Encryption for all

It’s hard to review a newspaper or security mail list these days without reading yet another story about some slack company losing other people’s financial and identity information. Either the information was compromised from poorly protected servers, stolen laptops, or misplaced portable media.

The latter two issues are easy to prevent: All confidential information should be encrypted when stored on portable computers and media, including backup media. Actually, all confidential data should be protected, but I’m assuming your nonportable assets and media have other offsetting controls.

Although no federal laws or guidelines require encryption to protect confidential information, disk or data encryption is the easiest way to prevent unauthorized access. If your company stores confidential data on said equipment or media, follow these rules:

1. Create a data encryption information policy and educate employees.
2. Select and use a proven and secure encryption software product.
3. Enable automatic encryption of data or the media it resides on.
4. Ensure that the password, passphrase, or secret key used to protect the data is nontrivial and stored securely.
5. Create and maintain a key escrow program so that encrypted data can be recovered if the main user loses the key.

That’s it. Following this advice will go a long toward protecting confidential information if the portable computer or media gets lost or stolen. How nice it would be for your company to not have to report lost information to its customers, government, and the media.

The hardest choices will be what to encrypt and what product to use. You can encrypt the entire media or just the data. Encrypting the entire media is a better choice because application software often leaves plain-text remnants of crypto-text in unprotected areas. An attacker using a bit-level analysis tool could extract the plain-text remnants.

As for encryption products, there are dozens and dozens to choose from. My advice is to select a vendor that has stood the test of time and has undergone third-party and expert review.

Here are my suggestions for some good products to review. (To figure out which products to avoid, you can’t go wrong by querying any Internet search engine with the words "Bruce Schneier dog house." Bruce, CTO of Counterpane Internet Security, routinely points out questionable crypto products in his Crypto-Gram newsletter.)

Phil Zimmerman’s PGP (Pretty Good Privacy) product is still around in both free and commercial forms. GnuPG is an excellent product that supports Linux, Unix, Windows, Mac, and Risc platforms. Make sure you get latest Version 1.4.2.2, patched to close the vulnerability reported in early March.