Encryption on ETSU and Personal Devices, on ETSU OneDrive for Business, with Outlook email, and with MS Office and Adobe Software
General Precautions Regarding Encryption
- Never attempt to encrypt a network drive or departmental folder on a network drive.
- Back up your research data files to your ETSU OneDrive for Business account or to an ETSU network drive before starting an encryption process.
- Do not interrupt an encryption process in progress.
- Immediately record and back up any passwords or encryption/decryption keys generated.
- If you are using multiple passwords, use a password management service that requires authentication.
- When a file from an encrypted device is shared (copied to another device or sent as an email attachment) the shared copy is not encrypted.
- Save offline device passwords as secure "notes" in your digital password manager. Include a brief physical description of the encrypted device - e.g. 1.5" long flash drive, rectangular, attached steel swivel cover, blue/silver.
- If you are not using a digital password manager to generate strong passwords, please follow the ETSU password guidelines.
- If you are using biometrics (fingerprint, facial, or voice recognition) to open devices, be sure to record the backup passcode in your digital password manager.
Are research data files stored in ETSU OneDrive for Business encrypted?
Yes! Faculty, staff, and students have 1 TB OneDrive for Business accounts accessed with ETSU login credentials. Data are encrypted in transit to and from OneDrive and are double encrypted at rest on OneDrive. Further encryption is not required. OneDrive can be accessed on and off campus via its secure web interface. Only those with permission to view a file or folder are able to access the contents. Remember that ETSU has not approved OneDrive for HIPAA data.
What sorts of research data may be stored on ETSU OneDrive for Business?
ETSU OneDrive for Business is approved for storage of all data other than HIPAA data.
I want to send an encrypted e-mail to a non-ETSU recipient.
Type the word encrypt anywhere in the subject line and your email content and attachments will be encrypted. If the recipient is using Outlook, the email and attachments will simply open. If the recipient is not using Outlook, they will receive an email telling them to download an attached message. The downloaded message contains a link that provides a one-time passcode and opens a dialog box to accept the code. The recipient enters the passcode in the dialog box and the encrypted email and attachments open. Each time the recipient wants to open the email, they repeat the procedure to obtain a new passcode.
I need a password manager to keep track of all of my passwords.
ITS-RCS recognizes the need for cloud-based password management as more researchers encrypt their data and more passwords are generated. As such, we tested highly rated password managers that store passwords and generate unbreakable passwords. We have recommended adoption of the enterprise version of LastPass by the university; there are numerous other versions of LastPass including free, premium, family, and team versions.
ETSU Laptops: ETSU-owned Mac and Windows laptop drives are already encrypted per TN state requirement. If someone steals your ETSU laptop, the contents can only be decrypted with your ETSU password. A strong enough password will defeat a brute-force attack. When you share a file from your laptop (e.g. e-mail it to someone or copy it to a flash drive), the copy is not encrypted. Your ETSU laptop (Mac or PC) should have device location software installed - ITS-RCS recommends that you activate "Find My Mac" or "Find My Device." Be certain to back up research data files on your laptop to your ETSU OneDrive for Business account or to an ETSU network drive. If the hard drive in your laptop crashes, it may only be possible to retrieve your research data files from your backups.
ETSU Desktops: By default, ETSU desktop drives are not currently encrypted. While it is possible to encrypt the hard drive in your Mac, PC, or Linux desktop, our current recommendation is that you store your research files (all other than HIPAA) on ETSU OneDrive for Business or on an ETSU network drive. OneDrive provides encryption in transit and at rest and provides automatic backup of your research data. If concerns for the value or sensitivity of your research data compel you to encrypt your local hard drive, it can be done. ITS-RCS strongly recommends that you only encrypt your hard drive if you are already backing up your research data files to ETSU OneDrive for Business or to an ETSU network drive - if an encrypted drive crashes, you will have to recover your research data files through your backups. Be sure to continue to back up your research data on OneDrive or on an ETSU network drive after encrypting your hard drive. As you begin the encryption process, immediately record the encryption key and password in your cloud-based digital password management system.
To encrypt a PC, open BitLocker Drive Encryption (Control Panel, System and Security) and turn on BitLocker beneath Operating System Drive. Please let ITS-RCS or the ITS HelpDesk know if you would like someone from ITS to assist. On a Mac, open System Preferences, then Privacy and Security, and turn on FileVault for the Macintosh HD. VeraCrypt does not support full disk (system) encryption on Linux, but it does allow encryption of containers and partitions.
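The Control Panel steps above can also be scripted. The following PowerShell is an added example, not part of ETSU's guidance: it reports the operating-system drive's BitLocker state, turns BitLocker on if the drive is unencrypted, and copies the 48-digit recovery password to a file on a drive other than the one being encrypted (the backup folder `E:\BitLocker-Keys` is an assumption; use any location that is not the drive itself). The cmdlets used ship in the BitLocker module on Windows Pro and Enterprise.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable BitLocker on the OS drive, then copy the recovery
# password somewhere other than the drive being encrypted (assumed path below).
$OsDrive      = $env:SystemDrive                 # normally "C:"
$KeyBackupDir = 'E:\BitLocker-Keys'              # assumption: any location that is NOT $OsDrive

function Get-OsDriveBitLockerState {
    $v = Get-BitLockerVolume -MountPoint $OsDrive
    [pscustomobject]@{
        Drive      = $v.MountPoint
        Volume     = $v.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        Protection = $v.ProtectionStatus    # Off until a key protector exists and encryption is on
        Method     = $v.EncryptionMethod    # XtsAes256 is BitLocker's "new encryption mode"
        Protectors = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}

$before = Get-OsDriveBitLockerState
$before | Format-List

if ($before.Volume -eq 'FullyDecrypted') {
    # Start with a recovery password so a key exists before any data is encrypted.
    # No -UsedSpaceOnly here: a desktop drive that has already held research data
    # should be fully encrypted, or the contents of deleted files stay in the clear.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    # The TPM unlocks the drive at boot; the Windows sign-in (your ETSU password) then gates access.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null
}

# Copy every recovery password to the backup folder; the same value belongs in the password manager.
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Force -Path $KeyBackupDir | Out-Null
$outFile = Join-Path $KeyBackupDir ("{0}-{1}-recovery.txt" -f $env:COMPUTERNAME, $OsDrive.TrimEnd(':'))
$recovery | ForEach-Object { "Protector ID: $($_.KeyProtectorId)`nRecovery key: $($_.RecoveryPassword)" } |
    Set-Content -Path $outFile

Get-OsDriveBitLockerState | Format-List
```

Run it from an elevated PowerShell window. Adding the TPM protector fails on a machine without a TPM (or where policy forbids TPM-less BitLocker), in which case the drive would ask for the recovery key at every boot; stop and contact the HelpDesk rather than rebooting. Windows Home editions do not include the BitLocker module at all.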
EFS Encryption of Files and Folders on ETSU PC Desktops (recommended for those with only occasional files to encrypt) - EFS encryption is an easy process that protects files and folders at rest on your hard drive. If someone unlawfully accesses or steals your hard drive, unless they know or break your ETSU password, they will not be able to decrypt files encrypted with EFS. When you share EFS-encrypted files with other devices or send them as email attachments, the copies are not encrypted. To encrypt with EFS, just navigate to a file (or folder) with File Explorer, right click on the object name, select "properties," click "advanced" on the general tab, check the "encrypt contents to secure data" box, click OK, and click "apply." If you are encrypting a file, you will be asked if you want to "encrypt the file and its parent folder" or "encrypt the file only." Select your preference and click "OK."
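The same EFS operation can be applied to a whole research folder, verified, and, most importantly, followed by a backup of the EFS certificate. This PowerShell is an added example and not ETSU's procedure; the folder and backup paths are assumptions. It uses the built-in `cipher.exe`, which sets the same "encrypt contents to secure data" flag that File Explorer does.

```powershell
# Added example: EFS-encrypt a research folder from PowerShell, verify it, and back up
# the EFS certificate. Folder and backup paths are assumptions.
$Target     = 'C:\Users\researcher\Documents\Study-Data'   # assumption: a local NTFS folder
$CertBackup = 'E:\EFS-Backup\efs-cert'                     # assumption: not on the encrypted drive;
                                                           # cipher appends the .pfx extension itself

# cipher /e marks the folder so new files inherit encryption; /s: also encrypts everything below it.
cipher.exe /e "/s:$Target" | Out-Null

function Get-UnencryptedFiles {
    param([string]$Path)
    # Returns files that did NOT receive the Encrypted attribute (e.g. files that were in use).
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
}
$missed = Get-UnencryptedFiles -Path $Target
if ($missed) { "Not encrypted:"; $missed.FullName } else { "All files under $Target are EFS-encrypted." }

# cipher /c lists which certificates (accounts) can decrypt each file: confirm that only
# your own account, plus any designated recovery agent, appears.
cipher.exe /c "$Target"

# Back up the EFS certificate and private key (prompts for a password to protect the .pfx).
# Without this backup, an administrator-forced password reset or a rebuilt Windows profile
# leaves the encrypted files unreadable even to you.
New-Item -ItemType Directory -Force -Path (Split-Path $CertBackup) | Out-Null
cipher.exe /x "$CertBackup"
```

Keep the exported `.pfx` and its password in the same place as your other encryption secrets (the password manager and an off-machine copy), not on the drive the files live on.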
Microsoft Office Encryption of Files with a Password on ETSU PCs (recommended for those sharing Office documents) - This effortless process prevents MS Office files from being accessed without a password. With a file open in the appropriate MS Office program, click on "file," then select "Info," then click on "Protect Document," then select "Encrypt with password," then enter a password for the document, then re-enter the password for the document. The password requirement will follow the file when it is shared with others or copied elsewhere. If you use "save as" to save a Word document as PDF, you can click on "options" when saving, and opt to save the PDF with a password.
Adobe Acrobat (and Photoshop) Encryption of PDF Files with a Password - This easy procedure allows you to limit access, printing, copying, and editing of PDF files to those with a password. Open the PDF in Acrobat, select Tools, then Protect, then Encrypt, then Encrypt with Password, and then select the options you wish to put in place. You can also password protect a file saved as PDF in Photoshop but be aware that, unless you save the original PSD file as a "layered PDF" with "Photoshop editing capabilities preserved," the file will be saved in a flattened PDF image format.
Create an Encrypted Virtual Hard Drive for Files on ETSU PC Desktops (recommended for those who want a storage bin that automatically encrypts files) - This challenging procedure uses "Disk Management" to create a Virtual Hard Drive (VHD), assign a drive letter to the VHD, and encrypt the VHD with BitLocker. Files stored in the VHD are encrypted. To begin, right click on the start button and select "Disk Management." Under "Action," select "Create VHD." Use "browse" to specify a location for the VHD and name it "something.vhd." Assign at least several GB to make VHD creation worthwhile. Select the VHD format and type (defaults are fine). When the new disk appears in Disk Management, right click on it and "Initialize Disk." Select GPT partition style. Right click on the "unallocated" space shown for the new VHD in Disk Management and select "New Simple Volume." The New Simple Volume Wizard will open. Use the Wizard to assign an unused drive letter to the VHD, use other default settings and give the VHD a label of your choice. Click Finish to close the wizard. To encrypt the new VHD, use file explorer to find and right click on the drive letter associated with the new VHD and "Turn on BitLocker." Enter and confirm a password for the new VHD and then click next. Be sure to save the BitLocker Recovery Key and password. Choose the new encryption mode. Start encryption. After you re-boot your computer, your password will be required to access the new VHD. You may have to access the VHD through File Explorer in order to get the BitLocker password box to open. Think of this drive as a storage bin that automatically encrypts anything you store in it.
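The Disk Management steps above can be reproduced from an elevated PowerShell window, which also gives a repeatable way to reattach and unlock the storage bin after each reboot. This script is an added example, not ETSU's own tooling; the VHD path, size, drive letter and label are assumptions. It uses `diskpart` (present on every Windows edition) for the VHD creation and the BitLocker module for the encryption, and, as the text recommends, the new encryption mode (XTS-AES).

```powershell
#Requires -RunAsAdministrator
# Added example: script the encrypted "storage bin" (VHD + BitLocker). Paths, size,
# drive letter and label are assumptions; the VHD must live on a local drive.
$VhdPath = 'D:\Research\research-bin.vhd'   # assumption; never a network drive
$SizeMB  = 8192                             # 8 GB, dynamically expanding
$Letter  = 'V'
$Label   = 'ResearchBin'
$Mount   = "${Letter}:"

# Step 1: create, attach, GPT-initialise, partition and format the VHD with diskpart
# (the same steps as Disk Management; New-VHD would need the Hyper-V module).
New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null
$dpScript = @"
create vdisk file="$VhdPath" maximum=$SizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
convert gpt
create partition primary
format fs=ntfs label="$Label" quick
assign letter=$Letter
"@
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value $dpScript
diskpart.exe /s $tmp.FullName | Out-Null
$dpExit = $LASTEXITCODE
Remove-Item $tmp.FullName
if ($dpExit -ne 0) { throw "diskpart failed (exit $dpExit); the VHD was not prepared" }

# Step 2: turn on BitLocker with a password protector, then add a recovery password.
# -UsedSpaceOnly is acceptable here because the volume is brand new and holds no old data.
$pw = Read-Host -Prompt "Password for $Mount" -AsSecureString
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null
$vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
"Record this recovery key in your password manager now: $recovery"

# Step 3: after a reboot the VHD is detached; these reattach and unlock it without File Explorer.
function Open-ResearchBin {
    param([string]$Path = $VhdPath, [string]$MountPoint = $Mount)
    Mount-DiskImage -ImagePath $Path | Out-Null          # attaches the VHD (Storage module)
    if ((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Locked') {
        $p = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
        Unlock-BitLocker -MountPoint $MountPoint -Password $p | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus, ProtectionStatus
}
function Close-ResearchBin {
    param([string]$Path = $VhdPath)
    Dismount-DiskImage -ImagePath $Path | Out-Null       # detaching re-locks the bin
}
```

Detaching the image (`Close-ResearchBin`) is the equivalent of ejecting the Mac disk image described in the next section: once it is detached, nothing in the bin is readable without the password or the recovery key. Remember that a file copied out of the bin to another folder or into an email is no longer encrypted.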
Create an Encrypted Disk Image/Volume for Files on ETSU Mac Desktops (recommended for those who want a storage bin that automatically encrypts files) - This challenging procedure uses "Disk Utility" to build a "disk image" (.dmg) containing a password protected "volume." Files stored in the volume are encrypted. The disk image can be hidden anywhere on the Mac, if desired, while the encrypted volume can be "ejected" from view. With "Disk Utility" open, click on "new volume." Complete the required information. "Save as" lets you name the disk image (.dmg). The "tag" option might visually identify the "disk image" as an encrypted storage bin or identify it as yours if you share the computer. The "name" identifies the encrypted "volume" within the "disk image." The size of the disk image must be greater than 10 MB. Set the desired format, encryption level (128 or 256 bit AES), and partition as desired (defaults are fine). Set the image format as "read/write." Select create, and then record the password you enter and verify. If you share the computer, uncheck the box that says, "remember password in my keychain." Finally, "eject" the "volume." The "volume" will disappear from view but the "disk image" remains visible. If you did not save the password to your keychain, when you activate the "disk image" to access the "encrypted volume," you will be prompted for your password.
Total Mac Desktop (or Drive) Encryption (this process potentially encrypts everything) - This demanding procedure requires considerable time and care. ITS-RCS recommends that you only follow this procedure if you have backed up your research data to ETSU OneDrive for Business or to an ETSU network drive and plan to continue to do so following encryption of the desktop. If an encrypted hard drive fails, it may be necessary to recover your research data from your backups on OneDrive. Be certain to store passwords and encryption/decryption keys generated in your cloud-based password management account. Use "system preferences" to get to "security and privacy" options. Select "FileVault." Turn on FileVault by clicking the lock image and entering your administrator password. If there are other administrators, you will be asked for their passwords. You will be provided with a public and a private recovery key in a filevaultmaster.keychain file. You should record these keys immediately. Save them somewhere other than on the machine you are encrypting. You may want to save the private key or a copy of the filevaultmaster.keychain file in cloud storage and on paper. FileVault will not let you store the private key in the Mac keychain. If you wish to have a Mac specialist on hand to help, please contact the ITS HelpDesk at 94648 or https://www.etsu.edu/helpdesk/contact.php.
Encryption of Mac Backups with Time Machine (recommended for encryption level protection in the event of theft) - If you are backing up your Mac to an external drive, you can use Time Machine to "encrypt backups," as long as you have not partitioned the external drive. If you are backing up to ETSU OneDrive for Business, recall that data are encrypted in transit to OneDrive and are double encrypted at rest in OneDrive. There is no need for further encryption on OneDrive.
Personal Computing Devices (required of anyone collecting or temporarily storing HIPAA data on the device): Your personal devices may or may not be encrypted depending on default settings of the manufacturer or vendor. Encryption of any device increases data security but requires that you securely maintain copies of the password and/or encryption/decryption key used to access the encrypted content or device. ITS-RCS recommends that you use a cloud-based password management system. Do not interrupt an encryption process in progress.
Personal Mobile Devices (required of anyone collecting or temporarily storing HIPAA data on the device): Phones, tablets, and other mobile devices may or may not be encrypted depending on default settings of the manufacturer or vendor. Generally, total device encryption options are found in device security settings. Contents are usually preserved during encryption, but check with the manufacturer or vendor if you are not certain. Be sure to immediately record any password or encryption/decryption key. ITS-RCS recommends that you use a cloud-based password management system. Do not interrupt an encryption process in progress. If, for some reason, you decide to remove encryption from a device, back up the data first, as the device will be re-formatted when you remove encryption.
In general, when you encrypt a flash drive, it is for temporary storage (e.g. transit) of data that you want to secure. Unless you are an experienced user, we recommend that you do not put files intended for public presentation (e.g. PPT or similar files) on an encrypted flash drive because of possible difficulties opening the file on equipment at the site of presentation.
Flash Drive for Mac + Windows + Linux - If you require an encrypted flash drive recognized by multiple platforms (Mac, Windows, and Linux), we recommend that you i) purchase a "hardware encrypted" flash drive warranted to work on multiple platforms or ii) encrypt your flash drives with VeraCrypt.
VeraCrypt - VeraCrypt is an open source application that runs on Mac, Windows, and Linux. If you encrypt flash drives with VeraCrypt, back up your data first, as the flash drive will be reformatted. Select exFAT as the filesystem. Once encrypted, the flash drive can only be opened with VeraCrypt. That means that VeraCrypt must be installed on any computer used to access the data on the encrypted flash drive. If anyone attempts to mount your flash drive without VeraCrypt, the flash drive will appear to be unformatted. If you set a PIM (Personal Iterations Multiplier) when you encrypt with VeraCrypt, be sure to record both your password and your PIM value - both will be required to access data on the flash drive.
Mac users will need to install Fuse for OS X and Linux users will need to install exFAT-fuse and exFAT-utils before mounting encrypted flash drives with VeraCrypt.
Get Help with VeraCrypt in the ITS-RCS Laboratory - If you would like assistance with encryption of flash drives, we can encrypt them for you or we can help you as you encrypt them with BitLocker or VeraCrypt here in the ITS-RCS laboratory (Room 303 of the Campus Center Building). The encryption process takes roughly 2.5 minutes per GB of space on the flash drive.
Flash Drive for Mac Only - On your Mac, right click on any USB flash drive and select "encrypt (flash drive name)." This will encrypt the flash drive with FileVault. We recommend that you encrypt the entire flash drive. Existing files should not be lost. You can open the flash drive on any Mac.
Flash Drive for Windows Only - On your PC, right click on the flash drive and select "Turn on BitLocker." We recommend that you encrypt the entire flash drive. Existing files should not be lost. Select compatibility mode to open the flash drive on any computer running Windows 7 or a newer Windows operating system.
Flash Drive for Linux Only - On a Linux system running the Gnome Desktop, encrypt an entire flash drive using Disk Utility. The flash drive will be re-formatted and all files erased. The flash drive will work on any Linux system running the Gnome Desktop.
Using Encrypted Flash Drives at Home - While Windows Home Editions do not provide full support for encryption with BitLocker, it is possible to read a BitLocker encrypted flash drive on a Windows Home edition machine - don't forget the password. All Macs seem to be able to read FileVault encrypted flash drives, so if you encrypt on an ETSU Mac but want to use the flash drive on a home Mac, you will not have any issues. The same is true for Linux machines running the Gnome desktop environment; anything running the Gnome desktop should read a flash drive encrypted with the Disk Utility on another Linux running the Gnome desktop.