Overview
Texas A&M employees who work with confidential or sensitive information must protect it from disclosure. Texas A&M Information Security Controls Catalog control SC-13 (Cryptographic Protection) describes the requirements for protecting data at rest and in transit, and Standard Administrative Procedure (SAP) 29.01.03.M1.16 requires that sensitive data stored on portable devices be encrypted. The tools below cover the three situations that come up most often: encrypting a whole disk, encrypting individual files, and moving files securely between people or systems.
Whole-Disk Encryption
Windows - BitLocker
- Because it is built into Windows, BitLocker fits an Active Directory environment: it can be deployed with Group Policy and can back up recovery keys to Active Directory Domain Services automatically, so an administrator can recover a drive whose owner has lost the password or PIN.
- By default BitLocker requires a Trusted Platform Module (TPM). On hardware without one, the Group Policy setting "Allow BitLocker without a compatible TPM" (under "Require additional authentication at startup") lets BitLocker protect the drive with a password or a startup key on a USB drive instead; a TPM remains the stronger option because it ties the keys to the machine.
- BitLocker can also encrypt portable storage (BitLocker To Go).
- To encrypt portable storage, right-click the drive in Explorer, select "Turn on BitLocker," and follow the on-screen instructions. Save the recovery key the wizard offers somewhere other than the drive itself; it is the only way to open the drive if the password is forgotten.
- For more information on BitLocker, please see https://technet.microsoft.com/en-us/library/hh831713(v=ws.11).aspx
macOS - FileVault
- FileVault can be turned on during the initial setup of the Mac or later by an administrator in System Preferences (Security & Privacy > FileVault) or, on remotely managed Macs, with the fdesetup command.
- Apple supports an institutional recovery key so that IT can unlock a disk when a user forgets their password. It has to be in place beforehand, set when FileVault is enabled or added later by an administrator while a FileVault-enabled user can still unlock the disk; it cannot be added after the password has been forgotten.
- For more information on FileVault, please see https://support.apple.com/en-us/HT204837
- macOS can also encrypt portable media. Right-click the mounted volume in Finder and choose "Encrypt <volume>," or erase the drive in Disk Utility with an encrypted format (APFS (Encrypted), or Mac OS Extended (Journaled, Encrypted) on older Macs). The Finder option is only offered for drives partitioned with a GUID Partition Map, and an encrypted volume of either format can be read only on a Mac. The passphrase is the only way to unlock the drive, so keep it in a password manager rather than with the drive.
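For administrators who manage Macs with fdesetup, the following script is an added example (not from the original page or from Apple) of a FileVault compliance check: it reports whether FileVault is on and whether a personal or institutional recovery key is escrowed, and can queue a deferred enablement. The decision logic is plain text parsing; the fdesetup calls run only on macOS and need root for the recovery-key queries. The "FileVault is On." / "FileVault is Off." wording and the true/false replies are what fdesetup prints on current releases; the escrow plist path is a placeholder, and the -defer flag is assumed from the fdesetup man page.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from Apple: FileVault
# compliance check for a managed Mac, meant to run as root from an MDM script
# or over SSH. The policy functions are pure text handling; the live check and
# remediation call fdesetup and therefore run only on macOS.
set -euo pipefail

# Classify the first line of `fdesetup status` output as on, off or unknown.
filevault_state() {
    case "$1" in
        "FileVault is On."*)  printf 'on' ;;
        "FileVault is Off."*) printf 'off' ;;
        *)                    printf 'unknown' ;;
    esac
}

# Policy decision: pass only when FileVault is on AND at least one recovery key
# (personal or institutional) exists, so a forgotten password is recoverable.
# Arguments: fdesetup status line, haspersonalrecoverykey reply ("true"/"false"),
# hasinstitutionalrecoverykey reply ("true"/"false").
filevault_verdict() {
    local state
    state="$(filevault_state "$1")"
    if [ "$state" != on ]; then
        printf 'FAIL: FileVault is %s\n' "$state"
        return 1
    fi
    if [ "$2" != true ] && [ "$3" != true ]; then
        printf 'FAIL: FileVault is on but no recovery key is escrowed\n'
        return 1
    fi
    printf 'PASS: FileVault on, recovery key present (personal=%s institutional=%s)\n' "$2" "$3"
}

# Live check on a Mac: collect the three facts and apply the policy.
check_this_mac() {
    local status personal institutional
    status="$(fdesetup status | head -n 1)"
    personal="$(fdesetup haspersonalrecoverykey)"
    institutional="$(fdesetup hasinstitutionalrecoverykey)"
    filevault_verdict "$status" "$personal" "$institutional"
}

# Remediation: ask fdesetup to turn FileVault on at the user's next login. The
# generated personal recovery key is written to the given plist at that time
# (placeholder path; collect it into your escrow system and delete the file).
queue_filevault_enable() {
    local escrow="${1:-/private/var/root/fv-recovery.plist}"
    fdesetup enable -defer "$escrow"
}

if [ "$(uname -s)" = Darwin ]; then
    check_this_mac || echo "Not compliant: run queue_filevault_enable to schedule enablement" >&2
else
    echo "Not macOS: policy functions defined, nothing checked." >&2
fi
```

Run it per machine and collect the PASS/FAIL line; a Mac that reports "on" but has no recovery key is the case that turns a forgotten password into lost data, which is why the verdict treats it as a failure.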
File-Specific Encryption
Pretty Good Privacy (PGP)
OpenPGP is the standard, defined in RFC 4880, for encrypting and signing files and messages; PGP (Pretty Good Privacy) was the original program the standard grew out of, and the two names are often used interchangeably. GNU Privacy Guard (GnuPG, invoked as gpg) is a free, complete implementation of OpenPGP and is the engine behind many PGP front-ends.
GPG-based programs can encrypt files (and folders, once archived with tar or zip) and email either with a single symmetric key (the same passphrase encrypts and decrypts) or with asymmetric keys (the recipient's public key encrypts; only the matching private key decrypts). Asymmetric keys are the better fit for sharing: OpenPGP lets a file be encrypted to several public keys at once, so each recipient can open the same encrypted file with their own private key. The security of that scheme rests on encrypting to the right public key, so confirm a key's fingerprint with its owner over a second channel (in person or by phone) before encrypting to it or signing it, and keep your own private key protected with a strong passphrase. For definitions of these and related terms, see the GPG FAQ (https://www.gnupg.org/faq/gnupg-faq.html).
The GnuPG website lists well-known GPG applications at https://www.gnupg.org/download/index.html. If you prefer a graphical interface, look at Gpg4win (Windows) or GPG Suite (macOS). Most Linux distributions ship GnuPG already or provide it through the distribution's package manager. Mac users who want gpg in Terminal.app should install it from Homebrew (brew install gnupg; older instructions refer to the gpg2 formula), which pulls in the dependencies automatically.
Secure File Transfer
Remember: confidential information should never be sent by email. Use one of the secure solutions below.
Filex
Filex is an easy tool for securely transferring data from one user to another. During the upload process you can select the option to encrypt your files in transit. Get started at https://filex.tamu.edu/. For detailed instructions, see Using the Filex file distribution system.
Safe File Transfer Tools
If you need to transfer confidential information between two systems that you manage, use a protocol that encrypts the connection, such as SCP or SFTP (both run over SSH), never FTP or plain HTTP. WinSCP is an easy-to-use Windows client for SCP and SFTP. Whichever client you use, verify the server's host key fingerprint with the server's administrator the first time you connect rather than accepting whatever is presented; that check is what prevents a man-in-the-middle from reading the transfer.
Need Help? Questions?
If you’d like any assistance with the tools described above or have suggestions/questions, feel free to email helpdesk@tamu.edu.