Data encryption

Data carrier encryption

When using mobile devices or data carriers with data of protection levels D and E, the encryption of the data carrier is specified by circular 20/2019 "Encryption of mobile storage media used for official purposes". The data carrier encryption can be realised on the firmware level in the device, on the operating system level or as an application programme.

Data encryption of the operating system

Data carrier, partition encryption or FileBaseEncryption is provided by all common operating systems.

Disk & container encryption with separate applications

Containers, files that serve as a container for a file system in which files can be stored, can also be used for the secure storage of data. However, containers are not suitable for exchange via cloud services.

VeraCrypt enables access from Windows/OSX/Linux to containers and offers

  • Full encryption of Windows systems
  • storage of files requiring protection in a separate container
  • Encryption of mobile data media

Full encryption in the unit firmware

Due to vulnerabilities in the implementation of hardware encryption in modern data carriers, BitLocker in Windows 10 will no longer use it as of September 2019.

File encryption

The encryption of individual files does not comply with the circular. Even if the encryption of individual files is generally not advisable, there are usage scenarios for this. Special attention must be paid to generating and managing a secure password for each file. The secure transmission of confidential data to third parties may necessitate the encryption of individual files. Possibilities are:

  • Encrypted email - for small amounts of data
  • Use of the central Seafile cloud service in combination with the programme 7Zip, whereby the procedure AES-256 is to be chosen. For details, see e.g. DSB-RLP
  • Seafile offers the option of creating encrypted libraries. However, this option is not suitable for exchange with third parties.
  • Sending encrypted ZIP files by e-mail is not recommended, as it is a common practice to introduce viruses into systems bypassing security software and the encrypted attachment will probably not be delivered.

Directory encryption for cloud synchronisation

Cryptomator works in a similar way to an encrypted file system: it creates a separate drive on which work can be done locally. In the background, Cryptomator encrypts the individual files and saves them under encrypted file names in a directory to be specified during installation. The encrypted file versions can be synchronised into the cloud via the usual cloud storage clients.


IT Security
Security team
IT Security
Security team