Guidance on Data Encryption
Guidance on Data Encryption and the use of TrueCrypt Encryption
When should data be encrypted?
Confidential or sensitive data such as personal information that
is stored and transmitted on portable devices such as laptops
should be secured against unauthorised access.
Historically, passwords have been considered sufficient to
protect portable devices. However, it is now recommended by the
Information Commissioner to “encrypt any personal information held
electronically that would cause damage or distress if it were lost
ICT Services staff will install and configure encryption
software on university laptops on request. If you are
unsure if the data you need to store or transmit using a portable
device should be encrypted in addition to the use of passwords,
please contact ICT Services and the Data Protection Officer for
What encryption software is used?
ICT Services have selected TrueCrypt as the university’s
encryption tool. It is open source software and can be used
on Windows, Mac and Unix. It can be used to encrypt folders,
USB flash drives as well as internal hard drives.
Mac users may wish to use the built-in ‘FileVault’ encryption
utility as an alternative to TrueCrypt.
Essential Information about the use of Encryption and
- You should keep a master copy of any encrypted data on the
- The TrueCrypt password must not be written down and kept with
the portable device as this would be deemed as negligent as not
having the data encrypted.
- You should only take confidential or sensitive data off-site
where it is essential.
- TrueCrypt does not have a password recovery feature. If the
password is lost or forgotten it will not be possible to decrypt
the data. ICT Services will keep a copy of the initial
TrueCrypt password for a device on file for end-users of University
devices but if the password is subsequently changed and ICT are not
informed they will not be able to decrypt the data.
How do I arrange for my laptop to be encrypted?
All newly issued laptops from March 1 2011 will have TrueCrypt
installed and it will be configured in liaison with the laptop
user. If you have a laptop issued prior to March 1 2011,
please contact ICT Services to arrange installation and
Privately owned laptops / computers
If university data is stored on non-university owned devices,
then the owner is responsible for the security of that data.
It should be protected by all appropriate security software and
mechanisms for that device to ensure minimise the risk of a data
breach. If you wish to install TrueCrypt encryption software
(at your own risk) then information on installation and
configuration can be found at http://www.truecrypt.org/.
ICT Services are available to offer advice and guidance if