Encryption Guidance

Purpose of this Article

To ensure that staff and students are aware of the benefits and requirements for data encryption, and are able to determine when encryption is appropriate and how to take advantage of it.

Guidance

Encrypting data makes the information unreadable; it can only be read by using a secret key to unlock it, a process called decryption. Data encryption can be applied both to stored data (on computer drives or removable media) and to data shared via networks. Mobile devices and removable media, including laptops, USB drives, hard drives and DVDs, pose particular risks, and encryption can be used to reduce these risks when sharing or storing sensitive information using these methods.

What is encryption?

Encryption is not the same as password protection. While password protection can prevent other users from opening a file, the contents of the file itself are not protected and can be extracted through other means. Encryption technology uses a robust process to ‘scramble’ data as it is stored on a computer or portable media device so that the data can only be understood by authorised users. In order to read and/or work with the data, a user must provide relevant credentials.

When should I use encryption?

Encryption should be used to secure confidential data that is in transit, or that may be accessed or held in locations where you do not control access. For instance, sensitive or confidential information that is emailed to external parties, or held on devices that are easy to steal or lose (such as laptops, tablets, etc.), should be protected with encryption.

Encryption Options

Mobile Devices

Encrypting data makes the information unreadable unless the viewer uses a secret key to unlock it, a process called decryption. Data encryption can be applied both to stored data (on computer drives or USB storage devices) and to data being transferred via networks. If you store data, emails or photos on your portable device, then you can encrypt the information to protect it. If the device is also protected with a PIN or password, encryption will further reduce the risk of your data being subject to unauthorised access.

Laptops

All UWE provided laptops used by staff and students are encrypted by default. IT Services uses a facility provided with Windows 7 and later called BitLocker, which automatically encrypts all data on the hard disk of a laptop. Should an encrypted laptop be lost or stolen, the facility will guarantee the safety of the data on it. Your laptop must also be protected with a strong password.

  • Windows
    If you have a personal laptop that you would like to encrypt, then you may also be able to use BitLocker. To use BitLocker, your computer must satisfy certain requirements:
    Windows 8 or later — Professional or Enterprise edition
    Windows 7 — Enterprise or Ultimate edition
  • Mac
    If you use a Mac laptop then you can enable full disk encryption using the built-in FileVault 2 software. To use FileVault 2, your computer must satisfy certain requirements:
    OS X — Mavericks (10.9) and above

Documents and Files

  • Microsoft Office/Office365 documents
    Microsoft Office provides an inbuilt encryption facility. To find out how to encrypt and protect documents from within Office, please see ‘Office Document Encryption’.
  • 7-Zip
    7-Zip should be preinstalled on all UWE provided computers and can be used to encrypt the contents of a Zip or 7-Zip file. It is free and available on Linux, OS X and Windows. For instructions on how to encrypt a file or folder with 7-Zip, please see ‘7-Zip Encryption’.

USB Storage Devices

  • Windows
    If you are able to use BitLocker on a Windows computer, you can use it to protect removable media. For instructions on how to encrypt a USB drive with BitLocker, please see ‘BitLocker USB Encryption’.

Key Management

It is important when encrypting documents or devices that great care is taken with the choice and storage of the encryption key. Since the key provides access to the data in the same way that a password provides access to an account or system, the same principles regarding selection and storage of an appropriate password apply.

In addition, care must be taken to ensure that the key is not lost – unlike many services, there is no way to reset the key to enable access – losing the key means that the data will most likely be unrecoverable.

When sharing encrypted data with another party, always ensure that the data and the key to unlock it are never sent together, as this negates the benefits of encryption by giving anyone who possesses the files the ability to read the encrypted data. Instead, always send the key through a different medium. For example, if the data is emailed to someone, then the key could be shared over the phone or by SMS. That way, if anyone were to gain access to the recipient's email account, they would not automatically have access to the encrypted data. For this reason, sending the key in a separate email is not sufficient.
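The following is an added example, not part of the UWE guidance or its linked instructions, showing the BitLocker USB encryption step together with the key management advice above: it encrypts a removable drive with a passphrase, adds a separate recovery password so that losing the passphrase does not mean losing the data, and checks the result. It uses the BitLocker PowerShell module shipped with Windows 8 and later (Professional/Enterprise editions), must be run from an elevated PowerShell, and assumes "E:" is the USB drive's letter.

```powershell
# Added example (not from the UWE guidance page). Requires the built-in
# BitLocker PowerShell module and an elevated (Administrator) session.
# "E:" is an assumed drive letter for the USB stick; change it to match yours.

$usb = "E:"

# 1. Confirm the laptop's own system drive is already protected (the guidance
#    says UWE laptops are by default). ProtectionStatus should read "On".
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# 2. Encrypt the removable drive with a passphrase (BitLocker To Go).
#    Read-Host -AsSecureString keeps the passphrase out of the console history.
$pass = Read-Host -Prompt "Passphrase for $usb" -AsSecureString
Enable-BitLocker -MountPoint $usb -PasswordProtector -Password $pass -UsedSpaceOnly

# 3. Add a recovery password as a second protector. There is no "reset" for a
#    lost passphrase, so this 48-digit key is the only safety net: record it and
#    store it separately from the drive (and never alongside the files you send).
$vol = Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword" |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Before handing the drive over, verify protection is on and both protectors
#    (Password and RecoveryPassword) are present.
$check = Get-BitLockerVolume -MountPoint $usb
$check | Select-Object MountPoint, ProtectionStatus
$check.KeyProtector | Select-Object KeyProtectorType
```

When the drive is shared, the passphrase itself goes to the recipient by a different channel (phone or SMS, as the guidance says), and the recovery password stays with you.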
