Encrypting your device
Further reading
You may also be interested in this article from Ars Technica:
Encrypting laptops and mobile devices
Device encryption is an important tool in protecting confidential data. University managed devices (staff) are encrypted by default.
If you're using a device that is not owned or managed by the University, you can encrypt it yourself.
Remember that not all devices support encryption. You must not use any unencrypted devices to directly access or store confidential University information. Instead, you should use the virtual desktop service (VDS) to access the data through a secure virtual machine.
Encryption passwords
Any encryption is only as strong as the password chosen. Short or easily guessable passwords can be broken.
Follow our advice on choosing good passwords:
Securely sharing confidential data
USB sticks
We don’t recommend storing data on USB sticks. All members of the University have access to Google Drive, which is equivalent to a large cloud based USB stick and much more secure.
If it is absolutely necessary to transport data on a USB stick, make sure that all confidential data on it is encrypted.
Due to their small size, USB sticks can easily be lost or forgotten, and if not encrypted, they can then be read by anyone who finds them.
This threat is quite real, and several recent cases in the UK public sector have lead to considerable media attention:
- Firm 'broke rules' over data loss, BBC News, 22 August 2008
- Troops' manoeuvres left in club, BBC News, 9 September 2008
- Navy to investigate security breach, The Guardian, 29 November 2009
- Greater Manchester Police fined over stolen data stick, BBC News, 16 October 2012
- East Sussex NHS Trust apologies over data breach, BBC News, 5 July 2015
You can buy USB sticks that include hardware based encryption. These are secure, but can usually only be used on Windows machines, on which extra software is installed.
If you wish to use one of these devices, we recommend the "Kingston Hardware Ultra Secure USB 256bit Hardware Encryption FIPS 140-2" (or another FIPS 140-2 certified USB stick). If you must use USB sticks, they are the best solution, and the only one that will satisfy some research funders.
There are a lot of other cheaper "encrypted" USB sticks out there, but only the more expensive ones properly encrypt data at the hardware level, so we strongly recommend sticking to the brands above.
Encrypting ZIP files
Another method for encrypting files is to enclose them in an encrypted zip file.
The default encryption method for ZIP files is not secure. It is outdated and can nowadays be broken easily. It is very important that you use the AES-256 encryption method detailed below instead.
| Windows |
On IT Services' managed PCs, zip files can be created and read with the software 7-Zip. The program can be installed via Software Center.
On unmanaged or personally owned PCs, 7-Zip can be install for free via 7-Zip
To create an encrypted zip file with 7-Zip:
- Start 7-Zip, and in the main screen, select the file that you wish to encrypt
- Click the Add button. This will open the Add to Archive window
- Set Archive format to zip
- Set Encryption method to AES-256
- Enter a strong password (See our guidance for choosing a strong password)
- Click OK
You will now find a new file with a .zip extension in the same folder as the original file. The contents of this zip file can be accessed only with knowledge of the password.
|
| Mac |
One option for secure zip encryption on Mac OS X is to use iZip, which is a free download:
To create an encrypted zip file with iZip:
- Start iZip and click New
- Click Specify name
- In the Save As field, enter the name you want to give the encrypted zip file, select the location you want to save it in the Where field, then click Create
- When asked about password protection, tick Enable password protection and enter a strong password (See our )
- When asked about using encryption, choose AES 256 bit
- iZip will then ask you which files and folders you want to add to the encrypted zip file. When you have finished adding your files/folders, click Next
- iZip will display a summary of the options you've selected, click Next and your encrypted zip file will be created
|
| Linux |
The following instructions are based on Ubuntu 14.04. Other Linux distros may be similar but not identical.
You can use p7zip (a Linux command line version of 7-Zip on Windows) to create encrypted zip files. You can install p7zip with the following terminal command:
sudo apt-get install p7zip-full
Once p7zip is installed, encrypted zip files can be created with the following terminal command:
7za a -y -tzip -p -mem=AES256 archivename.zip /path/to/filestoencrypt
You will be prompted to enter a password for your encrypted zip file, which will then be saved to your current location in the terminal.
You can see a list of all available commands and switches in p7zip with the following terminal command:
7za -h
|
Using Microsoft Office
Windows and Mac
The latest Windows versions of Microsoft 365 (Office 2016, Office 2019 and 365) include integration with OneDrive. OneDrive has sharing capabilities, however, Google Drive is our recommended solution.
Microsoft 365 (Office 2007 and later for Windows, and Office 2011 and later for Mac) can encrypt files using strong encryption. Earlier versions do not adequately encrypt data and should not be used.
Microsoft provides their own guidance on protecting Microsoft 365 files. Learn how to protect a document with a password.
Encrypting PDF files
Encrypted PDF files can be a good method for transmitted data, as, once encrypted, they can be sent via email. This method has the advantage that the recipient need not store any unencrypted versions of the file on disk.
Encrypted PDF files can be read with most PDF readers, including Adobe Reader. However, for encrypting the file, special software is needed.
Corel PDF Fusion
Corel PDF Fusion is installed on all IT Services managed classroom PCs, and is available to staff and research graduates for managed office PCs, unsupported machines and home use.
To encrypt a PDF file in Corel PDF Fusion:
- Open the file you wish to encrypt
- Go to Document | Set Document Security | Standard. This will open the Document Settings panel
- In the Encryption Level, select '128-bit'. (If you are sure your recipient has PDF software capable of handling higher levels of encryption, you may wish to choose a higher rate.)
- Click next
- Tick Requires a password to open document and enter a strong password in the Enter password field (See our guidance for choosing a strong password)
- Click Finish. Save and close the document for the encryption to take effect
Nuance PDF Converter
To encrypt a PDF file in Nuance PDF Converter:
- Open the file you wish to encrypt
- Go to Document | Security | Secure Document. This will open the Security panel
- Under the Password Security heading, double-click on Interactive
- You may see a message asking if you are sure you want to change the security settings of the document. If so, click Yes. The Password Security window will open
- Select Encrypt all document contents
- Tick Allow document opening only by password and enter a strong password in the Document Open Password field (See our )
- Click OK. Save and close the document for the encryption to take effect
Adobe Acrobat Professional
Adobe provide their own guidance on encrypting a PDF by adding a password to the file:
Pdftk
Pdftk Server is a free set of command line tools for modifying PDF files. It's available for Windows, Mac and Linux:
Once installed, you can encrypt a PDF file with the following terminal command:
pdftk MyFile.pdf output MyFile_encrypted.pdf user_pw PasswordGoesHere
Note: Replace file names and password as appropriate.
