Encrypting Files and Folders
Encryption is an effective measure to protect sensitive data. In this lab card we provide instructions for file/folder encryption on platforms commonly used by LCSB staff.
IMPORTANT NOTICE: One important requirement of using encryption is that you must manage your encryption passwords/keys. Failing to do so will mean losing your data indefinitely. In this link we list tools that can be used for password management. Please make sure you have arrangements for password management before starting the encryption of data.
The built-in mechanism for file-level encryption on a Mac is Encrypted Disk Images (.dmg files). In order to create a disk image:
- Using Finder, open /Applications/Utilities/Disk Utility.
- From the Disk Utility menu select File > New Image.
- You will have two options: create a Blank Image or create an Image from Folder. Choose the option that fits your situation.
- You will be prompted for the configuration of the image. Make the following settings:
  - Set a name for your image (also set a size if this is a blank image).
  - Set a format for the image. The format should be read/write for blank images. When creating an image from a folder, the format can be read/write or read-only.
  - Turn encryption on by selecting either the 128-bit or the 256-bit AES option. You will then be prompted for a password for your image. Provide a password and save.
- A .dmg file will be created with the name you supplied.
- Whenever you want to load the image you will be prompted for the password. Remember to eject the disk image when you’re not accessing the files within.
Make sure you have all relevant data in a single file. In case you have multiple files, put them in a folder and create a compressed archive (aka tarball).
tar cvzf your-compressed-file-name.tar.gz your-directory/
You can use the following command to encrypt a file with a passphrase on Linux.
gpg -c file_to_be_encrypted
You will be asked for a passphrase.
Enter passphrase: <YOUR_PASSWORD>
Repeat passphrase: <YOUR_PASSWORD>
The following command can be used to decrypt the file.
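The tarball + gpg -c workflow above, together with the matching decryption, as an added example that is not part of the lab card. It assumes GnuPG 2.1+ and tar are installed; the helper names, the sample folder and the passphrase are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the lab card: pack a folder into a tarball, protect it
# with a GnuPG passphrase (gpg -c) and prove it decrypts before the plaintext
# archive is removed. Assumes GnuPG 2.1+ and tar. The passphrase is read from a
# file rather than typed on the command line, so it stays out of shell history.

# encrypt_dir DIR PASSFILE -> writes DIR.tar.gz.gpg next to DIR, prints its name
encrypt_dir() {
    dir=${1%/}; passfile=$2
    tarball="$dir.tar.gz"
    tar czf "$tarball" "$dir"                       # step 1: the tarball
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --cipher-algo AES256 -c "$tarball"          # step 2: gpg -c (symmetric)
    rm -f "$tarball"                                # keep only the .gpg copy
    printf '%s\n' "$tarball.gpg"
}

# decrypt_to ENCRYPTED PASSFILE OUTDIR -> decrypts and unpacks into OUTDIR
decrypt_to() {
    enc=$1; passfile=$2; out=$3
    mkdir -p "$out"
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" -d "$enc" | tar xzf - -C "$out"
}

# roundtrip_check -> prints "ok" when the restored file matches the original
# byte for byte and the .gpg file is not readable as a plain gzip archive,
# "failed" otherwise. Uses constructed sample data and a placeholder passphrase
# inside a throwaway directory (GNUPGHOME is pointed there as well).
roundtrip_check() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    mkdir "$work/data"
    printf 'sample_id,value\n1,alpha\n2,beta\n' > "$work/data/table.csv"
    printf 'placeholder-passphrase-change-me\n' > "$work/pass"; chmod 600 "$work/pass"
    enc=$(cd "$work" && encrypt_dir data pass)
    decrypt_to "$work/$enc" "$work/pass" "$work/restored"
    result=failed
    if cmp -s "$work/data/table.csv" "$work/restored/data/table.csv" \
       && ! tar tzf "$work/$enc" >/dev/null 2>&1; then
        result=ok
    fi
    rm -rf "$work"
    echo "$result"
}
```

Run the round trip on a copy before deleting any original: only when it prints ok should the plaintext be removed.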
Instead of using a passphrase, you can also encrypt files using an encryption key. You can use GPG to create an encryption key as follows.
If the above command hangs for a long time and complains about entropy, run the following commands and then re-run the key generation.
yum install rng-tools
rngd -r /dev/random
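The key-based route described above (create a GnuPG key, then encrypt to it) as an added example that is not part of the lab card. It replaces the interactive key generation with an unattended GnuPG parameter file; the helper names, the person's name, the e-mail address and the passphrase are constructed placeholders, and GnuPG 2.1+ is assumed:

```shell
#!/bin/sh
# Added example, not from the lab card: generate a GnuPG key pair without
# interactive prompts, encrypt a file to that key with gpg -e, and decrypt it
# with the protected private key. Assumes GnuPG 2.1+ (ed25519/cv25519 support).
# Name, e-mail address and passphrase are constructed placeholders; GNUPGHOME is
# pointed at a throwaway directory so the real keyring is untouched.

# gen_key EMAIL PASSFILE -> unattended key generation (interactive equivalent:
# gpg --gen-key); the private key is protected with the passphrase in PASSFILE
gen_key() {
    email=$1; passfile=$2
    cat > "$GNUPGHOME/keyparams" <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Example Researcher
Name-Email: $email
Expire-Date: 1y
Passphrase: $(cat "$passfile")
%commit
EOF
    gpg --batch --quiet --pinentry-mode loopback --gen-key "$GNUPGHOME/keyparams"
    rm -f "$GNUPGHOME/keyparams"    # the parameter file contains the passphrase
}

# encrypt_to FILE EMAIL -> writes FILE.gpg, readable only with EMAIL's private key
encrypt_to() { gpg --batch --quiet --yes -r "$2" -e "$1"; }

# decrypt_with ENCRYPTED PASSFILE -> plaintext on stdout (PASSFILE unlocks the key)
decrypt_with() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$2" -d "$1"
}

# key_roundtrip_check -> prints "ok" if decrypt(encrypt(x)) == x for constructed
# sample data, "failed" otherwise
key_roundtrip_check() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    printf 'placeholder-key-passphrase\n' > "$work/pass"; chmod 600 "$work/pass"
    printf 'sample_id,value\n7,gamma\n' > "$work/results.csv"
    gen_key researcher@example.org "$work/pass"
    encrypt_to "$work/results.csv" researcher@example.org
    result=failed
    if [ "$(decrypt_with "$work/results.csv.gpg" "$work/pass")" = "$(cat "$work/results.csv")" ]; then
        result=ok
    fi
    rm -rf "$work"
    echo "$result"
}
```

Unlike gpg -c, losing the private key (or its passphrase) makes every file encrypted to it unrecoverable, which is why the key backup requirement in the notice above applies here too.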
On Windows, file level encryption can be achieved using the Encrypting File System (EFS) feature. Note that EFS is only available on Windows 10.
In order to turn on EFS for a folder:
- Using File Explorer locate the folder you want to encrypt. Right click and select Properties.
- Select Advanced. From the Advanced Attributes screen check the option Encrypt contents to secure data and click OK, then Apply. If this option appears dimmed or disabled, please contact University IT Support.
- When prompted select the option to apply changes (encryption) to subfolders and files and click OK.
- Note that this process does not ask you for a password: the files are protected with a key that is unlocked only when you log in. Other users who log in to your machine, including administrators, will not be able to see the contents of encrypted folders/files.
- When you enable EFS on your machine, Windows will start prompting you to back up your encryption key. It is advised to back it up, as you may not be able to access encrypted folders after a Windows re-install.
- When prompted for backup, choose Backup now. This will take you to the Certificate Export Wizard. For the export format select Personal Information Exchange (.PFX) and also select Enable certificate privacy.
- In the Security step select Password and set a password on the encryption key.
- In the final step navigate to the location where you want the key backup (the .pfx file) to be stored. This could be a USB drive or your personal ownCloud folder.
As per LCSB Policy, you should not store sensitive human data on commercial cloud services (e.g. Google Drive, Dropbox). However, there may be situations where commercial clouds are used:
- There is a project/consortium level agreement to use external cloud storage,
- You’re working with sensitive data, and need to temporarily co-access it with research collaborators,
- You’re working with non-sensitive data and using the cloud as a backup target.
In such cases, you may use the following desktop tools to encrypt cloud folders.
- Boxcryptor (Paid). If you’re holding sensitive LCSB research data on a commercial cloud (case 2 above), you must use Boxcryptor. Contact the LCSB IT team to request a license.
- Cyberduck (Free).
The Uni-LU HPC Team is planning to install EncFS on the HPC clusters. EncFS allows for the creation of an encrypted volume (similar to a folder). EncFS provides transparent encryption: once you mount the encrypted volume, anything that goes into the volume will automatically be encrypted. Also, whenever you try to view or process a file in a mounted EncFS volume, it will be decrypted for you automatically (behind the scenes).
We will provide instructions for EncFS once it becomes available.