Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Security

Laptop/Tablet Encryption

This article describes common types of encryption and when they should be used. When data is exposed due to a laptop or similar mobile device being compromised, lost, or stolen, the result can be very costly. Depending on the sensitive nature of the data, the laptop owner or others can be at risk for identify theft or financial or medical fraud. This article describes how to use disk and file encryption on laptops and similar devices as a layer of protection to limit such risk.

Encryption Types - Overview

The common types of encryption are:

  • full disk encryption
  • file/folder encryption
  • virtual disk encryption

As with any encryption solution, take extra care to know the password needed to decrypt the data to access it. Use strong passwords that are unlikely to be easily guessed or brute forced.

Full Disk Encryption (FDE)

Full disk encryption (FDE), also known as whole disk encryption, is the process of encrypting all the data on the hard drive, including the computer's operating system (OS). This method permits access to the system only after successful authentication with a device user’s account name and/or password.

Many laptop manufacturers automatically install encryption tools into OS of their latest distributions, and other solutions can be downloaded from reputable sites and purchased. IT Services recommends the following:

  • Microsoft BitLocker - BitLocker is designed to run on the Windows 7 and 8 OS platforms that have the Trusted Platform Module (TPM) enabled. Be mindful of this and check with the vendor before purchasing your device.
  • Apple FileVault 2 – FileVault 2 is designed to run on Mac OS platforms. OSX Lion (10.7) and later versions come with FileVault 2 which provides whole-disk encryption. We recommend upgrading Macs to 10.10, which includes an option to automate the storage of the recovery key information by using iCloud.
  • Veracrypt – Veracrypt is designed to work on Windows/OS X/Linux operating systems, and is a great solution for replacing TrueCrypt, which is no longer a supported encryption solution.

File/Folder Encryption

File encryption is the process of encrypting individual files on a storage medium (such as a hard drive) and permitting access to the encrypted data only after proper authentication is provided.  When a user attempts to open an encrypted file (either encrypted by itself or located in an encrypted folder), the software requires the user to first authenticate successfully. Once that has been done, the software will automatically decrypt the chosen file.

Some operating systems offer built-in file and/or folder encryption capabilities. Otherwise, many third-party programs are also available.

Some of the more common file/folder OS built-in solution are found on the Windows and Linux platforms. We recommend the following:

  • Microsoft (MS) Encrypting File System (EFS)

Microsoft EFS is a built-in module of the Windows operating systems that uses standard cryptographic algorithms to encrypt and decrypt files. EFS prevents any individual or application that does not present the appropriate cryptographic key from accessing the data. EFS is designed in a manner that files stored on a shared computer can only be encrypted or decrypted by the user account that possesses the cryptographic key. This ensures that files on a shared computer can be protected from being viewed by all users. The key can be archived to an external media and stored in a safe place if key recovery is needed.

EFS-encrypted files are not encrypted during transmission if saved to or opened from a folder on a remote server. The file is decrypted, crosses the network in plain text, and only re-encrypted if saved to a folder on the new local drive that's marked for encryption.

When using MS-Office file encryption, the password should be sent to the recipient separately from the file itself. We suggest that you call or text the recipient to share the password, and only send it through email as a last resort, but never with the file.

  • Linux –based solutions:
    • dm-crypt – dm-crypt is a transparent disk encryption subsystem of the Linux kernel. It can encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. If dm-crypt is available for your Linux distribution (e.g., Ubuntu, RedHat), you will find instructions within the vendor documentation.
    • loop-AES – loop-AES is also a disk encryption solution for Linux users. It is free and downloadable from Sourceforge.

Folder encryption is very similar to file encryption, only it addresses individual folders instead of files. Folder encryption protects the files within the encrypted folder from being viewed or accessed until the user is authenticated.

Virtual Disk Encryption

Similar to folder encryption, virtual disk encryption is the process of encrypting a file called a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. Once authenticated, the virtual disk is mounted and accessible.

USB flash drives (thumb drives) are an example of a virtual disk that can be encrypted. USB flash drives come in both encrypted and unencrypted formats. Both types can be purchased at a reasonable price from most local computer stores and online merchants, and they come in a variety of sizes.

Non-encrypted flash drives may also be used to store encrypted data by using solutions such as Veracrypt, which would be used to encrypt data, while it’s stored on the flash drive. The encrypted data file name(s) would be visible, but the content itself would be encrypted. Non-encrypted data can be stored on the device as well, since the device itself is not encrypted.

NOTE: *IT Services has made these suggestions based upon research and experience, but may not provide technical support for all of the solutions presented. Please use these solutions with caution and consult IT Security (security@uchicago.edu) or your local IT support team as needed. Encryption solutions and vendors change, so while we have made recommendations, there are other viable solutions available as well.

BSD Users who desire encryption solutions should refer to the BSD Encryption Program.




Keywords:full_disk, volume_and_virtual_disk_file, volume_and_virtual_disk_folder, EDE, secure, transfer, FDE, bitlocker, filevault2, veracrypt, EFS   Doc ID:15736
Owner:Rosa M.Group:University of Chicago
Created:2010-11-23 19:00 CDTUpdated:2017-05-18 13:42 CDT
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  3   0