On Encryption

In a previous post, I spoke about the importance of backing up your data. In my role, I’ve seen accidents happen. We’ve provided teachers with backup drives, using Apple’s Time Machine as the mechanism for performing these daily (or at worst, weekly) backups. But the human component involved is the weak link. My laptop has probably gone beyond a one-week backup at this point, and is due for a “plug-in” soon, to the backup drive I use in my office.

But what about security? I’m not a CIA agent or a high-profile investor for millionaire clients. But there is data (or pathways to get to data) on my laptop that needs to be secure. If I lost my laptop (because I was stupid, and left it someplace) and someone had access to my computer, what might they find?

My emails. My documents. My saved passwords for access to student data. My VCU work. My browsing history. And having that all backed up is great, but what if what is backed up is compromised? What if my VCU work included transcripts of interviews, let’s say, that were promised to a client to be confidential? Depending on who gets my laptop, such transcripts could be benign and ignored. Most folks would probably wipe my laptop and re-use it for their own use. But losing the confidentiality of your data to someone else is frightening. And it may be unethical, depending on what you’ve collected.

On Encryption

Encryption is a method of making data nonsensical to anyone without a key. The best analogy is taking a document, a piece of paper, and scrambling all the letters in that document up. With the right type of encryption, there is no way to get the letters back into the right order to put your document “back together again,” without the right key.

And the “document” I speak of could be a Word file, a JPEG, a folder of documents, an e-mail message, or even your entire hard drive.

So, these are your options, in “big picture” order down to individual documents:

  • Whole Hard Disk encryption,
  • Home Directory encryption,
  • folder encryption,
  • e-mail encryption,
  • single file encryption.

The days when a single login password was enough to secure your laptop are gone. If someone boots your computer from another drive, all your data is still there. The password is just a small speed-bump towards accessing what’s on your computer.

Where encryption becomes most important, probably, is in the transport of documents. “Can you e-mail me those interview files? I want to code them…” would be a lightweight example. The path from your computer, to the e-mail server, across the internet, to your colleague’s e-mail server, and then back to their computer, is insecure. Along multiple points in that chain of communication are opportunities to see the e-mail, from network sniffers at a school building, to the traffic traveling along the open internet, and then from your colleague’s mail server to their computer.

And their computer doesn’t need to be compromised to capture that data. Its travel to that computer is insecure.

Encrypting E-mail

One choice is to encrypt the entire message being sent. This means everything in the e-mail, including the document(s), is secure. If any of the message is intercepted en route, it’s gibberish.

You can also send an un-protected e-mail (you can read the message) with an encrypted file. The important stuff is protected, like putting important documents in a Tyvek envelope and knowing they won’t get wet.

For years, the standard for encrypting e-mail has been something called PGP (Pretty Good Privacy). Both the sender and receiver agree that they will exchange private e-mails, and they exchange public keys. These are blocks of characters (really, just a very big password). People can exchange their public keys in “public”; there’s no harm in others seeing that password.

In turn, there’s a secret part. We each have private keys. A combination of the private and public keys is used to encrypt messages. Your public key and my private key lock the message down. Your private key and my public key open it on your end. That way, only the intended recipient, who holds their own private key, can access the e-mail.
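The key roles in the paragraph above, worked through with toy RSA numbers (an added example, not from the original post). The function names and the tiny keys built from Mersenne primes are constructed for illustration; real PGP uses far larger keys, padding, and a one-time session key for the message body.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    """SHA-256 of the message, reduced so it fits under the signing key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, sender_private, recipient_public):
    """My private key signs; your public key encrypts."""
    n_s, d_s = sender_private
    n_r, e_r = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n_r:
        raise ValueError("toy key too small for this message")
    signature = pow(digest(message, n_s), d_s, n_s)
    ciphertext = pow(m, e_r, n_r)
    return ciphertext, signature

def receive(ciphertext, signature, recipient_private, sender_public):
    """Your private key decrypts; my public key checks the signature."""
    n_r, d_r = recipient_private
    n_s, e_s = sender_public
    m = pow(ciphertext, d_r, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    authentic = pow(signature, e_s, n_s) == digest(message, n_s)
    return message, authentic

# Constructed keys: far too small and too structured for real use.
MY_PUBLIC, MY_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)    # sender
YOUR_PUBLIC, YOUR_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)  # recipient

if __name__ == "__main__":
    ct, sig = send(b"interview notes", MY_PRIVATE, YOUR_PUBLIC)
    print(receive(ct, sig, YOUR_PRIVATE, MY_PUBLIC))      # message comes back, check passes
    print(receive(ct + 1, sig, YOUR_PRIVATE, MY_PUBLIC))  # altered in transit: check fails
```

The public keys can travel in the open because only the matching private key undoes what each one does.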

PGP is great if you plan on sending a lot of e-mail that needs to be encrypted. It works “automatically” in the background, but depending on what package you use to do this, can be a little “techie” to set up.

For more details on PGP on the Mac, check this link out. For more details on PGP on the PC, check this link out. And for a commercial platform that works on both Macs and PCs, check this link out.

In some cases, services like Hushmail might do the trick for less-regular exchanges. It’s a free encrypted mail service.

Encrypting the Entire Drive

On the Mac, Apple bundles a pre-installed mechanism for securing your Macintosh called FileVault. In Mac OS X Lion and Mountain Lion (10.7, 10.8) you also now have whole-disk encryption. This won’t make e-mails secure, but it means if your laptop (or desktop) is intercepted, your password is now also an encryption key. The data on the drive is scrambled.

Don’t forget that your backup drive may be un-encrypted. There are options on the Mac for Time Machine to encrypt the backups too.

Apple’s FileVault allows you to encrypt just a home folder, or the entire drive. This means, on a home machine (for instance), you can keep the kids’ accounts open, and only mom and dad’s accounts are encrypted. At this point, on the Mac at least, I see no reason not to encrypt the entire machine.

My inexperience with encryption with Windows PCs prevents me from making specific recommendations. This page on Wikipedia shows some of the options. If I were starting out, I’d likely choose some of the better-regarded commercial solutions.

File Encryption

So, maybe you don’t need to encrypt the entire lot. Maybe there are just certain files that need to be kept secret, like a list of your credit card numbers, some financial documents, or your folder of data for your capstone project.

On the Mac, the easiest (and free) method is to create an encrypted disk image. Disk images are files that represent entire “disks” to the operating system. You may have seen .iso files before; these typically are CD or DVD “images” in a file. After downloading them from the Web, you can burn them into a real CD or DVD.

On the Mac, Disk Images are ways to mount a virtual disk and install software. You may see these as “.dmg” files (Disk iMaGe). Disk images can be any size, including a type called “sparse,” which can grow beyond its initial size.

Disk Utility on the Mac allows you to create empty disk images, and it offers an encryption option. With an encrypted disk image, once that image is un-mounted, its contents are scrambled. Open it up, provide a password, and everything inside is accessible. It’s like a giant manila folder with a padlock on the front.

Disk images can be shared through online filesharing services like Google Drive and Dropbox between Mac users. Even while the image is sitting on a public server, the contents are safe inside.

On the PC, one method for encrypting single files and folders is 7-Zip. This zipping utility includes the option for adding a strong AES password to encrypt the zip file. You can even create ZIPs that will extract (.exe option) so the recipient, with the right password, doesn’t need to install 7-Zip on their machine to access the encrypted file or folder. And as a bonus, it’s compressing the files, too.

The only problem with these cheap and easy services is that data cannot be easily exchanged between the Mac and PC. I say not easy, but not impossible. There are ways to facilitate ease through 3rd party software.

I have found that zipping archives on the Mac with encryption is possible, and for free. It just takes a step on the wild side with the Terminal. Why this isn’t a default option in the graphical interface, I do not know.

Check out this website for instructions on how to create encrypted ZIP files on the Mac. I’m interested in seeing if these files are usable on the PC side.
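Before trusting a password-protected .zip, it helps to check which protection it actually carries: the ZIP format has both an AES scheme and a much older, weaker password scheme, and in both cases the file names stay readable without the password. The checker below is an added example, not from the original post; the sample archive is constructed, with only its directory fields patched to mimic encrypted entries.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # method value AES-protected entries carry in the ZIP directory

def classify(zip_bytes):
    """Map each entry name to 'none', 'legacy password' or 'AES'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():        # names are listed without any password
            if not info.flag_bits & 0x1:  # flag bit 0 set = entry is encrypted
                result[info.filename] = "none"
            elif info.compress_type == AES_METHOD:
                result[info.filename] = "AES"
            else:
                result[info.filename] = "legacy password"
    return result

def constructed_sample():
    """Build a small archive, then patch directory fields to mimic encryption.

    Python's zipfile cannot write encrypted archives, so only the header
    fields are constructed here; the file data itself is not encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("readme.txt", "budget.xls", "interviews.doc"):
            zf.writestr(zipfile.ZipInfo(name), "constructed sample data")
    raw = bytearray(buf.getvalue())
    patches = {b"budget.xls": None, b"interviews.doc": AES_METHOD}
    pos = raw.find(b"PK\x01\x02")         # first central-directory record
    while pos != -1:
        flags, method = struct.unpack_from("<HH", raw, pos + 8)
        name_len = struct.unpack_from("<H", raw, pos + 28)[0]
        name = bytes(raw[pos + 46:pos + 46 + name_len])
        if name in patches:
            new_method = method if patches[name] is None else patches[name]
            struct.pack_into("<HH", raw, pos + 8, flags | 0x1, new_method)
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    for name, kind in classify(constructed_sample()).items():
        print(f"{name}: {kind}")
```

To check a real archive, pass `classify` the bytes read from the file.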

Weak Protection

Some advocate for the use of “weak” protection methods, such as an Excel spreadsheet password, over these more ironclad solutions. These password methods are far easier to break (and less so, with the newest versions of Office). They’re like the padlock you put on luggage. Easy to break off, but a nuisance that may thwart someone’s interest. With all the billions of e-mails and documents being traded at any one time, what makes yours so special? And maybe setting a password on something using weak tools strikes a balance: easy for you to apply, and just annoying enough to break for the person wanting to pry into your files.

Check out Microsoft’s how-to on setting encryption on Office documents. It’s free, and built-in.
