Oct 192012

Attached to the University of Hertfordshire’s Data Policy is a handy DOs and DON’Ts guide to handling Personal and Confidential Information (PCI). Research data often falls under the definition of PCI, because it is ethically sensitive or has commercial value to the University or a sponsor.  It probably won’t be a surprise to anyone engaged in JISCMRD that we find that practice that is given as ‘unacceptable’ by the guide, is actually common in the research community. Saving PCI on a non-University computer; use of portable media devices to store or backup PCI; regular transfer or unencrypted transfer of PCI via portable media – all these happen…often.

I would suggest that the single most likely channel to an incident of reputational damage to the University is the loss or theft of an unencrypted USB memory stick.

There is further information to support this assertion in our Practical use of encryption for Personal Confidential Information workshop presentation (PDF, 1.7MB)

Some researchers simply don’t recognise the risk. Others do, but don’t know how to go about securing their data.

RDTK has done some work to de-mystify encryption and prove first to ourselves, and now hopefully to our researchers, that it is not that difficult. It really is not as burdensome as you might think.

There are several freely available options to encrypt data on portable media or for electronic transfer. If you just want to secure your own data there is an option built into both Windows and Apple OSX. If you are likely to move data between platforms, including to and from Linux, there is TrueCrypt.

All these solutions work in broadly the same way: you create a ‘container’ that holds your encrypted files and which expands into a secure folder on your desktop when you open it. Usually the ‘container’ looks like a single large file, but it can also be a whole device.

Bitlocker (on Windows)

BitLocker was first introduced in Vista and has now become a standard feature of the Ultimate and Enterprise editions of Windows 7 and 8.

It is not a cross platform solution, although there is some support for Windows XP, which can read but not write secured data. We haven’t tested it enough to be sure about backwards version compatibility.

BitLocker uses 128 bit AES encryption, and differs from other more flexible systems in that it encrypts an entire device, but this does means you can secure a whole USB stick or portable hard drive quite easily. However take care with it: as you can see from the screen grab above – it is easy to apply Bitlocker to you system drive and thus lock yourself out of it in a moment of distraction.

Secure Disc Images (on OSX)

Apple have included this as a utility at least as far back as the inception of OSX. It is not a well known feature but works very well and is easy to use. It is not cross platform but works across all versions OSX.

The Disc Utility application can be used to create an encrypted disc image, with a range of options for size, filesystem type, and encryption, although you have to remember to turn this on. 128 bit AES encryption is the recommended option, though 256 bit is available.

Once you have created the disc image, it is portable and can be placed on whatever media is available. A double click on the disc image file (.dmg) prompts you for the password, whereupon a new volume is mounted, and the top level folder opens. Beware: if the password you choose for the encrypted disc image is the same as your OSX user password, the dmg will open without challenge, exposing your encrypted files. So pick a different password!

TrueCrypt (on Windows, Linux and OSX)

TrueCrypt is opensource software which allows encrypted data to be shared across Windows, Linux and OSX. TrueCrypt can be used like Bitlocker to encrypt a whole device, or like an OSX disc image to create a portable encrypted container. Containers can be moved between systems and platforms but the only way to access them is via the password you decide on.

We have users who have successfully secured their whole laptop, but this should hardly ever be necessary. The most common use would be to create a portable container to hold files on a USB stick, rather than just placing them insecurely on the stick.

TrueCrypt containers work in two ways: via an installed application or in standalone mode where a .exe can be included on a portable device to allow it to open the container without a full installation. This portable mode , known as ‘traveller’ mode, only works on Windows. Although TrueCrypt containers can be shared  across platforms TrueCrypt must be installed on OSX or Linux to open them. You can also use a container in a Dropbox, SkyDrive or GoogleDrive.

After some thorough research and testing we can recommend TrueCrypt as the software package of choice for encrypting research data, because it the most flexible and portable of solutions. For the sake of a very few extra clicks when you start work each day, you can make the data in your shared folder, USB stick, or external hard drive secure from theft or interference.

From user feedback we are aware that starting to use encryption can be a confusing experience. The TrueCrypt website, which is typical of a developer lead effort, does nothing to help this. It is far from clear what to do. For this reason we have produced a user guide to creating and working with TrueCrypt containers. The guide focuses on TrueCrypt for Windows, but the steps are very similar on Mac OSX and Linux. We will also be running a desktop encryption workshop open to all University of Hertfordshire staff in December.

The guide to encryption using TrueCrypt is available here (PDF, 2.0MB)

Try TrueCrypt now

We have prepared standalone a TrueCrypt container for Windows users to try out.

Download this zip. (RDTK made this, it is clean, we promise).
> Right click on rdtk_herts_1MB_truecrypt_demo.zip, and  ‘Extract All…’
> Open the unzipped folder, click once on rdtk_herts_1MB-test-container, and then drag and drop it onto TrueCrypt.exe
> Click on a drive letter in the TrueCrypt application window, for example M:
> Click ‘Mount’ and enter password ( rdtk_herts ), click ‘OK’

The encrypted volume is now mapped to drive M:

To open the encrypted volume either double click on M: in the TrueCrypt application window, or go to ‘My Computer’ (Window key+E) and open Local Disc (M:) You can drop files into this folder to test it. When you have finished, return to the TrueCrypt application window and click ‘Dismount All’.

You also have everything you need to make TrueCrypt containers yourself. Just run TrueCrypt Format.exe and follow the wizard. Alternatively, you can download the full TrueCrypt package here.

We would welcome feedback of  your experience of this demonstration.

A note about handheld devices.

As more and more people make use of smart phones and tablets the risk of exposing unsecured PCI increases.

The remedy for this if you are an Apple iPad and iPhone user is very simple. Make sure you turn on your passcode lock. With passcode lock on, everything on the device is encrypted, without it, it is not, with a consequent risk of theft.

If anyone has any similar advice about Android devices please let us know via a comment.

And finally, a cautionary anecdote

If I had a regular reader they might remember this.

I am embarrassed to say this idiot RDM project manager is no longer in possession of the laptop pictured here because he left it in the boot of an unlocked car and it was stolen. I am however, pleased to say that I didn’t panic for very long, because the laptop contained no information of value apart from my PCI, and this was stored on an encrypted disc image. Phew, bacon saved. Now, if only I could find the mug, which has also disappeared…