In this article Graeme Batsman looks at open source and proprietary (both paid for and free) encryption software. Encryption software encrypts (or encodes) data so that it cannot be understood without the means to decrypt it, for example if it gets into the wrong hands.
Why encrypt?
Cryptography has existed for thousands of years, starting off with the ancient Egyptians, to the Greeks and Romans, and most recently (and most famously), Bletchley Park and the Enigma code breakers of World War II.
Encryption can be used on all kinds of digital media - USB flash drives, USB hard drives, documents (files), emails, website forms, laptops, optical media (CDs, DVDs) - and can even be applied to a printed A4 sheet of paper (think MI5/MI6). Today it’s essential for securing data and meeting compliance rules, mainly the Data Protection Act (DPA), regulated by the Information Commissioner's Office (ICO), and other regulatory bodies like the Financial Services Authority.
ICO's advice is: “I can advise, however, that our office would generally expect that portable media are encrypted. In regard to deciding what security measures to take in respect of personal data processed on static equipment, in each case an organisation must take into account such factors as the nature of the data and the harm that might result from any unlawful processing or loss of that data”.
To put it simply, ICO is saying that any data which is portable needs to be encrypted. This mainly refers to laptops, USB devices and optical media.
What encryption software to use?
As with all technologies, there is a choice. A well-known open source encryption tool is True Crypt. However, not all proprietary (closed source) software is paid for - there are some free tools available, an example being DESlock+ which has a free personal licence edition (check with DESlock+ for not-for-profit organisational use).
The following table highlights the differences between generic open source and proprietary software:
The following table highlights the differences between True Crypt and DESlock+ personal edition:
All of the above increase data security and compliance with the UK DPA and other laws.
Compliance?
What do we mean by the word compliant? Compliant means the software and/or encryption algorithm has been tested by a government (UK or USA). Federal Information Processing Standard (FIPS) is a United States Government standard administered by the National Institute of Standards and Technology (NIST). CAPS and CCTM are the corresponding schemes run by CESG, the UK Government's National Technical Authority for Information Assurance. Both standards mean the encryption algorithm or software/hardware product has been tested and passed.
So what should you choose?
The main difference between open and closed source is compliance and support. If you install True Crypt and you need help or something goes wrong you cannot call the vendor. If you pay for software then support and a warranty are normally included, giving you access to email or phone support. Just because software is free doesn’t mean it is poor quality or insecure. True Crypt offers quite a few features but is quite technical to set up, and some features are fiddly to use even once set up.
DESlock+ personal edition is great for locking down files, folders, emails and archives by encrypting them. It restricts access and means that if the encrypted file is leaked, it’s nearly impossible to read. If you wish to encrypt emails both parties need the software installed, but the personal edition is free.