Disk Encryption
From BNL Physics Computing
DOE requirements regarding encryption
The DOE CIO has stated in Guidance CS-38A as well as Requirement TMR-22 (draft) that:
- It is assumed that all portable/mobile devices contain PII unless a designated authorizing Federal management official determines that there is no PII on the device.
- Any storage media that hosts SUI is required to be protected using encryption. Full-disk encryption is recommended.
Some definitions:
- SUI
- Sensitive, Unclassified Information. Unclassified information requiring protection mandated by policy or laws, such as Official Use Only (OUO), Export Control Information (ECI), Unclassified Controlled Nuclear Information (UCNI), Naval Nuclear Power Information (NNPI), Personally Identifiable Information (PII), and other information specifically designated as requiring SUI protection, such as information identified under Cooperative Research and Development Agreements (CRADA).
- PII
- Personally Identifying Information. Any information about an individual maintained by an Agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security numbers, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. In some instances PII overlaps with Privacy Act information.
Discussion
Although full-disk encryption is recommended by the DOE, it is recognized that full-disk encryption is not always possible on a system and often not desirable due to the usage of the machine in question. What is required is to have encryption capability on a machine such that the user of the machine can encrypt any sensitive files that may eventually be stored on the machine.
Since all Windows machines have Windows Encrypting File System (EFS) on them and all non-Windows machines have Gnu Privacy Guard (GPG) on them due to the Ordo installation, it can be argued that all machines at BNL have file encryption capability. The issue is whether the user of the machine is aware of the encryption capability on their system and knows how to use it in the event that it is necessary. If the user of the machine explicitly installs encryption software, then it is easier to argue that the user is aware of the need for encryption, and that he or she knows of the software on their machine and how to use it. If the user wishes to rely on a tool built into the Operating System or installed as part of an unrelated product (e.g., Ordo), then that user will have a more active role in convincing people that they were aware of the need for encryption and that they had the tools to encrypt files.
The recommendation, then, is to explicitly install encryption software on your machine, preferably software that can be audited by an independent agent to show that it is installed on the machine. The auditable software in the following list has "(A)" after the name.
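The following is an added example, not part of the original page or of any BNL-supplied tooling. It shows the two things the discussion above turns on for a non-Windows machine: an auditable check that an encryption tool is actually installed, and a user actually exercising the GPG capability by encrypting a file with a passphrase, confirming the ciphertext does not expose the plaintext, and decrypting it back. It assumes GnuPG 2.x is on the PATH (a separate GNUPGHOME is used so nothing touches the user's real keyring); the file names, sample content and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the BNL page). Assumes GnuPG 2.x ("gpg") on PATH.

# Auditable check: is the named encryption tool installed? 0 = yes, 1 = no.
audit_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Encrypt plaintext $1 into $2 using a passphrase read from file $3.
# The passphrase is read from a file rather than given on the command line,
# so it does not show up in the process list or shell history.
gpg_encrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" --symmetric --cipher-algo AES256 \
        --output "$2" "$1"
}

# Decrypt ciphertext $1 into $2 using the passphrase in file $3.
gpg_decrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" --decrypt --output "$2" "$1"
}

# Round trip on a constructed sample file. Returns 0 on success,
# 1 on any failure, 2 if gpg is not installed (nothing to audit).
roundtrip_demo() {
    audit_tool gpg || return 2
    dir=$(mktemp -d) || return 1
    # Isolated GnuPG home so the demo never touches the real keyring.
    GNUPGHOME="$dir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || { rm -rf "$dir"; return 1; }
    printf 'SSN: 000-00-0000 (constructed sample PII)\n' > "$dir/plain.txt"
    printf 'correct horse battery staple\n' > "$dir/pass.txt"
    chmod 600 "$dir/pass.txt"
    rc=1
    if gpg_encrypt_file "$dir/plain.txt" "$dir/plain.txt.gpg" "$dir/pass.txt"; then
        # The ciphertext must not contain the plaintext marker in the clear.
        if grep -q 'SSN' "$dir/plain.txt.gpg"; then
            rc=1
        elif gpg_decrypt_file "$dir/plain.txt.gpg" "$dir/out.txt" "$dir/pass.txt"; then
            if cmp -s "$dir/plain.txt" "$dir/out.txt"; then rc=0; else rc=1; fi
        fi
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone use: audit, then exercise the capability.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    if audit_tool gpg; then
        echo "gpg installed: yes"
        if roundtrip_demo; then echo "encrypt/decrypt round trip: ok"; else echo "round trip failed"; fi
    else
        echo "gpg installed: no (install GnuPG, or an auditable product from the list below)"
    fi
fi
```

The same audit step applies to the listed products: an auditor needs only to confirm the binary or package is present, whereas demonstrating that a user knows how to use a built-in facility requires a round trip like the one above.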
Aside
It is often useful to have encryption capability on a machine for personal use beyond any need for encrypting PII or SUI. People sometimes have more passwords than they can conveniently remember, and storing them in an encrypted file is often a solution. Some people may want to encrypt their letters of recommendation to avoid the not-unheard-of accident of sending the wrong file. Other uses of encryption are probably not difficult to come up with, so people may find encryption software a benefit above and beyond any perceived need for it by the DOE.
Recommended Encryption Software
The following topics describe recommended encryption software (software marked with (A) can be easily audited).
Windows
- PointSec (A)
- TrueCrypt (A)
- Encrypting File System (EFS) (built into Windows 2000 and XP)
Linux
Mac OS X
- FileVault (A)
- Encrypted Disk Image
- TrueCrypt (A)
