Overview
Support for encryption at Berkeley Lab is best effort only; the
recommendations below are CPP recommendations, not lab standards.
Remember that Personally Identifiable Information and Personally Identifiable Health Information as defined here may only be stored in the central business systems approved for PII (HRIS, FMS, etc).
If you hold sole source institutional information under encryption,
you must archive your key and passphrase with your supervisor,
two different individuals, or a designee. This is required
in order to allow recovery of sole source institutional information
in the event that it is deemed necessary by the Laboratory.
Encrypting Email
PGP - one of the commonly used methods to encrypt email is public key
encryption, specifically PGP. For email encryption, CPP recommends
Enigmail, an extension to the lab standard email client Mozilla. With
Enigmail and Mozilla you can seamlessly use GnuPG, an open source
replacement for PGP, to encrypt email communications. CPP has prepared
a presentation that documents the setup of Enigmail and GnuPG for
Mozilla. The presentation can be found here.
This is the strongest and best alternative for encrypting email.
Encrypting Files
PGP - using a PGP application such as GnuPG, mentioned above for email
encryption, you can encrypt files. In addition, tools such as Windows
Privacy Tools facilitate file encryption and key management for GnuPG.
Built-in - many modern operating systems have built-in capabilities to
encrypt files. The use of these built-in capabilities is recommended.
Utilities - the following utilities can be used to encrypt files.
- 7zip is a utility that can be used to password protect [encrypt] and
compress a file.
- TrueCrypt is a free utility to encrypt entire disks or files.
- Password protected MS Office documents: your colleague password
protects an Office document and calls you with the password. MS Office
encryption is not robust and is easily breakable; however, this may be
sufficient for transmitting OUO or other low-sensitivity information.
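The following is an added example, not from this page or from CPP, of the GnuPG file-encryption option recommended above: it encrypts a file in GnuPG's passphrase (symmetric) mode, confirms the ciphertext hides the plaintext, recovers it with the right passphrase, and shows that a wrong passphrase recovers nothing, which is why the page requires archiving the key and passphrase with a supervisor or designee. It assumes GnuPG 2.x is installed as gpg; the sample file, passphrase and temporary GNUPGHOME are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not CPP/LBNL code): GnuPG symmetric file encryption
# round trip. Assumes GnuPG 2.x ("gpg"); all inputs are constructed.

# encrypt_file PLAINTEXT CIPHERTEXT PASSPHRASE
encrypt_file() {
  gpg --batch --yes --quiet --homedir "$GNUPGHOME" \
      --pinentry-mode loopback --passphrase "$3" \
      --cipher-algo AES256 --symmetric --output "$2" "$1"
}

# decrypt_file CIPHERTEXT PLAINTEXT PASSPHRASE
decrypt_file() {
  gpg --batch --yes --quiet --homedir "$GNUPGHOME" \
      --pinentry-mode loopback --passphrase "$3" \
      --decrypt --output "$2" "$1"
}

# roundtrip_check PASSPHRASE: returns 0 when the ciphertext does not
# contain the plaintext, the right passphrase recovers the file
# byte-for-byte, and a wrong passphrase fails to decrypt it. Uses a
# throwaway GNUPGHOME so the caller's keyring is never touched.
roundtrip_check() {
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/gnupghome"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" || return 1
  # Constructed sample content standing in for an OUO record.
  printf 'OUO sample (constructed): budget line 1234\n' > "$work/plain.txt"
  rc=1
  if encrypt_file "$work/plain.txt" "$work/plain.txt.gpg" "$1" \
     && ! grep -q 'constructed' "$work/plain.txt.gpg" \
     && decrypt_file "$work/plain.txt.gpg" "$work/out.txt" "$1" \
     && cmp -s "$work/plain.txt" "$work/out.txt" \
     && ! decrypt_file "$work/plain.txt.gpg" "$work/bad.txt" "not-$1" 2>/dev/null
  then
    rc=0
  fi
  gpgconf --homedir "$GNUPGHOME" --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return $rc
}
```

Run it as `roundtrip_check 'your-passphrase' && echo ok`; in practice keep the passphrase out of the command line (for example via `--passphrase-file`) so it does not land in shell history.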
Entrust Use at LBNL
Entrust is a product used in some parts of DOE to provide Public Key
Infrastructure based encryption. This section covers important
information about Entrust at LBNL. Entrust is neither provided by nor
supported by LBNL. LBNL does not have an Entrust server deployed, nor
do we expect to deploy an Entrust server in the near future.
Since all LBNL work is unclassified and non-sensitive, most LBNL
employees do not have a regular need to exchange encrypted email with
other DOE entities.
Entrust is commonly utilized within DOE to transmit information that
is PROHIBITED on LBNL computers and on the LBNL site. You must take
responsibility to inform your colleagues about the restrictions on
your use of Entrust. Most "DOE Sensitive" information is prohibited at
LBNL. UCNI is also sometimes transmitted in Entrust, but UCNI
information is also prohibited at LBNL. OUO information is commonly
exchanged in Entrust; however, OUO can be transmitted in other ways.
The DOE OUO Directive recommends encryption in transit but does not
require it when a means of encryption is not readily available. As an
alternative to either unencrypted or Entrust encrypted transit of OUO
information, consider utilizing the tools referenced above.
If you still need Entrust, you may be able to receive an Entrust
certificate by being sponsored by a collaborator or colleague at
another DOE Laboratory, at DOE HQ, or at a site office other than BSO.
Inquire with your collaborators about getting Entrust through their
facility. If you still need assistance getting or using Entrust,
contact cppm@lbl.gov. Here are some instructions for approved Entrust
users.