Encryption: Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data (Source: National Institute of Standards and Technology )

Data resides in numerous places, whether it be desktops, laptops, and removable storage media (USBs, external hard drives, and CD/DVDs). Attention is especially necessary if this data is considered sensitive. In order to protect sensitive information, the use of encryption is a key way to safeguard this data.

Sensitive data stored on any environment, system or media that is subject to loss or theft — including laptops, USB drives, diskettes, CDs/DVDs, personal computers, departmental servers, and cloud environments — must be encrypted whenever not in active use. Encryption is highly recommended for all other systems as well, whenever feasible. Systems susceptible to theft should also be physically secured, e.g. with use of secure laptop cables, whenever possible.

Data-at-Rest vs. Data-in-Transit

  • Data-at-Rest: Data-at-Rest (DAR) refers to data on storage devices not actively being used or transmitted. Storage devices include the hard drives in desktops, laptops, and external drives. Examples of external drives include USB drives, external hard drives, and memory cards. External drives are transportable in nature, which means there is an increased chance of being lost or stolen. A key safeguard to protect the DAR on external drives is through the use of encryption.
  • Data-in-Transit: Data-in-Transit (DIT) refers to data moving from one location to another. This includes data moving from one network to another, which includes across the internet. The protection of DIT, also known as data in motion, is when safeguards are put in place to protect data while it is moving from one location to another.

Full Drive Encryption vs. Container Encryption

When deciding which encryption method to use for the protection of DAR on storage devices, the two most common options are doing full drive encryption or creating an encrypted file container.

Full Drive Encryption (FDE)


  • The entire drive is encrypted, which means files and applications are encrypted

Pros and Cons

  • No need to worry if files are encrypted in the event of device theft
  • When computer is in use, malware is able to steal the data

Container Encryption


  • This is where you create a “container” which can be mounted.
  • Files can then be copied, moved, and deleted inside of the “container” like any other drive
  • With this option, your encrypted file container appears as a file. This file can be stored on the local hard drive or on an external drive, like a USB drive.

Pros and Cons

  • File containers are normal files so you can work with them as with any normal files (file containers can be, for example, moved, renamed, and deleted the same way as normal files). Partitions/drives may be better in regard to performance. Note that reading and writing to/from a file container may take significantly longer when the container is heavily fragmented.

CIS Control 14: Controlled Access Based on the Need to Know

As outlined in the ITS Information Security Minimum Security Standards, encryption is part of the Center for Internet Security’s (CIS) Control 14:

CIS Control 14: Controlled Access Based on the Need to Know: The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

  • CIS Control 14.4: Encrypt All Sensitive Information in Transit
  • CIS Control 14.8: Encrypt Sensitive Information at Rest

Encryption Setup Guides

This article deals with Data-at-Rest. Below is information on setting up Data-at-Rest encryption for the following devices: