ITS Safe Computing

What Is Encryption?

Encryption “scrambles” data in a way that it can only be read by someone who possesses the corresponding decryption key. If an unauthorized individual obtains access to a device with encrypted data, but does not have the decryption key, they see only random “gibberish” instead of sensitive data.

Besides actually protecting confidential data from unauthorized disclosure, encryption has the added benefit of saving you the cost and embarrassment of having to notify potentially affected individuals when your mobile device is lost, stolen, confiscated, etc. Because a properly implemented encryption solution is recognized as an adequate protection mechanism against even the most determined attacker, most notification laws provide for an exemption if sensitive data on a lost or stolen device is encrypted. Due to the high costs and negative publicity of notification, along with the potential fines and legal ramifications associated with a sensitive data breach, encryption of sensitive data is often cost-justified.

First, decide on the general approach you want to take. Broadly speaking, there are two options: use the encryption solution(s) already built in to the device(s) you use, or opt for a third-party “add-on” solution. Our recommendation is to take the built-in approach unless the range of different mobile devices results in so many different “built-in” solutions that it exceeds some usable and manageable number. For example:

  • If you are a lone researcher storing sensitive data on a laptop, use the encryption solution that is already built in to that laptop.
  • Similarly, members of a small research group who use and manage their own laptops can use the encryption solutions that are built in to those laptops.
  • If your team uses different kinds of laptops running different operating systems and uses various kinds of thumb drives, consider a third-party open-source solution that can provide some consistency across those platforms and devices.
  • If you are an IT pro who manages a homogeneous Windows environment with Group Policy and you keep your version of Windows up to date with mainstream support, then use the built-in Windows encryption solution(s).
  • If you are an IT pro who manages a heterogeneous environment, evaluate third-party solutions that can provide some management consistency across the platforms you need to support.

It is essential to encrypt data that is both at rest and in motion.1 Encryption mitigates the most prevalent threats associated with mobile devices. Encrypting data at rest mitigates the disclosure of data when a mobile device is lost or stolen. Encrypting data in motion mitigates the threats (e.g., eavesdropping) associated with the transmission of sensitive data over insecure public networks that mobile devices often connect to.

Encryption, of course, does not address every mobile device concern. For example, encryption does nothing to prevent a mobile device from being lost or stolen in the first place. This FAQ talks about other safeguards that can be used in conjunction with encryption to address a range of mobile device concerns.

Using a “boot” (BIOS) password and/or account password along with a password-protected screensaver is a recommended best practice for keeping honest people honest. These “boot” or logon passwords, however, do nothing to prevent an individual from accessing a hard drive if they want to. All an “interested” individual needs to do to bypass a boot password is to put the hard drive in another machine. All that is needed to bypass an account password is to insert a different boot disk. In short, passwords provide no protection when physical security is breached as in the case of a stolen, lost, or confiscated device.

Deciding on an encryption solution can depend on a lot of factors. Some decision points such as usability, cost, and platform support are easy to understand. Other decision factors, such as algorithm support are complicated but less interesting because, in the end, different solutions will support the same techniques. One influential parameter that is worth understanding further, however, is the approach used to secure the files on disk. The two competing philosophies are File/Folder-level encryption and Full-Drive encryption.

  • File/folder level encryption is selective. It allows specific files to be encrypted or it allows a container (i.e. folder or directory) to be created such that files saved in the container are encrypted.
  • Full-drive encryption, on the other hand, encrypts all the sectors on a disk or disk volume. Thus, a full-drive encryption solution will often encrypt operating system files, applications, system settings, and cache files in addition to specific sensitive data files.
    • The benefit most often cited for full-drive encryption over file/folder-level encryption is that full-drive encryption leaves less doubt about whether all instances of sensitive data were actually encrypted. This is because operating systems and applications write data in caches, temp directories, page files, hibernation files and other areas that are difficult to identify, let alone selectively encrypt. Furthermore, humans make mistakes. Users may simply forget to store sensitive data in the right (encrypted) folder. Techniques and solutions exist to mitigate all of these file/folder-level shortcomings, but such solutions are typically only viable in “managed” environments where the mobile devices are managed by an IT department and end users do not log in with administrative privileges.
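
The file/folder-level gap described above can be checked for directly. The following is an added example, not part of the original FAQ: a small audit script that looks for plaintext copies of protected files outside the encrypted folder. The folder names, the SSN-shaped pattern and the sample records are constructed, and the script assumes it runs as the user while the encrypted folder is unlocked.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for "sensitive data": SSN-shaped strings.
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def read_files(root):
    """Yield (absolute path, content) for each readable file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.abspath(os.path.join(dirpath, name))
            try:
                with open(path, "rb") as f:
                    yield path, f.read()
            except OSError:
                continue  # unreadable: skip it and keep scanning

def find_residue(container, other_roots):
    """Return sorted (path, reason) pairs for plaintext outside the container."""
    inside = os.path.join(os.path.abspath(container), "")
    protected = {hashlib.sha256(d).digest() for _p, d in read_files(container)}
    findings = []
    for root in other_roots:
        for path, data in read_files(root):
            if path.startswith(inside):
                continue  # already covered by the encrypted folder
            if hashlib.sha256(data).digest() in protected:
                findings.append((path, "exact copy"))
            elif SENSITIVE.search(data):
                findings.append((path, "pattern match"))
    return sorted(findings)

def demo():
    """Scan a constructed layout; return (file name, reason) findings."""
    with tempfile.TemporaryDirectory() as base:
        container, scratch = (os.path.join(base, d) for d in ("encrypted_folder", "tmp"))
        os.makedirs(container)
        os.makedirs(scratch)
        record = b"subject 17, SSN 000-12-3456, visit 2\n"
        files = {os.path.join(container, "subjects.csv"): record,
                 os.path.join(scratch, "subjects.csv.bak"): record,  # forgotten copy
                 os.path.join(scratch, "~autosave.tmp"): b"draft: " + record,  # app temp file
                 os.path.join(scratch, "notes.txt"): b"meeting moved to 3pm\n"}
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)
        return [(os.path.basename(p), why) for p, why in find_residue(container, [base])]
```

A scan like this only sees ordinary files; page files and hibernation files are not readable this way, which is part of why full-drive encryption leaves less doubt.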

First, make sure you have a choice.2 Your unit, or authoritative compliance office, may already mandate a specific encryption approach. If the File/Folder versus Full-Drive approach has not already been decided, we offer the following guidance:

If both approaches are available for effectively the same cost 3, then use the full-drive encryption approach.

However, if the cost of full-drive encryption significantly outweighs the cost of file/folder level encryption, then that cost needs to be weighed against the likelihood and incremental impact of the lost or stolen laptop. When considering this tradeoff we offer these baseline recommendations:

  • If the data being encrypted is subject to legal or regulatory requirements and that data is newsworthy in terms of quantity, then strive to use the full-drive encryption approach.
  • Even if the data is not regulated but its unauthorized access would have a significant impact on people's lives or on the reputation or mission of the university, then strive to use the full-drive encryption approach.

Full-drive encryption is recommended for regulated environments because, as explained in the answer to the previous question, full-drive encryption reduces doubts that people (users, administrators, auditors, investigators, customers, research subjects, etc.) have regarding the possible exposure of sensitive data when the device is lost or stolen. In fact, in Japan, only the full-drive encryption approach is recognized as sufficient for avoiding notification when a device containing private personal information is lost or stolen.4

That being said, highly “managed” environments (those run by an IT department supporting end users that do not have administrative rights) may be able to successfully deploy a policy-based file/folder-level encryption solution even for regulated or other highly sensitive data. For these environments, a good centrally managed, policy-based file/folder encryption solution may be as transparent and demonstrably comprehensive as the full-disk encryption approach, but the IT department should convince themselves of that.

Footnotes

1   Data at rest is data that is stored on some physical storage media like a hard disk, flash drive, or DVD. Data in motion refers to data that is traveling as packets through a network (e.g., as an email makes its way across the internet). Note that data on a thumb drive is considered data at rest even though the thumb drive itself may be mobile.

2   File/folder and full-drive encryption are not necessarily mutually exclusive. However, this FAQ does not discuss using both approaches simultaneously because this FAQ is concerned primarily with the threat of information disclosure due to a lost, stolen, or confiscated laptop and either approach may be used, by itself, to mitigate this threat.

3   Cost includes administrative, operational and performance costs in addition to outright hardware and software costs.

4   Encryption for Mobile Hosts.