Encrypt sensitive information

Encrypting data makes the information unreadable; it can only be read by using a secret key to unlock it, a process called decryption. Data encryption can be applied to both stored data (on computer drives or removable media) and data shared via networks.

Mobile devices and removable media, including laptops, USBs, hard drives and DVDs, pose particular risks, and encryption can be used to reduce these risks when sharing or storing sensitive information using these methods. Find out how to Protect mobile devices.

If you are dealing with sensitive or personal information, you may need to encrypt it. If you are not sure, check with the ICT Security team via the ICT Service Desk.

There are a number of supported options available for encrypting your data on different media.

Options for encrypting sensitive information

Encrypting data on central file space/group space/H:drives

Research groups and members of staff working with sensitive data can encrypt their data using Symantec File Share Encryption. If you are interested in using this service, contact the ICT Service Desk.

Note

This service is only available for Windows users. 

Encrypt your mobile device

Encrypting data makes the information unreadable unless the viewer uses a secret key to unlock it, a process called decryption. Data encryption can be applied to both stored data (on computer drives or USB storage devices) and data being transferred via networks. If you store data, emails or photos on your portable device then you should encrypt the information to protect it. If the device is also protected with a PIN or password, encryption will further reduce the risk of your data being subject to unauthorised access. Check the manufacturer's instructions for more information on how to encrypt your mobile device.

Encrypting email

To send digitally signed or encrypted emails, you need to obtain and install a personal certificate. Read Encrypt emails (digital signature).

Encrypting laptops

Windows machines

All laptops purchased with College funds must be encrypted to safeguard data. For laptops to be encrypted they must be business-level models and include a Trusted Platform Module (TPM) chip.

All laptops available for purchase from the preferred Imperial supplier, Hewlett Packard (HP), meet requirements for encryption and can be encrypted by ICT. Visit the Shop.

If you purchase a laptop from another manufacturer, you must ensure that it has a TPM chip, as this is required to encrypt the laptop.

Mac machines

FileVault 2

We are able to offer College-supported full-disk encryption for Mac laptops using Apple's built-in FileVault 2.

FileVault 2 full-disk encryption in OS X Mavericks (10.9) uses the government-approved encryption standard, the Advanced Encryption Standard with 256-bit keys (AES-256). In OS X Mountain Lion and below it uses 128-bit keys (AES-128).

Need help?

If you need assistance, contact the ICT Service Desk.

Encrypting desktops

Desktops are not encrypted by default but this can be done on request. Contact the ICT Service Desk to arrange encryption of a desktop.

Encrypting removable media

There are two main methods for encrypting removable media, such as USBs and hard drives:

  • Using hardware (devices that encrypt all data automatically).
  • Using software (software encrypts files stored on the media).

If you are unsure which solution is most appropriate, contact the ICT Security team via the ICT Service Desk.

Hardware encryption

There are a number of USB storage devices that support hardware encryption. Using this method will ensure that all data stored on the media is encrypted. It can be more expensive than the software options, and some hardware needs drivers to be installed on the computer before the hardware can be used.

Kingston DataTraveler devices are compatible with Windows and OS X machines and are available via our preferred supplier, BT Business Direct.

Software encryption

Software encryption solutions tend to be cheaper than hardware but may require you to store the data in a certain way, to ensure that it is encrypted. If data is stored in the wrong place, the data would not be encrypted as expected. The onus is on you to make sure that your data is correctly saved in an encrypted area.

See encrypting files on Windows or Mac and Linux machines, below.

Encryption options using Windows

There are two options for encryption when using a Windows machine: WRM and 7-Zip.

Windows Rights Management

The ICT Security team provides support for Windows Rights Management (WRM). WRM provides encryption and control of document distribution to users of Microsoft Office (including Outlook).

WRM is available when using Microsoft products and allows you to quickly encrypt and share files safely with other members of Imperial College London.

Instructions on using WRM
  1. Open the document, spreadsheet or email you wish to protect.
  2. Go to the Office button in the top right-hand corner of the document and select Prepare.
  3. Select one of the options: Encrypt Document, Restrict Permission, Add a Digital Signature.

For advice on how to use WRM with your Outlook, see Encrypting Email, above.

7-Zip

7-Zip should be preinstalled on all College-owned Windows desktop machines and is used to encrypt the contents of a Zip or 7-Zip file. It is available on Linux, OS X and Windows. 7-Zip relies on a secret key to encrypt and decrypt files.
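A Zip file can hold encrypted and unencrypted entries side by side, and its entry names stay readable without the key. The following added example (not part of the original guidance) uses Python's zipfile module to list entries whose encryption flag is not set; the sample archive and its file names are constructed, with the flag set by hand because zipfile cannot write encrypted entries.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry data is encrypted


def audit_zip(source):
    """Return (all_names, unencrypted_names) for a Zip file path or file object.

    Only the central directory is read, so no key is needed. That also shows
    that entry names in a Zip file are visible to anyone who holds the file.
    """
    with zipfile.ZipFile(source) as zf:
        files = [info for info in zf.infolist() if not info.is_dir()]
    names = [info.filename for info in files]
    clear = [info.filename for info in files
             if not info.flag_bits & ENCRYPTED_FLAG]
    return names, clear


def constructed_sample():
    """Build a two-entry archive in memory (constructed test data).

    The first entry is marked as encrypted by setting flag bit 0 in its
    central directory record; the second is left as a plain entry, as if
    it had been added later without a key.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patients.csv", "id,name\n")
        zf.writestr("notes.txt", "added later without a key\n")
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record is the last 22 bytes (no comment);
    # the offset of the first central directory record sits at byte 16 of it.
    (cd_offset,) = struct.unpack_from("<I", raw, len(raw) - 22 + 16)
    (flags,) = struct.unpack_from("<H", raw, cd_offset + 8)
    struct.pack_into("<H", raw, cd_offset + 8, flags | ENCRYPTED_FLAG)
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    names, clear = audit_zip(constructed_sample())
    print("Names visible without the key:", names)
    print("Entries stored WITHOUT encryption:", clear or "none")
```

To check a real archive before sharing it, pass its path to `audit_zip`; an empty second list means every file entry carries the encryption flag.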

Encryption options using a Mac

Mac OS X offers built-in encryption of your Home folder with FileVault.

Read Apple instructions for FileVault.

You can also create an encrypted disk image to store encrypted files, using the Disk Utility tool.

7-Zip

7-Zip should be preinstalled on all College-owned Windows desktop machines and is used to encrypt the contents of a Zip or 7-Zip file. It is available on Linux, Mac OS X and Windows. 7-Zip relies on a secret key to encrypt and decrypt files.

Encryption options using Linux

You can use various tools to encrypt files stored on a computer running the Linux operating system. 

VeraCrypt

For volume/disk level encryption, we recommend VeraCrypt.

  • Online help for VeraCrypt
  • Please ensure that you back up a copy of the password you use to encrypt the volume/disk. If you lose it, you will no longer be able to access your data.

7-Zip

7-Zip should be preinstalled on all College-owned Windows desktop machines and is used to encrypt the contents of a Zip or 7-Zip file. It is available on Linux, OS X and Windows. 7-Zip relies on a secret key to encrypt and decrypt files.

Encrypting data stored in the cloud

If you are currently a Box, Dropbox, Google Drive or OneDrive user, we recommend that you use nCrypted Cloud to secure your data. nCrypted Cloud software can be used to encrypt (protect) folders and files stored in the cloud. The software will help to lessen the risks of using cloud storage providers. Read Encrypt data stored in the cloud.