Encryption software - Free And Open Source Vs. Proprietary
By Graeme Batsman
In this article Graeme Batsman looks at open source and proprietary (both paid for and free) encryption software. Encryption software encrypts (encodes) data so that a human reader cannot understand it without the means to decrypt it, for example if it gets into the wrong hands.
Cryptography has existed for thousands of years, starting off with the ancient Egyptians, to the Greeks and Romans, and most recently (and most famously), Bletchley Park and the Enigma code breakers of World War II.
Encryption can be used on all kinds of digital media - USB flash drives, USB hard drives, documents (files), emails, website forms, laptops, optical media (CDs, DVDs) - and can even encrypt a printed A4 sheet of paper (think MI5/MI6). Today it’s essential for securing data and meeting compliance rules, mainly the Data Protection Act (DPA), regulated by the Information Commissioner's Office (ICO), and other regulatory bodies like the Financial Services Authority.
ICO's advice is: “I can advise, however, that our office would generally expect that portable media are encrypted. In regard to deciding what security measures to take in respect of personal data processed on static equipment, in each case an organisation must take into account such factors as the nature of the data and the harm that might result from any unlawful processing or loss of that data”.
To put it simply, ICO is saying that any data which is portable needs to be encrypted. This mainly refers to laptops, USB devices and optical media.
What encryption software to use?
As with all technologies, there is a choice. A well known open source encryption tool is TrueCrypt. However, not all proprietary (closed source) software is paid for - there are some free tools available, an example being DESlock, which has a free personal licence edition (check with DESlock for not-for-profit organisational use).
The following table highlights the differences between generic open source and proprietary software:
|                  | Open source                 | Proprietary                 |
|------------------|-----------------------------|-----------------------------|
| Support          | Partly, mainly a free forum | Yes, email or phone         |
| Paid for         | Not usually                 | Mostly                      |
| Compliant        | Rarely                      | In most cases               |
| Easy to use      | Not usually                 | A little easier to use      |
| Multi functional | Some                        | Even more                   |
| Strong security  | Yes                         | Yes, sometimes stronger     |
The following table highlights the differences between TrueCrypt and DESlock personal edition:
|                                                                                                                                         | TrueCrypt | DESlock personal         |
|-----------------------------------------------------------------------------------------------------------------------------------------|-----------|--------------------------|
| Laptop encryption (secures an entire laptop – if lost or stolen)                                                                        | Yes       | No, but on paid editions |
| Removable media encryption (secures an entire device – if lost or stolen)                                                               | Yes       | No, but on paid editions |
| File and folder encryption (restricts/encrypts a folder or document – stops access internally and reduces impact if leaked)             | No        | Yes                      |
| File shredder (removes documents or folders for good – stops data recovery)                                                             | No        | Yes                      |
| Outlook email encryption (secures emails – from interception and possibly hacking)                                                      | No        | Yes                      |
| Virtual disks and archives (creates a secure “Zip” style file - similar to a file/folder but compressed and secured)                    | Yes       | Yes                      |
| Text and clipboard encryption (ability to encrypt the clipboard or create MI5 style letters)                                            | No        | Yes                      |
All of the above increase data security and compliance with the UK DPA and other laws.
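To make concrete what the "virtual disk and archive" row and the definition at the top of the article mean in practice (the data is unreadable without the means to decrypt it, and a wrong passphrase or a tampered file is rejected rather than decrypted to garbage), here is an added example in Go. It is not code from TrueCrypt, DESlock or the author; the container layout, the iteration count and the sample text are constructed for this illustration. It uses AES (the FIPS 197 algorithm mentioned later in the article) in GCM mode with a key derived from a passphrase by PBKDF2-HMAC-SHA256, written out with the standard library only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not a real product's format):
//   salt (16 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte tag
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32
	iterations = 100_000 // illustrative; tune to your hardware/threat model
)

// pbkdf2SHA256 derives a key from a passphrase per RFC 8018, using only
// crypto/hmac and crypto/sha256 so the block runs stand-alone.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(P, S || INT(block))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T = U1 xor U2 xor ... xor Uc, with Uj = PRF(P, Uj-1)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newAEAD(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces a container from a passphrase and plaintext. A fresh random salt
// and nonce are generated per container; the header is authenticated as AD.
func Seal(password, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, header[saltLen:], plaintext, header)
	return append(header, ct...), nil
}

// Open recovers the plaintext; a wrong passphrase or any modified byte fails
// authentication, so the caller never receives corrupted "decrypted" data.
func Open(password, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen {
		return nil, errors.New("container too short")
	}
	header := container[:saltLen+nonceLen]
	aead, err := newAEAD(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, header[saltLen:], container[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or container has been tampered with")
	}
	return pt, nil
}

func main() {
	pw := []byte("correct horse battery staple") // constructed sample passphrase
	msg := []byte("Constructed sample: donor list, not for release")
	c, _ := Seal(pw, msg)
	fmt.Println("plaintext visible in container:", bytes.Contains(c, msg)) // false
	_, err := Open([]byte("wrong passphrase"), c)
	fmt.Println("wrong passphrase:", err)
	c[len(c)-1] ^= 1 // flip one bit of the tag
	_, err = Open(pw, c)
	fmt.Println("tampered container:", err)
}
```

The design point for the reader: the "stops access" and "nearly impossible to read if leaked" claims in the table rest on the key never being stored alongside the container and on authenticated encryption, so that a leaked or altered file yields an error rather than readable or silently corrupted output.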
What do we mean by the word compliant? Compliant means the software and/or encryption algorithm has been tested by a government (UK or USA). Federal Information Processing Standard (FIPS) is a United States Government standard administered by the National Institute of Standards and Technology (NIST). CAPS and CCTM are the corresponding UK schemes, run by CESG, the UK Government's National Technical Authority for Information Assurance. Both standards mean the encryption algorithm or software/hardware product has been tested and passed.
ICO recommends FIPS certified products - “Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented, meets the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 197”. Typically open source software is not FIPS certified, whereas many closed source vendors' products are.
So what should you choose?
The main difference between open and closed source is compliance and support. If you install TrueCrypt and you need help or something goes wrong, you cannot call the vendor. If you pay for software then support and a warranty are normally included, giving you access to email or phone support. Just because software is free doesn’t mean it is poor quality or insecure. TrueCrypt offers quite a few features but is quite technical to set up, and some features are fiddly to use even once set up.
DESlock personal edition is great for locking down files, folders, emails and archives by encrypting them. It restricts access and means that if an encrypted file is leaked, it’s nearly impossible to read. If you wish to encrypt emails, both parties need the software installed, but the personal edition is free.
- Martini security - working safely online anytime, anyplace, anywhere
- Paul Ticher's Data Protection Update - November 2011