File encryption dos and don'ts

I've been involved with multiple projects with file encryption lately, and even though I've been assisting with data encryption projects for years, I'm still learning something new every day. They say if you don't learn something new each day, then the day is wasted. Me, I'd settle for not looking like a goon in front of the client.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

If you're embarking on a file encryption project, here are some ideas, questions, and caveats to be aware of.

Is file encryption right for you?
Many clients I deal with end up complaining about some of the issues inherent with file encryption. Issues such as plaintext remnants of encrypted files, files saved outside the expected encryption zones, and files that were locked during encryption and therefore left unencrypted. If these things bother you, consider volume or full disk encryption instead. The trend is heavily favoring these methods of data protection over file-by-file encryption.

Key archiving, key archiving, key archiving
You can define the long-term success of your project by the success of your data recovery events. People will forget passphrases and lose keys. They will corrupt encrypted volumes. Your CEO will lose access to her data when traveling. Plan ahead and make sure your data recovery methodology is flawless and accessible. It all begins by ensuring that crypto keys are automatically archived, by default, every time. Don't leave it up to end-users or allow gaps to creep into the process. And test, test, test before beginning deployment. It takes only one high-visibility data loss to mark your data encryption project as a failure.

Where is your data?
Survey where your data is stored and where it is transmitted. How can you begin a data protection plan if you don't know where your data is? Not only is it on hard drives (servers, workstations, and laptops), but USB keys, CD-ROMs, tape backups, and so on. Decide where you need to encrypt and pick the appropriate solutions.

What about data in transit?
Most data encryption programs protect information at rest. How do you protect the data crossing your network or WAN? Is it encrypted? Most of the projects I've been involved with have addressed data at rest scenarios (hard drives, USB keys, and so on), while completely neglecting transmitted data. That's OK -- you have to start somewhere, but don't overlook the second issue. In most cases, you'll need additional solutions to protect data in transit, although you can often rely on the old standby standards of SSL/TSL and IPSec.

Are your apps compatible?
This may surprise some readers, but are you sure your applications don't mind the encryption? Most encryption implementations are seamless and work in the background, but they all require specialized disk drivers and API calls. Many legacy programs may not use the expected disk calls, bypassing the encryption routines and corrupting data. After you've encrypted your data, you should thoroughly test all programs for interaction problems. And, oh yeah, make sure your data backup programs are compatible.