S 4.29 Use of an encryption product for laptop PCs

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT-user

In order to prevent sensitive data being read from a laptop PC which, despite all precaution, has been stolen, an encryption program should be used. By means of the commercially-available products, individual files, certain areas or the entire hard disk can be encrypted in such a way that only the individual holding the secret key will be able to read and to use the data.

For secure encryption, three different requirements are of crucial importance:

• The encryption algorithm must be designed in such a way that it is impossible to reconstruct the plain text from the encrypted text without knowledge of the relevant key, i.e. the effort required to crack the algorithm or cipher should be much greater than the value of the information obtained as a result.

• A suitable key should be selected. If possible, it should be generated randomly. If a key can be selected like a password, the relevant instructions in S 2.11 Provisions governing the use of passwords must be observed.

• The encryption algorithm (the program), the cipher text and the keys must not be saved on the same data media. It is advisable to store the key separately. This can be done by recording it on pasteboard and then keeping it like a credit card in the purse/wallet. If the keys are stored on floppy disks, the diskettes should be kept separate from the laptop (e.g. in a briefcase).

Such encryption can be effected either online or offline. "Online" means that all data of the hard disk (or of a partition) is encrypted without any active intervention by the user. Offline encryption is explicitly requested by the user. In that case, he will also have to decide which files are to be encrypted. For the selection and use of cryptographic procedures, chapter 3.7 Crypto-concept should also be read.

For use on stationary and portable PCs, BSI can, under certain basic prerequisites, provide public agencies with an offline encryption program meeting medium-level protection requirements. A printed request form is located in the section covering Auxiliary Materials of this IT Baseline Protection Manual.

Additional controls:

• Are the users trained in the use of the encryption program?

• Are the data and keys stored separately?