VISC File and Disk Encryption Guideline

File and Disk Encryption Guidelines
FINAL
REVISION CONTROL
Document Title: VISC File and Disk Encryption Guideline
Author: VISC Document Committee
File Reference: VISC File and Disk Encryption Guideline

Revision History

Revision Date | Revised By    | Summary of Revisions                                          | Section(s) Revised
3/28/2011     | Sylvia Barnes | Draft VISC encryption guideline                               | Redraft all
10-5-2011     | Sylvia Barnes | Reformatted to VISC Template and restructured to new format.  | 1.0; 2.0; 3.0
10-11-2011    | Sylvia Barnes | Added key management under section 4.0.                       | 4.0
10-26-2011    | Andru Luvisi  | Added key management under section 4.0.                       | 4.1, 5.0
11-16-2011    | Sylvia Barnes | Changed title and placed into new template                    | All

Review / Approval History

Review Date | Reviewed By     | Action (Reviewed, Recommended or Approved)
11/9/2011   | VISC Committee  | Approved
2/7/2012    | VISC Governance | Approved
Last Revised: 11/23/11 Guideline # 8060.000.G12.7
Page ii
Table of Contents

1.0 FILE AND DISK ENCRYPTION GUIDELINES ... 4
    1.1 Introduction ... 4
    1.2 Purpose ... 4
    1.3 Scope ... 4
2.0 ENCRYPTION STANDARDS ... 4
    2.1 Recommended Standards ... 5
    2.2 Various Encryption Needs ... 5
    2.3 Recommended File/Folder Encryption Solutions and their Requirements ... 5
3.0 DEFINITIONS ... 10
4.0 REFERENCES ... 11
1.0 FILE AND DISK ENCRYPTION GUIDELINES
1.1 Introduction
This guideline was developed to support the CSU Policies, government regulations and audit compliance. This
guideline provides support for the identification and implementation of encryption solutions for assets that have
been determined to process Protected Level 1 data.
1.2 Purpose
The following encryption implementation guideline is designed to supplement the CSU Policy and CSU draft
standards which address encryption requirements for Protected Level 1 information in transit and in storage.
Protected Level 1 information is particularly vulnerable to identity theft. Additional responsibilities for safeguarding
Protected Level 1 information are imposed by law and policy due to the need to protect privacy and reduce risk
and liability to the University. While units have been encouraged to eliminate unnecessary electronic storage of
Protected Level 1 information, the need to protect Protected Level 1 information required to conduct University
business still remains.
Encryption can be used to protect Level 1 Information stored on devices in case of loss, theft, or compromise.
1.3 Scope
This guideline applies to all users (e.g., executives, managers, faculty, staff, students, guests, business partners,
all auxiliaries and others) of CSU data, computer networks, equipment, or computing resources who process,
transmit, or handle Protected Level 1 information in a physical or electronic format. This includes servers,
workstations or any computers which store Protected Level 1 information.
2.0 ENCRYPTION STANDARDS
A campus unit or association that uses encryption will need to have the permission of the Data Owner before
deploying the encryption. The Data Owner will need to work with the Data Custodians and/or Users to ensure
procedures are in place for key management and secure key recoverability by the University.
No single solution for encrypting stored data can address the University’s diverse computing environments and
requirements. This guideline recommends a variety of encryption tools and practices following review and trial of
a number of open-source and commercial tools. Native, Open Source, and proprietary options should all be
considered when looking for an appropriate solution.
Two types of encryption solutions are generally available: file encryption (referred to as “folder encryption” when a
folder is encrypted) and full disk encryption. With file or folder encryption, the file or folder is encrypted and users
must be sure to save Protected Level 1 information in the encrypted file or folder. Full disk encryption protects the
entire hard drive, including the operating system. As the name suggests, the entire drive is encrypted and the
user unlocks the decryption key before the operating system boots.
2.1 Recommended Standards
Determine the computing environment so that the method of encryption that is needed for the environment can be
deployed. The following standards are recommended for the corresponding environments:
a. File encryption for desktops that remain on all the time.
b. File or full disk encryption for desktops that are powered down at the end of the work session or day.
c. File encryption for servers, including shared folders.
d. Full disk encryption for mobile devices (e.g., laptops, PDAs, tablet PCs and smart phones), storage media
(e.g., flash drives), and media for which adequate physical security cannot be guaranteed.
e. Full disk encryption or native database software features for database servers.
f. Compatible encryption for dual boot systems and shared folders.
2.2 Various Encryption Needs
A unit may elect to implement any number of these to meet its varied needs. For example, a unit may select:
a. BitLocker for laptops and desktops with a Windows Vista Ultimate or Enterprise operating system.
b. TrueCrypt for full drive encryption of any Windows laptops with operating systems other than
Windows Vista Ultimate or Enterprise, and Linux laptops.
c. TrueCrypt for file encryption of any Windows desktops with operating systems other than Windows
Vista Ultimate or Enterprise, Linux desktops, and flash drives.
d. FileVault for Macintosh systems.
Note: Consideration should also be given to key management and data recovery options. See "Key
Management Configuration Guidelines" (section 2.6) below. Information specific to each of the solutions is presented below.
2.3 Recommended File/Folder Encryption Solutions and their Requirements
With file or folder encryption, the user creates an encrypted file or a folder or disk partition where the user must
store the data to be encrypted.
2.3.1 TrueCrypt
TrueCrypt is a free, open-source software application that creates encrypted disk image files (volumes), similar to
FileVault for Macintosh (see below). It uses on-the-fly encryption, meaning that data are automatically
encrypted or decrypted right before they are saved or loaded, without any user intervention once the volume is
mounted. Mounting itself is not transparent to the user, who must enter the volume password (and present any
keyfiles) before the data is accessible. Training and support are highly recommended for users of TrueCrypt. A
Beginner's Tutorial is available on the TrueCrypt website.
All versions are inter-compatible so that encrypted devices can be used between different platforms. The
following operating systems (among others) are not supported: Windows 2003 IA-64, Windows 2008 IA-64,
Windows XP IA-64, and Windows 95/98/ME/NT. Additional TrueCrypt considerations are below:
• Some Windows functions require administrator privileges (see
  http://www.truecrypt.org/docs/?s=version-history).
• For Linux, installation packages are available for OpenSUSE and Ubuntu distributions, but not for
  Fedora.
• TrueCrypt is particularly useful for encrypting removable media such as removable flash drives
  (see the Flash Drive Encryption Procedure). It will function on a dual boot system.
• More information: http://www.truecrypt.org
System requirements for installation of TrueCrypt are detailed below:
• Windows 7
• Windows 7 x64 (64-bit) Edition
• Windows Vista
• Windows Vista x64 (64-bit) Edition
• Windows XP
• Windows XP x64 (64-bit) Edition
• Windows Server 2008
• Windows Server 2008 x64 (64-bit)
• Windows Server 2003
• Windows Server 2003 x64 (64-bit)
• Windows 2000
• Mac OS X 10.4 Tiger
• Mac OS X 10.5 Leopard
• Linux (kernel 2.4, 2.6 or compatible)
Note: Consideration should also be given to key management and data recovery options. See "Key
Management Configuration Guidelines" (section 2.6) below. Information specific to each of the solutions is presented
below.
2.3.2 Windows Encrypting File System (EFS)
Encrypting File System (EFS) encrypts files and folders stored on local NTFS volumes. Each file is encrypted
with its own symmetric file encryption key, and that key is in turn protected with the public key of the user's EFS
certificate, which is tied to the Windows user account. As a result, only a holder of the corresponding private key
(the user who encrypted the data, any additional user the owner has added, or a designated recovery agent) is
able to decrypt it again.
A user must have a valid X.509 certificate to encrypt files and folders with EFS. EFS looks in the user's
personal certificate store for an EFS certificate. If it does not find one, it attempts to enroll the user for an EFS
certificate with a Windows certification authority. If the user is not using a domain account or if EFS is unable
to request a certificate through a certification authority, EFS generates a self-signed certificate. Additional
Encrypting File System considerations are below:
• Securing EFS depends on selecting a strong password for the Windows login account, because the
  EFS private key is protected with credentials derived from that password. The login account holder
  establishing the EFS folder can permit other login accounts to access the encrypted folder.
• Access to encrypted data may be lost if the password of a local Windows login account is reset by
  an administrator rather than changed by the user (a user-initiated change keeps the key usable; an
  administrative reset does not). Traveling users of Active Directory generated encryption keys may
  lose access to encrypted data as cached credentials go stale or passwords are changed and the
  computer cannot authenticate to the Active Directory domain.
• If a user encrypts data using EFS and loses the key, the data cannot be recovered, so EFS
  should not be used for encrypting the only copy of critical University data without a key
  management plan.
• Additional EFS resources: http://technet.microsoft.com/en_us/library/bb457065.aspx and
  http://technet.microsoft.com/en_us/library/bb457116.aspx
Note: Consideration should also be given to key management and data recovery options. See "Key
Management Configuration Guidelines" (section 2.6) below. Information specific to each of the solutions is presented below.
2.3.3 FileVault for Macintosh
FileVault is built in to Mac OS X. Unlike EFS, which encrypts individual files and folders, FileVault creates a
single encrypted disk image file containing the user's home directory.
This disk image is mounted as the user logs in, allowing only that user access to the decrypted data.
Additional FileVault considerations are below:
• The user cannot select which parts of the disk to encrypt with FileVault. Only the entire home
  directory can be encrypted; the whole disk cannot be encrypted. (This describes the FileVault of
  Mac OS X 10.3 through 10.6; FileVault 2, introduced in Mac OS X 10.7, encrypts the whole startup
  disk instead.)
• Specific files or folders cannot be encrypted using FileVault, although the underlying encrypted
  disk image technology can be used for this purpose via Apple's Disk Utility application, included
  in the standard installation of OS X.
• The user must be an administrator on the computer, or obtain assistance from an administrator,
  to set up FileVault and turn it on for the computer's home folder.
• A user who has forgotten both the login password and the FileVault master password will not be
  able to log in to the account and access the encrypted data.
• FileVault should not be used for the only copy of critical university data without a key
  management plan, because of the risk of losing the key.
• Additional resources for FileVault:
  http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1906.html
System requirements for installation of FileVault are detailed below:
• Operating System Required: Mac OS X v. 10.3 and later.
Note: Consideration should also be given to key management and data recovery options. See "Key
Management Configuration Guidelines" (section 2.6) below. Information specific to each of the solutions is presented below.
2.4 Recommended Full Disk Encryption Solutions and their Requirements
Full disk or Whole disk encryption protects the entire hard drive, including the operating system. The entire drive
is encrypted and the decryption key is unlocked by the user before the operating system boots. Because the
whole disk is encrypted, users do not need to save Level 1 or confidential data in an encrypted file or folder in
order to ensure that the data is protected.
2.4.1 Windows BitLocker
BitLocker Drive Encryption is a whole disk encryption feature included in the Enterprise and Ultimate editions
of Windows Vista and Windows 7, and in the Windows Server 2008 operating system.
BitLocker encryption may be implemented in one of three configurations. Two of them require a
cryptographic hardware chip called a Trusted Platform Module (TPM); the third does not. A TPM is a
microchip built into the computer that stores and protects cryptographic information, such as encryption
keys. Keys held in the TPM are better protected against external software attacks and physical theft than
keys kept on disk. The three configurations are detailed below:
1. Transparent Operation Mode: The TPM alone releases the volume key at boot, after verifying that the
   early boot components (firmware, boot manager, boot configuration) have not changed since
   BitLocker was enabled. The user logs onto Windows as usual and sees no difference. This
   protects a lost or stolen drive, but anyone who can power the machine on reaches the Windows
   logon screen, so the strength of the Windows account password still matters.
2. User Authentication Mode: This mode requires the user to provide additional authentication, either a
   PIN entered by the user or a startup key on a USB flash drive inserted during boot, before the
   operating system will boot. This mode requires a TPM chip.
3. USB Key Mode: The user must insert a USB device that contains the startup key into the computer
   to be able to boot the protected operating system. This is the configuration for computers without
   a TPM; the BIOS must be able to read USB devices in the pre-boot environment.
Additional BitLocker considerations are below:
• For BitLocker to operate, the hard disk must have at least two NTFS-formatted volumes: the
  operating system volume (usually C:) and a separate system partition holding the boot manager
  (minimum size 1.5GB on Windows Vista; Windows 7 setup creates a small one automatically).
  That system partition remains unencrypted, so it should not be used to store confidential
  university data or personal information.
• BitLocker with a TPM is sensitive to changes in the boot environment. A BIOS update, a change to
  the boot order, or a hardware change that alters what the TPM measures at boot (for example, a
  user who swaps a laptop's modular CD or DVD drive for an extra battery) causes the TPM to
  withhold the key, and the user will need the recovery password or recovery key to unlock the
  system on the next reboot.
• EFS may be used in conjunction with BitLocker to secure data once the operating system is
  running. BitLocker decrypts the volume transparently below the file system, so once Windows
  has booted every file operation proceeds as if there were no encryption: any process or account
  that Windows allows to read a file reads it in the clear. Per-user protection inside the running
  system therefore requires encryption software that operates within Windows, such as EFS.
• There is no way to recover a forgotten PIN or lost startup key other than the recovery password or
  recovery key created when BitLocker was turned on. BitLocker should not be used to encrypt the
  only copy of critical data without a key management plan. See "Key Management Configuration
  Guidelines" (section 2.6) below.
• Additional resources for BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx
System requirements for installation of Windows BitLocker are detailed below:
• Windows 7 Enterprise Edition
• Windows 7 Ultimate Edition
• Windows Vista Enterprise Edition
• Windows Vista Ultimate Edition
• Windows Server 2008
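As an added example (not part of the VISC guideline or of Microsoft's documentation) of putting the User Authentication Mode configuration and the recovery-password escrow of section 2.6 into practice, the following PowerShell session drives manage-bde.exe (Windows 7 / Server 2008 R2; on Windows Vista / Server 2008 the same commands run as cscript manage-bde.wsf). The escrow share path, the choice of TPM + PIN, and the assumption that Group Policy permits a startup PIN are assumptions for the example, not requirements stated by the guideline.

```powershell
# Added example (not part of the VISC guideline): turn on BitLocker for the
# operating-system volume in User Authentication Mode (TPM + PIN) and escrow the
# recovery password before encryption starts. Uses manage-bde.exe (Windows 7 /
# Server 2008 R2); run from an elevated PowerShell prompt. The share path is an
# assumption for the example.

$osVolume     = "C:"
$escrowFolder = "\\fileserver\BitLockerEscrow"   # assumed: share readable only by IT security staff

# 1. Prerequisites from section 2.4.1: a TPM and a separate, unencrypted system
#    partition. -status shows the volume's protection state and existing key protectors.
manage-bde.exe -status $osVolume

# 2. Choose ONE of the three configurations described in section 2.4.1:
#      Transparent Operation Mode : -TPM
#      User Authentication Mode   : -TPMAndPIN     (prompts for the PIN; assumes the
#                                   "Require additional authentication at startup"
#                                   Group Policy allows a PIN)
#      USB Key Mode (no TPM)      : -StartupKey E:\ (writes a .BEK file to the USB drive)
manage-bde.exe -protectors -add $osVolume -TPMAndPIN

# 3. Always add a recovery password as well. The 48-digit recovery password is the
#    only way in when the TPM refuses to release the key (firmware or hardware
#    change) or the PIN is forgotten; there is no other passphrase recovery.
manage-bde.exe -protectors -add $osVolume -RecoveryPassword

# 4. Escrow the recovery password BEFORE encryption starts (section 2.6), filed under
#    the machine name so a supervisor or IT can locate it when the user is absent.
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$record = Join-Path $escrowFolder ("{0}-{1}.txt" -f $env:COMPUTERNAME, $stamp)
manage-bde.exe -protectors -get $osVolume -Type RecoveryPassword |
    Out-File -FilePath $record -Encoding ASCII
#    Domain-joined machines can also back the protector up to Active Directory,
#    using the protector ID shown by the -get command:
#    manage-bde.exe -protectors -adbackup C: -id "{protector-id-GUID}"

# 5. Start encryption. Because a TPM protector is present, BitLocker first runs a
#    hardware test (one reboot) to prove the TPM + PIN unlock works before any data
#    is encrypted.
manage-bde.exe -on $osVolume
```

The order matters: the recovery password is created and escrowed before -on, so neither a failed hardware test nor a later change in what the TPM measures can leave the volume with no recovery path. Confirm the escrowed file is readable from another machine before letting the user take the laptop away.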
2.5 TrueCrypt
TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage
device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or
saved, without any user intervention. TrueCrypt offers full disk encryption with pre-boot authentication for
Windows in addition to its file/folder encryption capability. TrueCrypt encrypts an entire partition or storage device
such as a USB flash drive or hard drive.
Additional TrueCrypt considerations are below:
• In full drive (system) encryption mode, no passphrase recovery is available. The TrueCrypt Rescue
  Disk can restore a damaged boot loader or volume header, but it cannot bypass a forgotten password.
• TrueCrypt should not be used to encrypt the only copy of critical data without a key management
  plan that provides for secure retrieval of the passphrase.
• Some users have experienced difficulty in creating the Rescue Disk. TrueCrypt requires the Rescue
  Disk image to be burned and then verified against the burned CD/DVD before system encryption can
  proceed; with no option to skip or defer the check, a computer without a working optical drive may be
  unable to move past the CD/DVD check screen.
• Additional resources for TrueCrypt: see section 2.3.1 TrueCrypt above.
System requirements for installation of TrueCrypt are detailed below:
• Windows 7
• Windows 7 x64 (64-bit)
• Windows Vista
• Windows Vista x64 (64-bit) Edition
• Windows XP
• Windows XP x64 (64-bit) Edition
• Windows Server 2008
• Windows Server 2008 x64 (64-bit)
• Windows Server 2003
• Windows Server 2003 x64 (64-bit)
• Windows 2000
2.6 Key Management Configuration Guidelines
Many Universities may currently have no central infrastructure which supports the sharing of keys. If your unit
does not have this infrastructure, consideration needs to be given to these general and solution-specific
guidelines for key management and data recovery:
• Copying keys and recovery files to offline media and storing the media in a physically secure
  location (such as a safe or locked cabinet) known to, and accessible by, more than one authorized
  person with a right to know.
• Recording passphrases on paper, placing the paper in a sealed envelope and securely storing
  the envelope in a physically secure location or with a supervisor.
• Configuring Windows computers using EFS to allow access by a second login account (adding
  that account's EFS certificate to the encrypted files).
• Adding more than one EFS certificate to encrypted data, or designating an EFS Data Recovery
  Agent, so that more than one individual is able to decrypt the data.
• Setting up, and sharing with a supervisor, a master password for FileVault, or for a centrally
  managed, standalone TrueCrypt encrypted volume.
• For BitLocker, producing the optional recovery key (or mandating recovery keys with Group
  Policy) and sending it to a supervisor or printing it and storing it in a secure location.
2.6.1 Unit Specific Key Management Guidelines
Units must document, communicate and test procedures for management of keys and recovery of data if
passwords are forgotten, encryption keys are lost or unavailable, or keys or passwords are compromised.
An encryption key management plan should:
• Ensure data can be decrypted when access to data is necessary, by requiring implementation of
  backup and other strategies (such as key escrow or recovery agents) to enable decryption, and
  should include strategies for changes to passwords.
• Address handling of a compromise or suspected compromise of encryption keys, including
  actions to be taken in the event of a compromise with respect to system software and hardware,
  reissuance of private keys and re-encryption of data.
• Address the destruction or revocation of encryption keys that are no longer in use (such as when
  the user has left the University) or that are not associated with a key management program.
• Ensure that IT staff can obtain access to supported computers when the users are not present.
• It is the responsibility of management, supervisors and employees to ensure that all access
  passwords have been deactivated and all University data has been returned when an employee
  leaves the University's employment.
Note: Contact the Virtual Information Security Center immediately at visc@calstate.edu if a computer
storing encryption keys for personal information is compromised. In those circumstances, the system
should be examined to determine whether the personal information or the encryption keys were accessed
by an unauthorized party. In addition, the key must be revoked or destroyed and a new key generated.
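As an added example (not from the guideline or from Microsoft's documentation) of the EFS measures called for in sections 2.3.2, 2.6 and 2.6.1 (encrypting a Level 1 folder, escrowing the user's certificate and private key, allowing a second login account to decrypt, and giving IT staff a recovery agent so they can reach data when the user is not present), the following PowerShell session uses cipher.exe, which ships with Windows XP and later. The folder, escrow media, colleague and certificate names are assumptions for the example.

```powershell
# Added example (not part of the VISC guideline): protect a Level 1 folder with EFS
# using cipher.exe (Windows XP and later) and carry out the key-management steps the
# guideline asks for. Folder, escrow path, colleague and certificate names are assumptions.

$level1Folder = "C:\Users\jdoe\Level1Data"
$escrowFolder = "D:\EFSEscrow"      # assumed: removable media kept offline in a safe (section 2.6)

# 1. Encrypt the folder and everything beneath it. Because the folder itself carries the
#    encryption attribute, files saved into it later are encrypted automatically; files the
#    user saves elsewhere are not (section 2.0).
cipher.exe /e "/s:$level1Folder"

# 2. Verify. /u /n walks every encrypted file on the local drives and lists it without
#    rewriting it.
cipher.exe /u /n

# 3. Escrow the user's EFS certificate and private key (a password-protected .pfx) BEFORE
#    relying on the encryption. cipher prompts for the .pfx password; record that password
#    in the sealed envelope the guideline describes, not beside the file.
$backup = "{0}\{1}-efs-{2}" -f $escrowFolder, $env:USERNAME, (Get-Date -Format yyyyMMdd)
cipher.exe /x $backup               # writes $backup.pfx

# 4. Allow a second login account to open the data. The colleague exports the public part
#    of their EFS certificate (.cer) from certmgr.msc; cipher adds it to every file.
$colleagueCert = "D:\EFSEscrow\bsmith-efs.cer"
cipher.exe /adduser "/certfile:$colleagueCert" "/s:$level1Folder"

# 5. Machines without a domain CA: an IT administrator generates a Data Recovery Agent
#    certificate once, registers only the .cer under Local Security Policy > Public Key
#    Policies > Encrypting File System, and keeps the .pfx (the private key) offline.
#    With a DRA in place IT can decrypt files when the user is not present (section 2.6.1).
$draName = "D:\EFSEscrow\csu-efs-dra"
cipher.exe "/r:$draName"            # writes csu-efs-dra.cer and csu-efs-dra.pfx

# 6. Files encrypted before the DRA was registered only pick it up when they are rewritten;
#    cipher /u updates them in place. Re-run it after any key or DRA change.
cipher.exe /u
```

Steps 3 and 5 are what make the EFS warnings in section 2.3.2 survivable: an administrative password reset or a lost profile no longer strands the data, because either the escrowed .pfx or the recovery agent's private key can still open it. Keep the .pfx files and the envelope with their passwords on separate media, and treat a machine holding the DRA private key as one that stores encryption keys for personal information in the sense of the Note above.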
2.6.2 Recovering and Preserving Encrypted Data
Recovering encrypted data requires the use of a key, or corresponding key pair, used to encrypt the data.
The key is often unlocked with a password or passphrase. Managing encryption for stored data is
complicated by the need to preserve security of the key.
When an unauthorized party obtains an encryption key and the password required to unlock it, that party
can gain access to all data accessible by that key. As a result, prevention of unauthorized access to
encryption keys and passwords is of utmost importance.
Setting strong passwords or passphrases and periodically changing passwords and keys is crucial.
Note: If a key is lost or a password is forgotten, the encrypted data cannot be decrypted and is, for practical
purposes, permanently lost. Any key management plan needs to address the risk of unintentional data loss,
consistent backup and secure encryption key management practices.
3.0 DEFINITIONS
All definitions from the Integrated CSU Administrative Manual glossary (http://www.calstate.edu/icsuam/glossary/)
are incorporated here by reference.
4.0 REFERENCES
Appendix A: Northridge 2007 Hard Disk Encryption Solution Survey
California State University, System-wide Information Security Policy
Senate Bill 1386 SEC. 2. Section 1798.29
Audit Reference: Procedures for the encryption of application databases and network transmissions.