Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Why you should and how you would encrypt data and how to ensure files really are deleted

Introd​uction

Where a computer file contains sensitive information, eg names and addresses, bank details, medical records etc. they should be protected against being read by unauthorised people. This is especially important when the data is taken out of the Centre, for example on a laptop or external hard drive/USB key.

Whilst you can take steps to prevent physical access by unauthorised people by storing the device in a locked drawer it is also essential that these files are protected by encryption and correctly destroyed when the file/media is no longer required. Don't assume your data is safe because it is on a Centre desktop computer - there is the potential for them to be stolen. Encryption is essential where sensitive material is sent by post or through email/over the internet.

Also consider what happens when a device goes off for repair - a failed hard drive or SSD is normally retained by the manufacturer (unless you agree to pay for a replacement part or take out 'keep my disk' insurance at the time of purchase) - on Apple laptops the storage is permanently attached to the computer's mainboard so some repairs will necessarily require them to keep your SSD. Whilst a reputable company would ensure that the contents of the drive is erased, do you have any documentary proof that this happens?

Even storing such files on the Centre file servers is not entirely secure as any publicly accessible server (for example jalapeno) may be compromised by a determined hacker.

If transferring data over the internet, do you trust the service at the other end? All data must be encrypted in transit (https web sites or SCP/SFTP or TLS protected services), but how is the data stored at the other end - is the remote storage location encrypted at rest? Are you (or your research group) the only ones with access to this data store?

SSD/fl​ash Security

The use of SSDs is now ubiquitous on laptops and the mechanisms used to store data on these products is such that guaranteed erasure of data is not necessarily possible. This inability to erase permanently is more likely on USB-stick/pen drive devices as secure wiping shortens their lifespan considerably. SSD devices usually support 'TRIM', an efficient deletion process, that offers significant protection against data recovery, but this may not always be turned on.​ Consequently, any 'flash'/SSD storage must be encrypted before any sensitive data is copied to it.

Where it is an option, consider purchasing hardware encrypted devices.

Securel​y erasing data

When you delete a file on a computer system you don't actually delete the data, just the index that tells the computer where to find it. Consequently, a determined data thief can easily recover sensitive material by looking through the data stored on a disk using easily obtainable tools.
Historically, you would be advised to 'secure erase' the data, often by overwriting multiple times with '0' or random data. Some modern file systems (for example our central file servers the macOS file system and all SSDs irrespective of the file system in use) use a mechanism called 'copy on write' to store new data, so secure erase is not possible so if you have data that needs to be securely destroyed ask computing-help@win.ox.ac.uk for advice on what can practically be done.

Erasing hard ​drives

If you have a ​traditional magnetic storage drive that is not encrypted that you need to clean of data that still functions then you can use tools such as ABAN (https://aban.derobert.net - Intel/AMD CPUs only) to achieve this. If the device is not functional then please contact computing-help@win.ox.ac.uk to arrange for the device to be securely recycled.

Clearing 'erased' SSD blocks

SSDs support a special operation (called TRIM) that allows the operating system to tell the SSD hardware which blocks (from it's point of view) are in use. The SSD controller then uses this information to permanently clear the blocks that have recently been 'erased'. To ensure this is run on a macOS computer reboot it - the TRIM operation is run on boot.

On Windows, the TRIM operation is run by the disk optimiser, to run this after deleting some data, search for 'Defragment and Optimize Drives' in the Windows search tool and run the program. Select your SSD in the list of droves and click on Optimize.

Data ​​Encryption

At some point you may need to store sensitive information, such as subject names and contact details, perhaps in a document that ties together the subject id with the subjects personal information or MRI structurals with intact faces. This sensitive data should always be stored in an encrypted form in a DPA2018/GDPR compliant manner.

The most important factor with file encryption is the quality of the password you use to secure the file(s); a small dictionary word will be trivial to crack and therefore the encryption applied is pointless. Equally, the passphrase itself needs to be protected from unauthorised access - don't write it on a post-it and leave it in full view!. For advice on choosing an encryption password see our passwords page. Ideally, use a password vault to hold this password so that it is not written down anywhere.

 

Never store a password with the resource it protects, and unless in a vault, don't record usernames and password together. 

There are two types of encryption of data stored on a computing device, whole-disk (sometimes referred to at rest) and file-level encryption. Which you choose is a balance of convenience and security and/or software support. 

 

 

 

Whole-disk Encrypti​on (WDE)

This ensures that all data written to the storage device is encrypted and is primarily used to protect the device when it is powered off. If your laptop/desktop or USB pen drive/external hard drive is stolen/lost then without your password the data is unreadable (assuming the password is not easily guessed/obtained).

When the device is powered on and unlocked then the files/data are freely accessible by any programs running on the computer (subject to the usual access rights), so it doesn't protect the data from malware or malicious people who have access to the running computer - also keylogger malware may be able to snoop your password so up-to-date antivirus is critical to ensuring this protection is robust.

Don't forget your backup device too - if this is physical device then this needs to be encrypted to the same standard (or better) as your computer.

F​or encryption of external media there are are several hardware based encrypted hard drives on the market, some using USB keys that must be plugged into the device, others a finger-print recognition device or a pin code or software unlocker (some Western Digital USB drives). Clearly, if you are sending data sets to a collaborator on a USB-key encrypted drive you must NEVER send the USB-key in the same package as the drive - this includes a paper copy of the password! 

​All Centre owned laptops MUST be encrypted and units setup by WIN IT will be encrypted before delivery to yourself.

This encryption is enforced on macOS devices via the Orchard management system (or Sophos on legacy systems). WIN IT have access to a recovery key held by these management systems, should you forget your password.

For Windows devices, BitLocker should be used, and WIN IT strongly recommend that your University owned device is managed by our Sophos Anti-Virus estate as this can securely store a recovery password should you forget yours. If not setup by WIN IT, to enroll your device contact computing-help@win.ox.ac.uk.

Some external hard drives come with WDE (often referred to as hardware encryption) software or even fingerprint readers or 'dongle' physical USB keys, if it lacks this then encrypt via software, e.g. Encrypted Time Machine or encrypted disk format on macOS, BitLocker on Windows or LUKS on Linux. In all cases make sure you store the encryption password in a safe place (for example a password manager) - never keep it with the device!

Bene​​fits

  • OS provided ​​WDE is implemented at a low-level in the operating system so typically has no potential for incompatibility with the software being used on the computer.

  • When the computer is switched off (or the device disconnected) your data is protected from being read by people without an authorised password (Windows BitLocker or Linux may be setup to not require a password but instead use the hardware key on the motherboard - this is reliant on the security of the OS preventing unauthorised login). For additional security, Windows BitLocker can be configured to require a password or pin to be able to boot.

Pitfalls

  • For the data to be protected the computer/device has to be off - closing the lid of your computer to sleep it does not always protect your data as the encryption key may still be in memory and can be recovered using a 'cold-boot' attack. Further, if you don't have your laptop set to request a password when waking from sleep then your data should be considered to be unencrypted!

  • Potential for performan​ce drop-off compared to an unencrypted device. In most instances with modern CPUs this has limited or no impact, but some time sensitive data capture may have problems with this.

  • By its very nature, WDE cannot protect your files from access by other users on the computer, so it may not be appropriate for multi-user devices where the files themselves must be segregated.

  • How is your backup protected? If it is to a USB hard drive/SSD this must also be encrypted.

Exa​​mple software

macOS

Filevault 2 - preferably managed (for your OS/built-in disk by Orchard or Sophos)

Linux

LUKS/dm-crypt

Windows

Bitlocker - Either with TPM hardware or password protected - preferably managed by Sophos

File-l​evel Encryption

The most straightforward method of encrypting data is to encrypt just the file that contains the sensitive information. This has the advantage that backup of the file is simple and there is no wasted space on your disk. However, the file is visible in the filesystem which may encourage attempts to decrypt it.

There are several potential methods of achieving this, single file encryption (e.g. GPG) or encrypted pseudo-filesystems (e.g. https://github.com/rfjakob/gocryptfs, Apple Disk Images, Veracrypt disk images)​

PGP En​c​rypt​​​ion

PGP - Pretty Good Privacy is a standardised method of encrypting individual files and software for encryption/decryption is widely available.

This is ideal for sending files to/from collaborators through the post or over the internet. The file is encrypted with a passphrase which should be communicated to the third party using some unrelated mechansim - e.g. not in the email that you provide the URL or attach the file to!

We recommend the open source PGP implementation GnuPG which is available for Linux, macOS and Windows.

Linux​​

Centre provided Linux machines should already have GnuPG installed as the command gpg, but if you use Linux on your own laptop/home computer, you can either download binaries from http://www.gnupg.org/ or install the pre-built GnuPG package for your Linux distribution - on CentOS this would be achieved with the command:

sudo yum install gnupg​

or on Ubuntu:

sudo apt install gnupg

Or use the Add/Remove Software option in the Applications menu (or Ubuntu Software Centre).

mac​OS​​

Centre desktop mac computers should already have the software installed, where not, please contact computing-help@win.ox.ac.uk with the name of your computer to request installation. For laptops and home computers the software is available from https://gpgtools.org​​.

Windo​​ws

The GnuPG port for Windows is available from http://www.gpg4win.org/

Encrypting a file

If you are using a command line interface, you can encrypt a file with the command:

gpg -c myfile​​​​​

This will ask for a password to encrypt the file with twice, for confirmation, and then encrypt myfile saving the output to the file myfile.gpg, leaving the original file intact. Clearly, there is little point in encrypting the file if you leave the un-encrypted file behind, so this should be removed in a secury manner (at the very least deleted).

To decrypt the file use:

​gpg --output myfile -d myfile.gpg

Zip/tar.gz File​ Encryption

Zip files are an archive format, ie a collection of files and folders are stored in a single file for ease of transport between computers, which is then compressed to reduce its size. This format is typically encountered on Windows systems and is also the default compressed file/folder option in the macOS Finder. A closely related archive format is the tar file, which can be optionally compressed with the gzip program (commonly referred to as tar.gz files). Zip files also have the option of being encrypted. However, the cross-platform encryption method used in the zip standard is relatively easy to break, so its use is not recommended. The 7-Zip software tool can open (and create) securely encrypted files, with ports available for Linux (p7zip) and several other utilities available for macOS that can read these files (see below).

Where you need to send an encrypted Tar-Gzip file, we recommend using PGP encryption of the archive as described above.

Graphical Clients

WinZip AES encrypted files

If you are sent a WinZIP AES encrypted Zip file then get hold of a copy of 7-zip (http://www.7-zip.org) which has support for reading/writing this format. This package is free and available as a Windows GUI application and command-line client for Linux (check your package manager for p7zip). On macOS you can use http://unarchiver.c3.cx Unarchiver (also available on the App Store) or you can install p7zip via MacPorts or HomeBrew. To use 7-zip from the command line use:

7za -x <filename>​

Caveats

  • Some email servers do not allow the transmission of Zip files, being especially cautious about encrypted Zip files, as these have been extensively u​​tilised for sending viruses.

  • Never send the password and file in the same email/package!

Disk image file encryption

Where you have many files to encrypt and don't wish to/cant use whole disk encryption you should look to using encrypted disk images (this is the mechanism used by macOS if you tick the 'Encrypt backups' option in TimeMachine). In the case of USB pen drives you are strongly recommended to encrypt the whole drive or obtain a hardware encrypted device (see above).

This works by creating a single file disk image, which can then be made to appear to the computer as a removable disk (a process called mounting). The file itself is encrypted, but once you have unlocked the drive, the files are available un-encrypted.

Disadvan​tages

The most important caveat to using this encryption method safely, is to only mount/unlock the filesystem when you need a file from it, and to then unmount/lock the filesystem. You should never leave the filesystem mounted when you leave your computer anywhere or when you sleep/hibernate the system, as if it is stolen, the data is at risk until the machine is completely switched off (or the image unmounted).

Veracrypt Disk E​ncryption

Where 'whole device' encryption must be readable on multiple platforms consider using the Veracrypt package https://www.veracrypt.fr/en/Home.html. The package supports encrypting an entire volume or just a selection of files within a disk image.

Gene​ral Advice

  • If you want to be ​​able to read your encrypted files on a wide range of computer platforms then choose either FAT (files <4GB in size) or exFAT filesystem when creating the encrypted disk image, most currently available operating systems have full read-write support for these filesystem types.
  • The main disadvantage of encrypted images/drives is how do you backup your data? If you use a 'changed file' type backup system (Time Machine on macOS or TSM if you are using the University ​backup service) then any modification, no matter how small, will result in the entire encrypted disk image to be copied, which could be an issue if the file is many gigabytes in size! Probably the best option is to exclude the disk image from your backup and then take manual backups by copying the encrypted image when appropriate.