We offer guidance and support to help you protect your confidential data, whether it's files that you need to share securely or a device that requires encryption.
The University requires that any device that holds sensitive or confidential information is encrypted. See Encrypting your device below for further advice.
If you need to share confidential data, it's vital that the files are encrypted. See Securely sharing confidential data below for further advice.
It is vital you do not transmit the encryption password via the same method as the encrypted data.
You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone.
If you have any questions about encryption, or other security issues, please contact the Library & IT Help Desk.
You may also be interested in this article from Ars Technica:
Device encryption is an important tool in protecting confidential data.
We offer a free service to encrypt University owned laptops running Windows. Please contact IT Support for more information:
If you're using a device that is not owned or managed by the University, you can encrypt it yourself.
Remember that not all devices support encryption. You must not use any unencrypted device to directly access or store confidential University information. Instead, you should use the Virtual Desktop Service (VDS) to access the data through a secure virtual machine.
Any encryption is only as strong as the password chosen. Short or easily guessable passwords can be broken.
Follow our advice on choosing good passwords:
It's much better not to put data on a USB stick at all. All members of the University now have access to Google Drive, which can be seen as a cloud-based USB stick.
If it is absolutely necessary to transport data on a USB stick, make sure that all confidential data on it is encrypted.
Due to their small size, USB sticks can easily be lost or forgotten, and if not encrypted, they can then be read by anyone who finds them.
This threat is quite real, and several recent cases in the UK public sector have led to considerable media attention:
You can buy USB sticks that include hardware-based encryption. These are secure, but can usually only be used on Windows machines, on which extra software is installed.
If you wish to use one of these devices, we recommend the "Kingston Hardware Ultra Secure USB 256bit Hardware Encryption FIPS 140-2" (or another FIPS 140-2 certified USB stick). If you must use USB sticks, they are the best solution, and the only one that will satisfy some research funders.
There are a lot of other cheaper "encrypted" USB sticks out there, but only the more expensive ones properly encrypt data at the hardware level, so we strongly recommend sticking to the brands above.
Another method for encrypting files is to enclose them in an encrypted zip file.
The default encryption method for ZIP files is not secure. It is outdated and can nowadays be broken easily. It is very important that you use the AES-256 encryption method detailed below instead.
On IT Services managed PCs, zip files can be created and read with the software 7-Zip. The program can be installed via Software Center:
On unmanaged or personally owned PCs, 7-Zip can be installed for free:
To create an encrypted zip file with 7-Zip:
You will now find a new file with a .zip extension in the same folder as the original file. The contents of this zip file can be accessed only with knowledge of the password.
One option for secure zip encryption on Mac OS X is to use iZip, which is a free download:
To create an encrypted zip file with iZip:
The following instructions are based on Ubuntu 14.04. Other Linux distros may be similar but not identical.
You can use p7zip (a Linux command-line version of 7-Zip) to create encrypted zip files. You can install p7zip with the following terminal command:
sudo apt-get install p7zip-full
Once p7zip is installed, encrypted zip files can be created with the following terminal command:
7za a -y -tzip -p -mem=AES256 archivename.zip /path/to/filestoencrypt
You will be prompted to enter a password for your encrypted zip file, which will then be saved to your current location in the terminal.
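Added example, not part of the original guidance: a Python check that every file in a zip archive is protected with AES-256 rather than the default ZIP method, useful before sending an archive or after receiving one. It assumes the WinZip AES header convention (compression method 99 with extra field 0x9901) that 7-Zip writes for -mem=AES256; the function names are hypothetical and the demo records are constructed.

```python
import struct
import zipfile

AES_METHOD = 99          # compression method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}

def classify(info):
    """Return 'unencrypted', 'legacy ZipCrypto', 'AES-<bits>' or an unknown marker."""
    if not info.flag_bits & 0x1:          # general-purpose bit 0 = entry is encrypted
        return "unencrypted"
    if info.compress_type != AES_METHOD:
        return "legacy ZipCrypto"         # the default method the page warns against
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):          # walk the (id, size, data) extra records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(data) >= 7:
            # data layout: version(2) vendor "AE"(2) strength(1) real method(2)
            return "AES-%d" % AES_BITS.get(data[4], 0)
        pos += 4 + size
    return "encrypted (unknown scheme)"

def audit(path):
    """Map each file in the archive to its scheme; directories are skipped."""
    with zipfile.ZipFile(path) as zf:
        return {i.filename: classify(i) for i in zf.infolist() if not i.is_dir()}

def acceptable(report):
    """True only if the archive has files and every one is AES-256."""
    return bool(report) and all(s == "AES-256" for s in report.values())

def sample_record(name, flags, method, extra=b""):
    # Constructed header record for the demo; not read from a real archive.
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type, info.extra = flags, method, extra
    return info

if __name__ == "__main__":
    aes256 = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    for rec in (sample_record("plain.txt", 0, 8), sample_record("old.txt", 1, 8),
                sample_record("good.txt", 1, AES_METHOD, aes256)):
        print(rec.filename, "->", classify(rec))
```

To check a real file, call audit("archivename.zip") and pass the result to acceptable(); only the archive headers are read, so no password is needed.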
You can see a list of all available commands and switches in p7zip with the following terminal command:
The latest Windows versions of Microsoft Office (2007 and later) can encrypt a file using strong encryption. Earlier versions only used very weak encryption which can easily be bypassed and should not be used.
Microsoft provide their own guidance on protecting Office files. This guidance includes instructions on encryption:
Microsoft Office for Mac does not offer encryption for Word documents or Excel workbooks. It only offers basic password protection, which is not secure and must not be used for confidential University data. However, Office for Mac can open files that have been encrypted using Office on Windows.
Encrypted PDF files can be a good method for transmitting data, as, once encrypted, they can be sent via email. This method has the advantage that the recipient need not store any unencrypted versions of the file on disk.
Encrypted PDF files can be read with most PDF readers, including Adobe Reader. However, for encrypting the file, special software is needed.
PDF Converter is installed on all IT Services supported PCs, and is available to staff and students for unsupported machines and home use:
To encrypt a PDF file in Nuance PDF Converter:
Adobe provide their own guidance on encrypting a PDF by adding a password to the file:
Pdftk Server is a free set of command line tools for modifying PDF files. It's available for Windows, Mac and Linux:
Once installed, you can encrypt a PDF file with the following terminal command:
pdftk MyFile.pdf output MyFile_encrypted.pdf user_pw PasswordGoesHere
Note: Replace file names and password as appropriate.