Encryption - Types of encryption and key concepts

This document discusses encryption concepts end users should understand if it is determined that there is a business need for storing restricted or sensitive information on their computer or other portable device or media.

See also Encryption Considerations for general encryption and how to avoid the need for encryption.

Unfortunately, there is no simple answer to the question "how do I encrypt my sensitive data?" There are different ways to encrypt that protect against different events, e.g. loss/theft of a laptop or other computing device, a compromised machine, etc. In addition, each computer operating system (e.g. Windows XP, Windows 7, Mac OS 10.x) has a variety of possible solutions available for each encryption type. Furthermore, an understanding of how each solution protects its encryption keys is needed to ensure appropriate backup of these keys is done, so that encrypted information can be recovered if needed.

Before you encrypt, decide on the following:

  1. the type of encryption you need (document, file/folder, USB drive, full disk) given the operating system you use, and
  2. the approach you will use for backup of encryption keys and associated passwords.

The rest of this document is intended to help you with these decisions. Consult with your local technical support staff, or feel free to call the DoIT help desk if you'd like to talk to someone about what options are available.

Encryption Types

Each type below is described under the same four headings: Description, Key Backup and Recovery, Advantages, and Disadvantages.

Document

  Description: Document encryption encrypts a single file. Generally, when using document encryption you are using the features of the application (e.g. Microsoft Word). Typically this requires you to set and remember a password. Current versions of Microsoft Office and Adobe offer encryption features to help restrict access to files through the use of passwords and encryption. Text-based documents could use WinZip or something similar. This is a type of file-level encryption provided by a particular application and is separate from any operating-system-level encryption options.
  Key Backup and Recovery: The user must set up and remember a password. Loss of the password equates with loss of the document.
  Advantages: Simple to use, if you don't have many documents requiring encryption. Documents will remain encrypted even if they are emailed or moved to a different location.
  Disadvantages: The application must support encryption. The user must remember to password protect every file with sensitive information.

File, Folder or Container

  Description: Folder encryption allows you to encrypt all files in the folder. All files dropped into this folder are then encrypted; files dragged out of the container are unencrypted. Generally, when using file and folder encryption, you are using the features of the operating system. Typically, the operating system shields you from the management of the password by using the password you use to log in to your computer.
  Key Backup and Recovery: Varies depending on the encryption system used.
  Advantages: Simple to use, particularly if you can easily organize those documents that require encryption.
  Disadvantages: Since the OS shields the user from the complexity of encryption, sometimes user actions (e.g. changing passwords, getting a new machine) can result in loss of access to data. Files are only encrypted while in the folder or container. Copying, moving or transmitting the files will decrypt them.

USB

  Description: USB encryption is similar to folder encryption in that all files on the USB drive are encrypted. All files dropped into the container are encrypted; files dragged out of the container are unencrypted. A wide variety of USB encryption mechanisms exist, including using modern operating system features, buying USB devices that are encrypted, and using third-party tools.
  Key Backup and Recovery: Varies depending on the encryption system used.
  Advantages: Simple to use, particularly if you can easily organize those documents that require encryption.
  Disadvantages: Files are only encrypted while on the USB drive. Copying, moving or transmitting the files will decrypt them.

Full disk

  Description: The term full disk encryption (FDE) or whole disk encryption is used to signify that everything on a disk is encrypted. With FDE, data is encrypted automatically when it is stored on the hard disk and decrypted when it is read from the disk. This includes operating system files as well as user documents. Most operating systems do not have true full disk encryption capability, with the exception of Windows 7's BitLocker feature; rather, we use third-party products for full disk encryption.
  Key Backup and Recovery: It is critical to have a password recovery and key escrow process in place, since all data on the machine is at risk should the password be forgotten.
  Advantages: If the device is lost or stolen, there is no question of whether the data is encrypted or not, since everything is encrypted.
  Disadvantages: System failures require understanding FDE recovery processes. Usually undertaken only with IT professional support, since the system boot mechanism is modified.

Backup of encryption keys and associated passwords

  • Encryption is dependent on using strong passwords or passphrases.
  • Passwords or passphrases used must follow the password policy.
  • All encrypted data can be permanently lost if you forget the encryption password (or passphrase).
  • Backups or copies of passwords or encryption keys should be secured. For example, paper or written copies of passwords or keys should be locked in a secure location. Backups of passwords can be kept in secure password vaults, such as Password Safe.
  • If you decide to save them, decryption keys should be locked in a safe location.
  • Forgotten passwords cannot be recovered, so users should use caution about where the passwords are being kept.
  • Store passwords securely, e.g. in a password safe.
  • Users who need to share encrypted documents with others should use a different password than the password used for those documents that are only accessed by the user themselves.
  • Passwords for shared, encrypted documents will need to be given to recipients by phone, not through an insecure method such as email.
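The key escrow idea behind the Full disk row above and the key-backup list (a second, secured copy of the key so that a forgotten passphrase does not mean lost data) can be shown in a few lines. This is an added illustration, not code from the original page or from any product it mentions; AES-256-GCM, PBKDF2-HMAC-SHA256 and the hash-based document layout are assumed choices, and `escrow_key` stands in for a recovery key that support staff would keep locked away.

```ruby
require 'openssl'

# Derive a 32-byte key-encryption key (KEK) from the passphrase; PBKDF2-HMAC-SHA256 is an assumed choice.
def derive_kek(passphrase, salt, iterations = 200_000)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iterations,
                           length: 32, hash: 'sha256')
end

# AES-256-GCM (assumed cipher). Output layout: 12-byte iv || 16-byte tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

# Reverse of seal. A wrong key or a modified blob raises OpenSSL::Cipher::CipherError (GCM tag check).
def open_sealed(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = ''
  c.update(blob[28..-1]) + c.final
end

# Encrypt a document under a fresh random data key (DEK), then wrap that DEK
# twice: once under the passphrase-derived KEK (normal use) and once under an
# escrow key held by support staff (recovery). Either wrap alone yields the DEK.
def encrypt_document(plaintext, passphrase, escrow_key)
  dek  = OpenSSL::Random.random_bytes(32)
  salt = OpenSSL::Random.random_bytes(16)
  { salt: salt,
    dek_by_passphrase: seal(derive_kek(passphrase, salt), dek),
    dek_by_escrow:     seal(escrow_key, dek),
    body:              seal(dek, plaintext) }
end

# Normal path: the user's passphrase unwraps the DEK, and the DEK opens the body.
def decrypt_with_passphrase(doc, passphrase)
  dek = open_sealed(derive_kek(passphrase, doc[:salt]), doc[:dek_by_passphrase])
  open_sealed(dek, doc[:body])
end

# Recovery path: the escrow key unwraps the same DEK without knowing the passphrase.
def decrypt_with_escrow(doc, escrow_key)
  open_sealed(open_sealed(escrow_key, doc[:dek_by_escrow]), doc[:body])
end
```

Without the `dek_by_escrow` wrap, a forgotten passphrase leaves only a GCM tag failure and no way back to the data, which is exactly the loss the list above warns about.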

Other Best Practices

  • Read about the encryption product. Understand how to configure the software, how to back up the keys, and what is encrypted. Some products or encryption techniques do NOT encrypt the files when they are e-mailed or saved to external media.
  • Download encryption software from reputable company Web sites. Software downloaded from disreputable sites may install a backdoor for hackers, adware, spyware or viruses.
  • Do not decrypt a file and store it in a temporary file someplace. If this occurs, be sure to securely wipe/erase the file from disk.
  • Consider setting up a secure folder or disk partition on the computer for storing private data.
  • Properly done (good software, strong password, etc.), encryption is good protection for laptops and portable devices that may get lost or stolen, as well as for other computers.
  • Encryption is not a substitute for other security controls.

See Encryption Tools Matrix for a guide to encryption tools, or Issues to consider before implementing encryption for additional information about encrypting data.

Keywords: encryption encrypt concepts encryptdata@rest
Doc ID: 17489
Owned by: Allen M. in Cybersecurity
Created: 2011-03-27
Updated: 2012-02-15
Sites: DoIT Help Desk, Office of Cybersecurity