Protecting confidential data

We offer guidance and support to help you protect your confidential data, whether it's files that you need to share securely or a device that requires encryption.

The University requires that any device that holds sensitive or confidential information is encrypted. See Encrypting your device below for further advice.

If you need to share confidential data, it's vital that the files are encrypted. See Securely sharing confidential data below for further advice.

It is vital you do not transmit the encryption password via the same method as the encrypted data.

You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone.

If you have any questions about encryption, or other security issues, please contact the Library & IT Help Desk.

Encrypting your device

Further reading

You may also be interested in this article from Ars Technica:

Encrypting laptops and mobile devices

Device encryption is an important tool in protecting confidential data. 

We offer a free service to encrypt University owned laptops running Windows. Please contact IT Support for more information:

If you're using a device that is not owned or managed by the University, you can encrypt it yourself.

Remember that not all devices support encryption. You must not use any unencrypted device to directly access or store confidential University information. Instead, you should use the Virtual Desktop Service (VDS) to access the data through a secure virtual machine.

Encryption passwords

Any encryption is only as strong as the password chosen. Short or easily guessable passwords can be broken.

Follow our advice on choosing good passwords:

Securely sharing confidential data


USB sticks

It's much better not to put data on a USB stick at all. All members of the University now have access to Google Drive, which can be seen as a cloud based USB stick.

If it is absolutely necessary to transport data on a USB stick, make sure that all confidential data on it is encrypted.

Due to their small size, USB sticks can easily be lost or forgotten, and if not encrypted, they can then be read by anyone who finds them.

This threat is quite real, and several recent cases in the UK public sector have lead to considerable media attention:

You can buy USB sticks that include hardware based encryption. These are secure, but can usually only be used on Windows machines, on which extra software is installed.

If you wish to use one of these devices, we recommend the "Kingston Hardware Ultra Secure USB 256bit Hardware Encryption FIPS 140-2" (or another FIPS 140-2 certified USB stick). If you must use USB sticks, they are the best solution, and the only one that will satisfy some research funders.

There are a lot of other cheaper "encrypted" USB sticks out there, but only the more expensive ones properly encrypt data at the hardware level, so we strongly recommend sticking to the brands above.

Encrypting ZIP files

Another method for encrypting files is to enclose them in an encrypted zip file. 

The default encryption method for ZIP files is not secure. It is outdated and can nowadays be broken easily. It is very important that you use the AES-256 encryption method detailed below instead.

Windows

On IT Services managed PCs, zip files can be created and read with the software 7-Zip. The program can be installed via Software Center:

On unmanaged or personally owned PCs, 7-Zip can be install for free:

To create an encrypted zip file with 7-Zip:

  1. Start 7-Zip, and in the main screen, select the file that you wish to encrypt
  2. Click the Add button. This will open the Add to Archive window
  3. Set Archive format to zip
  4. Set Encryption method to AES-256
  5. Enter a strong password (See our guidance for choosing a strong password)
  6. Click OK

You will now find a new file with a .zip extension in the same folder as the original file. The contents of this zip file can be accessed only with knowledge of the password.

Mac

One option for secure zip encryption on Mac OS X is to use iZip, which is a free download:

To create an encrypted zip file with iZip:

  1. Start iZip and click New
  2. Click Specify name
  3. In the Save As field, enter the name you want to give the encrypted zip file, select the location you want to save it in the Where field, then click Create
  4. When asked about password protection, tick Enable password protection and enter a strong password (See our guidance for choosing a strong password)
  5. When asked about using encryption, choose AES 256 bit
  6. iZip will then ask you which files and folders you want to add to the encrypted zip file. When you have finished adding your files/folders, click Next
  7. iZip will display a summary of the options you've selected, click Next and your encrypted zip file will be created
Linux

The following instructions are based on Ubuntu 14.04. Other Linux distros may be similar but not identical.

You can use p7zip (a Linux command line version of 7-Zip on Windows) to create encrypted zip files. You can install p7zip with the following terminal command:

sudo apt-get install p7zip-full

Once p7zip is installed, encrypted zip files can be created with the following terminal command:

7za a -y -tzip -p -mem=AES256 archivename.zip /path/to/filestoencrypt

You will be prompted to enter a password for your encrypted zip file, which will then be saved to your current location in the terminal.

You can see a list of all available commands and switches in p7zip with the following terminal command:

7za -h

Using Microsoft Office

Windows

The latest Windows versions of Microsoft Office (2007 and later) can encrypt a file using strong encryption. Earlier versions only used very weak encryption which can easily be bypassed and should not be used.

Microsoft provide their own guidance on protecting Office files. This guidance includes instructions on encryption:

Mac

Microsoft Office for Mac does not offer encryption for Word documents or Excel workbooks. It only offers basic password protection, which is not secure and must not be used for confidential University data.

However, Office for Mac can open files that have been encrypted using Office on Windows.

Encrypting PDF files

Encrypted PDF files can be a good method for transmitted data, as, once encrypted, they can be sent via email. This method has the advantage that the recipient need not store any unencrypted versions of the file on disk.

Encrypted PDF files can be read with most PDF readers, including Adobe Reader. However, for encrypting the file, special software is needed.

Nuance PDF Converter

PDF Converter is installed on all IT Services supported PCs, and is available to staff and students for unsupported machines and home use:

To encrypt a PDF file in Nuance PDF Converter:

  1. Open the file you wish to encrypt
  2. Go to Document | Security | Secure Document. This will open the Security panel
  3. Under the Password Security heading, double-click on Interactive
  4. You may see a message asking if you are sure you want to change the security settings of the document. If so, click Yes. The Password Security window will open
  5. Select Encrypt all document contents
  6. Tick Allow document opening only by password and enter a strong password in the Document Open Password field (See our guidance for choosing a strong password)
  7. Click OK. Save and close the document for the encryption to take effect

Adobe Acrobat Professional

Adobe provide their own guidance on encrypting a PDF by adding a password to the file:

Pdftk

Pdftk Server is a free set of command line tools for modifying PDF files. It's available for Windows, Mac and Linux:

Once installed, you can encrypt a PDF file with the following terminal command:

pdftk MyFile.pdf output MyFile_encrypted.pdf user_pw PasswordGoesHere

Note: Replace file names and password as appropriate.