
Overview: Encryption is a method used to protect information from unauthorized users. The data is converted from a readable format into an unreadable format called cipher-text. Even if an unauthorized user obtains a copy of this cipher-text, they will not be able to convert it back into readable form. Only authorized users with knowledge of the relevant key (e.g. a password) will be able to convert it back. This document details various encryption techniques and tools used to protect data-at-rest (e.g. files stored on a disk) as well as data-in-transit (e.g. an email), and which is best suited for different use cases.

Full Disk Encryption (FDE)
Full disk encryption (FDE), also known as whole disk encryption, protects all data stored on a hard drive, including the computer's operating system. Access to the disk is permitted after successful authentication with a username and/or password. Once this one-time authentication at login is completed, any file the user wants to access is decrypted on the fly in memory and then presented to the user. This type of encryption provides good protection for lost and stolen devices, since the entire disk remains encrypted until an authorized user provides the password/key to decrypt it. But once the user is logged in, any file can be accessed without further authentication (including by any program running in that session), so FDE protects a device that is powered off, not one that is unlocked. FDE also does not protect files once they leave the disk (e.g. when a file is sent as an email attachment).

FDE should be used together with file/folder encryption (explained in the next section) to effectively secure confidential data. FDE tools can also be used to encrypt USB flash drives.

Microsoft and Apple both include encryption tools in their operating systems for full disk encryption:

• BitLocker — BitLocker is Microsoft's full disk encryption tool and is designed to run on Windows platforms (including Windows 10). It is available on the Pro, Enterprise and Education editions; the Home edition offers only the more limited "Device encryption" feature.

• Apple FileVault 2 — FileVault 2 is designed to run on Mac OS X Lion (10.7) or later.

• VeraCrypt — VeraCrypt is a free, open-source disk encryption tool for Windows, Mac OS X and Linux.

File/Folder Encryption
File/folder encryption protects individual files or folders on a disk. Access is permitted to the file or folder once proper authentication is provided.

Microsoft includes file/folder encryption in the Windows OS and in the MS Office tools. Various other software tools have built-in capabilities for encrypting files (e.g. Adobe Acrobat). Some of these tools are described below:

• Microsoft Encrypting File System (EFS) — The Encrypting File System (EFS) in Windows uses standard cryptographic algorithms to encrypt and decrypt files and folders. Files stored on a shared computer can only be decrypted by the user account that possesses the cryptographic key, so files on a shared computer can be protected from being viewed by other users. Note: EFS-encrypted files are decrypted when sent across a network (and when copied to a non-NTFS volume such as a USB stick), so EFS is not suitable for secure sharing.

• Microsoft Office Encryption — Microsoft Office includes built-in features for encrypting and protecting Office documents, workbooks and presentations. Office documents can be encrypted with a strong password and are suitable for sharing, since the file remains encrypted while in transit. Note that only the "Encrypt with Password" option encrypts the file; the "Protect Sheet", "Protect Structure" and "Restrict Editing" options do not encrypt the contents and can be removed trivially. More information about Microsoft Office encryption is available here.

Note: Microsoft Office applications prior to Office 2010 use password protection features that are not secure.

• 7-Zip — 7-Zip is open-source software used to compress (zip) files, with an optional encryption feature. Files or folders are encrypted with a strong password and are suitable for sharing. Use the 7z archive format with AES-256 and enable "Encrypt file names"; in the .zip format the default ZipCrypto method is weak and the file names inside the archive remain visible.

• Adobe Acrobat — Adobe Acrobat supports encrypting PDF files with a strong password and is suitable for secure sharing.

Note: Adobe Acrobat prior to version 10.0 (Acrobat X) uses password protection features that are not secure.

• OpenOffice Suite — This MS Office alternative provides an option to encrypt a file with a password. This article gives details on encrypting a file in the OpenOffice Writer and Calc tools. Alternatively, steps to password-encrypt and export a file in PDF format are given here.

• LibreOffice — This is another MS Office alternative which provides options to encrypt files with a password. This article provides more details on encrypting files.

Note: When sharing password-encrypted files, the password must be sent to the recipient separately from the file itself, never in the same email. Call, text, or IM the recipient to share the password.
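The formats listed above differ in what "password protected" actually means on the wire, and a file that merely looks protected is the most common failure when attachments are shared. The following pre-send check is an added example written for this guide (it is not part of the original page, nor code from Microsoft, 7-Zip or Adobe). It inspects the container formats discussed in this section using only the Python standard library: for a ZIP archive it confirms that every entry carries the encryption flag and distinguishes AES (method 99) from legacy ZipCrypto; for an Office Open XML document it distinguishes a plain .docx/.xlsx (a ZIP) from a password-encrypted one (a Compound File holding an "EncryptedPackage" stream); for a PDF it reads the /Encrypt dictionary's revision, which separates the pre-Acrobat X schemes from the current AES-256 one. All sample inputs are constructed inline; the ZIP samples are built by hand so that the encryption flag can be set, and their payloads are not really encrypted.

```python
"""Pre-send check: is this attachment really password-encrypted?

Added example for this guide; not code from the guide or from any tool it
names. Standard library only. Sample inputs below are constructed.
"""
import io
import re
import struct
import zipfile
import zlib

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"
WINZIP_AES = 99                                     # method value reserved for AES entries (7-Zip/WinZip)
# A password-encrypted OOXML file is a CFB container with an "EncryptedPackage"
# stream; CFB directory entry names are stored as UTF-16LE.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
PDF_STANDARD = re.compile(rb"/Filter\s*/Standard(.*?)endobj", re.S)
PDF_REVISION = re.compile(rb"/R\s*(\d+)")


def check_zip(data: bytes) -> dict:
    """Every entry must have flag bit 0 set; with method 99 it is AES, otherwise
    it is legacy ZipCrypto. Note that file names stay visible in any .zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if not infos:
        return {"format": "zip", "encrypted": False, "detail": "empty archive"}
    plain = [i.filename for i in infos if not (i.flag_bits & 0x1)]
    if plain:
        return {"format": "zip", "encrypted": False, "detail": "plaintext entries: " + ", ".join(plain)}
    if all(i.compress_type == WINZIP_AES for i in infos):
        return {"format": "zip", "encrypted": True, "detail": "AES (method 99)"}
    return {"format": "zip", "encrypted": True, "detail": "legacy ZipCrypto: weak, re-encrypt with AES"}


def check_office(data: bytes) -> dict:
    if data.startswith(ZIP_MAGIC):
        return {"format": "ooxml", "encrypted": False, "detail": "plain Office Open XML"}
    if data.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE in data:
        return {"format": "ooxml", "encrypted": True, "detail": "Office password encryption (EncryptedPackage)"}
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "encrypted": False,
                "detail": "legacy binary Office format: any password protection uses the pre-2010 scheme"}
    return {"format": "unknown", "encrypted": False, "detail": "not an Office file"}


def check_pdf(data: bytes) -> dict:
    """Look up /R in the standard security handler dictionary. R 2/3 = RC4,
    R 4 = RC4 or AES-128, R 5 = Acrobat 9 AES-256 (weak key check), R 6 = Acrobat X+."""
    if b"/Encrypt" not in data:              # the trailer's /Encrypt key is absent in plain PDFs
        return {"format": "pdf", "encrypted": False, "detail": "no /Encrypt entry"}
    m = PDF_STANDARD.search(data)
    r = PDF_REVISION.search(m.group(1)) if m else None
    rev = int(r.group(1)) if r else 0
    if rev >= 6:
        detail = "AES-256, revision 6 (Acrobat X and later)"
    elif rev == 5:
        detail = "AES-256, revision 5 (Acrobat 9 scheme, weak password check)"
    elif rev == 4:
        detail = "revision 4: AES-128 or RC4 via crypt filters"
    else:
        detail = "revision %d: RC4, weak" % rev
    return {"format": "pdf", "encrypted": True, "revision": rev, "detail": detail}


def check_attachment(name: str, data: bytes) -> dict:
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "zip":
        return check_zip(data)
    if ext in ("docx", "xlsx", "pptx", "doc", "xls", "ppt"):
        return check_office(data)
    if ext == "pdf":
        return check_pdf(data)
    return {"format": ext, "encrypted": False, "detail": "unsupported container, wrap it with 7-Zip first"}


def build_zip(name: bytes, payload: bytes, flags: int, method: int) -> bytes:
    """Constructed single-entry ZIP for the demo: local header, central
    directory and end record. Flag bit 0 marks the entry encrypted; the
    payload itself is left as-is (this is test data, not real encryption)."""
    crc, n, p = zlib.crc32(payload), len(name), len(payload)
    local = ZIP_MAGIC + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0x21, crc, p, p, n, 0) + name + payload
    central = (b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0x21,
                                            crc, p, p, n, 0, 0, 0, 0, 0, 0) + name)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


SAMPLES = {  # constructed inputs, not real documents
    "plain.zip": build_zip(b"report.xlsx", b"not secret", 0, 8),
    "zipcrypto.zip": build_zip(b"report.xlsx", b"x" * 20, 1, 8),
    "aes.zip": build_zip(b"report.xlsx", b"x" * 20, 1, WINZIP_AES),
    "plain.docx": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24 + b"[Content_Types].xml",
    "secret.docx": OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE,
    "plain.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n",
    "secret.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                   b"2 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1 >> endobj\n"
                   b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:14} {check_attachment(fname, blob)}")
```

Run it with a real attachment by calling check_attachment(path, open(path, "rb").read()). The check is deliberately conservative: it refuses anything it cannot classify, since a .7z archive or a legacy .doc cannot be judged from the outer container alone, and it treats a ZipCrypto archive as something to re-encrypt rather than something to send.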

Virtual Disk Encryption
Virtual disk encryption is the process of creating an encrypted container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. Once authenticated, the virtual disk is mounted and accessible. Virtual disk encryption is suitable for creating an encrypted container on your hard drive.

Note: The files are encrypted only while they are stored in the container. Once they are copied out of the container (e.g. attached to an email), they are no longer encrypted.

• VeraCrypt — VeraCrypt is an open-source virtual disk encryption tool for creating encrypted containers for files and folders. A step-by-step guide is available here.

USB Flash Drives, Disks, CD/DVD Encryption
Software tools discussed in earlier sections such as VeraCrypt, BitLocker and FileVault can encrypt the contents of removable media such as USB flash drives, memory cards, etc. Self-encrypting drives are also available, eliminating the need to install additional encryption software. Alternatively, individual files can be encrypted using tools like 7-Zip, Adobe Acrobat or the MS Office suite and then moved to the removable media. When unattended, removable media should be stored in a secured and locked location (e.g. cabinets, lock boxes, etc.) where access is limited to users on a need-to-know basis.

Mobile Device Encryption
It is NOT recommended to use a mobile device to store or transfer confidential data. The major mobile operating systems, Android and iOS, support full device encryption. Make sure you are using some form of device lock (PIN, password, biometric) and that device encryption is enabled. Please visit the device manufacturer's website for details on enabling the security features mentioned above.

Text, IM Encryption
It is recommended to use only trusted Instant Messaging platforms (e.g. Microsoft Teams) which provide encryption in transit.

Email Encryption
To send confidential data as an email attachment, use the built-in file encryption features of Microsoft Office or another file encryption tool such as 7-Zip, and encrypt the file with a password. In this case only the attachment is encrypted: do not put any confidential data in the message body or subject line. Share the corresponding password via text message or a phone call, not in the same email.

Network Traffic
Sharing information over the network (e.g. uploading documents to a website, accessing a website, a remote control session, etc.) can be done securely using encryption. A few recommendations:

• SSH should be used instead of Telnet for remote terminal sessions.

• When accessing sites or uploading files to trusted websites, make sure the communication uses the HTTPS protocol. This can be verified by clicking the lock symbol next to the address bar in most browsers; the URL in the address bar should also start with "https://". The lock only indicates that the connection to that site is encrypted, not that the site itself is trustworthy. Note: Confidential data may only be uploaded and shared in accordance with the classification of the data, and only with trusted and authorized parties and applications.

• Wireless Network Access: On 'Open' and 'Guest' wireless networks (e.g. free wireless provided by coffee shops) the data travels unencrypted over the air (from your device to the wireless Access Point), making it vulnerable to interception. It is recommended to use Northeastern's VPN to encrypt and secure all communication when you are connected to such unsecured networks.

VPN
A Virtual Private Network (VPN) provides secure and encrypted access to Northeastern resources from a remote computer (e.g. from home or from a coffee shop wireless network). Northeastern uses Palo Alto GlobalProtect software as the VPN client. More information on the VPN is available here, and the guide to install the VPN client is available here.

Quick Reference Guide

1. Scenario: I want to email an Excel sheet with sensitive data (e.g. SSN, tax details) to internal or external parties.
   Recommended action: Encrypt the file: open the MS Excel file > go to the "File" tab > Info > select "Protect Workbook" > "Encrypt with Password" > enter a one-time-use password (different from all other accounts). Share the password with the individual recipient through IM (MS Teams) or text/call.

2. Scenario: I want to email multiple documents with sensitive data but I don't want to encrypt the files individually.
   Recommended action: Download and install the 7-Zip tool. Copy the files to a folder and encrypt the folder using 7-Zip (follow this guide). Share the password through IM (MS Teams) or text/call.

3. Scenario: I have to share confidential research data of large size with my team member.
   Recommended action: First, archive and encrypt the data with a password using a tool such as 7-Zip. Use OneDrive to securely upload the data and share it only with the team member. You can also use removable storage media to transfer the encrypted data. Share the password using a different channel (text/call/IM).

4. Scenario: Can I use OneDrive to securely share files with internal users?
   Recommended action: Yes. Follow this guide. Please note that once the file is downloaded it is no longer encrypted. For "High Risk" and "Medium Risk" data, use one of the file/folder encryption tools (e.g. 7-Zip) first and then upload the encrypted file to OneDrive for sharing.

5. Scenario: I want to access NUnet resources from my computer/phone while I am travelling.
   Recommended action: Make sure you are using the GlobalProtect VPN to connect to NUnet network resources.

6. Scenario: I often work on confidential documents which are stored on my laptop in different folders.
   Recommended action: Use BitLocker (Windows) or FileVault 2 (Mac OS) to enable full disk encryption on your laptop. Additionally, you can use the VeraCrypt tool to create a separate encrypted container in which to store all confidential documents (files/folders) securely.