This is a routine on how to store and transfer files containing sensitive data.
If you need to email a file which contains sensitive or confidential information, the data must be encrypted. You should do this, for example, when you want to send lists with ID numbers, files containing internal company information, etc. The same method should be used when you store such files. However, please note that storage of any personal information about others requires additional protective measures. There is a separate routine for this (see useful links).
When you encrypt a file, you use a password. In order to open the file, the same password is needed.
Please follow the security guidelines below for the encryption of files and the use of passwords:
You need to use an encryption programme that is secure.
You will need a sufficiently long password, of at least 8 characters. We recommend using a passphrase (a sentence).
You need to transfer the password via a different communication channel from the one you use to send the file. This means that if you send the file by email, the password should be sent in a different way. Text messaging or a telephone conversation are good ways to communicate the password.
The IT-Department recommends the use of 7-zip as a programme to compress and to encrypt files. This programme is normally present on all PCs, and if missing it is easy to install. The quality of the encryption algorithm is satisfactory (AES256). Please note that the traditional “ZIP-encryption” is not secure enough.
The recipient must have the same programme, or another programme that supports the same format. You can download 7-zip from this site if necessary.
Add to archive
With your cursor on the file, right click and choose 7-Zip, Add to archive. Now you will be able to choose between more options than when you directly store a compressed file.
You will see the window shown, and you must fill in the fields circled in red and click OK.
The password must be at least 8 characters and should be hard to guess.
At Format you will have the option to select zip. However, in that case you must make sure that the encryption method is AES256 and not ZipCrypto, which is the old zip standard and is not secure enough. With the 7z format, AES256 is the only encryption method you can select.
When you store the file, it is encrypted. It may now be sent by email or stored on a USB stick or shared disk.
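An added example, not part of the original routine and not 7-Zip's own code: a Python check for the zip-format warning above. It reads a .zip file's central directory and reports, for each file, whether it is unencrypted, uses the old ZipCrypto, or uses AES (with key strength). The function names and the sample archive records are constructed for this illustration; Zip64 archives are not handled, and any encrypted entry that is not AES is assumed to be ZipCrypto.

```python
import struct

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"   # end-of-central-dir / entry header
AES_STRENGTH = {1: "AES128", 2: "AES192", 3: "AES256"}

def _aes_strength(extra: bytes) -> str:
    # Walk the extra-field records looking for the WinZip AES record (ID 0x9901).
    i = 0
    while i + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, i)
        if hid == 0x9901 and size >= 7:
            # Layout: id(2) size(2) version(2) vendor "AE"(2) strength(1) method(2)
            return AES_STRENGTH.get(extra[i + 8], "AES (unknown strength)")
        i += 4 + size
    return "AES (unknown strength)"

def zip_encryption_report(data: bytes) -> dict:
    """Return {file name: 'none' | 'ZipCrypto' | 'AES256' ...} for a .zip archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive (no end-of-central-directory record)")
    # Total entry count, central directory size, central directory offset.
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    report = {}
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        if not flags & 0x1:                 # flag bit 0 clear: entry is not encrypted
            report[name] = "none"
        elif method == 99:                  # method 99 marks a WinZip AES entry
            report[name] = _aes_strength(extra)
        else:                               # assumption: anything else is ZipCrypto
            report[name] = "ZipCrypto"
        pos += 46 + nlen + xlen + clen
    return report

# Constructed sample: three central-directory records and an EOCD, no file contents.
def _entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    return (CDH_SIG + struct.pack("<HHHH", 20, 20, flags, method) + bytes(16)
            + struct.pack("<HHH", len(name), len(extra), 0) + bytes(12) + name + extra)

_AES256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
_cd = (_entry(b"plain.txt", 0, 8) + _entry(b"legacy.docx", 1, 8)
       + _entry(b"list.xlsx", 1, 99, _AES256))
SAMPLE = _cd + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 3, 3, len(_cd), 0, 0)

if __name__ == "__main__": print(zip_encryption_report(SAMPLE))
```

To check a real file, pass its bytes: zip_encryption_report(open("archive.zip", "rb").read()). Any entry reported as ZipCrypto should be re-created with AES256 before it is sent.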
Encryption of several files
7-Zip is a software programme that compresses files. If you use 7-zip on a folder instead of a file, you can encrypt all files in exactly the same manner and send several files compressed together as one encrypted and compressed file. To do this, just right click on the folder, choose 7-zip and Add to archive.
Encryption of the name of the file
When even just the file name can reveal elements of its content, you should make sure to also encrypt the original name so that it will not be shown until after the password is entered. You can name the encrypted file (secret document.7z) whatever you like. The name that comes up is simply a suggestion to ensure that the file name does not reveal anything about the content.
As it is normally good to know what a file contains before opening it, the usual procedure is to not encrypt the file name.
As shown in the example below, if the file name is not encrypted, it is possible to see the names of the files in the 7-zip file without having to enter a password. So please be aware of this!
A file named «students.docx» is not very risky. However, a file like «Complaint-from-Ola-Nordman.docx» may already reveal confidential information. In such cases it is smart to tick the Encrypt file name box.
Decryption
Decryption and uncompression occur when the recipient opens the encrypted file in 7-Zip. Here you will have the option to Open or Uncompress or Uncompress here. The latter means that no new sub-folder is created. You will be asked for a password and then get access to the content.
Transfer of files – use separate communication channels
Files and folders that are encrypted in a secure way can be shared with others in need of the information, via a shared folder or via email.
However, as mentioned previously, it is important that the password to decrypt the data is not sent via the same communication channel. If anyone intercepts the email, it is important that they do not also get hold of your password. Oral communication or a text message are good ways to communicate such passwords. Naturally, you should also make sure that you do not use a password that you also use for other purposes.