) encrypts individual files or entire folders. There are many different types of FLE software and, unfortunately, VU IT does not provide support for these encryption tools. Many are free and fairly easy to use, however. If you work on a green or orange workstation you will need help from the IT Service Desk to install most of these tools. Also, if the encrypted files and folders need to be accessed on more than one computer, every one of those computers needs to have the same software installed to decrypt the files or folders.

  • Cryptomator: Cryptomator is a fairly easy encryption tool to use that is available for Windows, MacOS, Linux, Android and iOS. With Cryptomator, you create “vaults” within which the files and folders that you want to protect are stored. It’s your best option if you want to encrypt an entire folder that is stored on SURF Drive or Research Drive because it’s built to work well with cloud-based storage. It also works well with Cyberduck, which is the primary program used to access data stored in YODA.
    • Follow this guide to set up Cryptomator in Cyberduck if you are using Cyberduck to connect to YODA.
      • NB: When you unlock the Cryptomator vault via Cyberduck, the default setting is to save the vault password. If you save it, it is stored in your operating system’s keychain and you won’t be prompted for it again on that device unless you delete it from the keychain. It is still important to keep the vault password in a password manager, because you may need to share it with a collaborator or it may get deleted from the keychain. Be aware that saving the password in your keychain means the vault is effectively always open while you are logged in to your computer. Therefore, always lock your screen when you are away from your computer and never share login credentials. Alternatively, never save the password and enter it each time you open the Cryptomator vault.
    • If you use SURFdrive or Research Drive, Cryptomator can only unlock a vault that is present as files on your local disk, i.e. the copy that the SURF Drive or Research Drive desktop application syncs; a vault that only exists in the web interface cannot be opened.
      • If you are using Cryptomator with the SURF Drive or Research Drive desktop application, the changes you make to files or folders in your vault sometimes don’t appear to sync with your Drive. If that happens, simply restart the SURF Drive or Research Drive desktop application.
      • If you share an encrypted vault with a user who does not have access to the SURF Drive or Research Drive desktop application, it isn’t immediately apparent how to decrypt the vault. The other user will need to have Cryptomator installed. They will need to download the encrypted vault you have shared with them, which appears as a .tar-file. They should store this .tar-file in an appropriate location on their computer and extract it. They can then go to the Cryptomator app and select “Open an existing vault” by pressing the + sign. This opens a dialogue box that allows them to select the extracted folder from the location they stored it in. They will see a file called “masterkey.cryptomator”, which they should select. This adds the vault to their Cryptomator app and they can then open it with the password you have provided over a separate, secure channel (never in the same message as the vault itself).
  • VeraCrypt: VeraCrypt is a bit more complex than Cryptomator to use, but it’s also a good encryption tool if you need to encrypt several files simultaneously in one folder. It is available for Windows, MacOS and Linux. This page provides extensive instructions on how to set up a basic “container” within which you will store all of the files and folders that need to be encrypted. It doesn’t work as well with cloud-based storage (SURF Drive and Research Drive): the container is a single large file, so every change inside it makes the sync client upload the whole container again, VeraCrypt by default preserves the container’s modification time so the sync client may not notice the change at all, and if two people have the same container mounted at once their writes corrupt it. It should therefore only be used on your local computer or for portable media which doesn’t have built-in encryption capabilities.
  • AES Crypt: AES Crypt can be used on Windows, MacOS and Linux systems; you can either install the easy to use graphical user interface (GUI) or, if you are familiar with the command line, the console version. AES Crypt allows you to encrypt individual files by simply right-clicking on the file and choosing a password; the encrypted copy is written next to the original with .aes appended to the name.
    • AES Crypt creates a new, encrypted copy of your file and leaves the original in place, and every time you decrypt the .aes file it creates a new unencrypted copy. If you only opened the file to view its contents, delete the unencrypted copy after use. If you updated the unencrypted file, encrypt the updated version and overwrite the old encrypted file; otherwise the .aes copy silently falls behind the file it is supposed to protect.
    • MacOS users don’t automatically have the right-click option for encrypting and decrypting, and the use of the GUI app isn’t immediately clear. You can either install the “Extension to Enable Right-Clicking”, so that when you right-click on a file you see an option to encrypt or decrypt, or you drag the file you want to encrypt or decrypt onto the icon of the AES Crypt app. The app itself does not open.
  • 7-Zip Encryption: the 7-Zip application runs only on Windows and may already be installed on your Windows workstation (the 7z format itself can be opened on other systems with 7-Zip’s command-line ports, but the steps below assume the Windows application). You can technically access it from a MacOS or Linux workstation via the virtual Windows 10 green workspace, but this should only be done if none of the above options are feasible for you.
    • When you want to create an encrypted file or folder, right-click, go to 7-Zip and select “Add to archive”; a dialogue box opens where you can enter a password. Choose the 7z archive format with the AES-256 encryption method and tick “Encrypt file names”; otherwise the names of the files inside the archive remain readable without the password. Avoid the legacy ZipCrypto method offered for zip archives, which is weak. If you don’t add a password, a 7z file will still be created, but anyone will be able to open it.
    • When you want to open an encrypted file or folder, right-click, go to 7-Zip and select “Extract files”; a dialogue box opens where you can enter the password.
    • As with AES Crypt, 7-Zip creates a new, encrypted copy of your file or folder and leaves the original in place, and every time you extract the archive it creates an unencrypted copy. If you only opened the file to view its contents, delete the unencrypted copy after use. If you updated the unencrypted file, encrypt the updated version and overwrite the old archive.
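Both AES Crypt and 7-Zip leave the plaintext next to the encrypted copy, so the two mistakes to guard against are an unencrypted copy left behind and an encrypted copy that is older than the file it was made from. The script below is an added example, not part of this guide, of AES Crypt or of 7-Zip: stale_report scans a folder for such pairs (file.aes by default, or file.7z and folder.7z when the second argument is 7z) and reencrypt refreshes one file’s .aes copy with the AES Crypt console program and then removes the plaintext. The function names and the report format are this example’s own; the aescrypt options it uses (-e, -o) are the console program’s real ones.

```sh
#!/bin/sh
# stale_copies.sh - added example, not part of the original guide, of AES Crypt
# or of 7-Zip.  Both tools write the encrypted copy next to the plaintext, so
# this script finds the two things the guide warns about:
#   PLAINTEXT <path>  an unencrypted copy still sits next to its encrypted copy
#   STALE <path>      the plaintext was edited after the encrypted copy was made
# Function names and report format are this example's own; the aescrypt
# options used in reencrypt are the console program's real ones.

# stale_report DIR [EXT]  (EXT defaults to aes; use 7z for 7-Zip archives)
# Lists every DIR/**/x.EXT that still has a sibling x (a file or a folder).
stale_report() {
  dir=$1
  ext=${2:-aes}
  find "$dir" -type f -name "*.$ext" | sort | while IFS= read -r enc; do
    plain=${enc%."$ext"}
    [ -e "$plain" ] || continue            # plaintext already removed: fine
    if [ -d "$plain" ]; then
      # A folder's own mtime only changes when entries are added or removed,
      # so look for any file inside it modified after the archive was written.
      if find "$plain" -type f -newer "$enc" | grep -q .; then
        echo "STALE $plain"
      else
        echo "PLAINTEXT $plain"
      fi
    elif [ "$plain" -nt "$enc" ]; then
      echo "STALE $plain"
    else
      echo "PLAINTEXT $plain"
    fi
  done
}

# reencrypt FILE: replace FILE.aes with a fresh encryption of FILE, then
# remove the plaintext.  aescrypt prompts for the passphrase when -p is
# omitted; passing it with -p would leave it in shell history and `ps` output.
# rm does not scrub the blocks the plaintext occupied; that is one reason the
# guide requires FDE on the local disk as well.
reencrypt() {
  f=$1
  command -v aescrypt >/dev/null 2>&1 || { echo "aescrypt not installed" >&2; return 2; }
  aescrypt -e -o "$f.aes.tmp" "$f" || return 1
  mv -f "$f.aes.tmp" "$f.aes"            # atomically replace the old copy
  rm -f "$f"
}

# Usage: sh stale_copies.sh ~/research        (AES Crypt .aes files)
#        sh stale_copies.sh ~/research 7z     (7-Zip archives)
case "$0" in *stale_copies.sh) stale_report "${1:-.}" "${2:-aes}" ;; esac
```

A STALE line means the encrypted copy no longer matches the data and must be re-created before the plaintext is deleted; a PLAINTEXT line means the encrypted copy is current and only the clean-up step was forgotten.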

Encrypted Portable Media

Information on encrypted portable media can be found in the guide on Secure Physical Data Transport.

Passwords

Set strong passwords when encrypting your media. For further information on strong passwords, review the Security Basics.

Long-term encryption

Encryption standards change over time because, as computers become more powerful, it becomes easier to break older encryption methods. If encrypted files will be stored for long periods of time, it is important to re-assess regularly whether the algorithm, key length and password used still meet current standards. Updates are necessary whenever an encryption standard has been cracked or has been shown to be vulnerable. Updating means decrypting the files with the old password, re-encrypting them with a tool that meets the current standard and a fresh password, and then destroying the old encrypted copies; record the new password wherever the old one was recorded. The IT Service Desk can help with this assessment.

It is also important to make a plan for the long-term management of the decryption keys, i.e. the passwords of your vaults, containers and encrypted files: an encrypted archive whose password has been lost is unreadable no matter how carefully the files themselves were preserved. This is particularly important when archived data need to be encrypted. Within FGB, data will usually be archived in YODA. When you archive your data in YODA, your best plan is to contact the YODA administrators to give them a copy of the decryption key. Then print a copy of the decryption key and archive this in your department’s paper archive.