S 4.29 Use of an encryption product for portable IT systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
To prevent data requiring protection from being read from a portable IT system that has been stolen despite all precautionary measures, an encryption program should be used. Commercially available products make it possible to encrypt individual files, certain areas, or the entire hard disk in such a way that only the person in possession of the secret key can read and use the data.
The level of security of the encryption depends mainly on three factors:
- The encryption algorithm used must be designed so that the clear text cannot be reconstructed from the encrypted text without knowledge of the key used. Here, "not possible" means that the effort required to break the algorithm and/or to decrypt is out of all proportion to the information that could be obtained by doing so.
- The key must be selected appropriately. If possible, the key should be generated randomly. If the key can be chosen in the same way as a password, the relevant rules from S 2.11 Provisions governing the use of passwords should be taken into consideration.
- The encryption algorithm (the program), the encrypted text, and the keys must not be stored together on one data medium. It is advisable to keep the key separately. This can be done by writing the key on a cardboard card shaped like a credit card and then keeping the card, like a credit card, in the user's wallet. The cryptographic keys should be stored on a removable data medium, e.g. a diskette, a chip card, or a USB stick, and kept separately from the portable IT system (e.g. in the wallet).
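The key handling described in the last two items, as an added example that is not part of the original safeguard text: a Python routine that generates the key randomly and refuses to write it to the medium that holds the encrypted data. The 256-bit key length, the function names and the use of the filesystem device id as a stand-in for "data medium" are assumptions of this example.

```python
import os
import secrets

KEY_BYTES = 32  # assumed key length (256 bit); the safeguard names no size


def device_of(path):
    """Return the device id of the filesystem holding path.

    If path does not exist yet, the nearest existing parent is used.
    Note: a device id identifies a filesystem, so two partitions of one
    physical disk count as different; check the hardware separately.
    """
    path = os.path.abspath(path)
    while not os.path.exists(path):
        path = os.path.dirname(path)
    return os.stat(path).st_dev


def stored_separately(data_path, key_path, dev=device_of):
    """True if encrypted data and key are on different device ids."""
    return dev(data_path) != dev(key_path)


def create_key_file(data_path, key_path, dev=device_of):
    """Generate a random key and write it only to a separate medium."""
    if not stored_separately(data_path, key_path, dev):
        raise ValueError("key and encrypted data would share one data medium")
    # Drawn from the operating system's CSPRNG, not chosen like a password
    key = secrets.token_bytes(KEY_BYTES)
    # O_EXCL: never overwrite an existing key; 0o600: owner-only access
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key
```

The `dev` parameter exists so the separation check can be exercised without a second physical medium; in normal use it is left at its default.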
Encryption may be performed online or offline. Online means that all data on the hard disk (and/or on a partition) is encrypted without the user having to actively initiate it. Offline encryption is initiated explicitly by the user. In this case, the user must also decide which files are to be encrypted. Module S 1.7 Crypto-concept should also be taken into consideration when selecting and using cryptographic procedures.
For stationary and portable PCs used in government administrations, BSI can provide, if certain prerequisites are met, an offline encryption program meeting the security requirements for data requiring a normal level of protection.
Review questions:
- Is an encryption algorithm used which does not allow any possibility of reconstructing the clear text without knowing the key used?
- Are all keys used generated randomly? (Alternatively, the rules from S 2.11 Provisions governing the use of passwords must be observed.)
- Are data and keys stored separately?