by Andre Kolodochka
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. You already use encryption every day without even knowing it. Your computer never keeps your password; instead it stores an encrypted version of it. Each time you type a password in Windows/Linux, the computer runs whatever you typed through a cryptographic function and compares the result with the stored encrypted password. If the two strings match, it is assumed that you entered the correct password. The function used in this example is one-way, i.e. there is no way to get the original password back from the encrypted string, so, essentially, there is no way for anyone to steal such a password by reading what is stored.
There is another, two-way type of encryption where it is possible to get back the original information out of the encrypted string. However, to decrypt the string and get the original information you would need a key that looks something like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP Desktop 9.0.1 (Build 2185)

lQPGBELQ9HIBCADIe9GQBgHieNVDYxe0xWXWqoCYCQB8n1zz3zB2xzIYUR4OH7l0
Rdo6aQl6zi+Qxsk6w0vVJ4J9nC9FeYzeTuYsJfab8UuXj4IjBuNIEMdBM0AD9TAe
MBnH/9hi8sDasraUYtr8w6bBPrv5mGSxhNGTStYOVVjU6GqvrGCAMOniAEs42Owa
tr9VfYz+K2YBcQRO/c860OFEEXj1iykFSguVwVJGjEoyWxVvfwaDVoCTwC4Osyj1
BnmJI2nMw1velJtXmxk1oeqaIO9Lg6n9BLlUtM+o1sS9q0QDA3jeS7V/zJglRQ9q
9DyvX77bR6hG3fihs19xQlPvTG8QharN2tiK3anazrEV06FU94yn1X9mlhDD0OtR
crRKU59lZDVZnP+1LGFE5i9klPlBw1yLmx+tpvaYNE3vUU3LjktrlEQ4XrreDtas
3CRATRTjy3FlhD644XfnXLD1dC3AVcXESKk2QFefQyxjPaKgqusnQkoWVFglE0qR
E+gZ86mp4Gh68kKWJlgDZsqR+1ee2LiFbeO1pN92LA==
=q7e3
-----END PGP PRIVATE KEY BLOCK-----
Yes, gibberish, but you would never type it in; the encryption software usually handles it for you.
The bottom line: If you don’t have that key – it is practically impossible to decrypt the original information. That’s the type of encryption used in our Security and Encryption Add-On for Atlassian’s Confluence.
Why Would I Need Encryption?
The main reason to use encryption is to avoid disclosure of confidential information in case of theft or unauthorised access. If the file or drive with confidential information on a stolen laptop is encrypted, the thieves will get the hard drive, but won’t be able to get the data. Yes, we lose the laptop ($3k), but we avoid a potential penalty for disclosing customers’ data ($10k-$1M+?). We are starting to work more and more with larger customers, as well as with customers from parts of the world where privacy laws are quite strict, so encryption comes up often in discussions. Encryption for a Confluence instance is a critical issue for organizations for which privacy and data protection are mission critical.
I Want One. What Are the Options?
There are two types of encryption for files stored on hard drives: file system level encryption and disk encryption (also called “full disk encryption” or “whole disk encryption”). Tools of the first kind encrypt only a particular file or directory. You may have, say, a “My Documents\Projects” directory where you store all data related to customer projects. You can encrypt just that directory and keep the rest of the drive, with your own data, unencrypted. Or you could encrypt “My Documents\Projects\Adobe”, “My Documents\Projects\Walmart” and “My Documents\Projects\SoundCloud” with three different keys, just to make sure whoever gets access to one key still won’t be able to access the other two folders.
So there are a few advantages to filesystem level encryption tools: you encrypt only what needs protecting, and different sets of data can be protected with different keys.
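Here is what the “no key, no data” rule from the introduction and the one-key-per-folder setup just described look like in code, as an added example in Go using AES-256-GCM from the standard library (my own code, not the article’s and not the add-on’s). The Vault type, the folder names and the sample text are constructed for illustration; real tools such as BitLocker, VeraCrypt or FileVault rest on the same principle, a symmetric key you must hold to decrypt, but manage the keys and the disk layout for you.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit AES key: the "gibberish" the
// encryption software manages for you. Lose it and the data is gone.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prepended to
// the output, and the folder name is bound as associated data so a file
// cannot be silently moved between folders.
func Encrypt(key, plaintext []byte, folder string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(folder)), nil
}

// Decrypt reverses Encrypt. A wrong key, a wrong folder or a modified blob
// produces an error, never silently wrong output.
func Decrypt(key, blob []byte, folder string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(folder))
}

// Vault (constructed for this example) holds one independent key per
// encrypted folder, the layout the text describes for the project directories.
type Vault struct{ keys map[string][]byte }

func NewVault(folders ...string) (*Vault, error) {
	v := &Vault{keys: make(map[string][]byte)}
	for _, f := range folders {
		key, err := NewKey()
		if err != nil {
			return nil, err
		}
		v.keys[f] = key
	}
	return v, nil
}

// Store encrypts data for folder with that folder's own key.
func (v *Vault) Store(folder string, data []byte) ([]byte, error) {
	key, ok := v.keys[folder]
	if !ok {
		return nil, fmt.Errorf("no key for folder %q", folder)
	}
	return Encrypt(key, data, folder)
}

// OpenWith tries to decrypt a blob stored under folder using keyFolder's key.
// It succeeds only when keyFolder == folder: one folder's key opens nothing else.
func (v *Vault) OpenWith(keyFolder, folder string, blob []byte) ([]byte, error) {
	key, ok := v.keys[keyFolder]
	if !ok {
		return nil, fmt.Errorf("no key for folder %q", keyFolder)
	}
	return Decrypt(key, blob, folder)
}

func main() {
	v, _ := NewVault("Projects/Adobe", "Projects/Walmart")
	blob, _ := v.Store("Projects/Adobe", []byte("constructed sample: Adobe contract draft"))
	pt, _ := v.OpenWith("Projects/Adobe", "Projects/Adobe", blob)
	_, err := v.OpenWith("Projects/Walmart", "Projects/Adobe", blob)
	fmt.Printf("own key: %q\nother key: %v\n", pt, err)
}
```

The authenticated mode (GCM) is the part worth noticing: with a plain block cipher a wrong key would still “decrypt” to garbage, whereas here the wrong key, a moved file or a single flipped byte all fail cleanly, which is what you want a backup-restore or a forensic check to report.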
On the other hand, full disk encryption is like a “main switch”: it’s all or nothing. A Trusted Platform Module (TPM) is becoming standard on most computers these days; it ties the drive to the motherboard, making it even harder to break into. Full-disk encryption is also very easy to use. You simply can’t, by mistake, copy a file into an unencrypted folder: the whole drive is encrypted, so copy files wherever you want. You don’t have to remember to do anything; you just use your computer as usual. Also, when a customer comes and asks “are my data protected?”, it’s much easier to say “yes” if whole-disk (rather than file system) encryption is used.
There are plenty of encryption tools out there, for both file system and disk encryption. Which one to use? The choice will mainly depend on your OS and hardware. If you are on Windows (and have a TPM in your PC) – BitLocker is the first one I’d be looking at. If you don’t have a TPM, or are on Linux/Mac – look into VeraCrypt. If you are on a Mac – FileVault (especially the version with whole-disk encryption).
And, if you’re an OS X user, ZDNet recently produced a nice article with suggested encryption tools.
Great, I Am All Set, Right!?
Not quite. Encryption tools take away the hassle of typing in your private encryption keys (yes, those 20 lines of unrecognisable text), but in order to protect those keys somehow you will need to set up a password. And your files are only as secure as your password is. If “123456” or “password” is your password – sorry, no encryption software will help you. Always set a good password. And if the software generates an encryption key and tells you to store it in a secure place – STORE IT IN A SECURE PLACE! Without that key even you won’t be able to recover the data. And by “secure place” they don’t mean the same laptop; instead, keep it on a USB key in your locker or upload it to your folder in Box (having the key file in Box saved me a couple of times).