Encryption - Types of encryption and key concepts

This document discusses encryption concepts end users should understand if it is determined that there is a business need for storing restricted or sensitive information on their computer or other portable device or media.

See also Encryption Considerations for general encryption guidance and for how to avoid the need for encryption.

Unfortunately, there is no simple answer to the question "how do I encrypt my sensitive data?"  There are different ways to encrypt that protect against different events, e.g. loss/theft of a laptop or other computing device, a compromised machine, etc.  In addition, each computer operating system (e.g. Windows XP, Windows 7, Mac OS 10.x) has a variety of possible solutions available for each encryption type.  Furthermore, you need to understand how each solution protects its encryption keys, so that those keys are backed up appropriately and encrypted information can be recovered if needed.

Before you encrypt, decide on the following:

  1. the type of encryption you need (document, file/folder, USB drive, full disk) given the operating system you use, and
  2. the approach you will use for backup of encryption keys and associated passwords.

The rest of this document is intended to help you with these decisions.  Consult with your local technical support staff or feel free to call the DoIT help desk if you'd like to talk to someone about what options are available.

Encryption Types

Each encryption type below is described under four headings: Description, Key Backup and Recovery, Advantages, and Disadvantages.

Document

  Description: Document encryption encrypts a single file.  Generally, when using document encryption you are using the features of the application (e.g. Microsoft Word).  Typically this requires you to set and remember a password.  Current versions of Microsoft Office and Adobe offer encryption features to help restrict access to files through the use of passwords and encryption.  Text-based documents could use WinZip or something similar.  This is a type of file-level encryption provided by a particular application and is separate from any operating system-level encryption options.
  Key Backup and Recovery: User must set up and remember a password.  Loss of the password equates with loss of the document.
  Advantages:
    - Simple to use, if you don't have many documents requiring encryption.
    - Documents will remain encrypted even if they are emailed or moved to a different location.
  Disadvantages:
    - Application must support encryption.
    - User must remember to password protect every file with sensitive information.

File, Folder or Container

  Description: Folder encryption allows you to encrypt all files in the folder.  All files dropped into this folder are then encrypted; files dragged out of the container are unencrypted.  Generally, when using file and folder encryption, you are using the features of the operating system.  Typically, the operating system shields you from the management of the password by using the password you use to log in to your computer.
  Key Backup and Recovery: Varies depending on the encryption system used.
  Advantages:
    - Simple to use, particularly if you can easily organize those documents that require encryption.
  Disadvantages:
    - Since the OS shields the user from the complexity of encryption, sometimes user actions (e.g. changing passwords, getting a new machine) can result in loss of access to data.
    - Files are only encrypted while in the folder or container.  Copying, moving or transmitting the files will decrypt them.

USB

  Description: USB encryption is similar to folder encryption in that all files on the USB drive are encrypted.  All files dropped into the container are encrypted; files dragged out of the container are unencrypted.  A wide variety of USB encryption mechanisms exist, including using modern operating system features, buying USB devices that are encrypted, and using third-party tools.
  Key Backup and Recovery: Varies depending on the encryption system used.
  Advantages:
    - Simple to use, particularly if you can easily organize those documents that require encryption.
  Disadvantages:
    - Files are only encrypted while on the USB drive.  Copying, moving or transmitting the files will decrypt them.

Full disk

  Description: The term full disk encryption (FDE) or whole disk encryption is used to signify that everything on a disk is encrypted.  With FDE, data is encrypted automatically when it is stored on the hard disk and decrypted when it is read from the disk.  This includes operating system files as well as user documents.  Most operating systems do not have true full disk encryption capability, with the exception of Windows 7's BitLocker feature; rather, we use third-party products for full disk encryption.
  Key Backup and Recovery: Critical to have a password recovery and key escrow process in place, since all data on the machine is at risk should the password be forgotten.
  Advantages:
    - If the device is lost or stolen, there is no question of whether the data is encrypted or not, since everything is encrypted.
  Disadvantages:
    - System failures require understanding FDE recovery processes.
    - Usually undertaken only with IT professional support, since the system boot mechanism is modified.
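The table makes two points about keys that are easy to conflate: with document encryption, losing the password means losing the document, while full disk encryption is only safe to deploy when a key escrow process exists. The following is an added example, not code from the original article or from any product it names, showing the key hierarchy that makes escrow possible. The document body is encrypted under a random data-encryption key (DEK); the DEK is then wrapped twice, once under a key derived from the user's password and once under an escrow key held by support staff, so either party can recover the DEK. The names (`seal`, `unseal`, `encrypt_document`, `decrypt_with_escrow`), the sample text and the escrow key are all constructed for this illustration, and the HMAC-based cipher is a standard-library stand-in so the example runs anywhere; the structure, not the cipher, is the point.

```python
"""Added example: password-wrapped and escrow-wrapped copies of one document key.

Constructed for illustration; not from the original article. The cipher used here
(HMAC-SHA256 counter-mode keystream plus an HMAC tag) is a stdlib-only stand-in.
A real tool would use AES-GCM or similar from a vetted library; only the
key-management structure is the point.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Stretch a user password into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustrative PRF stream)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def encrypt_document(plaintext: bytes, password: bytes, escrow_key: bytes) -> dict:
    """Encrypt under a fresh DEK, then wrap that DEK for the user and for escrow."""
    dek = os.urandom(32)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "dek_for_user": seal(derive_kek(password, salt), dek),
        "dek_for_escrow": seal(escrow_key, dek),
        "body": seal(dek, plaintext),
    }


def decrypt_with_password(doc: dict, password: bytes) -> bytes:
    """Normal path: the user's password unwraps the DEK, the DEK opens the body."""
    dek = unseal(derive_kek(password, doc["salt"]), doc["dek_for_user"])
    return unseal(dek, doc["body"])


def decrypt_with_escrow(doc: dict, escrow_key: bytes) -> bytes:
    """Recovery path: support staff unwrap the same DEK with the escrow key."""
    dek = unseal(escrow_key, doc["dek_for_escrow"])
    return unseal(dek, doc["body"])


def demo() -> dict:
    """Constructed scenario: a forgotten password is recoverable only via escrow."""
    escrow_key = os.urandom(32)  # constructed; in practice held and backed up by IT
    secret = b"Constructed sample: restricted project notes"
    doc = encrypt_document(secret, b"correct horse", escrow_key)
    try:
        decrypt_with_password(doc, b"wrong guess")
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True
    return {
        "user_recovers": decrypt_with_password(doc, b"correct horse") == secret,
        "escrow_recovers": decrypt_with_escrow(doc, escrow_key) == secret,
        "wrong_password_rejected": wrong_password_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Without the `dek_for_escrow` entry this is exactly the document-encryption situation in the table: a forgotten password leaves nothing that can open the body. With it, recovery depends on the escrow key being backed up separately from the device, which is the process the Full disk row says must exist before FDE is rolled out.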

Backup of encryption keys and associated passwords

Other Best Practices
See Encryption Tools Matrix for a guide to encryption tools, or Issues to consider before implementing encryption for additional information about encrypting data.