Encryption
On this page: encryption, cryptography, cryptographic technique, secure storage, encryption software
Date of last review: 2023-05-15
Encryption is a technique to convert digital information into a code or cipher, which can only be read by someone who has the key to decipher or decrypt it. It can be applied to many digital objects, such as text strings, files, folders or entire storage drives. The format of the decryption key can also vary between a password, a randomly generated code, or a file.
For personal data, encryption can be seen as a pseudonymisation technique, where the encrypted data are pseudonymised and the encryption key is the additional information needed to identify individuals. In research, encryption is often applied for data “at rest”, that is, data that are stored and not actively used. However, data can also be encrypted in transit (i.e., during transfers) or even in use (i.e., performing computations on encrypted data).
Types of encryption
There are several types of encryption. How they work can get complicated very quickly, but here is a general overview of the different types:
- Symmetric encryption: the same key is used for both encryption and decryption. This is a relatively quick way to encrypt data and is most often used for research data. Because anyone who obtains this single key can decrypt the data, it is crucial to choose a hard-to-guess key and to store and transfer it securely. Example algorithms that use symmetric encryption are AES, (3)DES, Blowfish, and IDEA.
- Asymmetric encryption (public-key): two different keys are used for encryption and decryption: a public key is used for encryption and can be shared with anyone, and a private key is used for decryption, which must be kept secret. This is also known as end-to-end encryption and is used in many messaging platforms to prevent service providers from decrypting private messages. Example algorithms are RSA and elliptic curve cryptography.
- Hybrid ciphers: hybrid ciphers combine the speed of symmetric encryption with the security of asymmetric encryption. Typically, a symmetric algorithm is used to encrypt the data, and an asymmetric algorithm is used to encrypt the symmetric key. This type of encryption is commonly used in secure communications, such as email and virtual private networks (VPNs).
In general, the more “bits” that are used by an encryption algorithm, the larger the number of possible keys is, and thus the harder it is to guess the correct key using a brute-force attack.
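The hybrid scheme described above, as an added example (not code from this handbook or from any tool it lists): a fresh AES-256-GCM key encrypts the data, and RSA-OAEP wraps that key for the recipient, using the built-in Node.js crypto module. The function names, the sample record and the choice of AES-256-GCM with a 3072-bit RSA key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Recipient's key pair. Generated here so the example runs offline; in
// practice the recipient creates it and shares only the public key.
function generateRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 3072 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Symmetric step: encrypt the data with a one-time AES-256-GCM key.
// Asymmetric step: wrap that key with the recipient's public key.
function hybridEncrypt(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32); // 256-bit symmetric key
  const iv = crypto.randomBytes(12);      // 96-bit nonce, unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();        // detects later modification
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Only the holder of the private key can unwrap the data key and decrypt.
function hybridDecrypt(privateKey, msg) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// True when decryption is rejected (wrong private key or altered ciphertext).
function decryptFails(privateKey, msg) {
  try {
    hybridDecrypt(privateKey, msg);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample record, not real participant data.
const SAMPLE = Buffer.from('participant_id,age\nP001,34\n', 'utf8');
```

Only `wrappedKey`, `iv`, `tag` and `ciphertext` need to be stored or sent; the private key stays with the recipient.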
When to use
Encryption can be applied on different levels. In research, data are usually encrypted either at the drive level or at the file/folder level:
- Full-drive encryption (“volume” encryption) makes sure that data on storage drives or devices are not readable if someone gains unauthorised access to the device or drive. It is generally recommended to always apply this to devices that contain research data, but particularly when:
  - you want to protect data on your personal laptop (encrypt the entire laptop or specific hard drives).
  - you collect data on portable devices like USB sticks and audio recorders.
- Encryption of individual files or folders (“container” encryption) can be used when you need to protect individual files or folders. Use it when:
  - you cannot physically separate different types of personal data on different storage locations and need to make sure that a limited number of people can access the encrypted data.
  - you have to store personal data on a non-encrypted drive that multiple people can access, although they do not need access to those data.
  - you need to send personal data to a collaborator, for example via the cloud or via a file sender.
Implications for research
- Encryption only guarantees protection while the data are encrypted, which is usually during storage or in transit. For example, encryption is generally not a suitable safeguard to protect data during data analysis, because usually data need to be decrypted in order to be read by analysis software. This implies that when you need to decrypt the data, other safeguards must be in place to protect the data, such as controlled access and a secure workspace.
- Responsible key management is crucial. In principle, the data cannot be accessed without a decryption key. Although some encryption software offers the possibility to create recovery keys, there is still someone who needs to manage the key(s), as long as the data are encrypted.
- When you use file/folder encryption, please note that in some cases, folder and/or file names are not encrypted. If these names contain sensitive information, consider renaming the folders/files or putting them in a zipped folder with a non-sensitive name and then encrypting the zipped folder.
- Just because you encrypt data with a state-of-the-art encryption algorithm now, that does not mean the data are necessarily protected in the future as well. Encryption algorithms can become unsafe due to, for example, new technological developments or bugs in the encryption algorithm that make it more vulnerable to attacks. Therefore, if you store encrypted files for a long period of time, you need to regularly re-assess whether the algorithm is still secure enough and if needed, re-encrypt the data.
Tools and resources
- We have created an overview of commonly used encryption tools in our GitHub repository. Note: many institutes have institution-wide encryption software available. Please consult with your information security officer to determine which tool you can best use for your situation.
- Ghent University has created guidance on several common encryption tools in different scenarios.
- In this introductory book, you can read further if you want to know more about cryptography.