Encrypted containers

Sometimes it is necessary to protect individual files because they are particularly vulnerable or valuable. A high level of security can be achieved with an encrypted container.

Use cases


External data carriers

USB flash drives are small, light, have an enormous capacity and are easily lost. DVDs or external hard drives can also go missing. If you have not taken precautions, you must expect that if you lose an external data carrier, all the information stored on it will fall into the hands of unauthorised persons.


E-mail 

E-mails are not as easily lost as USB flash drives. Nevertheless, there are risks:

  • Typing errors in the e-mail address can lead to erroneous messages.
  • The e-mail is usually routed via systems on the internet whose operators are unknown.
  • The e-mail is stored in the sender’s and recipient’s mailboxes for a long time.

It is therefore better to pack sensitive e-mail data in a container.


Cloud storage

The risk posed by cloud storage is controversial. Two questions help to assess the situation:

  • What tangible, verifiable guarantees does your cloud provider give you?
  • Can you assume that you will be informed in the event of a problem?

It is often recommended not to store any sensitive information in plain text in cloud storage – especially not with providers outside Europe.


As a second line of defence

In most cases, it is probably sufficient to protect data with a password on a well-maintained server (e.g. on the ZID’s online storage space) or by storing it in a locked office. If the need for protection is greater, a second line of defence should be provided. An encrypted container can also be used for this purpose.

Procedure

  • You have the choice between two utilisation models, which can be described as “edit, lock away, remove” and “work in the container”.
  • As soon as attackers have gained possession of the container, they can access it directly and for as long as they like. It is therefore essential that you set a secure password to open the archive. It should contain at least 12 characters and consist of letters, digits and other characters.
  • You also need to think about how the password is managed: How will authorised persons find out about it in a secure way? Is it stored to prevent data loss?
  • If the password is lost, the data can no longer be retrieved. Depending on the application, you should consider whether it is necessary to save it securely in a specific location.


Model 1: Edit, lock away, remove

This model is particularly recommended if files are to be created, perhaps edited a little and then sent or stored securely.

  1. Firstly, the files are created or edited as usual.
  2. If they are to be stored securely, a program is used to pack them into an encrypted archive.
  3. This archive can be stored on a USB flash drive, attached to an e-mail message or filed as required.
  4. The recipient or you take the encrypted archive file and extract the data with the secret key in order to view or edit it further.

The unencrypted originals remain on the computer and must be deleted separately. The extent to which this can be done securely remains to be seen.


Model 2: Working in a container

  1. An initially empty container is created with the encryption software.
  2. This is “connected” virtually, similar to an external hard drive, and appears like a drive in the file system.
  3. Files can now be created, edited and read in the container. They are transparently encrypted and decrypted.
  4. Finally, the container is “ejected”. This means that the files it contains are now only available in encrypted form.

The original file does not need to be deleted as it was encrypted from the start. However, some programs store temporary files in the file system. These are not encrypted.

Suitable software


ZIP archive

ZIP, along with other formats such as RAR, is known as a tool for compressing files. However, it is also well suited for occasionally encrypting a few files. One advantage is that ZIP archives can be unpacked on Windows, macOS and Linux using on-board tools.

To encrypt, you need to install an additional program, such as 7zip, which is available free of charge as open source software for Windows, macOS, Linux and other operating systems.


Built-in encryption

Some software products, such as Microsoft Office or Libre Office, already have the option of encrypted saving built in. The user-friendliness of this method is hard to beat.

It is not possible to say in general terms how reliable this protection is. It is advisable to enter the search terms “encryption security application name” in a search engine to get a few opinions.


VeraCrypt

VeraCrypt (a successor to the discontinued TrueCrypt) is suitable for working in containers. Containers created with VeraCrypt can be mounted like an external hard drive and are compatible with all supported platforms (Windows, macOS, Linux).