Data encryption

Data carrier encryption

When using mobile devices or data carriers, the encryption of the data carrier is specified by circular 20/2019 "Encryption of mobile storage media used for business purposes". The data carrier encryption can be implemented at firmware level in the device, at operating system level or as an application program.

There is an exception for USB storage media. These must only be encrypted from protection levels D and E.

Data encryption of the operating system

Data carrier, partition encryption or FileBaseEncryption is provided by all common operating systems.

Disk & container encryption with separate applications

Containers, files that serve as a container for a file system in which files can be stored, can also be used for the secure storage of data. However, containers are not suitable for exchange via cloud services.

VeraCrypt enables access from Windows/OSX/Linux to containers and offers

  • Full encryption of Windows systems
  • storage of files requiring protection in a separate container
  • Encryption of mobile data media

Full encryption in the unit firmware

Due to vulnerabilities in the implementation of hardware encryption in modern data carriers, BitLocker in Windows 10 will no longer use it as of September 2019.

File encryption

The encryption of individual files does not comply with the circular. Even if the encryption of individual files is generally not advisable, there are usage scenarios for this. Special attention must be paid to generating and managing a secure password for each file. The secure transmission of confidential data to third parties may necessitate the encryption of individual files. Possibilities are:

  • Encrypted email - for small amounts of data
  • Use of the central Seafile cloud service in combination with the programme 7Zip, whereby the procedure AES-256 is to be chosen. You can find instructions for this on the pages of the RRZK (University of Cologne), for example.
  • Seafile offers the option of creating encrypted libraries. However, this option is not suitable for exchange with third parties.
  • Sending encrypted ZIP files by e-mail is not recommended, as it is a common practice to introduce viruses into systems bypassing security software and the encrypted attachment will probably not be delivered.

Directory encryption for cloud synchronisation

Cryptomator works in a similar way to an encrypted file system: it creates a separate drive on which work can be done locally. In the background, Cryptomator encrypts the individual files and saves them under encrypted file names in a directory to be specified during installation. The encrypted file versions can be synchronised into the cloud via the usual cloud storage clients.

Instructions and explanation on how to set up and use Cryptomator


IT Security
Security team
IT Security
Security team