
To encrypt or not to encrypt?

There are lots of different viewpoints about whether to encrypt or not. Paul Ducklin helps you decide what to do...


Encryption is a hot topic in security circles these days.

There are lots of different viewpoints about whether to encrypt or not.


All of us here on Naked Security will tell you that you can’t have enough encryption.

Wisely used, encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves and many other sorts of cybercriminal.


Regulators and auditors will not only advise you to encrypt your data, but even insist that you encrypt some or all of it.

Regulators are becoming increasingly strict about encrypting sensitive data, to the point that the US Appeals Court recently ruled that it is unfair business practice not to protect your customers’ information.


A few politicians and policy makers are trying to go in the other direction.

They want us to turn back the clock and stop using encryption, or to accept weakened implementations, to make it easier to catch crooks and terrorists.

(We can’t see how security can be strengthened by deliberately weakening it, but this controversy around encryption is only making it an ever hotter topic!)


And there are many businesses – particularly small ones – who are, quite simply, a bit shy about using encryption.

Either they don’t think their assets are of any interest to cybercriminals, and therefore they don’t need to encrypt at all, or they think encryption is likely to be more trouble than it’s worth.


To help you find your way through the myths and misconceptions, here are five tips to help you answer the question, “To encrypt or not to encrypt?”

1. SHOULD I STICK TO ENCRYPTION ONLY WHERE REQUIRED BY LAW?

In any organisation, data is valuable.

That may be customer information (names, email addresses, credit card information, and other personally identifiable information like Social Security or national identity numbers), internal financial information, employee information, intellectual property, and more.

Unfortunately, that data isn’t valuable only to you.

It’s also valuable to criminals who get hold of it illicitly, whether that’s through lost USB keys, stolen laptops, unsecured backups, unprotected databases, or any other means.

Even if the criminals who steal your data don’t intend to use it themselves, they can sell it on underground markets, where other criminals who have a clear plan for it may buy it up for nefarious purposes.

Additionally, some hackers see value merely in havoc, by exposing your data in what’s called a “dump,” where they publish everything they can get about your organisation, even the most private correspondence with staff members or customers, for the whole world to dredge through at its leisure.

In those cases, the damage to your brand, your workforce and your customers can be inestimable.

Simply put, encryption is an excellent way to protect all kinds of data, so we recommend you encrypt your data whether you are legally obliged to or not.

2. WON’T ENCRYPTION SLOW DOWN MY COMPUTER?

There’s an old saw that says, “You can’t get something for nothing.”

But most modern computers, even laptops and mobile devices, rarely run at full capacity. Some of today’s phones, for example, have quad-core, 6-core and even 8-core processors.

A few years ago, you might have found a measurable difference between an unencrypted and a fully-encrypted hard disk, and even have noticed the difference during regular work.

We think that you will be hard-pressed to spot the difference in performance today.

Of course, the crook who steals your laptop will definitely tell the difference: he (or the criminal he sells it on to) will typically be able to copy absolutely everything off an unsecured laptop, but nothing at all off a properly encrypted one.

→ Just having a password isn’t enough. Boot-time passwords and logon windows can stop crooks using your computer directly. But by transferring your hard disk or SSD to a computer of their own, they can grab all your data and analyse it at their leisure.

3. ISN’T ENCRYPTION COMPLEX AND RISKY? WHAT IF I FORGET MY PASSWORD?

Encryption is like locking your data up in a safe – it’s secure against anyone who doesn’t have the key.

So, encryption without proper key management is risky: if the bad guys get at the keys, they can access your secrets; but if the good guys forget their keys, they can’t do any work.

A good encryption product makes it easy for an organisation to keep track of what is encrypted, and how, as well as providing a secure mechanism for what’s called key recovery.

That’s useful if someone forgets their password, or quits the company in a huff.

But beware: there is a big difference between “key recovery” and a “backdoor”.

A backdoor is like a safe that can always be opened with the secret built-in combination 31-33-7 if the real combination gets forgotten.

Backdoors have a nasty habit of not staying secret very long, so avoid any product with a backdoor.

Key recovery, in contrast, provides an alternative decryption key that can only be retrieved by someone (or sometimes by two or more people acting together) whose authority over the encrypted data is the same as or better than the user who forgot their password.
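The distinction drawn above, as an added sketch that is not from the original article or from any encryption product: each volume gets its own random recovery key, split between two officers who must act together, instead of one built-in combination. The function names and header layout are hypothetical, and the HMAC-derived pad stands in for a vetted key-wrap such as AES Key Wrap so that the block runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Wrap a 32-byte data key under a key-encryption key (KEK).
    Stand-in for AES Key Wrap: a fresh salt gives a one-time pad via HMAC."""
    salt = secrets.token_bytes(16)
    return salt + xor(data_key, hmac.new(kek, salt, hashlib.sha256).digest())

def unwrap(kek: bytes, blob: bytes) -> bytes:
    salt, body = blob[:16], blob[16:]
    return xor(body, hmac.new(kek, salt, hashlib.sha256).digest())

def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes every passphrase guess expensive for an attacker
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)

def create_volume(passphrase: str):
    """Return (header, share_a, share_b, data_key). The two shares go to two
    different recovery officers; one share alone reveals nothing."""
    data_key = secrets.token_bytes(32)       # the key that encrypts the data
    recovery_key = secrets.token_bytes(32)   # unique per volume, never built in
    share_a = secrets.token_bytes(32)
    share_b = xor(recovery_key, share_a)     # share_a XOR share_b == recovery_key
    kdf_salt = secrets.token_bytes(16)
    header = {
        "kdf_salt": kdf_salt,
        "user_slot": wrap(passphrase_kek(passphrase, kdf_salt), data_key),
        "recovery_slot": wrap(recovery_key, data_key),
        # key-check value: detects a wrong passphrase, wrong share or tampering
        "check": hmac.new(data_key, b"key-check", hashlib.sha256).digest(),
    }
    return header, share_a, share_b, data_key

def _verify(header, candidate):
    tag = hmac.new(candidate, b"key-check", hashlib.sha256).digest()
    return candidate if hmac.compare_digest(tag, header["check"]) else None

def unlock(header, passphrase):
    """Normal path: the user's own passphrase opens the user slot."""
    kek = passphrase_kek(passphrase, header["kdf_salt"])
    return _verify(header, unwrap(kek, header["user_slot"]))

def recover(header, share_a, share_b):
    """Recovery path: both officers must supply their shares together."""
    return _verify(header, unwrap(xor(share_a, share_b), header["recovery_slot"]))
```

Shares from one volume open nothing else, which is the property a fixed backdoor combination lacks.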

4. DO I STILL NEED ENCRYPTION IF I AM USING THE CLOUD?

Some cloud providers transparently encrypt your data after you upload it, and decrypt it for you before you download it again.

That’s good, because it means that if someone breaks in and steals their hard disks containing your data, the crooks will probably end up with shredded cabbage.

But cloud-only encryption is not enough, which is why we recommend that you encrypt your data before it leaves your computer or your own servers, and decrypt it after you’ve downloaded it, even if the cloud provider encrypts it as well.

The problem with pure “in the cloud” encryption is that the cloud provider has to be able to decrypt your data to send it back to you, so he could, in theory, decrypt it at any other time, too.

And even if you trust your provider implicitly, you can’t always control where in the cloud infrastructure your data is stored.

So your data could end up – for example as part of a law enforcement operation that has nothing to do with you – decrypted by order of a court without you having any say, or even being told.

A good encryption product makes it easy to encrypt cloud uploads automatically before they leave your computer or your network, in just the same way as ensuring that files stored onto removable devices are encrypted before they are copied across.

5. SURELY NO-ONE IS INTERESTED IN LITTLE OLD ME?

Why wouldn’t they be?

If a crook can steal your data with an effort costing $0.02 and sell it for $200, why wouldn’t he?

Especially if he can write a script to scour the internet looking for weakly protected computers, and then steal the data automatically while he’s asleep.

According to the 2015 Verizon Data Breach Investigation Report, over 700 million records were compromised in 2014, and 53% of confirmed data loss incidents were in organisations with fewer than 1000 users.

THE BOTTOM LINE

No organisation anywhere in the world is immune to data theft and loss, regardless of geography, size or industry sector.

Encryption won’t guarantee to prevent or mitigate every possible sort of data breach.

But, like firewalls, email filtering, an intrusion prevention system, anti-virus, patch assessment and many other security tools, encryption adds another important layer of protection.

Encryption can help you ensure that if the worst happens, and criminals make off with your laptop, phone, server, removable disk, and so on, then when they try to extract your precious data…

…they really do end up with just shredded cabbage.

Image of Hamlet and Yorick (deceased) courtesy of Shutterstock.

19 Comments

Is this true for Macs?

“→ Just having a password isn’t enough. Boot-time passwords and logon windows can stop crooks using your computer directly. But by transferring your hard disk or SSD to a computer of their own, they can grab all your data and analyse it at their leisure.”

Yes. You can boot from USB or shift the disk to a USB enclosure and plug it in on another computer. OS X and Linux can read Mac volumes by default.

Thank you.

Beyond that, are bootable backups – such as can be made with SuperDuper or CarbonCopyCloner – open to being accessed without even needing to get past a login password?

I suppose TimeMachine backups are similarly open to being accessed?

No idea about the third-party products you mentioned.

But Time Machine backups can be encrypted, as can any external OS X volume. If you restore encrypted backups on another computer you need the password to decrypt the data.

AES (AES-NI) is now supported at the instruction set level in processors. So you cannot complain about the speed of it.

According to Wikipedia (must be true!), AES-GCM takes less than 4 CPU cycles per byte on an Intel CPU with AES-NI (New Instructions for AES) support.

Even on a budget laptop (what used to be called a netbook) without AES-NI and a modest (read: cheap) twin-core CPU, I have found myself unable to spot the difference with and without full disk encryption.

Was there not once a Sophos free encryption tool?
This would be ideal.
I download it, my contacts download it. We exchange passphrases over the phone and Bingo! Secure file transfer.
Then we can eliminate the learning curve and expense for PGP and S/MIME.
Even if it were offered as a subscription…

There was – “Sophos Free Encryption.” However it’s been discontinued. Sorry about that.

Shame on you. But thanks, 7Zip does it better.

GPG is available for Windows, Mac, and Linux. GUIs available if needed. GPG file encryption on the command-line is easy for the defaults (gpg -c file.txt / gpg file.txt.gpg), tiresome for strengthened options.

My analysis of 7-Zip’s source code (version 9.20) didn’t exactly fill me with confidence (http://copysense.co.uk/encryption.php).

Unfortunately I have had mixed results using 7Zip… Sometimes others cannot open my encrypted files. Other times I can’t open some of theirs.

Since you talk so warmly about encryption, it seems like a contradiction to discontinue your own free encryption, so why…
Was it not good enough?
Did NSA tell you to stop distributing encryption to the masses?

I typed in half a reply before I realised…

…I’d been trolled.

(Your questions are rather peculiar because you seem to be suggesting that our product was both not good enough and too good at the same time.)

We’ve got X amount of resource available to build and deliver free tools, of which we have quite a large number – see the right bottom sidebar on our main page. The free encryption toolkit (which was Windows only, as it happened) wasn’t our most popular…so we decided to put the resources needed to produce it into other projects instead.

Not sure where the contradiction is in that…

Would it not make sense to bring this free encryption tool back then, because as you mentioned in the first line, “Encryption is a hot topic in security circles these days”?
So would it gain more traction now, especially as it’s free and “encryption is a hot topic”?
I for one would look at installing this on my laptop.

Now considering the widespread use of Bitlocker on new Windows machines, I would imagine that it’s less useful.

You can keep using it if you already have it. There’s no timeout.

(In fact, but don’t tell a soul, you can still download it. If you can figure out a search term that will locate the Naked Security article that contains the needed “download now” link :-)

I may be wrong, but I seem to recall Sophos dropping their disk encryption around when Windows started including BitLocker for free on their OS.

Which does still leave most Windows 7 users in a lurch with TrueCrypt defunct. But I’m starting to see more home AV solutions that have encryption come with them, so that’s something.

As a previous poster mentioned, there’s always GPG. Slick it is not, but it can do simple and secure symmetric file encryption, given enough command line qualifiers. I use it sometimes when shifting stuff from OS X to Linux and back.
