myU OneStop


What's Inside

Resources

Encrypting Stored Data

Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people.  Decryption is the process of converting encrypted data back into its original form, so it can be understood.

Before using encryption programs, evaluate if it is absolutely necessary to store confidential or private data on this computer or mobile computing device (e.g., PDA or USB flash drive). Consult with your local technical support staff.  If you need to store private data, take steps to encrypt the data to help prevent unauthorized disclosure of private data. For laptops, data encryption is just one of the required steps in the University's Securing Private Data Standard.

There is a variety of encryption software available for common operating systems. Some software encrypts the entire hard disk, while others have an option to encrypt specific files or folders on the hard disk. Some operating systems, such as Microsoft Windows and Apple Macintosh have an option to turn on the operating systems built-in encryption software. There are also some readily available data encryption products from third party vendors. Some are even free.

No matter what product you choose, here are some important reminders:

  • Consult with your local technical support staff.
  • Read about the encryption product.  Understand how to configure the software, where to store the keys and what is  encrypted.  Some products do NOT encrypt the files when they are e-mailed or saved to external media. 
  • Encryption is dependent on using strong passwords or passphrases.
  • Download encryption software from reputable company Web sites. Some encryption products may install a backdoor for hackers, adware, spyware or viruses.
  • All encrypted data can be permanently lost if you forget the encryption password (or passphrase). If you decide to save them, decryption keys should be locked in a a safe location.
  • Do not decrypt a file and store in a temporary file someplace. If this occurs, be sure to securely wipe/erase the file from disk.
  • Consider setting up a secure folder or disk partition on the computer for storing private data.
  • Properly done (good software, strong password, etc.), encryption is good protection for laptops and portable devices that may get lost or stolen as well as other computers.

Below are options for various operating systems/media: Macintosh, Unix, Windows and USB flash drives.

At the University for full disk encryption, in rough order based on number of users, the following encryption products are used: CheckPoint (PointSec), Sophos (Utimaco), Microsoft BitLocker, TrueCrypt.

Windows

Below are some products used within the University by some departments.  Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.

Product

Windows Platforms

Options

Web site

Notes

Windows Encrypting File System (EFS)

XP, Vista and 2003

Built into the Windows Operating System

http://support.microsoft.com/kb/223316/EN-US/

File and folder encryption. See Required Steps for EFS.

Files emailed or saved to external media are  NOT encrypted.

Windows BitLocker
Vista, Windows 7Built into the Windows Operating Systemhttp://technet.microsoft.com/en-us/windows/aa905065.aspx Full disk encryption
CheckPoint FDE (formerly called PointSec) Purchase, under state contracthttp://www.checkpoint.com/products/datasecurity/index.htmlFull disk encryption

State Contract (for University-owned computers):
http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html

Sophos SafeGuard Easy/UtimacoXP, 2000 and 2003Purchasehttp://www.sophos.com/products/enterprise/encryption/safeguard-easy/
Full disk encryption
TrueCryptXP,  2000, Vista and 2003Freehttp://www.truecrypt.org/Full disk encryption, folder encryption, directory or virtual drive

GNU Privacy Guard (open source version of PGP)

XP and 2000

Free

http://www.gnupg.org/

File and folder encryption
With the Windows Privacy Tray for GnuPG, this allows for easy encryption, decryption and file shredding options. See http://www.gpg4win.org/.

PGP commercial

XP, 2000, Vista and 2003

Purchase

http://www.pgp.com/products/desktop/index.html

File, folder, whole disk or virtual disk encryption. Includes a feature to securely wipe or shred individual files. The gold standard of encryption, but more complex.
SecureZipXP, 2000, Vista and 2003Free trial, Purchasehttp://www.pkware.com/software-data-security/windows-file-encryptionFile and folder encryption.

*

Macintosh

Below are some products used within the University by some departments. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.

Product

Macintosh Platforms

Options

Web site

Notes

Mac File Vault

Mac OS X or higher

Built into the Macintosh Operating System

http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1877.html

Folder encryption

CheckPoint FDE (formerly called PointSec)

 

Purchase, under state contract

http://www.checkpoint.com/products/datasecurity/index.html

Full disk encryption

State Contract (for University-owned computers):
http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html

TrueCryptMac OS XFreehttp://www.truecrypt.org/ Full disk and folder encryption
Mac GNU Privacy GuardMac OS X 10.1 or higherFree

http://macgpg.sourceforge.net/

File and folder encryption
PGP commercialMac OS X 10.4 or higherPurchasehttp://www.pgp.com/products/desktop/index.htmlFile, folder, whole disk or virtual disk encryption. Includes a feature to securely wipe or shred individual files. The gold standard of encryption, but more complex.

Macintosh OS X has native 128-bit encryption, called File Vault. File Vault encrypts the contents for a user's home directory.

Note:

  • Company administrators can set up a computer-wide master password as a safeguard in the event someone forgets their login password.

Unix

Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.

Product

Platforms

Options

Web site

Notes

CheckPoint FDE (formerly called PointSec)Linux (Red Hat, Suse, OpenSuSe)Purchase, under state contracthttp://www.checkpoint.com/products/datasecurity/index.htmlFull disk encryption

State Contract (for University-owned computers):http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html

TrueCryptLinuxFreehttp://www.truecrypt.org/Full disk and folder encryption
GNU Privacy Guard (open source version of PGP)Unix, LinuxFree

http://www.gnupg.org/

File and folder encryption

SecureZip

Unix, Linux

Free trial, Purchase

http://www.pkware.com/software-data-security/windows-file-encryption

File and folder encryption

USB flash drives

USB flash drives are available with encryption to protect the contents. As with all software, periodically check the vendor web site for security patches or updates that must be applied.
 
 

Product

Options

Web site

Notes

DataTraveler-PEPurchasehttp://www.kingston.com/flash/DataTravelers_gov.aspPrivacy Edition has only an encrypted partition, so the first thing the user sees is the password prompt.  Ten attempts to enter the password or it locks (only allows a utility to delete all data and do a clean setup again). Users need to know this. Minimum password length is 6 characters and complexity is enforced.
IronKey BasicPurchase https://www.ironkey.com/basic User can select a "read-only" check-box for untrusted presentation computers (e.g. at conferences) with all versions to protect against autorun viruses from untrusted computers. The Enterprise version allows enforcement of all the options, but the cost is higher.  Ten attempts to enter the password, but it locks and is useless after that (no reset or anything). Minimum password length is 4 characters.
DataTraveler BlackBoxPurchasehttp://www.kingston.com/flash/DataTravelers_gov.asp Hardware based encryption and function without administrative rights.
KanguruDefenderPurchase http://www.kanguru.com/defender.html Hardware based encryption and function without administrative rights.

Other third party encryption software is also available to encrypt data on USB flash drives. Be sure to download the software from a reputable site and periodically check the vendor web site for security patches or updates that must be applied.

Product

Options

Web site

Notes

CheckPoint FDE (formerly called PointSec)Purchase, under state contracthttp://www.checkpoint.com/products/datasecurity/index.html

State Contract (for University-owned computers):
http://www.oet.state.mn.us/itproducts/software/manufacturers/Checkpoint_Pointsec_software_index.html

PGP CommercialPurchasehttp://www.pgp.com/products/desktop/index.html 
Sophos SafeGuard Easy/UtimacoPurchasehttp://www.sophos.com/products/enterprise/encryption/safeguard-easy/ 

TrueCrypt

Free

http://www.truecrypt.org/

 

Note: The University of Minnesota has no business relationship and makes no endorsement of any product listed.