This guide provides an overview of “in-place” or “data at rest” encryption. The focus is on workstation (desktop), laptop and external drive encryption, which protects your information, especially research data, from being read by people who are not authorized to see it when a device is lost, stolen or left unattended. The focus is not on “data in motion”, meaning encryption of data as it moves over a network, for example encrypted file transfers.
There are several approaches to encrypting data at rest:
Full disk encryption: encrypting all data on the storage media.
Container or volume encryption: designating a specific virtual container or disk volume to encrypt.
File or folder encryption: specifying files or folders to encrypt as needed.
Application encryption: using an application that is capable of encrypting its own data.
Full disk encryption
Full or whole disk encryption encrypts all the data on a hard disk. For example, you can encrypt the internal disk of a laptop or an external disk so the data stays protected if the device is lost or stolen. If you work with confidential information you should use whole disk encryption together with a strong password. Keep in mind that the protection applies while the computer is powered off or the disk is unmounted; once you have booted and logged in, anyone using your unlocked session can read the data, so also lock the screen and use a separate data disk or container for the most sensitive files. The software used to encrypt a disk depends on your operating system.
- All information written to the disk is encrypted automatically by the installed software; nothing has to be placed in a special location.
- Loss or corruption of the authentication credentials or keys (password, recovery key) makes every file on the disk unrecoverable, so keep the recovery key somewhere safe and separate from the device.
- Performance: the encryption adds processing overhead, which may make the system slower (usually minor on current hardware).
Container or volume encryption
Container or volume encryption sets aside a specific area that holds encrypted data. For example, you can create a virtual encrypted disk (a container file) of a chosen size with VeraCrypt, mount it, and store files inside it; everything in the container is encrypted on disk. You can also set aside a separate partition of your hard drive that is encrypted independently of the operating system. In general it is easier to use full disk encryption on a separate data disk, either installed in your computer or an external disk connected to it, for storing the data. A container on a USB drive is a good fit when you only need to keep a subset of the data confidential.
- Information is encrypted when it is placed on the designated volume or container; files kept elsewhere are not protected.
- Loss or corruption of the authentication credentials or keys results in loss of the data on that volume only.
- Requires manual management to ensure appropriate data is placed in the volume.
File or folder encryption
Each specific file or folder can be encrypted with a password. If you have just a specific folder or a few files that need to be secured, you can use a simple method of encrypting those files or folders. If you have more information to secure, it is easier to store the relevant data on a separate encrypted disk. Be aware that applications and the operating system may leave unencrypted copies of the content outside the encrypted file (temporary files, caches, earlier versions), which is another reason to prefer disk or volume encryption for larger sets of data.
- Each designated data file must be managed.
- Loss or corruption of the authentication credentials or keys results in loss of the data in that file only.
- Requires manual management to ensure appropriate data is encrypted.
Application encryption
This relies on a specific application, such as backup software or Microsoft Office, to encrypt the file(s) and uses the application's built-in capability to manage the encryption and the credentials (passwords) for the data.
- Information used by the application is encrypted based on the application’s capabilities.
- Loss or corruption of the authentication credentials or keys results only in loss of the data associated with the application.
- Only data managed by the application is encrypted.
- Users and application administrators must understand the scope of the data the application encrypts.
- Data extracted from the application may not be encrypted.
For external disks that may be used on various platforms, we recommend VeraCrypt, https://www.veracrypt.fr/, which provides open source disk encryption software for Windows, Mac OSX and Linux. It provides both volume encryption and whole disk or partition encryption: you can create a virtual encrypted disk (a container file) that is mounted like a drive, with files stored on it encrypted, or you can encrypt an entire disk partition or an entire external disk. Note that encrypting the operating system's own startup disk with VeraCrypt is only supported on Windows; on Mac OSX use FileVault (below) for the startup disk and VeraCrypt for data and external disks.
Beginner’s Tutorial: https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html
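The container workflow described above (create a container of a chosen size, mount it, dismount it), scripted for the VeraCrypt command-line interface on Mac OSX or Linux. This is an added example and not code from the original guide or from the VeraCrypt project; it assumes the `veracrypt` binary is on your PATH, and the container path, size and mount point shown in the usage comment are placeholders. The password is deliberately not passed on the command line so that it never appears in the process list or shell history; VeraCrypt prompts for it.

```shell
#!/bin/sh
# Added example (not part of the original guide or the VeraCrypt project):
# create, mount and dismount a VeraCrypt file container from the command
# line on macOS or Linux. Assumes the VeraCrypt CLI is installed as
# `veracrypt`; the container path, size and mount point are placeholders.
set -eu

# Convert a size such as 512M or 2G to bytes. VeraCrypt's --size takes a
# byte count, so converting here avoids depending on suffix handling.
vc_size_bytes() {
    n=${1%[KMG]}
    case "$n" in ''|*[!0-9]*) echo "bad size: $1" >&2; return 1 ;; esac
    case "${1#"$n"}" in
        K) echo $((n * 1024)) ;;
        M) echo $((n * 1048576)) ;;
        G) echo $((n * 1073741824)) ;;
        *) echo "$n" ;;
    esac
}

# Refuse to create a container over an existing path: VeraCrypt would
# overwrite it, and an existing path is usually a typo (or a real disk).
vc_target_is_free() {
    [ ! -e "$1" ]
}

vc_create() {
    container=$1
    size_bytes=$(vc_size_bytes "$2")
    vc_target_is_free "$container" || {
        echo "refusing to overwrite existing path: $container" >&2; return 1; }
    # No --password here: VeraCrypt prompts for it instead of exposing it
    # in `ps` output or shell history. --pim=0 and --keyfiles="" suppress
    # the other prompts. FAT keeps the volume readable on Windows, macOS
    # and Linux, at the cost of a 4 GB per-file limit.
    veracrypt --text --create "$container" --size="$size_bytes" \
        --volume-type=normal --encryption=AES --hash=sha-512 \
        --filesystem=FAT --pim=0 --keyfiles="" \
        --random-source=/dev/urandom
}

vc_mount() {
    container=$1
    mountpoint=$2
    [ -d "$mountpoint" ] || mkdir -p "$mountpoint"
    # --protect-hidden=no skips the hidden-volume question for a plain
    # (normal) container. VeraCrypt asks for the password interactively.
    veracrypt --text --mount "$container" "$mountpoint" \
        --pim=0 --keyfiles="" --protect-hidden=no
    veracrypt --text --list     # confirm the volume is listed as mounted
}

vc_dismount() {
    # Dismount by container path so other mounted volumes are left alone.
    veracrypt --text -d "$1"
}

# Usage (interactive; VeraCrypt prompts for the password):
#   sh vc_container.sh create   ~/research.hc 512M
#   sh vc_container.sh mount    ~/research.hc ~/research
#   sh vc_container.sh dismount ~/research.hc
case "${1:-}" in
    create)   vc_create "$2" "$3" ;;
    mount)    vc_mount "$2" "$3" ;;
    dismount) vc_dismount "$2" ;;
esac
```

Run it with `create`, `mount` or `dismount` as the first argument. Mounting on Linux needs administrative rights, so VeraCrypt will also ask for your sudo password. The Windows build of VeraCrypt uses a different command-line syntax and is not covered by this script.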
On Mac OSX you can use the FileVault feature to enable full disk encryption, which protects the whole startup disk. During setup, keep the recovery key that FileVault shows you (or allow your iCloud account to store it); without it, forgetting your login password means the data cannot be recovered.
More info: https://support.apple.com/en-us/HT204837
For external disks on Mac OSX, you can use the Disk Utility application to erase (format) the external disk with an encrypted format, such as APFS (Encrypted) or Mac OS Extended (Journaled, Encrypted), protected with a password. Erasing destroys any data already on the disk, so copy it off first.
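A check script for the two Mac OSX items above, added here as an example (it is not part of the original guide or of Apple's documentation): it reports whether FileVault is on and whether a given mounted volume was in fact formatted as encrypted, by parsing the output of Apple's `fdesetup` and `diskutil` tools. The sample `diskutil info` output embedded in the script is constructed and abridged for illustration, and the volume path is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Apple's tooling):
# verify on macOS that the startup disk has FileVault on and that an
# external volume really was formatted as encrypted. Assumes the stock
# `fdesetup` and `diskutil` commands; the volume path is a placeholder.
set -eu

# Return 0 if `fdesetup status` output (read from stdin) says FileVault
# is on; it prints "FileVault is On." or "FileVault is Off.".
fdesetup_says_on() {
    grep 'FileVault is On' >/dev/null
}

# Return 0 if `diskutil info` output (read from stdin) reports the volume
# as encrypted. Both the APFS "FileVault:" line and the CoreStorage
# (Mac OS Extended) "Encrypted:" line are accepted, since which one
# appears depends on the format chosen in Disk Utility.
info_says_encrypted() {
    grep -E '^[[:space:]]*(Encrypted|FileVault):[[:space:]]+Yes' >/dev/null
}

startup_disk_check() {
    if fdesetup status | fdesetup_says_on; then
        echo "startup disk: FileVault is on"
    else
        echo "startup disk: FileVault is OFF - enable it in System Preferences" >&2
        return 1
    fi
}

# Check one mounted volume, e.g. /Volumes/ResearchData.
volume_check() {
    vol=$1
    if diskutil info "$vol" | info_says_encrypted; then
        echo "$vol: encrypted"
    else
        echo "$vol: NOT encrypted - erase it in Disk Utility with an encrypted format before storing data" >&2
        return 1
    fi
}

# Constructed, abridged samples of `diskutil info` output so the parser
# can be exercised without a disk attached; the real command prints many
# more lines.
SAMPLE_ENCRYPTED='   Volume Name:               ResearchData
   File System Personality:   APFS
   Encrypted:                 Yes
   FileVault:                 Yes'
SAMPLE_PLAIN='   Volume Name:               Scratch
   File System Personality:   APFS
   Encrypted:                 No
   FileVault:                 No'

# Usage:  sh mac_encryption_check.sh --check /Volumes/ResearchData
if [ "${1:-}" = "--check" ]; then
    startup_disk_check
    volume_check "$2"
fi
```

Run the script on the Mac itself after enabling FileVault and formatting the external disk; a non-zero exit status means one of the two checks failed and the reason is printed to standard error.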
On newer Windows Pro, Enterprise and Education computers, BitLocker drive encryption should be available. You can enable it while logged in as an administrator by turning on BitLocker for the drive. When you turn it on, Windows asks where to save the BitLocker recovery key (to your Microsoft account, to a file, or as a printout); save it for every drive that has BitLocker turned on and keep it apart from the computer, because a forgotten password or a hardware change that the TPM no longer recognizes will require the recovery key, and without it the data cannot be recovered.
More info: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
If you would like to use encryption to protect your data and you work in the School of Social Ecology at UC Irvine, you can contact Social Ecology computing services.
UCI Security Website