Basic Encryption Tutorial - UC San Diego Health Sciences

UCSD Health Sciences -- Compliance / Privacy Program
Privacy / Security Bulletin
Issue: December 2008
Basic Encryption Tutorial
For Protecting Sensitive Electronic Data Stored on Portable Media
Principles: Electronic data should not be placed onto portable media unless there is a UC business
purpose. Employees are expected to implement appropriate administrative, technical and physical
safeguards to protect sensitive data entrusted to them, such as personally identified information (PII)
and protected health information (PHI) (medical information, medical billing), from access, use,
disclosure or unauthorized viewing. Identified data stored on portable media should either be
de-identified or encrypted (128-bit or stronger).
What is personally identified information (PII)? Sensitive data includes an individual’s name (first name or
first initial and last name) combined with one of the following identifiers: SSN, driver's license number, credit
card / financial account numbers, medical record number, medical information, and health insurance
information. PII also includes the 18 HIPAA protected health information (PHI) identifiers.
Why encrypt data? Electronic information is vulnerable to exposure in the event of the theft of the computer
or flash drive or if the data is transmitted in clear text across a public network. Even if the computer requires
a password to start up, a thief could access the contents of the hard drive simply by connecting it to another
computer. The only way to ensure the safety of sensitive data on your computers (laptops) and USB flash
drives is to encrypt it.
Tutorial Instructions: Select an encryption method from the list below. Practice encrypting test files. Be
sure to choose a password that you will never forget. Passwords are case sensitive. The UCSD Medical
Center Help Desk cannot reset passwords. Forgotten passwords will result in lost data! 
ENCRYPTION TUTORIAL

Method 1: Encrypted Flash Drives (USBs)
Description: Lexar Secure-II USB. Lexar software calls encrypted folders “vaults”. To encrypt a file, you must first create a vault. First, click on the Encrypted Vault option. That opens an area that has information about the vaults you have on the Lexar JumpDrive Secure II flash drive.
- To create a vault, click on create, and prompts will take you through the steps of selecting the size for the vault and what you want the password to be.
- Once a vault is created, you can drag and drop files into it to be encrypted.
- When you are done saving files to the vault, you must click on “unmount” to close the vault and encrypt the files using 256 bit AES encryption.
- You can create more than one vault on the flash drive. When you want to access files in a vault, you need to select the vault from the list and then click on mount. After the vault is mounted, you can then open the files saved in it, add more, or delete them.
- Tip: Make the entire USB one encrypted vault.

Method 2: TrueCrypt (free shareware)
Description: Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.
Main Features: (1) Creates a virtual encrypted disk within a file and mounts it as a real disk. (2) Encrypts an entire partition or storage device such as USB flash drive or hard drive. (3) Encrypts a partition or drive where Windows is installed (pre-boot authentication). (4) Encryption is automatic, real-time (on-the-fly) and transparent.
Encryption algorithms:
- AES-256, Serpent, and Twofish.
- Mode of operation: XTS.
Further information regarding features of the software may be found in the documentation. www.truecrypt.org
- TrueCrypt 6.1 (released October 31, 2008)

Method 3: Microsoft files: Word, Excel, PowerPoint
Description: Open the desired file in a Microsoft application (Word, Excel, PowerPoint).
1. Choose: File, save as, advanced
2. Choose encryption type: RC4 + AES and 128 bit
3. Enter a password or passphrase
OR
1. Choose: Tools, options, security, advanced
2. Choose encryption type: RC4 + AES and 128 bit
3. Enter a password or passphrase

Method 4: WinZip Version 9 or higher
Description: WinZip version 9 (or higher) includes AES encryption. Prior to version 9, WinZip’s encryption algorithm was weak and prone to attack. With WinZip 9 or better, you can safely encrypt individual files, or entire directories, for transit over e-mail or other means, without fear that anyone else will be able to read the protected data. This, however, is predicated on two important facts:
- You need to use a strong password when encrypting the archive. Use a password or pass phrase with at least 8, or more ideally, 10, characters.
- The file names within the archive will be visible; therefore, if your archive contains sensitive file names, you can “double Zip” your archive to protect the sensitive data.
http://www.winzip.com

Method 5: Adobe Acrobat Version 6 or higher (not Adobe reader)
Description:
1. Open Adobe, select “document”.
2. Go down to the security option near the bottom in the "Document" drop down menu and select the "Restrict opening & Editing" option.
3. A new window should pop up on your screen with the title "Password Security Settings". You will be able to choose the compatibility settings (meaning which versions of Acrobat can access the PDF file). Choose Adobe Acrobat 5.0 and higher.
4. Next you will click on the box next to "Require password to open the document". You will now be able to enter your personal password for the PDF file.
5. Once you have created your password, click on "Ok" at the bottom. Adobe Acrobat will now prompt you to confirm the password by typing it again.
6. Now that you have confirmed your password, you will need to save your document for the password settings to initialize.
7. Go to the menu bar under "File" and select the save option or simply hit Ctrl & S.
8. After saving, close the PDF file and open it again; Adobe should prompt you for a password. The PDF file is now secure.

ADVANCED ENCRYPTION METHODS
Method 6: File / Folder Encryption …for NT File Systems
Description: File system-level encryption, often called file or folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire partition or disk, in which the file system resides, is encrypted. You can encrypt your files or folders only if your hard drive is formatted as an NTFS (NT File System) drive. The encryption is transparent: You can access the files just as you normally would. The files are decrypted as you open them and encrypted when you close them. So, they’re saved on your hard drive in a scrambled state.
1. Right-click the file or folder to encrypt. A small pop-up menu appears.
2. Choose Properties. The Properties menu appears.
3. Click the Advanced button on the General tab. You’ll find the General tab at the top of the window, among the tabs that look like hanging folders.
4. In the Advanced Attributes box, select the Encrypt Contents to Secure Data check box. Encrypting your files makes sure that no one who intrudes on your files (or your wireless network) can read them.
5. Click OK to close the Advanced Attributes box, and then click OK to close the file or folder’s Properties dialog box. An Encryption warning may appear. When you want only the file, and not the entire folder, encrypted, choose the Encrypt the File Only option and click OK. The file shows up with green text in its name, which is your only real clue that it’s encrypted.

Other encryption solutions:
- Full disk encryption (FDE), e.g., PointSec, Credant Technologies, TrueCrypt
- Virtual Private Network (VPN), e.g., IPSec for gateway to gateway security
- Consult with your department’s information technology staff for assistance.
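
The WinZip caveat above (file names inside an archive stay visible, hence the "double Zip" advice) can be checked directly. The following is an added example, not part of the original bulletin: it compares what a reader without the password sees in a single archive and in a double-zipped one, using constructed file names. Python's zipfile module cannot write encrypted archives, so the AES step on the outer archive is assumed to be done in WinZip.

```python
import io
import zipfile

# Constructed sample data: file names that are themselves sensitive.
SAMPLE_FILES = {
    "Smith_John_MRN-0000000_oncology.docx": b"constructed test content",
    "billing_export_2008.xls": b"constructed test content",
}

def build_zip(files):
    """Return the bytes of a ZIP archive holding the given {name: data} files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def visible_entries(zip_bytes):
    """List (name, encrypted?) for every entry, using no password.

    Names are read from the archive's directory, which per-file ZIP
    encryption does not cover; bit 0 of flag_bits marks an encrypted entry.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def double_zip(inner_zip_bytes, neutral_name="archive.zip"):
    """Wrap an existing archive in an outer archive under a neutral name.

    ZIP_STORED: the inner archive is already compressed. The outer archive
    is the layer to encrypt with WinZip's AES option; the inner directory
    of real file names then sits inside the encrypted payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(neutral_name, inner_zip_bytes)
    return buf.getvalue()

def leaked_names(zip_bytes, sensitive_names):
    """Return the sensitive names a password-less listing would reveal."""
    listed = {name for name, _ in visible_entries(zip_bytes)}
    return sorted(listed & set(sensitive_names))

if __name__ == "__main__":
    inner = build_zip(SAMPLE_FILES)
    outer = double_zip(inner)
    print("single zip listing:", visible_entries(inner))
    print("double zip listing:", visible_entries(outer))
    print("names leaked by outer:", leaked_names(outer, SAMPLE_FILES))
```

Running `visible_entries` on an archive produced by WinZip before it is sent shows exactly which names a recipient, or anyone intercepting the file, can read without the password.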