Encryption and Decryption
Data that can be read and understood without special protective measures is called plaintext, or cleartext. Much of the information transferred across the internet is done so in plaintext. The use of email, removable drives and some file sharing services for the storage and transfer of customer data that only uses cleartext is simply insecure. For this reason, the use of email or messaging programs to transfer sensitive data should be done so with extreme caution.
The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext content results in unreadable gibberish called ciphertext. Encryption is used to ensure information is hidden from anyone for
whom it is not intended, even those who can view the encrypted data (they can only see the gibberish). The process of reverting ciphertext to its original plaintext is called decryption.
Protecting Data with PGP and Encryption
PGP keys are used to encrypt and digitally sign outbound files as well as to decrypt and verify inbound files. PGP encryption protects the contents of a sensitive file from unauthorised viewing. For all manual data transfers of sensitive information to and from Jomablue we highly suggest transferring only PGP encrypted files. Encrypting with PGP requires specialised software and know-how. An introduction can be found here. You can find our public key of MIT’s PGP register (https://pgp.mit.edu).
Our preferred method of delivery is SSL secured endpoint (either the customer’s or provided by Jomablue). Less desirable methods include email, FTP, and fle sharing services. It is highly recommended no matter what the transfer method, the files should be PGP encrypted.
File Sharing Services
File sharing services (such as Dropbox, Onedrive, Google Drive) can also be used if preferred but it is highly recommended that anything transferred via these services are PGP encrypted. It is recommended that two-factor authentication be implement in all places or services where this information may reside.
To ensure the data sent to us has not changed in transit (e.g. been damaged/corrupted) we suggest the use of a MD5 file checksum. The process of creating and using a checksum is one where a unique string is created that is used to identify the data file. We then compare it to our unique string upon receiving the file. This allows us to ensure the file is uncompromised and as expected when sent to the recipient.
The process to generate this Checksum is straightforward. Windows users can start here: http://www.winmd5.com/
Although PGP encryption is the most secure method of transfer, understandably there are some complexities to using PGPencryption. Should your Privacy Officer or other authorised staﬀ determine they do not wish to use an encryption and secure file transfer method here are some things to consider:
- Spreadsheets with sensitive data should always be locked with a strong password.
- Place that spreadsheet within a zip (archive) folder and password protect that file.
- Never share a password and data file within the same email.
- The preferred method is that passwords should be advised by another means (eg. send the password via SMS or verbally by calling the recipient).
- Instead of emailing content, use a file sharing service (such as Dropbox) which provides industry standard encryption.
- When using services such as Dropbox, use the link expiration feature. Place the file in a shared location and provide the link set to a 24 hour expiration.