Sensitive Data On USB Drives/Sticks
Disclaimer: I’m not in government, so if you’re going to consider encryption, first talk to someone authoritative like the GCSB about NZ government practices around encryption.
ComputerWorld reports that the Privacy Commissioner Marie Shroff says that government agencies have inadequate USB stick security. The problem is that sensitive data is being taken out of government agencies and occasionally the sticks are lost. As they say in the article, “only last week someone told her that he had given a presentation to staff of a large government department and a memory stick containing departmental information had been handed to him in mistake for the one containing his presentation”.
Mistakes happen, but with digital files we have the opportunity of encryption so that we lose nothing of value when misplacing a USB drive. Without a decryption password the stick is useless (well, unless an unscrupulous person wants to spend millions of dollars and years trying to break the password).
The GCSB set standards for government agencies and encryption in section 2.9.18 of their NZ ICT Security Manual [1MB, PDF]. For “IN CONFIDENCE, SENSITIVE and RESTRICTED” data they say to use AES, such as AES-256. Naturally the best security software is open to allow analysis and peer review, and the free and open source software TrueCrypt supports AES-256.
A common excuse for not using encryption is that people want to plug the USB stick into any computer: an arbitrary computer won’t have the necessary decryption software, and it’s inconvenient to download it just to access the encrypted files. A way around this is to format the whole drive as FAT32, copy the decryption software installer to it, and then fill up the rest of the drive with a ‘virtual partition’ file. That way, when you want to access your files on a machine without decryption software, you can install it from the stick and open your encrypted virtual partition file.
Of course plugging a USB stick into just any computer has its own problems (keylogging, file caches, etc.), so you should always ensure that you trust the machine used for decryption.
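An added example (not part of the original post) that sizes the ‘virtual partition’ file for the FAT32 layout described above. It goes slightly beyond the text by handling FAT32's limit of 4 GiB minus one byte per file; the function names, the 16 MiB reserve and the sample sizes are assumptions.

```python
import shutil

MIB = 1024 * 1024
FAT32_MAX_FILE = 2**32 - 1  # FAT32 cannot store a single file larger than this


def plan_container(free_bytes, installer_bytes, reserve_bytes=16 * MIB):
    """Size the encrypted container file for a FAT32 stick.

    Returns (container_bytes, leftover_bytes). The container is rounded
    down to whole MiB. leftover_bytes is free space that does not fit in
    the container and therefore stays outside the encrypted volume.
    reserve_bytes is slack kept free on the drive (an assumed value).
    """
    available = free_bytes - installer_bytes - reserve_bytes
    if available < MIB:
        raise ValueError("drive too small for the installer plus a container")
    # Cap at the FAT32 per-file limit, then round down to a whole MiB.
    container = (min(available, FAT32_MAX_FILE) // MIB) * MIB
    return container, available - container


def plan_for_drive(mount_point, installer_bytes):
    """Same plan, using the real free space of a freshly formatted drive."""
    return plan_container(shutil.disk_usage(mount_point).free, installer_bytes)


if __name__ == "__main__":
    # Constructed sample sizes: a 5 MiB installer on 1 GiB and 8 GiB sticks.
    for free in (1024 * MIB, 8192 * MIB):
        container, leftover = plan_container(free, 5 * MIB)
        print(f"{free // MIB} MiB free -> container {container // MIB} MiB, "
              f"{leftover // MIB} MiB left outside the container")
```

On sticks larger than about 4 GiB the leftover space is ordinary unencrypted FAT32 storage, so files saved there get none of the protection discussed above.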
Update: earlier versions of this blog post said that future encryption standards would be set by the DIA but as Mark points out in the comments this is wrong.


May 12th, 2009 at 9:44 pm
Sorry if I was unclear. The GCSB role is not moving. The standards part of SSC (i.e. e-GIF, Web Standards etc) is moving to SSC in June/July as part of SSC’s restructure.