
Software and hardware encryption

Software-based encryption

There are a great many applications available (some of which are free) for encrypting files and folders or even entire drives and disks. Some data compression programs can also encrypt the data once it is compressed - the open source application 7-Zip is one example.

In this section, however, we would like to talk about software that concentrates on encryption only.

TrueCrypt

In June 2014, the developers of TrueCrypt announced that they would no longer be developing the product and also noted that the software might contain vulnerabilities. In response to this, the BSI commissioned the Fraunhofer Institute for Secure Information Technology SIT to conduct a security analysis of version 7.1a of the encryption software. After completing their analysis, the security experts concluded that TrueCrypt is still a suitable option for encrypting data on both local and external storage media.
TrueCrypt version 7.1a can be downloaded from heise online, for example.

GNU Privacy Guard for Windows (Gpg4Win)

Gpg4Win is a suite of programs for encrypting files and data on Microsoft Windows operating systems. The creation of Gpg4win was supported by the Federal Office for Information Security. The package includes the component GpgEX, which can be selected during installation.

GpgEX: the options provided by GpgEX appear when you right-click a file.

Once installed, the package adds entries to the context menu in File Explorer. If you right-click a file or folder, the option "Sign and encrypt" then becomes available. As has been explained in detail in the corresponding Compendium in section 18.2, this permits data to be encrypted for a range of users or recipients.

However, the software is only able to utilise keys and certificates already present in the system. As a result, users must first become familiar with the functions offered by Gpg4win, and then create or import keys and certificates. Once again, the Compendium provides detailed instructions on this topic.

Gpg4Win also offers functionality for encrypting email.

Hardware-based encryption

PCs and laptops

Some computers, and especially laptop models for business customers, are equipped with what is known as a Trusted Platform Module (TPM). This chip can act as the keystore when encrypting data. This is utilised by the Microsoft Windows software Bitlocker Drive Encryption for the encryption of partitions on hard disks. However, this software is only included in the Professional and Enterprise versions from Windows 7 onwards.

When encrypting the hard disk, Bitlocker stores the key that is needed to decrypt the disk on the TPM. Information is also stored on the TPM about the current system configuration. If the system configuration changes, then the hard disk cannot be decrypted: the TPM blocks access to the key. This is a security feature to stop encryption being bypassed by using a different operating system to access the disk. The disk can then only be decrypted by entering a recovery password. This password is chosen during encryption and must be stored in a safe and secure place. Anyone using Bitlocker on Windows 10 should also be aware that the recovery password is stored automatically in the user's OneDrive account (the cloud service provided by Microsoft).
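To make the sealing mechanism described above concrete, here is an added simulation (not Microsoft's or the BSI's code): it models PCR measurements of the boot chain, a TPM that releases the disk key only when the measurements match those recorded at encryption time, and the recovery-password fallback. The TPM internals, the key-wrapping scheme, the salt and the boot component names are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new value = H(old value || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold each boot component (firmware, boot loader, OS loader) into one PCR."""
    pcr = bytes(32)
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr
def wrap_key(kek: bytes, secret: bytes):  # toy authenticated wrapping of a 32-byte key
    stream = hashlib.sha256(b"enc" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return ct, hmac.new(kek, ct, hashlib.sha256).digest()
def unwrap_key(kek: bytes, blob):  # returns None if the tag does not verify
    ct, tag = blob
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(b"enc" + kek).digest()))
class SimulatedTpm:
    def __init__(self):
        self.root = secrets.token_bytes(32)  # chip secret, never leaves the chip
    def seal(self, secret: bytes, expected_pcr: bytes):
        """Bind the secret to a PCR value; the sealed blob may be stored on the disk."""
        kek = hmac.new(self.root, expected_pcr, hashlib.sha256).digest()
        return expected_pcr, wrap_key(kek, secret)
    def unseal(self, sealed, current_pcr: bytes):
        """Release the secret only if the measured boot matches the sealing policy."""
        expected_pcr, blob = sealed
        if not hmac.compare_digest(expected_pcr, current_pcr):
            return None  # configuration changed: the TPM blocks access to the key
        kek = hmac.new(self.root, expected_pcr, hashlib.sha256).digest()
        return unwrap_key(kek, blob)

def recovery_kek(password: str) -> bytes:  # key derived from the recovery password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 200_000)

def unlock_volume(tpm, sealed, pcr, recovery_blob=None, recovery_password=None):
    """TPM path first, then the recovery password; returns (volume key, method)."""
    key = tpm.unseal(sealed, pcr)
    if key is not None:
        return key, "tpm"
    if recovery_blob is not None and recovery_password is not None:
        key = unwrap_key(recovery_kek(recovery_password), recovery_blob)
    return key, ("recovery" if key is not None else "locked")
```

The same sealed blob also stays locked on a different chip, which is why moving the disk to another computer needs the recovery password too.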

With Windows 7 (Ultimate/Enterprise), Microsoft also introduced "Bitlocker to go", which can be used to encrypt external storage media such as USB memory sticks. These memory sticks can also be decrypted on Windows computers without the Bitlocker software. In this case, the Bitlocker component needed is stored automatically in an unencrypted area of the memory stick and started directly from there.

Hard disks

Both conventional hard disks (HDDs) and disks without any moving parts (SSDs) sometimes offer built-in encryption functionality. To prevent tampering by third parties, access to the storage medium via BIOS should be protected with a password (ATA Security Feature Set). This password will need to be entered by the user every time the system boots. Various techniques are used for the actual encryption on these drives. However, all major manufacturers have agreed on a standard for hard drive encryption, and hard disks that implement this standard are often referred to as "Opal" drives. A hard drive password, however, does not always imply encryption: in some cases the password simply controls access to the data stored on the drive, which is not itself encrypted. This provides a basic level of protection in the case of theft, for example.

External hard disks and memory sticks

Drive housings for external hard disks and USB storage media are often sold with built-in encryption software. These hard disk housings allow access to data only after users have authenticated themselves. Authentication methods may include a fingerprint scanner, the entry of a code on the built-in keyboard or the use of a supplied RFID chip, which works in much the same way as a contactless key card. In the case of USB storage, these drives often use an application that must be started on the computer and which then requires password entry.

Network-attached storage (NAS)

Depending on the individual model, some storage media on local networks, known as NAS (Network Attached Storage) devices, can encrypt the data stored on them. Users will need to decrypt the data every time the device is rebooted. Decryption strategies vary from manufacturer to manufacturer: while some devices use a USB memory stick inserted with the key, others require users to enter a password into a browser-based interface.

In some cases, the device can store the key itself and then apply the key automatically for decryption when it reboots. However, if the decryption key is stored on the very drive it protects, then the drive might as well not be encrypted in the first place! Instead, some devices store the key on an internal storage chip. While this protects the data in the event of the hard disk being stolen or replaced, it does not help if third parties have access to the device itself.

Anyone using NAS storage devices for their data should keep an eye not only on data encryption but also the overall security of the corresponding network.