Encryption at Rest

When storing sensitive information, an important protection control is encrypting the information with a password or key. If your equipment is ever stolen or your system is compromised, an attacker must know the proper decryption key to access your information. Encryption of sensitive information is a required security control in many regulatory requirements, such as 201 CMR 17.

Key Escrow Planning

The point of encryption is to make data unreadable to attackers who don't possess your decryption key. If you lose or forget your decryption key, there is no option to reset it. Whenever you use encryption, make sure that you have redundant decryption keys or a backup of your keys somewhere safe, for example in a physically locked office or file cabinet.

Full Disk Encryption For Windows Using BitLocker

BitLocker is a feature found on the Enterprise and Ultimate versions of Windows Vista and 7. This feature encrypts the entire hard drive rather than specific files or folders. More information on BitLocker can be found on the Microsoft website.

Full Disk & Folder Encryption For Windows, Mac and Linux Using TrueCrypt

TrueCrypt is free software that runs on most platforms, which is particularly useful when groups are collaborating using a variety of operating systems. TrueCrypt also guides you through the creation of a backup boot CD that can be used for decryption in emergency situations, such as when you forget your keys. More information on this software can be found on the TrueCrypt website.

Encrypting Folders For Windows Systems Using EFS

Windows operating systems have a feature known as Encrypting File System, or EFS. With this feature you can encrypt individual folders using your Windows password as the encryption key. This method of encryption works if you know exactly where sensitive information will be stored. If you are unsure where on the system sensitive data is stored, BitLocker or an equivalent full disk encryption program is the best solution. More information on EFS can be found on the Microsoft website.

Encrypting Folders For Mac Using FileVault

Mac computers come with a feature called FileVault. This encrypts your home directory, which is located at /Users/YourUsername/*. Files kept elsewhere on the file system are not encrypted. Further information on FileVault can be found on the Apple website.

Encrypting Archives Using WinZip

Most people know WinZip for its compression capabilities, but it can also encrypt archives. When using WinZip, make sure that you choose AES encryption and never Zip 2 legacy encryption. You can find further information on the WinZip website.
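To confirm that an archive really uses AES and not Zip 2 legacy encryption, you can inspect its headers without knowing the password. The Python code below is an added example, not part of the original page or of WinZip itself; it relies on the WinZip AES format's markers (compression method 99 and extra field 0x9901), and the sample archive it checks is constructed in memory with dummy data.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # compression method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field ID that carries the AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def classify(info):
    """Name the encryption scheme of one entry using only its headers."""
    if not info.flag_bits & 0x1:            # general-purpose bit 0 = encrypted
        return "unencrypted"
    if info.compress_type != AES_METHOD:
        return "Zip 2 legacy"
    extra = info.extra
    while len(extra) >= 4:                  # walk the (id, size, data) records
        field_id, size = struct.unpack("<HH", extra[:4])
        if field_id == AES_EXTRA_ID and size >= 7:
            # data layout: version(2) vendor(2) strength(1) real method(2)
            return AES_STRENGTH.get(extra[8], "AES (unknown strength)")
        extra = extra[4 + size:]
    return "AES marker without parameters"

def audit(zip_bytes):
    """Map every file name in the archive to its encryption scheme."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def build_sample():
    """Constructed archive: real headers, dummy 4-byte payloads."""
    aes = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
    entries = [("plain.txt", 0, 0, b""), ("legacy.txt", 1, 0, b""),
               ("aes.txt", 1, AES_METHOD, aes)]
    body = central = b""
    for name, flags, method, extra in entries:
        n, offset = name.encode(), len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 51, flags, method,
                            0, 0, 0, 4, 4, len(n), len(extra)) + n + extra + b"data"
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 51, 51,
                               flags, method, 0, 0, 0, 4, 4, len(n), len(extra),
                               0, 0, 0, 0, offset) + n + extra
    return body + central + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0,
                                        len(entries), len(entries),
                                        len(central), len(body), 0)

if __name__ == "__main__":
    for name, scheme in audit(build_sample()).items():
        print(f"{name}: {scheme}")
```

To check a real archive, pass its contents to `audit()`, for example `audit(open(path, "rb").read())`, and treat any entry reported as "unencrypted" or "Zip 2 legacy" as needing re-encryption with AES.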