
Encryption Documentation

Types of Encryption

There are three common types of encryption: full disk encryption, volume and virtual disk encryption, and file/folder encryption.

Full Disk Encryption (FDE)

Full disk encryption (FDE), also known as whole disk encryption, is the process of encrypting all the data on the hard drive used to boot a computer, including the computer's OS, and permitting access to the data only after successful authentication to the FDE product. Most FDE products are software-based. FDE software is most commonly used on desktop and laptop computers. The requirement for pre-boot authentication means that users have to be able to authenticate using the most fundamental components of a device, such as a standard keyboard; because the OS is not loaded, OS-level drivers are unavailable.

For a computer that is not booted, all the information encrypted by FDE is protected, assuming that pre-boot authentication is required.

Volume and Virtual Disk Encryption

Virtual disk encryption is the process of encrypting a file called a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided, at which point the container is typically mounted as a virtual disk. Virtual disk encryption is used on all types of end user device storage. The container is a single file that resides within a logical volume.

Examples of volumes are boot, system, and data volumes on a personal computer, and a USB flash drive formatted with a single filesystem. Volume encryption is the process of encrypting an entire logical volume and permitting access to the data on the volume only after proper authentication is provided. Volume encryption is most often performed on hard drive data volumes and volume-based removable media, such as USB flash drives and external hard drives. The key difference between volume and virtual disk encryption is that containers are portable and volumes are not: a container can be copied from one medium to another, with encryption intact. This allows containers to be burned to CDs and DVDs and to be used on other media that are not volume-based.

When virtual disk or volume encryption is employed, the contents of containers are protected until the user is authenticated for the containers.

File/Folder Encryption

File encryption is the process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided. Folder encryption is very similar to file encryption, only it addresses individual folders instead of files. Some OSs offer built-in file and/or folder encryption capabilities, and many third-party programs are also available. When a user attempts to open an encrypted file (either encrypted by itself or located in an encrypted folder), the software requires the user to first authenticate successfully. Once that has been done, the software will automatically decrypt the chosen file.

File/folder encryption protects the contents of encrypted files (including files in encrypted folders) until the user is authenticated for the files or folders. File/folder encryption software cannot protect the confidentiality of filenames and other file metadata, which itself could provide valuable information to attackers (for example, files that are named by Social Security number).
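Because filenames stay readable, it is worth auditing them before relying on file/folder encryption. The following is an added example, not part of the original documentation: it walks a directory tree and flags file or folder names that contain an SSN-like number. The function names, sample paths and numbers are constructed for illustration.

```python
import os
import re
import tempfile

# Nine digits with optional separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-._ ]?(\d{2})[-._ ]?(\d{4})(?!\d)")


def looks_like_ssn(area, group, serial):
    """SSA structural rules: area is never 000, 666 or 9xx; group never 00; serial never 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssn_like_names(root):
    """Return sorted relative paths whose file or folder name contains an SSN-like number."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(looks_like_ssn(*m.groups()) for m in SSN_RE.finditer(name)):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


# Constructed sample names standing in for encrypted files (all numbers are made up).
SAMPLE_NAMES = [
    "payroll/123-45-6789.docx",        # SSN-like: flagged
    "payroll/234567890_w2.xlsx",       # SSN-like without separators: flagged
    "payroll/000-12-3456.docx",        # invalid area number: not flagged
    "payroll/employee_0042.docx",      # opaque record ID: not flagged
    "archive/219.09.9999/notes.doc",   # folder name is SSN-like: folder flagged
    "archive/invoice_1234567890.xls",  # ten-digit run: not flagged
]


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_NAMES:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_ssn_like_names(root)


if __name__ == "__main__":
    for hit in demo():
        print("name exposes an SSN-like value:", hit)
```

Flagged items should be renamed to an opaque identifier, or moved into an encrypted container or volume, where the names are encrypted along with the contents.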

NOTE: Organizations should not rely on storage encryption technologies to protect data without regularly maintaining the encryption solution. For example, if an attacker acquires a lost, stolen, or retired device protected by storage encryption technology, and a vulnerability in the storage encryption technology is discovered in the future, the attacker may be able to exploit it to access the protected data.

Encrypt a File

Currently, we provide instructions for encrypting Microsoft Office files. We will issue a recommendation for encrypting non-Office files in 2009.

  • WARNING: If you lose your encryption key (encryption password), your data is gone. DO NOT LOSE IT!
  • DO NOT use your CNetID password as the encryption key for your files.
  • If you need to move a high risk file, encrypt it before moving it.

Last updated: 11/10/08