University of Colorado at Boulder    

IT Security Topic — Encryption

   
 

Product options

Operating system integrated

EFS (Windows 2000 and later)

Windows 2000 and later include an encryption feature called Encrypting File System (EFS), which can be used to encrypt information at the file, folder or disk level. It can leverage Active Directory for storing user encryption keys.

  • Pros: Integrated into current versions of Windows and easy to use at a basic level.
  • Cons: Full key management options require planning.  Encryption does not “stick” to files.

BitLocker (Windows Vista)

Windows Vista Enterprise and Ultimate editions include a disk encryption tool called BitLocker which is designed to work together with a Trusted Platform Module (TPM) hardware chip in a computer.  It uses a separate boot partition and encrypts the primary system partition.  It can leverage Active Directory for storing disk restore keys. 

  • Pros: Integrated into the operating system and can leverage TPM chips and tokens for enhanced security.
  • Cons: Only available on certain versions of Windows Vista (Enterprise and Ultimate), effectively requires a TPM v1.2 chip in the computer, needs a special partitioning configuration, and encryption does not “stick” to files when they are copied off of the disk. 

FileVault (Mac OS X 10.3 and later)

Apple OS X versions 10.3 and higher include a tool called FileVault for encrypting a user’s home directory. It uses the user’s normal login password, which provides seamless access, and it allows the computer administrator to set a “master password” in case a user forgets their password.

  • Pros: It provides an easy-to-use, integrated encryption option for OS X users.
  • Cons: FileVault only encrypts the home directory, so files saved elsewhere are unencrypted. As with other folder-level encryption options, the encryption does not “stick” with the file when it is copied, moved or e-mailed.

Linux

Different Linux distributions may come packaged with various encryption tools, most commonly some form of GnuPG (an open-source implementation of PGP-style encryption). Check with your Linux distribution provider to see what encryption tools are included, and check the encryption software section below for products with Linux versions.

Hardware level encryption

Hard drives with encryption

Storage companies are beginning to ship hard drives with hardware encryption built in. This means the hard drive itself can encrypt information as it writes it to the drive and decrypt it as it reads the information. This technology is expected to grow quickly and surpass software encryption in popularity for whole disk encryption. A small number of USB thumb drives include hardware encryption (a number of them advertise encryption, but simply come packaged with basic encryption software).

Trusted Platform Modules (TPM chips)

Trusted Platform Modules are chips in some computers that allow for hardware level management of some security functions, including encryption.  Purchasing a computer with a TPM chip does not, on its own, provide any protection, although some computer vendors package security software with the computer that can leverage the TPM.  Different products may use TPM chips in different ways and have different requirements for TPM chip versions.  If you are planning on using software that leverages a TPM chip you should verify the specific hardware requirements.  

Encryption software

Utimaco/SouthSeas (State pricing agreement)

The State of Colorado has established a state-wide pricing agreement that allows state agencies to purchase Utimaco encryption software through the SouthSeas reseller at a discounted rate.  The agreement covers the following suite of encryption products for Windows 2000/XP/2003:

    • SafeGuard Easy
    • SafeGuard Advanced Security
    • SafeGuard Private Disk
    • SafeGuard Private Crypto
    • SafeGuard PDA
    • SafeGuard LAN Crypt

These applications provide whole disk encryption, single file/folder encryption, multi-user file encryption, encryption of information on PDAs and other functions.

  • Platforms: Windows 2000 and XP
  • For more product information see: http://utimaco.com/
  • For more information on purchasing and pricing, see Colorado state price agreement number 20556YYY12M listed under Software here:

PGP/GnuPG

PGP (originally Pretty Good Privacy) and GnuPG (GNU Privacy Guard) are based on the same underlying asymmetric encryption technologies. Currently, PGP is a commercial implementation of the technologies and GnuPG is an open-source implementation based on the OpenPGP standard. PGP-based encryption is probably best known for public key/private key encryption and signing of e-mail messages, but it also provides file and disk encryption capabilities. The technologies are widely used and well vetted.

  • PGP.com platforms: Windows, Mac OS X (does not include all features) and Linux (command-line tools only)
  • For more information on PGP, see: http://www.pgp.com/

PointSec

PointSec provides a widely recognized set of encryption software which is particularly popular in government and financial markets.  They are most commonly associated with whole disk encryption, but provide additional encryption functions. 

MS Office and OpenOffice

MS Office 2003/2007 and OpenOffice 2 both include strong encryption capabilities that password protect individual files.  For MS Office 2003, a default setting must be changed to provide robust encryption. 

Through version 2004, MS Office for OS X does not provide sufficiently strong encryption for documents.  ITS does not recommend that users rely on MS Office for OS X as their encryption layer to protect private data. 

  • MS Office platforms: Windows, and Mac OS X (although current MS Office encryption for OS X is not recommended)
  • OpenOffice platforms: Windows, Mac OS X and Linux

TrueCrypt

TrueCrypt is a free, open-source encryption application for Windows and Linux that provides strong encryption. It is appropriate for individual users who wish to encrypt a set of files or a removable drive. TrueCrypt supports several encryption algorithms and uses passwords and/or key files to lock the encrypted information.

 

Contact Information
Campus IT Security Office
(303) 735-4357 (or 5-HELP from a campus phone)
security@colorado.edu

 


Last reviewed: March 13, 2008

© 2000
The Regents of the University of Colorado