Using Encryption

First, What is Encryption?

Encryption is a process that encodes data so that nobody can read it except those who hold the decryption key; in practice the key is usually derived from a password or passphrase.  An algorithm converts plaintext (readable) into ciphertext (scrambled), and only the correct key converts the ciphertext back to plaintext.  This is different from simply password-protecting a file.  Password protection without encryption is not a strong method of safeguarding data: the contents are still stored in readable form, so anyone who bypasses the password check (for example by opening the file with a different program) can read them.

When Do I Use Encryption?

Encryption protects the contents of electronic documents, file folders, and e-mail.  It is commonly used when restricted data must travel over an insecure channel (e-mail, postal mail or a common carrier) or is stored on a device that can be lost or stolen, such as a laptop.

WARNING:  Be sure to keep track of your passwords! You will not be able to extract or open any files for which you do not have the correct password.  If you forget the password to open a file, you are locked out until you can remember it.  Information Technology has no means to decrypt the file.  Use encryption sparingly and responsibly for this reason.

Information Security has an overall framework, including methods other than encryption, for handling restricted data.

Important General Considerations

  • Encryption is only as good as the strength of the password, both in terms of who knows it and how hard it is for a person or a program to guess.  Please see Strong Passwords to learn more about this critical topic.  Do not use your Bowdoin NetID (logon) password as an encryption password.
  • Consider whom you are sharing information with.  They will need compatible software to decrypt the information, and a secure way (not e-mail) to receive the password.
  • When available, encrypt using AES-128 or AES-256.  Avoid "compatible" or legacy options in the same software; they usually mean a weaker cipher.
  • When sending restricted information by common carrier (US Postal Service, Federal Express, UPS, etc.), encrypt the data and use a tracked shipping method.
  • Do not send restricted information in regular e-mail messages.  They are not encrypted and can be read in transit or on any mail server along the way, particularly once they leave the Bowdoin network.  Attach an encrypted file to the e-mail instead and keep the restricted content out of the message body.
  • Never use "remember my password" options or automatic start-up of encryption services.  Either one bypasses a layer of security.
  • Save items in the latest version of the software.  Do not save as "compatible with previous versions" and expect the file to be as safe as one saved in the current format; the compatible format often falls back to a weaker encryption method.
  • Consider saving your passwords in one document on your Home drive.  You may encrypt this, but tell at least one other person the password to decrypt it so that the passwords remain recoverable.

Encryption Practice

The chart below describes several different recommended encryption techniques to use depending on your situation.  For guidance, please contact IT Security at:

E-mail: itsecurity@bowdoin.edu
Phone:  207-725-3471

Encryption Techniques

The original page shows this as a chart with one row per location of the information and one column per technique, each cell marked either "recommended" or "may be used, but not preferred".  Only the row labels and the legend are reproduced here; the cell markings are not.

Where is the information you would like to encrypt?
  • File system to be shared
  • File system NOT to be shared
  • Email message
  • Email attachment
  • Regular Mail / Common Carrier
  • Stored on laptop

Legend:
  • This type of encryption may be used for this purpose, but is not preferred due to limitations or complexities
  • This type of encryption is recommended for this purpose

PGP/GPG

Public-key encryption can be very effective for communicating information securely.  This is different from simply adding a signature block to an e-mail.  PGP (Pretty Good Privacy) uses a pair of keys, one public and one private, for signing, encrypting and decrypting e-mail messages and documents.  A digital signature assures the recipient that a message came from the holder of the signing key and has not been altered in transit; encrypting to the recipient's public key ensures that only the holder of the matching private key can read it.  GNU Privacy Guard (GnuPG or GPG) is a free, open-source implementation of the same OpenPGP standard and interoperates with the PGP suite.  Before exchanging encrypted e-mail, sender and recipient must each give the other the public half of their key pair (PGP tools also call this the certificate or digital ID) and confirm that it is genuine, for example by reading the key fingerprint to each other over the phone.  Once the public keys have been exchanged, sending and reading encrypted messages between the two parties works like any other e-mail.

Bowdoin has an internal system for deploying PGP keys.  If you regularly exchange restricted information and would like to set up e-mail encryption and digital IDs, please contact IT Security for assistance at:

E-mail: itsecurity@bowdoin.edu
Phone:  207-725-3471

S/MIME

An e-mail client such as Microsoft Outlook or Apple Mail can digitally sign and encrypt messages using digital certificates and S/MIME (Secure / Multipurpose Internet Mail Extensions), the standard for public-key encryption and signing of e-mail encapsulated in MIME.  S/MIME relies on digital IDs: a certificate that binds a user's identity to a public key, together with the matching private key.  To encrypt a message to someone you need their certificate, and for them to encrypt to you they need yours.  The simplest way to exchange certificates is to send each other a digitally signed message first, since a signed message carries the sender's certificate and the mail client can store it.  Once the certificates are exchanged, sending and reading encrypted messages between the two parties works like any other e-mail.  Keep a backup of your private key: a message encrypted to a key you have lost cannot be recovered.

Bowdoin's internal certificate deployment is built on PGP (see above).  If you regularly exchange restricted information and would like to set up e-mail encryption and digital IDs, please contact Bowdoin IT Security for assistance at:

E-mail: itsecurity@bowdoin.edu
Phone:  207-725-3471

Microsoft Office

Warning:  Strong encryption is not available in the Macintosh versions of Office.
Microsoft Office 2003 and 2007 for Windows can apply strong encryption to a single Word, Excel, or PowerPoint document, but only when the options described below are chosen.

Windows Microsoft Office 2007
Microsoft Office 2007 defaults to strong encryption (AES-128) for its own .docx, .xlsx and .pptx formats.  To encrypt a document, click the Microsoft Office button, select Prepare, then Encrypt Document, and enter a password.  To remove the encryption, repeat the process and clear the password.  Do not save the document in Office 97-2003 format: that format falls back to the older, weak encryption.

Windows Microsoft Office 2003
The Microsoft Office 2003 default encryption method is weak and should not be used.  To get stronger encryption, an extra step is required.  Click File > Save As, then Tools > Security Options.  Enter a password to open (not a password to modify, which does not encrypt anything), and click the Advanced button next to the password.  A list of available Crypto Service Providers appears.  Select "RC4, Microsoft Enhanced RSA & AES..." and choose a key length of 128 or greater.  This is the strongest option Office 2003 offers and the one Information Security recommends for that version.  Note that, despite the provider's name, this is still RC4 rather than AES, so it does not meet the AES-128 guideline above; for restricted data prefer the Office 2007 format or one of the AES-based tools below.

WINZIP

WinZip is an archiving tool with an encryption option, available to Windows users.  With WinZip 9 or newer (the first version with AES encryption) you can encrypt files and folders for archiving on the network, sending via e-mail, or copying to a CD for storage or shipping by regular mail.  WinZip uses the same password to encrypt and decrypt the archive, so the password itself must reach the recipient securely: do not send it by e-mail, give it by phone.  Warning:  Encrypted zip files are blocked by some e-mail servers.

To encrypt WINZIP Files:
Open the Zip file and choose Actions > Encrypt from the menu.  WinZip asks for a password and an encryption method, then encrypts all files currently in the Zip file; files added afterwards must be encrypted separately.  Do not choose "Zip 2.0 compatible encryption": that legacy scheme (ZipCrypto) is known to be weak and can be broken without the password.  Choose either 128-bit AES or 256-bit AES.

Note:  Not every zip program can decrypt an AES-encrypted zip archive.  The receiver needs a recent version of WinZip or another tool that supports WinZip AES (compression method 99).
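Added example, not code from the original page or from WinZip: a Python script that reads a ZIP archive's local file headers and reports whether each entry is unencrypted, "Zip 2.0 compatible" (ZipCrypto) or WinZip AES, and then shows why the password-strength point under Important General Considerations matters for these archives.  The WinZip AES format stores a salt and a two-byte password verifier in the clear, derived with PBKDF2-HMAC-SHA1 at 1000 rounds, so anyone holding the file can test guesses offline without decrypting anything.  The three-entry archive is constructed inline; the AES ciphertext and authentication code are zero placeholders (the standard library has no AES), while the headers, salt and verifier are real.  Function names and the sample password are mine.

```python
# Added example (not from the original page): classify ZIP entries by
# encryption method and run an offline dictionary attack against the
# password verifier that WinZip AES entries carry in their header.
import hashlib
import struct

LOCAL_HEADER_SIG = 0x04034B50
AES_METHOD = 99                 # compression method 99 = WinZip AES (AE-x)
AES_EXTRA_ID = 0x9901           # extra-field record ID for WinZip AES
STRENGTH_TO_BITS = {1: 128, 2: 192, 3: 256}
PBKDF2_ROUNDS = 1000            # fixed by the WinZip AES specification


def aes_key_bits_from_extra(extra):
    """Find the 0x9901 record (vendor version, 'AE', strength, real method)."""
    pos = 0
    while pos + 4 <= len(extra):
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        rec = extra[pos + 4:pos + 4 + size]
        if rec_id == AES_EXTRA_ID and len(rec) >= 7:
            _ver, _vendor, strength, _method = struct.unpack_from("<H2sBH", rec)
            return STRENGTH_TO_BITS.get(strength)
        pos += 4 + size
    return None


def parse_local_headers(data):
    """Walk the local file headers and classify each entry's encryption.
    Stops at the first non-local-header signature (the central directory)."""
    entries, pos = [], 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        if sig != LOCAL_HEADER_SIG:
            break
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        extra = data[pos + 30 + name_len:pos + 30 + name_len + extra_len]
        body_start = pos + 30 + name_len + extra_len
        body = data[body_start:body_start + csize]
        entry = {"name": name, "encryption": "none", "key_bits": None,
                 "salt": None, "pv": None}
        if flags & 0x0001:                       # bit 0: entry is encrypted
            if method == AES_METHOD:
                bits = aes_key_bits_from_extra(extra)
                if bits is None:
                    raise ValueError("AES entry without a 0x9901 record")
                salt_len = bits // 16            # 8, 12 or 16 bytes of salt
                entry.update(encryption="AES", key_bits=bits,
                             salt=body[:salt_len],
                             pv=body[salt_len:salt_len + 2])
            else:
                entry["encryption"] = "ZipCrypto"  # legacy, known to be weak
        entries.append(entry)
        pos = body_start + csize
    return entries


def password_verifier(password, salt, key_bits):
    """WinZip AES derives 2*keylen+2 bytes with PBKDF2-HMAC-SHA1; the last
    two bytes are stored in the clear so a wrong password is rejected early.
    That value is also an offline oracle for anyone who has the archive."""
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  PBKDF2_ROUNDS, 2 * (key_bits // 8) + 2)
    return derived[-2:]


def guess_password(entry, candidates):
    """Dictionary attack using only the header: one PBKDF2 call per guess,
    no decryption.  Returns the first match or None.  The verifier is only
    16 bits, so a real tool confirms a hit via the 10-byte auth code."""
    for pw in candidates:
        if password_verifier(pw, entry["salt"], entry["key_bits"]) == entry["pv"]:
            return pw
    return None


def local_entry(name, body, method, flags, version=20, extra=b""):
    """Serialize one local file header plus its data (constructed sample)."""
    header = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, version, flags,
                         method, 0, 0, 0, len(body), len(body),
                         len(name), len(extra))
    return header + name.encode("utf-8") + extra + body


def build_sample_archive(password, key_bits=256):
    """Constructed archive: one plain, one ZipCrypto and one AES entry.  The
    AES ciphertext and auth code are zero placeholders (no AES in stdlib)."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")[:key_bits // 16]
    strength = {v: k for k, v in STRENGTH_TO_BITS.items()}[key_bits]
    aes_extra = struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack(
        "<H2sBH", 2, b"AE", strength, 8)          # AE-2, real method deflate
    aes_body = (salt + password_verifier(password, salt, key_bits)
                + b"\x00" * 32 + b"\x00" * 10)
    return (local_entry("readme.txt", b"not encrypted", 0, 0)
            + local_entry("old.txt", b"\x00" * 12 + b"x" * 10, 8, 1)
            + local_entry("secret.txt", aes_body, AES_METHOD, 1, 51, aes_extra))


if __name__ == "__main__":
    entries = parse_local_headers(build_sample_archive("winter2009"))
    for e in entries:
        print(e["name"], e["encryption"], e["key_bits"])
    print("recovered:", guess_password(entries[2], ["password", "bowdoin",
                                                     "winter2009"]))
```

Run on a real WinZip archive by reading the file into `parse_local_headers`; the ZipCrypto classification is what "Zip 2.0 compatible" produces, and a weak password on an AES entry falls to `guess_password` at roughly a thousand PBKDF2 rounds per guess, which is cheap on modern hardware.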

TrueCrypt

TrueCrypt is an open-source tool for Windows Vista/XP, Mac OS X, and Linux that encrypts data on a hard drive, portable drive, or USB drive, either as an encrypted container or volume or as full-disk encryption.  A password (and optionally a keyfile) is supplied to mount the volume; once mounted, files are encrypted and decrypted transparently as they are written and read.  See www.truecrypt.org for the free download and a short Beginner's Tutorial.  Warning:  Creating a TrueCrypt volume on an existing drive or partition formats it, so any data already on that volume will be lost; back it up first.  Contact Bowdoin IT Security for assistance installing and setting it up at:

E-mail: itsecurity@bowdoin.edu
Phone:  207-725-3471

Other

Apple's Mac OS X Encryption Disk Utility tool
Apple's Disk Utility in Mac OS X can create an encrypted disk image, which can then be burned to a CD or DVD and sent.  This is comparable to the WinZip function available to Windows users.  Files or folders are placed inside the encrypted image, and the recipient needs software that can open an encrypted Apple disk image (normally a Mac) as well as the password.  After deleting the unencrypted originals, use the Secure Empty Trash command so that no traces of them remain on disk.

Apple's FileVault
Apple's FileVault encrypts a user's entire home directory.  It comes standard with the operating system; no additional cost or hardware upgrades are needed.  Keep the FileVault master password somewhere safe: without it or the user's login password, the home directory cannot be recovered.

Windows Vista - BitLocker
On Windows Vista (Enterprise and Ultimate editions), BitLocker Drive Encryption encrypts the entire operating-system volume, so the operating system and applications are protected along with the data files.  The key that unlocks the volume is held by a TPM (Trusted Platform Module) chip on the motherboard or, on machines without one, on a USB startup key that must be present at boot.  Keep the recovery password that BitLocker generates; it is the only way back in if the TPM or startup key is lost.

Windows XP, Vista Encrypting File System (EFS)
Windows XP Professional and the Business, Enterprise and Ultimate editions of Vista can encrypt specified folders and files with EFS (Encrypting File System); the Home editions do not include it.  Right-click the file or folder, select Properties, click the Advanced button on the General tab, and select "Encrypt contents to secure data".  Click OK twice to close the Advanced dialog and the Properties window.  If the Confirm Attribute Changes window appears, choose "Apply changes to this folder, subfolders and files" so that all files in the folder are encrypted.  EFS keys are tied to your Windows account on that machine, so export a backup of your EFS certificate and private key (for example with the Certificates snap-in, certmgr.msc); after a reinstall or a lost account the files are otherwise unreadable.

PDF
Full versions of Adobe Acrobat can encrypt documents, but do not use the default settings: the compatibility options for older Acrobat versions use 40-bit or 128-bit RC4.  Choose the setting that gives AES-128 or better (Acrobat 7.0 and later compatibility).  Warning:  Encrypted PDFs are blocked by many e-mail servers.

Last updated April 15, 2009

Document author:
rgoldfin
Last modified:
Dec 22, 2009