Transferring data securely

Two methods of transferring personal or confidential data.

www.nuffield.ox.ac.uk/go/it-secdata

Ever struggled with how to transfer personal or confidential data to someone in the outside world but you know that, for security reasons, that the data really should be encrypted?  You're not alone.

Finding out is not straightforward because there's a lot of confusing advice out there.  The guidance is confusing, as there are too many unknowns for the advice to be straightforward.  Unknowns like: one file or many? How secure does it need to be? What format? etc.

In the page below, we recommend two methods.  One assumes that you may be working with only one or two files.  The other assumes a set of files which need to be kept together.

Do not

  • Email personal or sensitive data
  • Save (even encrypted) personal data on servers running outside the European Economic Area.  Bad places include:
    • Most Office 365 locations (but the University's Oxford Nexus Office365 is OK)
    • Google Docs
    • Dropbox

Transferring one or two files securely

If you only have one or two files, consider using the built-in encryption of some of the software we use every day, and then putting the files somewhere to be downloaded.  If you intend to transfer the data by removable media (USB stick or DVD etc.) the steps below still apply, bar step 5 (using Oxfile).

Using Microsoft Office (e.g. Word, Excel or PowerPoint)

  1. Add a password to protect the document.
    This is usually done via File > Info > Protect Document.  Here is some further guidance and some screen shots if you need more information.
  2. Add a pass phrase of at least 32 characters.
    Use something which is easy to say and understand over the telephone (something like the examples at the top of this page).
  3. If you have another document, repeat using the same password.
  4. Place the file(s) on Oxfile (see instructions below). Use a sensible time limit of a few days only.
  5. Telephone the intended recipient and explain about Oxfile (they will have received an email) and dictate the pass phrase to them.
    Make it clear to the recipient that they must not forward on the file(s) unless you explicitly require them to (in which case underline their responsibility for encryption and security).
  6. It may also be appropriate for you to tell the recipients to delete the file(s) after they have no further use of the [personal] data.

 

Using Adobe PDF

Many things can be saved as PDFs, or 'printed to PDF' if you have Adobe Acrobat installed.  Assuming you already have your PDF, and have it open in Acrobat:

  1. Protect the document with a password.
    This varies from version to version of Acrobat, but is often Tools > Protect(ion) > Encrypt > Encrypt with Password or File > Properties > Security > Security Method = Password Security.
    See the Adobe help if you need more guidance.
  2. Add a pass phrase of at least 32 characters.
    Use something which is easy to say and understand over the telephone (something like the examples at the top of this page).
  3. If you have another PDF, repeat using the same password.
  4. Place the file(s) on Oxfile (see instructions below). Use a sensible time limit of a few days only.
  5. Telephone the intended recipient and explain about Oxfile (they will have received an email) and dictate the pass phrase to them.
    Make it clear to the recipient that they must not forward on the file(s) unless you explicitly require them to (in which case underline their responsibility for encryption and security).
  6. It may also be appropriate for you to tell the recipients to delete the file(s) after they have no further use of the [personal] data.

Transferring a group of files together

If you need to transfer a set of files of different types OR if you have a file type that uses software without any encryption facilities, consider creating an 'archive' (e.g. zip file, or exe file), then placing this file somewhere it can be downloaded.  If you intend to transfer the data by removable media (USB stick or DVD etc.) the steps below still apply, bar step 5 (using Oxfile).

Firstly, it is good to know whether your correspondent has 7-Zip installed.  If they do, then you can use the .zip or .7z format.  If they do not, you may need to use the .exe format.  Remember that some firewalls and almost all mail systems will block .exe files, so you should liaise with your correspondent (before and afterwards) to work out the best method, and whether they were able to receive the file(s).  If in doubt, save the archive as .exe, put it in Oxfile and liaise with your contact via telephone.

To transfer a group of files:

  1. Collect the files together in one folder.
  2. Install the 7zip program (see below for details)
  3. Create a password protected archive, which contains the files, using 7zip.
    Sophos has a good article on how to use 7-Zip but please take note of the following:
    Use the AES 256 encryption method. (Do not use ZipCrypto.)
    Note that your correspondent may encourage you to use the ZipCrypto encryption method as this format does not need specialist software to decrypt the archive.  Do not agree to this, as ZipCrypto is easily broken.
  4. Add a pass phrase of at least 32 characters.
    Use something which is easy to say and understand over the telephone (something like the example at the top of this page).
  5. Place the file(s) on Oxfile (see instructions below).
    Use a sensible time limit of a few days only.
  6. Telephone the intended recipient and explain about Oxfile (they will have received an email) and dictate the pass phrase to them.
    Make it clear to the recipient that they must not forward on the file(s) unless you explicitly require them to (in which case underline their responsibility for encryption and security).
  7. It may also be appropriate for you to tell the recipients to delete the file(s) after they have no further use of the [personal] data.

Installing and using 7-Zip

Windows users can easily download and install 7-Zip.  Mac users can consider an alternative (such as Keka).

7-Zip is free to download and use, and without onerous licencing restrictions.

Windows users

  • If you do not have administration rights to your (Nuffield-managed) machine, please contact IT who can install 7-Zip easily for you.
  • Download the 7-Zip installer for your computer from www.7-zip.org.
    • Select the correct download (32 or 64 bit)
    • 32? 64 bit? Check which at Control Panel >System and Security > System
  • Run the program and install 7-Zip to your computer. 

N.B. If your preferred method of transferring files securely is via USB or CD/DVD, you may wish to consider saving a program (on the CD or memory stick etc.) which can run and work with the 7-Zip files.  Consider saving 7-Zip Portable next to the data files.

Apple Mac users

Apple Mac users may wish to consider a product such as Keka.

Using 7-Zip

The instructions from Sophos are good to get started.  The best way to get your files encrypted is to do this at the beginning, before the archive exists - i.e. right-click on the file(s) and from the sub menu, select 7-Zip > Add to archive.  Only use AES 256.  Use a pass phrase of at least 32 characters.

Using AES 256 encryption will mean that Windows users (or users of Winzip) will not be able to decrypt the archive.  However, you must use AES 256.

Don't worry if, after you have created your archive, you can see the names of the files without entering a pass phrase.  This is normal.  If you try to open one of the files, you should be prompted for a password.

Using Oxfile

Oxfile is a University facility for transferring large files, or files to the outside world.  Shares are time limited (a good thing) so that someone cannot pick up the secure file at a later date (possibly years later) and then crack it open with newer technology.

To put your encrypted file(s) on Oxfile for download:

  1. Go to https://oxfile.ox.ac.uk/
  2. Click on the icon about sending files to other people.
  3. Log in using your Oxford Single Sign On username and password (as you use for Nexus email)
  4. Create a new folder to send files.  Useful help/instructions for Oxfile can be found here.
  5. Upload the sensitive files.
    N.B. Don't forget to Add the file(s) and then Upload the file(s).
  6. Add the email address(es) of the recipients and a brief message
    (N.B. It is a good idea to send your recipient a covering email separately to explain what you're doing).
  7. Expand the Advanced options and set a reasonable duration for the file.
    N.B. Do not give access to personal data for more than a few days.  Usually you would not enable anonymous access, although the danger of enabling it is minimised if the file(s) are encrypted using 7-Zip and AES 256.

 

Do not

  • Use any service which may use servers outside of the European Economic Area: you could be breaking the law (this includes Dropbox).
  • Test Oxfile by sending a file containing (encrypted) personal data to your hotmail or gmail account and extracting it to a file system there (e.g. Google Docs).  Whereas it is good to run such a test if you're using Oxfile for the first time, do not run your test with the personal data: do it with a test file of innocuous contents.

Using USB flash drives or external disks which were designed to be encrypted

Saving your data to an encrypted memory stick or removable drive which was purchased for that purpose (encryption) is a great option.  If you need to transfer data to a colleague or an external person, especially if you are going to meet them in person, this can be very useful.  In some cases you could even send such items via courier or postal service (but please consider the risks carefully before taking that option).

If you are purchasing such a memory stick or drive, the encryption could be performed either by software you load on your computer or by the device itself (e.g. after entering a PIN code).  Which should you choose?  Here are some considerations:

  • Does the device need to be physically very robust, even waterproof?  (This could be important if it represents the only copy of the data at some stage in the process.)
  • How much data do you need to transfer in one go? (Will it always be a few MBs, or could it be audio or video taking up many GBs?)
  • Is the encryption good enough?  Use a search engine and find an unbiased review or check the encryption protocol (e.g. AES 256) used.
  • Does it meet an internationally-recognised standard, such as FIPS 140-2?
  • Software supplied by the manufacturer can be easy to use, but you may have the problem that the person receiving the device from you also needs to install and run the same software.  Is this practical?
  • Devices which avoid the above problem and just need a PIN code tend to be easy to use, but tricky to set up when first purchased.

 

Bitlocker (for Windows) and FileVault (macOS) can be used to encrypt USB drives.  To date these have been used mostly for personal use (i.e. the same person encrypts and decrypts) but it it is possible that you could use these technologies to encrypt drives and pass to others.  It is likely that the compatibility problems which plagued this approach are diminishing.

IT@Nuffield have some experience with USB Flash drives which use a PIN to unlock/decrypt.  We would be happy to share our findings if you believe that you need to purchase such an item.