Encryption Guide

Overview

When it comes to protecting data, whether sensitive/confidential (as defined in the Confidential Information Policy), other private data (college or personal), or general web browsing, it is important to ensure that the data is encrypted.  There are two primary kinds of encryption we're referring to here: data encrypted in transit (i.e. ensuring that data transferred over the internet, or intranet, is protected from eavesdropping) and data encrypted at rest (i.e. protected while it is stored on a local disk, network drive, or in the cloud).  This article gives a brief listing of appropriate methods of encryption, as well as links to more detailed articles on their use.


Encryption in-transit

HTTPS (web site) encryption

The most common and visible form of encryption is HTTPS encryption, which is what is typically used when you are using a web browser.  This encryption protects your data in transit between your computer and the destination server.  The screenshot below shows this site in three web browsers (Google Chrome, Internet Explorer, and Mozilla Firefox), along with the indicators each browser displays when a site is appropriately encrypting that traffic.
[Screenshot: the address bars in Chrome, IE, and Firefox, showing the HTTPS indicators]


Wireless network encryption

The other most common form of encryption in transit is for wireless networks, known as WPA2 (Wi-Fi Protected Access 2).  If you are connecting to the wireless network on campus and using the NP Hawks WPA2 network, then your traffic is encrypted in transit.  The images below show the lock icon for Android, and then for iOS.

[Screenshot: Android showing the lock icon next to the wireless network]
[Screenshot: iOS showing the wireless lock icon]

If you are connecting to some wireless networks (like our Guest network, or many public WiFi networks), the traffic on that network is not encrypted.  It is then even more important to ensure that the websites you are visiting are encrypted (HTTPS, as in the first section).

Email Encryption

If you need to send sensitive data over email, you will want to use encrypted emails.  For more information, see our article on "Sending Encrypted Email".

Encryption at rest

Encryption at rest ensures that the data is protected on the disk (local, network, or cloud).  If you are dealing with sensitive data, you should ensure that the data is protected by encryption at rest.  There are several categories.

Note: Encryption at rest (with all the methods listed below) is only sufficient protection with a strong password or passphrase.  If your password is simple or guessable, the protection is minimal at best.

Full-Disk Encryption

This ensures the entire disk is encrypted.  It is primarily intended to protect data on a lost or stolen device.  It does not protect the data from malware that is running on the system, though: once a user has logged in, the files appear in unencrypted form to the operating system and to any software running under that login.

  • College-owned laptops: All college-owned laptops have full-disk encryption enabled.  This is done with either the Microsoft BitLocker encryption software or the Apple FileVault software.  Note: Some Windows devices are still using the SecureDoc software; that is being replaced with BitLocker.
  • iPhone/iPad: We strongly recommend that any iPhone or iPad is encrypted.  We do not have an article on this at this time, so we recommend reviewing the article "How to Encrypt Your iPhone" from the Electronic Frontier Foundation.
  • Android: As with iPhones, we strongly recommend that any Android device is encrypted.  We do not have an article on this at this time, and the instructions differ depending on the phone manufacturer.  You should be able to find encryption settings within "Settings->Security" or possibly "Settings->Personal->Security".  Consult your manufacturer for more specific information.


File-level encryption

It is easy to encrypt individual files in many applications, most commonly Microsoft Office and Adobe Acrobat files.  For more information, see the articles below:

Microsoft Office: Add protection in your document, workbook, or presentation

Adobe Reader: Securing PDFs with passwords


Warning: If the file password is lost, the data in the file is most likely unrecoverable.  If this is college data you are working on, ensure that you share the encryption password with at least one other person in your department.  Consider storing encryption passwords in a password manager.

Encrypted file-containers

If you want to protect a large number of files, an encrypted file container using the free/open-source VeraCrypt software might be the best option.  This will protect files at rest on your computer, but with one main caveat: you need to make sure to close (dismount) the encrypted volume when you are not working with those files.  If you always open the encrypted area when you start your computer and leave it open, the data inside it is not sufficiently protected from malware or a cyber-criminal, since anything running on the machine can read the mounted volume just as you can.

To start using VeraCrypt, see our Using VeraCrypt article.

Warning: If the VeraCrypt password is lost, the data in the container is most likely unrecoverable.  If this is college data you are working on, ensure that you share the encryption password with at least one other person in your department.  Consider storing encryption passwords in a password manager.

Conclusion

No method of encryption is foolproof.  There are almost always ways around encryption if the attacker has sufficient time, expertise, and resources.  Our goal is to make protections as strong as possible while still being usable for the day-to-day work that is being done by faculty and staff at the college.  These protections, if used appropriately, will mitigate many threats against sensitive data.

Details

Article ID: 50967
Created: Mon 3/26/18 12:00 PM
Modified: Mon 3/26/18 1:32 PM