File and Folder
Text Encryption
PGP/GPG
Conduct a benchmark assessment of current practices
Get executive leadership to form a stakeholder committee
Develop Policies and Procedures for Safeguarding Sensitive Data
Review paper processes
Review digital processes
Compare them to what others do
Develop incident response team
Provide professional learning
This is a question you will get. Make sure you keep your response simple and make it a requirement of dealing with sensitive data.
Avoid embarrassment and the high cost of identity theft protection for students and staff. The Texas Safe Harbor law protects organizations that encrypt data should that data be lost or stolen.
Avoid sending decrypted confidential information via email or as email attachments. Phishing attacks can compromise users' accounts and spread quickly to everyone via email groups (a.k.a. distribution lists). Decrypted data in compromised accounts can be a treasure trove and lead to costly issues. Encrypted email attachments are no big deal on a stolen smartphone, tablet or laptop. Decrypted email attachments or files on stolen devices put the district at risk for liability and lawsuits.
Avoid saving decrypted files to portable devices (e.g. laptops, tablets) and/or storage media (e.g. USB flash drives, pendrives, sticks, hard drives).
Always encrypt sensitive data before sending it to a third-party solution provider. Negotiate up front, over the phone, how you will encrypt the data and agree on a solid password to use. If data is transferred from a server, encrypt it FIRST before placing it on the server, then use Secure FTP to transfer it. An alternate approach is to grant the third-party solution provider Virtual Private Network (VPN) access to a specific device. This may be easier since you can set up a network share (a mapped drive) to make it simpler to create and share files quickly. Again, it is better to encrypt than to have decrypted files at rest on an intranet server.
NEVER place decrypted sensitive files online on an internet server and/or in cloud storage.
iOS | Android | Windows | Mac | Web version
To facilitate decryption, open the Paranoia Text Encryption Online tool (via the web browser on your device, including smartphones) and paste in the text that appears below. Use the password - kQgWbQhc58wc - and send it to "mguhlin@tcea.org" via email. Obviously, this password would not be shared on a web page for anyone to access. It is shared here for demonstration purposes.
==Begin Encrypted Text Below (only copy encrypted content, not anything with == in front of it)
fIqoBFlGIJibGhbYnHhdKkrpjQs2a]DKvDuxGOIEosjfgk)bHvqKB693PuPdSGCbtT9rS]KB3PFNo0MVKm95B)yF06rj)]KrLJnPfpogU1yIT]DgCzbsw8PlqxSZ]ndqcefwocfLOX9)q3tDSWtNg9WPw85yMyI47H6t8y1)LESw3P3roKKx3)3QscDPifOOTPhwOzmMkvl5ZgzvkzIbX8gQrcXrXJR2O9r5axA63]L6Ja9L6UeVt1Q810oZlDkLD2RIu0RS6ilV8aIR)TIrs66MxYYOqgh2HQ1UgSuI33EMuV8jGENDYxjxGA)5K]g6YJekzBGr5iWGYymUTP)UQvRIU2TSfmkIYzpAIozEMcBsrZ9KBzfchP1LdkB7oOH6ZSnFIrDskFwgx31AjCGeOEjy8bhkvF9gx2UkCDr28rMfR6DIPUGX7vjZY5fuDR])blioTUqE1I66ltMkJ9lMHTjntNQhu1rED232iV727yBPuNHJWu1qfNDgQLNsxngWIuxu7Y2Wt3jH1ql3IpePG3w1sjicGwmfzsj]1lW)1MoXzkFuLI8fC5556Q8FSG6R44XS)Sy5z5Xq412u6XPPU4M3HanQrIb1SGGTcjf1QDStWTREzQQKeT9G5blz499O8YxWqq9Q4Q1poQYFqDXYBPZjV9i93AiP9W4JStyShTU)ezjqBWpQmEy4UVCPD7yR]QLBcSUZT7OshQ)Ow6lxZm)lU6A!
==End Encrypted Text (only copy the encrypted content above this line)
To encrypt text, type your own message in the Paranoia Text Encryption Online tool and then send the encrypted text to "mguhlin@tcea.org" with subject line of "Encrypted Text." Use the password - T5ecaJiMepSU - to encrypt. Or, if you prefer, use a different password.
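The password-based workflow the page keeps coming back to (agree on a strong password out of band, encrypt FIRST, then send the ciphertext by email or SFTP) can be done with GnuPG from the command line. This is an added example, not part of the workshop material or the Paranoia tools; it assumes GnuPG 2.x is installed, and the file contents and passphrase are constructed for the demo. `--armor` produces ASCII text that can be pasted into an email body, much like the encrypted block above.

```shell
#!/bin/sh
# Added example: symmetric (passphrase) encryption with AES-256 using GnuPG.
# The passphrase is read from a mode-600 file rather than the command line,
# so it never shows up in the process list for other users on the machine.
set -eu

# Encrypt $1 with AES-256; $2 is the passphrase file. Prints the output path.
encrypt_file() {
    in="$1"; pass="$2"; out="$1.asc"
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$pass" \
        --symmetric --cipher-algo AES256 --armor \
        --output "$out" "$in"
    printf '%s\n' "$out"
}

# Decrypt $1 into $3 using the passphrase file $2.
decrypt_file() {
    in="$1"; pass="$2"; out="$3"
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$pass" \
        --output "$out" --decrypt "$in"
}

# Returns 0 when the ciphertext hides the plaintext and decrypts back to
# a byte-identical copy. Uses a throwaway GNUPGHOME so nothing touches
# the real keyring.
roundtrip_ok() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"
    mkdir -m 700 "$GNUPGHOME"
    # Constructed sample data and passphrase (demo values only).
    printf 'student roster: constructed sample, not real data\n' > "$work/roster.csv"
    printf '%s\n' 'demo-passphrase-agree-on-a-real-one-by-phone' > "$work/pass.txt"
    chmod 600 "$work/pass.txt"
    enc=$(encrypt_file "$work/roster.csv" "$work/pass.txt")
    rc=1
    if ! grep -q 'student roster' "$enc"; then
        decrypt_file "$enc" "$work/pass.txt" "$work/roster.out"
        if cmp -s "$work/roster.csv" "$work/roster.out"; then rc=0; fi
    fi
    rm -rf "$work"
    return $rc
}
```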
7zip for Windows - This is a zip/7zip compression program that combines multiple files into one. Works great with a wide variety of files. Think of it as putting a folder of files into ONE file that is compressed for space and encrypted for security.
Keka Zip for Macs - This is the same thing as 7zip but for Mac computers.
Paranoia's Secure Space Encryptor (SSE) - Here is what I think is the best cross-platform encryption tool available. It works on the most platforms (e.g. Android, Mac, Windows). One of its features is that it can take a folder of files and encrypt them all into ONE file.
FileLock.org - A browser-based solution that works well for Chromebooks. Encrypt individual files via your web browser.
Get Secure Space Encryption (SSE) tool, 7zip (Windows) or Keka (Mac). Set it up on your computer.
Find a file or folder (avoid folders with hundreds of files for this activity...a folder with 2-5 files is sufficient).
Encrypt the file/folder with your preferred tool using AES-256 encryption. Use this password: M9pXYbENF5mp
Send the file as an attachment to Miguel at "mguhlin@tcea.org" with Subject: Encrypted File
Download the copy of the file available online and decrypt it. The encrypted file is available in ZIP (*.zip) or SSE (*.enc) encrypted format.
Open the files successfully on your device.
Make sure to shred/wipe the ORIGINAL decrypted files/folder(s) when "at rest." Of course, first check that your decryption password works.
Dragging items to the Trash/Recycle Bin is insufficient: they can be recovered with a free tool like Recuva or Kickass Undelete on Windows, or by mounting the hard drive on a GNU/Linux system and recovering the files from there.
File Shredder (Windows)
Bleachbit (Windows/GNU-Linux)
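What File Shredder and BleachBit do is, at its core, overwrite the file's blocks in place before removing the directory entry. The script below is an added example (not code from either tool) that does the same with coreutils; it assumes `dd`, `wc` and `/dev/urandom`, and the sample file is constructed. Caveat: on SSDs (wear levelling), copy-on-write or journaling filesystems, and folders synced to the cloud, the old blocks can survive an overwrite, which is exactly why the page recommends keeping sensitive files encrypted at rest in the first place.

```shell
#!/bin/sh
# Added example: overwrite-then-unlink, the basic "shred" operation.
set -eu

# Overwrite the contents of $1 in place with random bytes. conv=notrunc keeps
# the file from being truncated first, so on a conventional filesystem the
# same on-disk blocks are reused. Prints the number of 4 KiB blocks written.
overwrite_file() {
    f="$1"
    size=$(wc -c < "$f")
    blocks=$(( (size + 4095) / 4096 ))
    [ "$blocks" -gt 0 ] || blocks=1
    dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    sync            # flush the overwrite to disk before the unlink
    echo "$blocks"
}

# Overwrite, then remove the directory entry. Returns 0 when the file is gone.
wipe_file() {
    overwrite_file "$1" >/dev/null
    rm -f -- "$1"
    [ ! -e "$1" ]
}

# Demo on a constructed file; the marker text must not survive the overwrite.
demo() {
    t=$(mktemp)
    printf 'SECRET-MARKER constructed roster data\n' > "$t"
    overwrite_file "$t" >/dev/null
    if grep -q 'SECRET-MARKER' "$t"; then return 1; fi
    wipe_file "$t"
}
```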
You can easily encrypt emails in Google Suite or Outlook using one of these tools. Remember that you can also use ProtonMail or Tutanota encrypted email providers for personal use.
Virtru Email Encryption - Encrypt email messages you send to anyone (e.g. Gmail, Yahoo, etc.)
Mailvelope - Another way to encrypt email using public/private key encryption
Paranoia Text Encryptor (PTE) - Call someone, give them the password, then email the encrypted text
Gpg4win is the official GnuPG distribution for Windows and provides the high cryptographic standards of the GNU Privacy Guard. GnuPG follows the recommendations regarding algorithms and key length of the German Federal Office for Information Security (BSI).
To create OpenPGP and X.509 certificates, Gpg4win uses a key length of 2048 bits by default. The default algorithm for signing and encrypting is RSA.
Sign single files or complete folders directly from the Windows Explorer with GpgEX or Kleopatra. You can select multiple files and folders to sign and encrypt them recursively into a gpgtar archive.
The provided Outlook plugin GpgOL allows you to sign and encrypt emails directly in Microsoft Outlook. Attachments can be encrypted as well, in one go with the email body. Verifying signatures and decrypting messages is done directly in Outlook too.
A step-by-step installation guide is provided as part of the Gpg4win Compendium.
Open PGP (free), also known as GPG, is a popular encryption standard that protects the privacy and integrity of sensitive files. Open PGP implements asymmetric (public key) cryptography to provide strong security and non-repudiation of files. GoAnywhere MFT provides robust support for PGP, allowing you to:
Encrypt files with one or more Public Keys
Decrypt files with Private Keys
Sign files with Private Keys
Verify digital signatures in files using Public Keys
Generate full audit logs of all PGP encryption and decryption processes
Open PGP software is used by banks, financial institutions, healthcare organizations and other highly regulated industries to protect their most sensitive files. (Source)
VeraCrypt has fixed problems identified via an audit of its predecessor, TrueCrypt. This makes it MORE secure and an excellent solution.
"VeraCrypt supports two types of plausible deniability–the existence of encrypted data is deniable because an adversary cannot prove that unencrypted data even exists. Hidden volumes reside in the free space of visible container volumes–space which would otherwise be filled with random values if the hidden volume did not exist. Hidden operating systems exist alongside visible operating systems. If an adversary forces you to hand over a password, you can just give them the password for the visible OS" (Source: Five Best Disk Encryption Solutions).
You can build the program from the source code for Mac and GNU/Linux, but you can save yourself some headaches and skip that. Best to use a solution like VeraCrypt that's well-supported and cross-platform with OS specific setup programs.
That's why I have two separate folders on my hard drives. One is encrypted and has top secret files that I wouldn't want to get out (e.g. medical, personnel, financials). The other is encryption free and where I store family photo albums, public work files, and more.
File/folder-level encryption lets you encrypt individual files or folders while your operating system runs without encryption.
Full-disk (whole-disk) encryption puts your whole hard drive, including the operating system, into a lock box. While this is desirable in some situations (e.g. you're a spy), it can cause a serious performance hit. And, if there is a hard drive failure of any sort, you lose all your data.
Which solution works best for you?
The main benefit of these two solutions, neither of which is open source, is that they come with your device. That said, I don't recommend either.
BitLocker is a Windows-specific solution that offers whole-disk encryption. Some organizations use it, but due to the performance hit, many avoid it. Instead they rely on encrypted data containers (e.g. VeraCrypt) or file/folder encryption with AES-256.
FileVault is the Apple Mac-specific equivalent.
“John,” began Liz, the PEIMS Data Clerk at the high school. Tears started to stream down her face. “I saved some work out of iTCCS to take home and analyze last night onto my USB drive. This morning, when I went to pick up my coffee from Starbucks, I think it fell out of my purse while I was paying. I can’t find it and I’ve looked everywhere.”
Liz paused then said, “I had the entire freshman class’ data on an encrypted file. What do I do?”
"Melodie," said her superintendent. "Turn on the news." It was 5:30pm and Melodie was just getting home from an after-school event.
As she watched the news broadcast play on the television, her heart dropped into her stomach. "What do we do, Jim?" she asked her super.
"Let's plan to meet tomorrow morning after Cabinet to discuss what our next steps are. While I am meeting with Cabinet, take a moment to discuss this with Charles (the tech director). Come up with our next steps and we'll figure this out."
“I just need a quick print-out so I have something I can reference in my hand,” Jill exclaimed. As Darlene printed out the report from iTCCS, she promised to put the document in Dropbox so Jill could get to it more easily. Jill dropped the sheaf of papers into her briefcase and ran out the door.
“Maybe,” she thought to herself, “I’ll have time to stop at HEB on the way home tonight, get a good night’s sleep so I’ll be fresh for this data presentation tomorrow morning.” She looked at her briefcase, carefully locking it in the trunk and casually throwing a blanket on top of it, just in case.