Encryption Guidelines for IT Workers

UF Guidelines for IT Workers Regarding Encryption of Stored Data
Who Should Know This
These guidelines apply to UF IT workers who support encryption of Restricted Data [3].
IT workers should read and understand this document before supporting Users of
encryption for Restricted Data.
Definitions
Encryption, for the purpose of this document, is a process that uses a programmed
algorithm to transform data into an unreadable form. It typically involves the use of an
electronic key, passcode or passphrase known only to those who are authorized to
access the data. The key, passcode or passphrase is used both to encrypt the data and
subsequently to decrypt the data, returning it to its original form when it needs to be
used.
Encryption key, passcode and passphrase are terms that refer to secret codes or
strings of characters used in an encryption process. For purposes of this document, the
terms will be used interchangeably. Generally speaking, the passcode or passphrase
serves the purpose of ensuring the right user is decrypting the data, and the encryption
key serves the purpose of encrypting and decrypting the data. Depending on the
encryption product, the encryption key, passcode or passphrase may perform a different
technical function. From a general use standpoint the differences are subtle and the
terms are often used interchangeably.
Key Recovery means the product has a contingency feature for a lost or forgotten key,
passcode, or passphrase. If the user forgets the key they used to encrypt their data,
there is another secure means of decrypting their data.
Central Management means the product features key recovery and management from
a centralized process and location for all the encryption users of the product, by a
trusted organization. It also means there is the opportunity for group policy configuration
whereby Users are prevented from circumventing encryption controls on their
workstation.
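As an added illustration of the key hierarchy behind the Key Recovery and Central Management definitions above (example code written for this page, not from the document or from any product it lists): the file is encrypted under a random data key, and that data key is wrapped twice, once under a key derived from the user's passphrase and once under a recovery key held by the trusted organization, so a forgotten passphrase does not mean data loss. The HMAC-SHA256 counter-mode stream cipher and the function names (`encrypt_file`, `decrypt_with_recovery_key`, and so on) are my own stand-ins; a production product would use a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Stretch the user's passphrase into a key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and authentication keys derived from one key.
    return tuple(hmac.new(key, label, "sha256").digest() for label in (b"enc", b"mac"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM, not for production.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key is wrong or the blob was tampered with.
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

def encrypt_file(data: bytes, passphrase: str, recovery_key: bytes) -> dict:
    # One random data key (DEK) protects the file; it is wrapped twice: for the user
    # (under the passphrase-derived KEK) and for the trusted organization's recovery key.
    salt, dek = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "user_wrap": seal(derive_kek(passphrase, salt), dek),
            "recovery_wrap": seal(recovery_key, dek),
            "payload": seal(dek, data)}

def decrypt_with_passphrase(container: dict, passphrase: str):
    dek = unseal(derive_kek(passphrase, container["salt"]), container["user_wrap"])
    return None if dek is None else unseal(dek, container["payload"])

def decrypt_with_recovery_key(container: dict, recovery_key: bytes):
    # The recovery path never needs the user's passphrase (cf. the EFS Data Recovery Agent).
    dek = unseal(recovery_key, container["recovery_wrap"])
    return None if dek is None else unseal(dek, container["payload"])
```

Because the recovery key alone unlocks every container, it is the asset that central management must protect and audit; losing it recreates exactly the data-loss risk the feature exists to remove.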
Encrypts Entire Disk means the product encrypts the whole disk, even places where
temporary, page, user profile and other files (that might contain Restricted Data) are
stored, unknown to the user.
Encrypts Files/Folders means the product encrypts selected data files and folders but
has no encryption coverage elsewhere on the storage medium such as places where
temporary, page, user profile and other files (that might contain Restricted Data) are
stored.
Encrypts Virtual Disk means that the product creates a file system within an encrypted
stand-alone file so it can be mounted as a real disk. The file may be mounted via
network share, CD, DVD, etc. Access to the data is only allowed when the file is
properly mounted and the appropriate key is supplied. When unmounted the file is
encrypted.
Purpose
This document provides information on encryption solutions for data at rest. It is not
intended to address encryption of data transmission. Some solutions listed below may
provide protection of data while it is in transmission, but that is not the primary focus of
this document and should not be assumed.
Some of the challenges that have deterred the use of encryption for everyday use
include:
1. Performance degradation. Additional time is needed to encrypt when saving files
and decrypt when accessing files. On current processors, the impact of
encryption/decryption processes is negligible.
2. Data loss. Data may be irretrievable if the key or passphrase, known only to the
user, is forgotten. Recovery features are improving in current products, but data loss
is still a risk.
3. Additional passwords. Encryption may add another password prompt between the
user and their data. Many current products do not require an additional password,
but for those that do, it is an acceptable trade-off for improving the security of data.
4. Encryption key management. Exchanging keys securely and efficiently among
Users sharing encrypted files adds complexity.
5. Complexity. It takes a combination of disparate products to do a complete job of
encrypting all Restricted Data on workstations, mobile computing devices and
removable media. One product solution may not work across all the platforms that a
user may use (PDA, business laptop, home computer).
UF strongly urges encryption of Restricted Data on mobile computing devices [1] and
removable media [2] since the risk of unauthorized disclosure outweighs the challenges
of using encryption. Ramifications of unauthorized disclosure may be more severe if
data is not encrypted.
This document provides summarized feature information on a limited set of encryption
products that are broadly applicable in the UF environment. Units are not required to
select products from this document, but must employ effective encryption of Restricted
Data [3] stored on mobile computing devices and removable media.
Encryption Products
This section is informational only. It is not intended as an endorsement of these
products.
Windows desktops & laptops where Restricted Data is required and routinely stored
by the user.
o PGP WDE (Whole Disk Encryption) Professional in an unmanaged workstation
environment or PGP WDE Enterprise in a managed workstation environment:
PGP stands for Pretty Good Privacy, the name of a software company
specializing in encryption software. PGP WDE stands for Whole Disk
Encryption, which is PGP’s encryption product that can encrypt entire disks,
including boot sectors, system files and swap files, and runs as a background
process transparent to the user. Effective for securing all Restricted Data on
hard disks. Encryption does not follow data that are moved off of a Whole Disk
Encrypted hard drive, to a file share, email or to removable media for instance.
Users will have to enter a passphrase upon boot up of their computer, in
addition to entering their network/workstation logon.
July 10, 2008
Windows XP mobile computing devices, where Restricted Data is not required or
routinely stored by the user, and that do not have an entire disk encryption solution
already installed.
o XP version of EFS (Encrypting File System): EFS stands for Encrypting File
System. It is the Microsoft encryption solution built into Windows 2000
Professional, Server 2000, XP Professional, 2003 Server and Vista. It is
effective for securing Users' files and folders in the Windows XP environment
and has easy user activation. However, EFS does not secure all Restricted
Data under Windows (e.g. system and %systemroot%). EFS encrypted files
can still be listed or deleted, so Users should be careful about what they name
their files. EFS leverages the user’s Windows password for the encryption key
so that Users are not prompted twice from the workstation to access their
resources (desktop and data), but this puts added emphasis on the strength
and security of the user password on a Windows workstation. The Windows
2000 version of EFS cannot be relied upon for security, and is not
recommended. The XP version of EFS has improved upon the security holes
and is recommended for uses stated above. However, pay very close attention
to the Data Recovery Agent (DRA) handling prior to activating EFS XP to avoid
support issues.
Windows Vista
o Bitlocker: BitLocker is a full disk encryption solution built into Windows Vista
Ultimate and Enterprise editions. Taking a step further than EFS, it encrypts all
user and system data on the hard drive. To use BitLocker, the computer must have
either a Trusted Platform Module (TPM) chip on its motherboard or a USB flash
drive. Authentication during the boot process is done using either a PIN
(TPM chip) or a startup key (USB flash drive) in order to decrypt the contents of
the hard drive and load Windows.
Macs
o FileVault: FileVault is the encryption solution built into Mac OS. It is effective
for encrypting all contents of the Mac OS user’s home directory. Encryption
does not follow data transferred from a Mac to another computer, nor does it
encrypt data stored on the Mac hard drive outside of the user's home directory.
Removable media accessible by Windows and Linux
o TrueCrypt: TrueCrypt is an Open Source encryption product that encrypts file
volumes. It is PC and OS independent, so is useful on removable media.
Installation is required on the removable media. A driver must be loaded on any
computer accessing a TrueCrypt encrypted file volume. Therefore, the IT
support group will need to include the driver in their workstation image.
Removable media accessible by Macs
o PGP Virtual Disk: PGP Virtual Disk creates a file that can be mounted as a file
volume. Any files subsequently stored in this file volume are encrypted. Files
encrypted with PGP Virtual Disk remain encrypted even if moved, for instance
to be accessed by another computer. However any computer accessing the
encrypted files will need to have PGP Virtual Disk software installed. Users will
have to enter a passphrase to access their PGP encrypted files.
o PGP SDA (Self Decrypting Archiving): PGP SDA stands for Self Decrypting
Archiving. This PGP product targets the need for securing files that need to be
transferred between computers and media, and does not require the presence
of PGP to decrypt a shared encrypted file. It features the ability to encrypt a file,
and the decryption logic is contained within the encrypted file. When the file is
sent or moved, it can be decrypted by another computer without the encryption
software present. Users will have to enter a passphrase to access their PGP
encrypted files.
Open source file encryption for multiple operating systems
o GPG (or GnuPG) stands for "GNU Privacy Guard", and is a free, open source,
platform-independent replacement for parts of the PGP software suite. GPG is
used to encrypt individual files or email messages, but does not support whole-disk
or filesystem encryption. GPG-encrypted files and email messages are
compatible with PGP and other encryption programs that comply with the
OpenPGP standard. GPG is a good choice for encryption of individual files
when interoperability among different operating systems is required.
Table 1: Encryption product compatibility by operating systems.
Products (columns): Bitlocker, GPG, PGP WDE Pro, PGP WDE Entrp, PGP Virtual Disk,
PGP SDA, EFS, FileVault, TrueCrypt.
Operating systems (rows): Mac OS; Microsoft Windows 2000 SP4 (note 1), Windows 2003,
and Windows XP; Microsoft Vista; Linux.
(Cell entries did not survive in this text version.)
Note 1: Support ends June 30, 2010.
Table 2. Encryption product features.
Products (columns): Bitlocker, GPG, PGP WDE Pro, PGP WDE Entrp, PGP Virtual Disk,
PGP SDA, EFS, FileVault, TrueCrypt.
Features (rows): Entire Disk, Files/Folders, Virtual Disk, Central Management,
Key Recovery.
(Cell entries did not survive in this text version.)
Bibliography
[1] Guidelines for IT Workers Who Support Mobile Computing Devices Used With
Restricted Data, http://www.it.ufl.edu/policies/security/documents/it-worker-mobiledevice-guidelines.pdf
[2] Guidelines for IT Workers Who Support Removable Media Used to Store Restricted
Data, http://www.it.ufl.edu/policies/security/documents/it-worker-removable-mediaguidelines.pdf
[3] UF IT Standards for Confidentiality of Restricted Data:
http://www.it.ufl.edu/policies/security/documents/restricted-data-standard.pdf
Product Links
Full Disk Encryption: http://www.full-disk-encryption.net/
PGP: http://www.pgp.com/
GPG: http://www.gnupg.org/
TrueCrypt: http://truecrypt.sourceforge.net/
Mac FileVault: http://www.apple.com/macosx/features/filevault/
Microsoft Windows XP EFS:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp
http://www.microsoft.com/technet/security/smallbusiness/topics/Cryptographyetc/protect_data_efs.mspx
Microsoft Windows 2000 EFS:
http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp
http://cert.uni-stuttgart.de/archive/forensics/2003/06/msg00010.html
Microsoft Bitlocker: http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx