- What is encryption?
- What data should be encrypted?
- How do I encrypt the hard disc on my computer?
- Can I encrypt my removable media, smartphone or tablet?
- How do I encrypt email attachments?
For digital data, encryption is a technique whereby data is encoded when it is stored so that it cannot be read without use of a password (also known as the encryption key). This helps to protect the data from unauthorized malicious or accidental access. The encoding technique and complexity of password help determine how easy it might be for another person to decode the data, therefore it is advisable to use tools that meet international standards, such as FIPS 140-2, along with complex passwords.
The University classifies data as being Confidential, Sensitive, Restricted or Unrestricted.
Encryption is advised for Confidential, and Sensitive data where physical security does not suffice and always when such data is stored on mobile devices. For additional protection Restricted data should be encrypted on removable media.
This chart may help identify where data should be encrypted:
|Material stored on:||Confidential||Sensitive||Restricted||Unresticted|
|Server||Encryption may be advised||Encryption may be advised||Encryption not necessary||Encryption not necessary|
|Local||Must be encrypted||Must be encrypted||Encryption may be advised||Encryption not necessary|
|Removable media||Must be encrypted||Must be encrypted||Encryption may be advised||Encryption not necessary|
You are advised to refer to your local Information Security Policy.
MSD IT Services can implement Whole Disc Encryption (WDE) for University owned computers in the Medical Sciences Division. The service is provided centrally by IT Services and is available for Microsoft Windows, Apple OS X & some Linux based computers. The previously provided service, in conjunction with the Weatherhall Institute of Molecular Medicine (WIMM), will be maintained for existing users. Both are based on the Symantec PGP system. Please contact the MSD IT Help Desk or call (2)21323 for further information. WDE is strongly recommended for all laptops used for the processing of sensitive data. See the section on What data should be encrypted?
Hardware encrypted devices must be used when storing sensitive data on external media. Such devices should be certified to FIPS 140-2 and USB Flash drives are available for purchase from the MSD IT Services Office at the John Radcliffe. As with all removable media, data should be appropriately backed up so that the device does not hold the only copy of the data.
Smartphones & tablets:
Apple devices running iOS 5 and later
The newer iPhones and iPads have a level of hardware encryption built in which should be enabled via the 'Passcode Lock' section of settings. Simple Passcode (i.e. 4 digit passwords should be disabled). See Apple's support page for details. Siri should also be disabled to prevent this feature being used whilst the device is locked.
The later versions of the Android OS include the ability to encrypt all the data on your device, however this is not implemented by all manufacturers. Information relating to the Nexus 10 is available from Google.
Blackberry devices attached to a Blackberry Enterprise Server (BES) will send & receive data encrypted, but data stored on the handset is not, however encryption is an option.
Note: the process of encrypting a BlackBerry device may take more than an hour to complete & so the device may need to be attached to a charger during the process.
The process is enabled as follows (new handset may be slightly different):Go to Options > Security Options > General Settings. Set Content Protection to Enabled
If you apply Content Protection to your Address Book you will lose the Caller ID function.
You may also need to encrypt any removable media cards:
On the Home screen of the BlackBerry select: Options.
Select Media Card or Advanced Options > Media Card (depending on the BlackBerry Device Software version that is installed).
There are three options:
To encrypt the data using an encryption key for a media card generated by the BlackBerry smartphone, set the Encryption Mode field to Device.
To encrypt the data using the BlackBerry smartphone password, set the Encryption Mode field to Security Password.
To encrypt files using an encryption key for a media card and the BlackBerry smartphone password, set the Encryption Mode field to Security Password & Device.
Note: To turn off encryption for a media card, set the Encryption Mode field to None.
How do I encrypt email attachments?
Due to the nature of email, alternatives to email should be considered for the exchange of sensitive documents.
PDFs can be encrypted on Microsoft Windows using either Adobe Acrobat Pro or Nuance PDF Converter. The latter is available under a University site license. Where possible the AES-256 encryption option should be used. In Apple's OS X you can use the encryption function included in the Preview program to create an encrypted PDF document.
Where use of PDFs are not appropriate, then compression programs such as 7-zip (Windows only) or similar may used and the AES-256 Encryption method selected. Apple OS X has a compression (ZIP) function built-in but it is necessary to use a command line to encrypt the resulting archive.
There is a free zip encryption utility for OS X available from Izip. Versions are also available for iOS.
In both cases as these methods employ a symmetric-key algorithm or a shared secret, care must be taken in providing the recipient with the password to decrypt the data. The password must never be sent in the same email as the attachments.