With all the snoops trying to get their hands on, well, every bit of information they can, encrypting sensitive content makes perfect sense. But there are various kinds of encryption you can use to protect yourself and your data, each with its pros and cons.
In this article, we will look at two types of encryption:
- Disk encryption – The encryption of a disk drive (or another storage device). To read any data on the disk, you need to know a password or a secret key.
- Document encryption – The encryption of a complete document (or another file). To read the document, you need to know a password or a secret key.
We’ll take a quick look at how each type of encryption works, and talk about when you would want to use each type.
How To Encrypt Files With Disk Encryption
Disk encryption works by encrypting part or all of a disk drive or other storage device. When you encrypt the entire disk, it is known as Full Disk Encryption (FDE). When only parts of the disk are encrypted, you have Encrypted Partitions on the disk.
In a system using FDE, all the data on the disk is encrypted. When a user starts the system, they enter the encryption key, and the encryption software uses the key to encrypt/decrypt data on the fly.
Whenever data is read from the disk, it is decrypted before being used. Likewise, whenever data is written to disk, it is encrypted. Since the data on the disk is always encrypted, it is always inaccessible to anyone without the proper key, even if they physically take possession of the disk. And since the entire disk is encrypted, there is no way that sensitive data can find its way to an unencrypted file on the disk.
Encrypted Partition Basics
In a system using Encrypted Partitions, data automatically gets encrypted/decrypted only when it is stored on an Encrypted Partition. The user must take care to store documents and other files in the proper partitions.
The necessity to decide whether or not each file belongs on an Encrypted Partition means there is a chance that the user will make a mistake and leave sensitive data exposed. It is also possible for data stored in an Encrypted Partition to simultaneously appear in unencrypted form in a cache or swap file elsewhere on the disk.
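To make the contrast between the two previous sections concrete, here is an added Python example (constructed for this article's discussion, not code from the original post or from any FDE product). It simulates a block device whose sectors are encrypted on every write and decrypted on every read, then builds two images: one where every sector is protected (FDE) and one where only sectors 0-7 form an encrypted partition while a swap copy of the same data lands at sector 14 in the clear. The sector size, the swap location, the sample "secret" and the stand-in cipher (SHAKE-256 keyed with the disk key and the sector number, in place of AES-XTS) are all assumptions of the demo.

```python
import hashlib
import os

SECTOR_SIZE = 512


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class EncryptedDisk:
    """Toy block device (constructed for this example).

    Every write to a protected sector is encrypted and every read is decrypted,
    so software above this layer never sees ciphertext.  encrypted_range=None
    means the whole disk is protected (FDE); (first, last) protects only that
    sector range (an encrypted partition) and stores the rest in the clear.
    Stand-in cipher: SHAKE-256 keyed with the disk key and the sector number.
    Because it is a stream cipher with a fixed per-sector tweak, rewriting a
    sector would leak the XOR of old and new contents; real FDE uses a
    tweakable block cipher (AES-XTS) for exactly that reason.
    """

    def __init__(self, key: bytes, sectors: int, encrypted_range=None):
        self.key = key
        self.raw = bytearray(sectors * SECTOR_SIZE)  # what a thief of the drive gets
        self.encrypted_range = encrypted_range

    def _protected(self, sector: int) -> bool:
        if self.encrypted_range is None:
            return True
        first, last = self.encrypted_range
        return first <= sector <= last

    def _keystream(self, sector: int) -> bytes:
        return hashlib.shake_256(self.key + sector.to_bytes(8, "big")).digest(SECTOR_SIZE)

    def write(self, sector: int, data: bytes) -> None:
        block = data.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]
        if self._protected(sector):
            block = xor(block, self._keystream(sector))
        self.raw[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE] = block

    def read(self, sector: int) -> bytes:
        block = bytes(self.raw[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE])
        if self._protected(sector):
            block = xor(block, self._keystream(sector))
        return block


def plaintext_on_medium(disk: EncryptedDisk, secret: bytes) -> bool:
    """Offline check: does the raw image contain the secret in the clear?"""
    return secret in bytes(disk.raw)


def demo(key: bytes = None) -> dict:
    key = key or os.urandom(32)
    secret = b"SSN 123-45-6789 (constructed sample)"

    fde = EncryptedDisk(key, sectors=16)
    fde.write(2, secret)      # the document itself
    fde.write(14, secret)     # the same bytes paged out to a swap file
    roundtrip_ok = fde.read(2).rstrip(b"\0") == secret   # transparent to the user

    part = EncryptedDisk(key, sectors=16, encrypted_range=(0, 7))
    part.write(2, secret)     # document lands inside the encrypted partition
    part.write(14, secret)    # ...but swap lives outside it
    return {
        "fde_roundtrip_ok": roundtrip_ok,
        "fde_leaks_plaintext": plaintext_on_medium(fde, secret),          # False
        "partition_leaks_plaintext": plaintext_on_medium(part, secret),   # True
    }


if __name__ == "__main__":
    print(demo())
```

The `plaintext_on_medium` check is the view of someone who has the drive but not the key: with FDE nothing on the medium matches, while with a partition-only layout the swap copy is found immediately, which is exactly the cache/swap leak the section describes.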
Should I Encrypt My Disks?
In most cases, the answer is yes. You should encrypt your disks using FDE. It provides a basic level of protection with little or no performance impact once the disk is encrypted. Since the encryption is automatically applied to everything on the disk, you can’t forget to encrypt something, and the encrypted data can’t appear in an unencrypted file on the disk.
However, FDE does have some weaknesses. Perhaps most important, if the key is lost, the entire disk becomes unreadable. This makes the loss of the key much more damaging than when each document is encrypted individually with its own key. Some sort of key management system is almost mandatory to avoid eventual data loss.
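One common answer to the lost-key problem is to encrypt the disk with a single random master key and store that key in the disk header wrapped under several independent credentials, so losing a passphrase is recoverable as long as any other slot survives. The following Python is an added, constructed illustration of that idea (modelled loosely on LUKS key slots; it is not LUKS or any product's code): PBKDF2 stretches a passphrase into a key-encryption key, the master key is XORed with a SHAKE-256 pad and tagged with HMAC, and a separate random recovery key gets its own slot. The wrapping construction and the iteration count are assumptions for the demo; real headers use AES for the wrap and add anti-forensic splitting.

```python
import hashlib
import hmac
import os

KEY_LEN = 32


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, KEY_LEN)


def wrap_key(master_key: bytes, kek: bytes) -> dict:
    """Encrypt the master key under a KEK: XOR with a SHAKE-256 pad, then HMAC tag."""
    nonce = os.urandom(16)
    pad = hashlib.shake_256(kek + nonce).digest(KEY_LEN)
    blob = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(kek, nonce + blob, hashlib.sha256).digest()
    return {"nonce": nonce, "blob": blob, "tag": tag}


def unwrap_key(slot: dict, kek: bytes):
    """Recover the master key, or None if the KEK is wrong (tag check fails)."""
    expect = hmac.new(kek, slot["nonce"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(slot["tag"], expect):
        return None
    pad = hashlib.shake_256(kek + slot["nonce"]).digest(KEY_LEN)
    return bytes(a ^ b for a, b in zip(slot["blob"], pad))


class DiskHeader:
    """Toy header (constructed example): sectors are encrypted with one master
    key; the header stores that key wrapped under several independent slots."""

    def __init__(self, master_key: bytes):
        self.slots = []
        self._setup_key = master_key   # held only while slots are being added

    def add_passphrase_slot(self, passphrase: str) -> None:
        salt = os.urandom(16)
        kek = derive_kek(passphrase, salt)
        self.slots.append({"kind": "passphrase", "salt": salt, **wrap_key(self._setup_key, kek)})

    def add_recovery_slot(self) -> bytes:
        """Return a random recovery key meant for offline storage (printed, escrowed)."""
        recovery = os.urandom(KEY_LEN)
        self.slots.append({"kind": "recovery", **wrap_key(self._setup_key, recovery)})
        return recovery

    def finish_setup(self) -> None:
        """A header persisted to disk must not contain the master key itself."""
        self._setup_key = None

    def unlock(self, passphrase: str = None, recovery: bytes = None):
        """Try every slot; any single one that opens yields the same master key."""
        for slot in self.slots:
            if slot["kind"] == "passphrase" and passphrase is not None:
                kek = derive_kek(passphrase, slot["salt"])
            elif slot["kind"] == "recovery" and recovery is not None:
                kek = recovery
            else:
                continue
            mk = unwrap_key(slot, kek)
            if mk is not None:
                return mk
        return None


def demo(master_key: bytes = None) -> dict:
    master_key = master_key or os.urandom(KEY_LEN)
    header = DiskHeader(master_key)
    header.add_passphrase_slot("example-passphrase")   # constructed credential
    recovery = header.add_recovery_slot()
    header.finish_setup()
    return {
        "passphrase_unlocks": header.unlock(passphrase="example-passphrase") == master_key,
        "recovery_unlocks": header.unlock(recovery=recovery) == master_key,
        "wrong_passphrase_unlocks": header.unlock(passphrase="guess") == master_key,
        "no_credential_unlocks": header.unlock() == master_key,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two slots is that the disk data itself is never re-encrypted when a credential changes: rotating a passphrase only rewrites one small wrapped copy of the master key, and the recovery slot is what turns "forgot the passphrase" from total data loss into a recoverable event, provided the recovery key is actually stored somewhere safe.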
Another weakness is that the system is vulnerable to hostile software while it is running. Reading and writing the encrypted disk is transparent to software once the disk is unlocked.
Finally, remember that FDE only protects files while they are stored on the encrypted disk. Sending a document to another computer by email, or even to an unencrypted disk on the same computer will leave the document unencrypted at its destination.
How To Encrypt Individual Files With Document Encryption
Document encryption (more properly file-level encryption) involves encrypting each document before it is saved. Ideally, every file will be encrypted with a unique key. This has several advantages over FDE or Encrypted Partitions.
Document encryption gives you fine control over who has access to which documents. Users only have access to the specific documents for which they have a key. On a system using FDE or Encrypted Partitions, a user with access to the disk or partition has access to every file on that disk or partition.
Encrypted documents remain encrypted when you email them or copy them to another disk. Only someone with the correct key can read an encrypted document, regardless of where it is located.
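As an added example of the two properties just described, per-document keys giving per-document access and a file that stays protected wherever it is copied, the Python below (constructed for this article, not the original author's code and not any ECM product's format) wraps each document in a small self-describing container: a magic value, a key id naming which key was used, a nonce, the ciphertext, and an HMAC tag so any alteration in transit is detected. Each user holds a key ring of the document keys they have been granted. The container layout, the key-id length and the stand-in cipher (XOR with a SHAKE-256 pad keyed by the document key and a fresh nonce, in place of AES-GCM) are assumptions of the demo.

```python
import hashlib
import hmac
import os

MAGIC = b"DOC1"
ID_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def new_document_key():
    """Every document gets its own random key, referenced by a random key id."""
    return os.urandom(ID_LEN), os.urandom(32)


def encrypt_document(plaintext: bytes, key_id: bytes, key: bytes) -> bytes:
    """Container: MAGIC | key id | nonce | ciphertext | HMAC tag (encrypt-then-MAC).
    Stand-in cipher: XOR with a SHAKE-256 pad keyed by (key, nonce); the fresh
    nonce on every encryption is what keeps that construction safe."""
    nonce = os.urandom(NONCE_LEN)
    pad = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = MAGIC + key_id + nonce + bytes(a ^ b for a, b in zip(plaintext, pad))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def key_id_of(blob: bytes) -> bytes:
    """Which key a container needs; readable without any key."""
    return blob[len(MAGIC):len(MAGIC) + ID_LEN]


def decrypt_document(blob: bytes, key: bytes):
    """Plaintext, or None if the key is wrong or any byte was altered in transit."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if body[:len(MAGIC)] != MAGIC:
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    start = len(MAGIC) + ID_LEN
    nonce, ct = body[start:start + NONCE_LEN], body[start + NONCE_LEN:]
    pad = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


class KeyRing:
    """The document keys one user has been granted: that set is their access."""

    def __init__(self):
        self.keys = {}

    def grant(self, key_id: bytes, key: bytes) -> None:
        self.keys[key_id] = key

    def open(self, blob: bytes):
        key = self.keys.get(key_id_of(blob))
        return None if key is None else decrypt_document(blob, key)


def demo() -> dict:
    a_id, a_key = new_document_key()
    b_id, b_key = new_document_key()
    doc_a = encrypt_document(b"Q3 forecast: constructed sample text", a_id, a_key)
    doc_b = encrypt_document(b"Salary review: constructed sample text", b_id, b_key)

    alice, bob = KeyRing(), KeyRing()
    alice.grant(a_id, a_key)
    alice.grant(b_id, b_key)
    bob.grant(a_id, a_key)            # Bob is given document A's key only

    mailed_copy = bytes(doc_b)        # the same bytes wherever the file travels
    tampered = bytearray(doc_a)
    tampered[40] ^= 0x01              # one flipped ciphertext byte

    return {
        "bob_opens_a": bob.open(doc_a) is not None,
        "bob_opens_b": bob.open(doc_b) is not None,                 # False
        "alice_opens_mailed_b": alice.open(mailed_copy) is not None,
        "tampered_a_rejected": alice.open(bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the key id travels in the clear: it tells a recipient which key to look up, but reveals nothing about the key itself, so a copy that reaches someone without that key is just an opaque container to them.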
But the strength of document encryption is also a weakness. Anyone who needs to decrypt the document needs a copy of the key. Within an organization, distributing keys shouldn’t be a problem. Large companies and many small ones have Enterprise Content Management (ECM) Systems, Digital Asset Management Systems, or other tools that handle encryption and internal key distribution transparently.
But sending encrypted documents to external destinations can create a strange situation. While an encrypted document can be sent without worries, the key for decrypting it must be sent securely. Encrypting the key using PGP or some other Public-Key encryption system and the related Public Key Infrastructure (PKI) to send the key to the destination is one approach.
When Should I Encrypt My Documents And Other Files?
This is a hard one to answer. If you are in a corporate environment, this is all probably handled for you, or there are policies in place to tell you what to do.
On a personal level, you should ask yourself questions like these:
- How good is my current network security?
- How valuable is my data to outsiders?
- How sensitive is the information in any particular document?
- Is FDE sufficient, or do I need to take it further?
- Will I be storing any sensitive documents online, sending them through email or social media, or storing them in the cloud?
While you will need to figure out an approach that is right for you, we have some general suggestions:
- If a document contains sensitive information, and it will be leaving your computer or network, encrypt it.
- If it is so sensitive that it could impact your career, your marriage, or your bank balance, encrypt it.
- If you have reason to believe that you are being specifically targeted by someone or some government agency, encrypt it.
- If it contains random information of little value or information that is already out on social media, you probably don’t need to bother encrypting it.
Beyond those suggestions, figuring out the right balance is up to you.
Increasing Your Privacy with a VPN or Tor
There is one last thing to consider before you decide on your document encryption policies. NSA documents released by Edward Snowden show that they consider anything that is encrypted to be suspicious. They can keep copies of any encrypted document as long as they like.
This reasonably raises the concern that sending an encrypted document somewhere simply paints a target on your back for the spies. While we aren’t sure whether that is true or not, there is something you can do to reduce your risks: use a VPN or Tor when sending encrypted documents anywhere.
While neither type of tool provides perfect protection, both VPNs and Tor encrypt all data passing to and from your computer. Because anyone monitoring the connection between your computer and the Internet can see only encrypted data passing back and forth, they have no way to tell you are transmitting encrypted documents as well. NordVPN is worth looking into, should you decide to start using a VPN.
Should I use disk and document encryption together?
Here is a quick summary of the main strengths and weaknesses of disk encryption (FDE) and document encryption:
| | Disk encryption (FDE) | Document encryption |
|---|---|---|
| Protects all data stored on a disk automatically | Yes | No |
| Protects data that leaves your computer or network | No | Yes |
| Result if key is lost | Entire disk inaccessible | Specific document inaccessible |
| Vulnerable if an attacker has access to the computer while it is running | Yes | Depends on how document keys are distributed or managed |
Computer security experts recommend using disk encryption and document encryption together. By using FDE and document encryption together, you are creating a defense in depth. Using both types of encryption takes advantage of the strengths of each approach while minimizing some of their weaknesses.
An attacker would need to get past your disk encryption to even see that you have an encrypted document on the disk. Then the attacker would have to get past the document encryption to actually read any sensitive data.