- Portable devices like laptops and thumb drives can be lost or stolen. If
they contain sensitive data such as SSNs, bank account numbers, or
electronic patient health information, they should be encrypted to avoid
fines and criminal misuse.
- E-mail offers little or no privacy, making it a bad medium for confidential
communications. To share sensitive data, either use Secure Share or send an encrypted attachment (see below).
Encrypting Laptops and Thumb Drives
- Ensure you have a good backup.
- Windows: Use BitLocker
- Mac OS X: Use FileVault
Sharing Files with Sensitive Data
TechRepublic published an analysis that stated "Office 2007 uses
AES (Advanced Encryption Standard) with a 128-bit key and SHA-1 hashing.
For stronger protection, you can increase the key length to 256 bits by
editing the registry or using Group Policy. This improves the security of
password-protected files, especially when long, complex passwords are used."
The sales page for AOPR password recovery software from Elmcomsoft states "With computation-intensive encryption used in latest versions of Microsoft Office [referring to Office 2007+], password recovery tools relying solely on computer's CPU are no longer able to provide reasonable recovery times." This assumes the user sets an unguessable password, of course.
The wikipedia AES article states "As for now, there are no known practical attacks that would allow anyone to read correctly implemented AES encrypted data."
Various versions of Microsoft's "Enhanced Cryptographic Provider (RSAENH)" and "Cryptographic Primitives Library (bcrypt.dll)" are listed on NIST's FIPS 140-1 and 140-2 validated cryptographic modules page as being validated to 140-2. Versions of Office prior to 2007 apparently used a compatibility mode by default that subverted the strong encryption that was available.
Starting with version 18.5, WinZip Enterprise can be configured to operate in a FIPS 140-2 compliant way. Otherwise, WinZip provides what they say is "FIPS 197 certified" AES encryption although it is not listed on the NIST site. It's possible that in 18.5 Enterprise, they link with platform-specific NIST-certified libraries.
Last updated: Thursday, December 10, 2015