User Guide to Encryption

PointSec Update

Johns Hopkins policy encourages (and for JHM) requires Full Disk Encryption on laptop computers. We are deploying PointSec's FDE. Please check our update page.

Use file servers and avoid storing on mobile devices or media.

Nearly everyone at Hopkins has access to a local area network, and many LANs can be securely accessed from outside Hopkins through a virtual private network. If you have secure remote access to a LAN file server, you should almost never need to store sensitive data locally on workstations, flash drives or laptops. You can access your files through the network, and you get the benefit of regular back-ups and protection against malicious code that can be attached to Office documents.

WinZip -- Your Windows Swiss Army knife of encryption

WinZip is not free (go to SPARS to purchase it or download the demo version). It does not work with enormous files, and it is tricky when the recipient is using a Mac. But for most purposes it is a reliable form of encryption that can be used to encrypt one or more files for storage on mobile devices and for transmission through e-mail and FTP. Note that WinZip does not automatically encrypt a zipped folder: you need to set the security options for encryption, but that is easy and is discussed below.

Just remember to use version 9.x or higher and that anyone else opening the file will need that version also. They can download a demo version.

Encrypting Files in Windows XP -- For those not using PointSec

Microsoft Windows XP provides a 128 bit encryption utility known as the Windows Encrypting File System (EFS) (Windows 2000 has a service pack for a similar utility). EFS allows users to encrypt folders, give or deny access to other users, etc., and it is relatively easy to use. Because the encryption utility is closely tied to the operating system, the user is not required to create a new password for encrypted files and folders – either to encrypt or to decrypt. While this makes EFS easy to use, one drawback is that the encryption has little portability. EFS will not let you move or copy a file to storage media or a network drive without losing the encryption. This, of course, also means that EFS cannot maintain encryption for a file in transit.

To encrypt a file or folder in Windows XP (in part from the Microsoft Web Site):

  1. Open Windows Explorer.
  2. Right-click the file or folder that you want to encrypt, and then click Properties.
  3. On the General tab, click Advanced.
  4. Select the Encrypt contents to secure data check box.
  5. Apply the settings (it may ask you to consider encrypting the entire folder rather than just the file).

Wait a while. This could take all day, depending on the size of the hard drive.

Notes

  • To open Windows Explorer, click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  • You can only encrypt files and folders on NTFS file system volumes.
  • Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed.
  • When you encrypt a single file, you are asked if you want to encrypt the folder that contains it as well. If you choose to do so, all files and subfolders that are added to the folder in the future will be encrypted when they are added.
  • When you encrypt a folder, you are asked if you want all files and subfolders within the folder to be encrypted as well. If you choose to do so, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future. If you choose to encrypt the folder only, all files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.

In sum, EFS is easy to use and works well for encrypting files on a laptop or at-risk workstation. It is not as useful for files that will be moved to other machines or devices or through e-mail.

USB Thumbdrive Encryption

Johns Hopkins has several encrypted USB thumbdrive options on the SPARS Website. These tools download a management program onto the workstation or laptop and encrypt using that program. Our Kingston tool does not require administrative access but is limited to Windows. Lexar can be used on Mac and Linux but requires administrative access. We recommend that you consult with your IT administrator to determine whether the department has purchased these tools.

Using Winzip 9.x to Encrypt Files in Windows

To Encrypt:

Winzip continues to use a kind of folder, called an “archive,” for zipping individual files. After an archive has been created, you can “Add” files to the archive.

  • When adding a file, the dialogue box will have a checkbox in the bottom right hand corner that says “Encrypt added files.” Check the box.
  • Add the file to the archive. Winzip will then interject a “Caution” dialogue box that provides a link to learn more. If you have little interest in learning more click OK.
  • The next dialogue box, called “Encrypt,” asks for a password and offers three choices. “Zip 2.0 compatible” simply means encoding and is not encryption. This will only password protect (encode rather than encrypt) the file and is not our recommended approach to security. Using this method will, however, allow other users to open the file with earlier versions of Winzip. The other two choices are both forms of AES encryption – you can choose either 128 bit or 256 bit encryption. For our purposes, they are both very difficult to break, so feel free to use either one. It is possible that 128 bit encryption may provide slightly better performance than 256, but we have seen no major differences.
  • Within an archive, you can use different passwords (or no password at all) and encryption methods for each file.
  • Important – the primary advantage of Winzip over the Windows Encrypting File System is that Winzip encrypted files are portable. Files can be e-mailed, or stored on CD, floppy or another format, all while encrypted. The primary disadvantage of Winzip 9.x encryption is that anyone wanting to open an encrypted file must also have WinZip 9.x. Earlier versions will not open encrypted files, although they will open “Zip 2.0 compatible” files. Adoption of the latest version of Winzip is always gradual, so you should not assume that a recipient of a Winzip-encrypted file through, say, e-mail has the up-to-date version of Winzip. If not, that person will not be able to open the file. There is, of course, a no-cost evaluation version of Winzip available for download, but you should consider whether the intended recipient will be able to download and use Winzip 9.x.
  • When e-mailing a zipped file, make sure to communicate the password to the recipient out-of-band, that is, by phone, fax or in person (not another e-mail). Passwords should be difficult to guess and
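A practical check on the three “Encrypt” choices above and on the version caveat: the central directory of a received archive records, per entry, whether it is unencrypted, “Zip 2.0 compatible” (general-purpose flag bit 0 set, ordinary compression method) or WinZip AES (compression method 99 plus a 0x9901 extra field carrying the key size), which tells you whether the recipient will need Winzip 9.x. This is an added example, not code from this page or from WinZip; the sample archive is constructed inside the block (central directory and end record only, no file data), and the parser assumes the archive carries no trailing comment.

```python
import struct

CDH_SIG, EOCD_SIG = 0x02014b50, 0x06054b50          # PKWARE APPNOTE signatures
CDH_FMT = "<IHHHHHHIIIHHHHHII"                     # 46-byte central-directory header
AES_METHOD, AES_EXTRA_ID = 99, 0x9901              # WinZip AES marker method / extra id
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
ZIP20 = "Zip 2.0 compatible (legacy, not recommended)"

def _describe(flags: int, method: int, extra: bytes) -> str:
    if not flags & 0x1:                  # general-purpose bit 0: entry is encrypted
        return "none"
    if method != AES_METHOD:             # encrypted but not AES = Zip 2.0 scheme
        return ZIP20
    pos = 0                              # walk extra fields for the 0x9901 record
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        if fid == AES_EXTRA_ID and size >= 5:
            return AES_STRENGTH.get(extra[pos + 8], "AES-unknown")  # strength byte
        pos += 4 + size
    return "AES-unknown"

def classify_entries(data: bytes) -> dict:
    """Map each entry name to its encryption mode using only the central directory."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))   # assumes no archive comment
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, total, _, pos = struct.unpack_from("<HHII", data, eocd + 8)
    result = {}
    for _ in range(total):
        f = struct.unpack_from(CDH_FMT, data, pos)
        if f[0] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, method, nlen, elen, clen = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        result[name] = _describe(flags, method, extra)
        pos += 46 + nlen + elen + clen
    return result

def _cd_entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    hdr = struct.pack(CDH_FMT, CDH_SIG, 20, 20, flags, method, 0, 0, 0, 0, 0,
                      len(name), len(extra), 0, 0, 0, 0, 0)
    return hdr + name + extra

def build_sample_archive() -> bytes:  # constructed sample: central dir + EOCD only
    aes = lambda s: struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", s, 8)
    cd = (_cd_entry(b"plain.txt", 0, 8) + _cd_entry(b"zip20.txt", 1, 8)
          + _cd_entry(b"aes128.txt", 1, AES_METHOD, aes(1))
          + _cd_entry(b"aes256.txt", 1, AES_METHOD, aes(3)))
    return cd + struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 4, 4, len(cd), 0, 0)
```

On a real file, call classify_entries(open("archive.zip", "rb").read()); any entry reported as AES requires Winzip 9.x or later at the receiving end, and a "Zip 2.0 compatible" entry is the weak option the text advises against.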

In sum, Winzip 9.x provides strong and portable encryption in storage and in transit. It requires more effort than EFS for storing files locally, but encrypted files can be moved easily. The main drawback is that anyone trying to decrypt a file must have Winzip 9.x rather than an earlier version of the program. This can be a problem for e-mailing attachments.