Encryption Tools for Workstations and Laptops

Linux Workshop presentation 27-May-2009

On January 7, 2009, Dr. Stead broadcast an email message in which he discussed the importance of protecting sensitive information. (William W. Stead, M.D. is Associate Vice Chancellor for Strategy/Transformation and Director of the Informatics Center at Vanderbilt University Medical Center. He serves as Chief Information Officer of the Medical Center and Chief Information Architect for the University.)

"The Information Privacy and Security (IPS) Executive Committee ... has been monitoring the increasing risks associated with accidental loss or intentional theft or breach of Protected Health Information (PHI), Research Health Information (RHI), or other individually identifiable personal information on end-user and mobile devices.

Vanderbilt University Medical Center is committed to protecting the privacy, security, and integrity of confidential information created, maintained, used, or disclosed in the course of conducting its health care, education, research, and business operations. To that end, the Medical Center adopted policies in 2008 defining expectations for protection and security of Protected Health Information and Research Health Information. Given the wide-spread use of electronic data and technology, it is no longer reasonable to assume that the information will remain stored only on centralized servers in protected data centers. Even a computer that accesses the VUMC networks for email use may very well have PHI or RHI saved to the hard drive through automatic caching. Over the past six months it has become clear that the risk exposure has begun to exceed the costs of mitigating solutions. ... "

We have to assume that there will soon be policies in place that dictate how we handle data that contain PHI or RHI. Encryption will no doubt be a part of that policy. In this presentation I will discuss some open source software products that encrypt data.

What is encryption?

"In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted)." [from http://en.wikipedia.org/wiki/Encryption]

In our case, we are talking about using encryption to make certain computer files unreadable in the event the files somehow end up not in our control. This can happen if a computer is stolen or a flash drive is lost. It can also happen if a computer is accessed by some unauthorized person. A file is certainly not in our control when we send the file to another party using email.

Why? Policies and Advice

The HIPAA References and Resources page (http://www.mc.vanderbilt.edu/root/vumc.php?site=HIPAA) is the starting place for information about Vanderbilt's policies and requirements concerning protected health information and research health information. We are required to understand what constitutes information that must be protected and how to protect it. ("HIPAA" means "Health Insurance Portability and Accountability Act of 1996".)

The best way to avoid revealing protected information is to not have any on your computer! See http://en.wikipedia.org/wiki/Protected_health_information for a list of what is considered protected health information. Removing this information from a data file will usually result in a file that does not need to be protected. For a more detailed discussion see Research Repositories, Databases, and the HIPAA Privacy Rule from the National Institutes of Health.

Personal File Encryption

Next we will look at two programs that can be used to encrypt files stored on our personal computers and laptops. bcrypt runs on Linux and Windows computers, and TrueCrypt will run on Linux, Windows, and MacOS platforms.

bcrypt

bcrypt encrypts and decrypts files using the blowfish algorithm. Blowfish is one of many encryption algorithms. Others include Data Encryption Standard (DES) and Advanced Encryption Standard (AES). Please excuse all the Wikipedia links, but it does have good introductions to these topics.

  • If you are running Ubuntu Linux, bcrypt can be installed easily using a package manager like apt-get or aptitude, etc. Here is the first part of the man page for bcrypt.
    bcrypt_man.png

  • The next three screen captures show an example of bcrypt in use. Let's say we have a file called "file_full_of_protected_information.csv". The bcrypt command causes a new, encrypted version of the file to be produced and the un-encrypted version is deleted. Note one problem here: I was editing the file before I encrypted it and my editor left behind a backup version. I have to make sure I deal with things like that.
    bcrypt1.png

  • The encrypted file has the extension ".bfe". Using the bcrypt command again on that file gives back the original file (assuming we remember the password!).
    bcrypt2.png

  • The restored file:
    bcrypt3.png

Encrypting and decrypting files this way can be awkward. Also, one has to be careful about backup files and work files left behind by editors and other programs. Still, bcrypt can be useful, especially for protecting files that you will take away from work on a CD or flash drive. All you need is the same program installed at work and on your other computer.
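The backup-file problem described above can be checked for before running bcrypt. The following is an added example, not part of the original presentation; the function names and the list of file-name patterns are assumptions based on common editor conventions (Emacs/gedit "name~" and "#name#", Vim ".name.swp", generic ".bak"/".orig").

```shell
#!/bin/sh
# Added example: find plaintext copies that editors commonly leave beside a
# file, and refuse to encrypt until they have been dealt with.
# The pattern list is an assumption, not an exhaustive inventory.

# Print every leftover copy found next to the given file, one per line.
find_leftovers() {
    target=$1
    dir=$(dirname -- "$target")
    base=$(basename -- "$target")
    for cand in \
        "$dir/$base~" \
        "$dir/#$base#" \
        "$dir/.$base.swp" \
        "$dir/.$base.swo" \
        "$dir/$base.bak" \
        "$dir/$base.orig"
    do
        # -e is true for any existing path (file, link, ...)
        if [ -e "$cand" ]; then
            printf '%s\n' "$cand"
        fi
    done
    return 0
}

# Run bcrypt on the file only when no leftover plaintext copies exist.
# bcrypt prompts for the passphrase, writes "<file>.bfe" and deletes the
# original, as described in the text above.
safe_bcrypt() {
    target=$1
    leftovers=$(find_leftovers "$target")
    if [ -n "$leftovers" ]; then
        printf 'Not encrypting %s; plaintext copies remain:\n%s\n' \
            "$target" "$leftovers" >&2
        return 1
    fi
    bcrypt "$target"
}
```

This only looks in the file's own directory; copies an editor or other program wrote elsewhere (a temp directory, a "recent files" cache) still have to be tracked down separately.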

TrueCrypt

According to the TrueCrypt documentation:

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system encryption (e.g., file names, folder names, contents of every file, free space, meta data, etc) is supported for Windows, but not for Linux.

TrueCrypt is free, open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux. The main features of TrueCrypt are:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Provides plausible deniability, in case an adversary forces you to reveal the password.

They make a big deal of this last point, but I don't think it is a big issue in our environment. Although...XKCD on Security

  • TrueCrypt doesn't have a package that can be installed using, for example, apt-get. An installer has to be downloaded from http://www.truecrypt.org/ and then run on your computer (i.e. sudo ./truecrypt-6.2-setup-ubuntu-x86). Once the program is installed, it can be run with the truecrypt command. In Linux, open a command window and type the command "truecrypt", or use Alt+F2 and type "truecrypt" in the command box. The TrueCrypt windows look much the same on Linux and on Windows. There is excellent documentation at http://www.truecrypt.org/docs/.
    truecrypt1.png

  • The first thing to do is to create a file that will hold the encrypted file system. TrueCrypt uses a file to act as a virtual file system to hold the encrypted files. This file then gets mounted and can be used just like any other directory on the computer.
    truecrypt2.png

  • The defaults seem to be OK in most cases.
    truecrypt3.png

  • Here's where we tell TrueCrypt the name we want to use for the container file. In this case, I am using a file called "my_secret_data" in my home area.
    truecrypt4.png

  • Again, the default choices seemed to be OK. There is a lot to learn to be able to make intelligent choices about kinds of encryption. I decided to go with the government approved default.
    truecrypt5.png

  • I decided to make a 1 gigabyte container file. 2 GBs would be the limit for most file systems, but there are ways to make an encrypted partition that wouldn't be restricted by file size limits.
    truecrypt6.png

  • Make sure you remember this password!
    truecrypt7.png

  • Since I am going to use this encrypted container exclusively on my Linux system, I picked a Linux file system type. There are others that can be used if sharing with Windows computers is needed.
    truecrypt8.png

  • I picked the "only on Linux" option (regardless of what the screen shot shows).
    truecrypt9.png

  • The virtual file system then gets created inside the container file.
    truecrypt10.png

  • Now we are ready to mount the encrypted file system so that we can use it to store files. You are asked for the password selected earlier. You might also be asked for your root password so that the mount can proceed.
    truecrypt11.png

  • Now the encrypted file system is mounted in "slot 1". If this was running on Windows this slot would be a drive letter like E: or H: or whatever. There are no drive letters in Linux so the program uses this "slot" notation. "slot 1" refers to /media/truecrypt1/, "slot 2" is /media/truecrypt2/, etc.
    truecrypt12.png

  • Here is a directory listing that shows the truecrypt1 mount point.
    truecrypt13.png

  • We can now copy some files to our encrypted file system.
    truecrypt14.png

  • As long as TrueCrypt is running it will have an icon on the task bar. Clicking on this icon brings up the TrueCrypt window where we can create and mount other encrypted file systems.
    truecrypt15.png

TrueCrypt has a number of other modes of operation. It can create encrypted file systems in a complete partition or on an entire disk and it can be configured to start when the computer is booted so that all the set up steps run automatically.

Here are a couple of "how-to" sites that talk about TrueCrypt:

Encryption for files that are transferred to others

bcrypt and TrueCrypt are good choices for encrypting files that reside on your computer or are being stored on hardware that you control. Protecting a file that is to be sent to another party requires a different approach. GNU Privacy Guard (GnuPG) is probably the best known and most widely used software for this situation. GnuPG is a complete and free implementation of the OpenPGP standard (PGP stands for "pretty good privacy"). GnuPG allows you to encrypt and sign your data and communications, and features a versatile key management system as well as access modules for all kinds of public key directories.

PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. "Signing" a file or email message allows the recipient to be sure that the sender is who they claim to be. PGP encryption uses public-key cryptography and includes a system which binds the public keys to a user name and/or an e-mail address. The Wikipedia article on Pretty Good Privacy has a helpful description, with references, of how public key cryptography works. See also GNU_Privacy_Guard (Wikipedia article) for a description of the implementation being recommended here.

There are a lot of steps involved in installing and setting up GnuPG and the plugins needed. It is not too complicated, but it does require some time and attention to detail. These links point to pages that have good descriptions of the steps necessary.

https://help.ubuntu.com/community/GnuPrivacyGuardHowto
http://www.ubuntu-unleashed.com/2008/02/beginners-guide-for-gnupg-in-ubuntu.html
http://ubuntuforums.org/showthread.php?t=680292
http://ubuntuforums.org/showthread.php?t=220629 (concerning multiple e-mail addresses)

  • I have GnuPG and the Enigmail Thunderbird extension (http://enigmail.mozdev.org/home/index.php) installed on my computer. Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. In Thunderbird we can see the additional OpenPGP menu that indicates that I got the installation done right.
    thunderbird1.png

  • Besides letting me encrypt and sign my email, Enigmail lets me do some key management from within Thunderbird. Here I am displaying the various keys I have defined.
    thunderbird2.png

  • Here I am composing a message that I want to encrypt and sign. I clicked on the OpenPGP icon and then I could make my selection.
    thunderbird3.png

  • Then I clicked on the Send button to send the encrypted and signed message. I have to enter my password so that the program can retrieve the recipient's public key and use it to encrypt the message. The recipient, called Adele, is an automated mail box that we can use to test our configuration. Adele will decrypt the message and send us a reply.
    thunderbird4.png

  • The reply from Adele is encrypted using our public key. Since I am logged on and properly authenticated, the message gets decrypted automatically so I can read it.
    thunderbird5.png

  • Here I am viewing the same message using Outlook Web Access. There is no decryption being done by OWA so I see only the encrypted version of the message.
    thunderbird6.png

Vanderbilt links

Information Privacy & Security Website : Information about Vanderbilt policies, HIPAA, and information security

Vanderbilt HIPAA References and Resources

Other links

Public-key cryptography (wikipedia article)

Enigmail OpenPGP

http://www.wisegeek.com/what-is-public-key-encryption.htm

KGPG

See "What to Protect and Where?" for some additional tips.
Topic revision: r12 - 31 Mar 2010, DalePlummer
 
