S 4.433 Use of data medium encryption

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, IT Security Officer

Confidential information on rewritable data media can be protected against unauthorised access by encrypting it in various ways: the entire data medium, an individual partition or only individual files can be encrypted. From a security perspective, encrypting the entire data medium is preferable, since it requires the least user interaction and all data on the medium is protected. Encryption of an entire data medium or a complete partition is virtually transparent for the users; they only have to authenticate when booting or when the partition is first accessed. If only individual files or file containers are encrypted, there is the risk that data requiring protection accidentally ends up in unencrypted areas of the hard disk, and the users must explicitly start an encryption program for every file they want to protect.

Even if individual partitions are encrypted completely, confidential information may still end up on unencrypted partitions for various reasons, for example via swap and hibernation files, temporary files, application caches or a wrongly chosen storage location. Therefore, encrypting the data media completely is the best and most efficient method to protect confidential data reliably against unauthorised access.
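The practical check behind the two paragraphs above is whether every mounted filesystem and swap area on a host actually sits on an encrypted block device, including stacks such as LVM on LUKS. The following script is an added example and not part of the original safeguard; it reads the output format of lsblk (NAME, TYPE, MOUNTPOINT, PKNAME in raw mode) and walks each mounted device up to its parents to find a dm-crypt mapping. The listing embedded below is constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Audit which mounted filesystems and swap areas are backed by dm-crypt.
# Added example; device names in SAMPLE are constructed, not real.

# audit_mounts: read "NAME TYPE MOUNTPOINT PKNAME" rows (the format produced by
# `lsblk -rn -o NAME,TYPE,MOUNTPOINT,PKNAME`) on stdin and print one line per
# mounted filesystem or swap area: ENCRYPTED if the device or one of its
# ancestors (e.g. LVM on LUKS) is a dm-crypt mapping, PLAIN otherwise.
# Returns 1 if at least one PLAIN entry was found.
audit_mounts() {
    awk -F'[ ]' '
        {
            type[$1] = $2
            if ($4 != "") parent[$1] = $4
            if ($3 != "" && !($3 in dev)) { mounts[++n] = $3; dev[$3] = $1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                m = mounts[i]; x = dev[m]; hops = 0; enc = 0
                # walk up the device stack (bounded, in case of malformed input)
                while (x != "" && hops < 16) {
                    if (type[x] == "crypt") { enc = 1; break }
                    x = parent[x]; hops++
                }
                printf "%s %s (%s)\n", (enc ? "ENCRYPTED" : "PLAIN"), m, dev[m]
                if (!enc) plain++
            }
            exit (plain > 0) ? 1 : 0
        }'
}

# Constructed lsblk-style listing: LVM-on-LUKS root and swap, an unencrypted
# /boot partition and an unencrypted second disk mounted at /mnt/data.
# Empty columns are kept as empty fields (two consecutive spaces), as lsblk -r does.
SAMPLE='sda disk
sda1 part /boot sda
sda2 part  sda
cryptroot crypt  sda2
vg-root lvm / cryptroot
vg-swap lvm [SWAP] cryptroot
sdb disk
sdb1 part /mnt/data sdb'

printf '%s\n' "$SAMPLE" | audit_mounts || echo "WARNING: unencrypted storage in use"
# On a live Linux host: lsblk -rn -o NAME,TYPE,MOUNTPOINT,PKNAME | audit_mounts
```

For the constructed listing the script reports / and [SWAP] as ENCRYPTED and /boot and /mnt/data as PLAIN; an unencrypted /boot is expected on most Linux installations, but an unencrypted data disk or swap area is exactly the kind of leak the safeguard warns about. The check only sees block devices: files on network shares or removable media that are mounted later are not covered.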

Data medium encryption can be implemented in software, but also with hardware support (for example self-encrypting drives). Software solutions include BitLocker by Microsoft (see S 4.337 Use of BitLocker drive encryption), dm-crypt/LUKS on Linux and the open source program TrueCrypt (whose development was discontinued by its authors in 2014; VeraCrypt continues that code base).

Mobile data media such as USB sticks and laptops should always be encrypted completely, even if they only occasionally carry confidential information. For stationary IT systems, the data media should be encrypted completely if there are high protection requirements in terms of confidentiality. Before encrypting server hard disks, it should be checked that the selected encryption method delivers adequate throughput for the expected number of concurrent user accesses; CPUs with hardware AES support keep the overhead small, but this should be measured on the target hardware (on Linux, for example, with cryptsetup benchmark) rather than assumed.

In addition to the encryption program itself, cryptographic keys are required to encrypt data media. They should be generated according to safeguard S 2.46 Appropriate key management and stored separately from the encrypted data media, for example on chip cards or USB tokens, so that an attacker who obtains the medium does not obtain the key with it. For USB sticks, such a separation is generally not possible, because the key is typically derived from a password and the stick itself (often together with the encryption software) is carried with the data; this should be taken into account during the security analysis.
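How the separation of key and medium looks in practice for a LUKS-encrypted disk is shown in the following added example (not part of the original safeguard): a random key file is generated with restrictive permissions, it is checked that the key file does not lie on the filesystem it is meant to unlock, and only then is it enrolled as an additional key slot. The device /dev/sda2, the mapping name cryptroot and the token mount point /media/token are hypothetical placeholders; enrolling requires root and cryptsetup and is therefore not exercised by the self-check.

```shell
#!/bin/sh
# Keep the LUKS key on a removable token instead of on the encrypted disk.
# Added example; /dev/sda2, cryptroot and /media/token are placeholders.

# make_keyfile FILE: write 64 random bytes, readable by the owner only.
make_keyfile() {
    ( umask 077 && head -c 64 /dev/urandom > "$1" ) && chmod 0400 "$1"
}

# keyfile_ok FILE: succeed only if FILE is exactly 64 bytes and mode 0400.
keyfile_ok() {
    [ "$(stat -c %s "$1" 2>/dev/null)" = 64 ] && [ "$(stat -c %a "$1")" = 400 ]
}

# same_filesystem A B: succeed if both paths are on the same filesystem
# (same device number), i.e. the key would travel together with the data.
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# enrol_keyfile DEV KEYFILE: add KEYFILE to a free LUKS key slot of DEV
# (cryptsetup asks for an existing passphrase) and print the matching
# /etc/crypttab line. Refuses a key file that fails the checks above or
# that lies on the root filesystem. Needs root and cryptsetup.
enrol_keyfile() {
    keyfile_ok "$2" || { echo "bad key file: $2" >&2; return 1; }
    if same_filesystem "$2" /; then
        echo "refusing: $2 lies on the root filesystem, not on a separate token" >&2
        return 1
    fi
    cryptsetup luksAddKey "$1" "$2" || return 1
    printf 'cryptroot %s %s luks\n' "$1" "$2"
}

# Typical use (as root, token mounted at /media/token):
#   make_keyfile /media/token/cryptroot.key
#   enrol_keyfile /dev/sda2 /media/token/cryptroot.key >> /etc/crypttab
```

The passphrase slot that already exists stays usable as a fallback and should be stored according to S 2.46 as well. Whether the token can be read at boot time depends on the distribution's initramfs and must be set up separately; the example only ensures that the key material is generated properly and does not end up on the disk it protects.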

Of course, it is necessary to back up the data stored on the encrypted data media at regular intervals (see S 6.56 Data backup when using cryptographic procedures).

Several programs for encrypting data media, partitions or file containers offer the possibility to "hide" encrypted areas (hidden volumes). Such functions are difficult to use correctly, and improper use, for example writing to the outer volume without protecting the hidden one, can overwrite the hidden data and result in complete data loss; they should therefore not be used.

Review questions: