
Best Practices for Data Encryption

In this chapter we will provide guidelines to ensure effective encryption practices and offer solutions to common encryption challenges.

Lesson Objectives

  • Know how to make a strong encryption password
  • Know best practices for storing, updating, and sharing encryption passwords securely

Choosing a strong password

Encryption is only as strong as the password used to protect it. A weak password makes encrypted data easy to crack.

What makes a strong encryption key or password?

A good encryption password should be:

  • Long: At least 12–16 characters; longer is better
  • Complex: Includes uppercase, lowercase, numbers, and symbols
  • Unpredictable: Avoid dictionary words, names, dates, or predictable sequences
  • Unique: Don’t reuse passwords from other accounts or systems

Examples:

✅ Strong password: N6z!e$Qp9W@bLm#4

❌ Weak password: password123, John1990, qwerty
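The criteria above can be checked mechanically. The following Python sketch is an added example, not part of the original lesson: it audits a candidate against the length, complexity, and predictability rules and generates a password from the operating system's secure random source. The fragment list is a small constructed sample, and uniqueness across accounts cannot be checked in code.

```python
import re
import secrets
import string

MIN_LENGTH = 12  # lower bound of the lesson's 12-16 character guidance
# Constructed sample list; a real check would use a large common-password corpus.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "summer", "john", "love", "123", "abc")
YEAR = re.compile(r"(19|20)\d\d")  # four digits that look like a birth or calendar year
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def audit(password: str) -> list[str]:
    """Return the reasons a password fails the criteria (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for fragment in COMMON_FRAGMENTS:
        if fragment in lowered:
            problems.append(f"contains '{fragment}'")
    if YEAR.search(password):
        problems.append("contains a year")
    return problems

def generate(length: int = 16) -> str:
    """Draw characters from the OS CSPRNG until the result passes audit()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit(candidate):
            return candidate

if __name__ == "__main__":
    # The four examples from the lesson, then a freshly generated password.
    for pw in ("N6z!e$Qp9W@bLm#4", "password123", "John1990", "qwerty"):
        print(pw, "->", audit(pw) or "passes")
    print("generated:", generate())
```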

Additional Options

For higher security, there are a few additional options to consider:

Passphrases: A combination of random words and symbols, for example: Blue!Tiger-Canoe7_Parade

Password managers: Password management tools like Bitwarden aren’t just useful for storing your passwords (see below), but can also be used to generate strong, unique passwords.

Keyfiles: Some encryption software, including VeraCrypt, allows you to set certain files as keyfiles, which must be present on the encrypted drive for it to unlock. Without the files, the drive cannot be decrypted, even with the correct password.

PIM: Some algorithms allow you to set a Personal Iterations Multiplier (PIM), which determines how many times the key must be “turned” to unlock the encrypted data. (For a more technical explanation, see VeraCrypt’s documentation.) You enter the PIM alongside your password, and only the correct combination will work. This makes your data more secure, but also increases the time necessary for decryption.
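To see why both the password and the PIM must match, and why a larger PIM slows decryption, here is a simplified Python model (an added example, not code from the lesson or from VeraCrypt). It assumes PBKDF2-HMAC-SHA-512 and the iteration formula VeraCrypt documents for non-system volumes and file containers (15000 + PIM × 1000); the key-comparison unlock check and the sample PIM of 50 are illustrative.

```python
import hashlib
import hmac
import os
import time

def iterations_for_pim(pim: int) -> int:
    """Iteration count for non-system volumes and file containers,
    using the formula from VeraCrypt's PIM documentation."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15000 + pim * 1000

def derive_key(password: str, salt: bytes, pim: int) -> bytes:
    """Stretch the password with PBKDF2; the PIM only sets the work factor."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations_for_pim(pim), dklen=64)

def unlocks(password: str, pim: int, salt: bytes, expected_key: bytes) -> bool:
    """Model of an unlock attempt: the derived key matches only if the
    password AND the PIM are both the ones used at encryption time."""
    return hmac.compare_digest(derive_key(password, salt, pim), expected_key)

def seconds_to_derive(pim: int) -> float:
    """Time one key derivation, showing the cost a higher PIM adds."""
    start = time.perf_counter()
    derive_key("benchmark", b"\x00" * 64, pim)
    return time.perf_counter() - start

if __name__ == "__main__":
    salt = os.urandom(64)  # random per-volume salt, stored with the volume
    password, pim = "Blue!Tiger-Canoe7_Parade", 50  # lesson's passphrase, sample PIM
    key = derive_key(password, salt, pim)
    print("right password, right PIM:", unlocks(password, pim, salt, key))
    print("right password, wrong PIM:", unlocks(password, pim + 1, salt, key))
    for p in (1, 50, 485):
        print(f"PIM {p:>3}: {iterations_for_pim(p):>7} iterations, "
              f"{seconds_to_derive(p):.3f}s")
```

Every guess an attacker makes pays the same derivation cost, which is why the extra unlock time buys resistance to password guessing.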

Quick Quiz!

Password 1: ilovemac123


Password 2: N6z!e$Qp9W@bLm#4


Password 3: Summer2020


Password 4: c#F8@x6B2$zRt!


Storing, updating, and sharing your encryption keys

Safe Storage

YOU MUST BACK UP YOUR ENCRYPTION PASSWORDS! This is the most important thing to do when encrypting files. If you lose your encryption password you will lose access to your data, likely permanently. Therefore you must back up your passwords. Do not rely on yourself to remember them – if they are long, complex, unpredictable, and unique, you will likely forget them at some point!

There are a few do’s and don’ts when backing up your password:

  • DO store individual passwords in a trusted password manager (e.g. Bitwarden)
    • Password managers save all your passwords in a secure, central location, which can only be unlocked using a master password. All of the same recommendations for passwords apply to this master password: Make it strong, and back it up.
  • DO use a physically secure location (e.g., locked cabinet, encrypted USB drive, password-protected file) to save your passwords – including your master password
  • DON’T store passwords in plain text on your computer (e.g., in a .txt file or sticky note)

Sharing Securely

Never share encryption passwords over unsecured email or messaging apps (e.g., Slack, Teams, SMS).

Use secure tools for sharing:

  • A shared folder in your password manager
  • University-approved secure file transfer tools (e.g., McMaster’s MacDrive, encrypted email systems)
  • Temporary encrypted sharing tools like an encrypted OneDrive link with expiring access
  • Verbally over a secured phone connection

Updating Keys

Rotate your encryption keys or passwords regularly, especially if:

  • The password has been shared
  • You’re ending a project or changing personnel access
  • There’s been a potential breach

Backing up your data

All data is at risk of being lost or corrupted, so it is recommended to follow the 3-2-1 rule for backing up your data and keep:

  • 3 copies of your data (at least)
  • 2 copies on hand on different systems (internal hard drive, external hard drive, cloud storage provider, etc.)
  • 1 copy in a separate location (“off-site”) from the others, with a trusted service provider

This is still – perhaps especially – true with encrypted data, which is difficult to impossible to recover if lost while encrypted.

Storing multiple copies of encrypted data can be daunting. While you are getting used to encryption, start small. Make an account with a trusted password manager and immediately write down and securely save your master password. Then manually encrypt your files individually or one folder at a time, storing them with encryption on your research device, a secure external drive, and an encrypted cloud folder. Store your passwords in the password manager so you don’t have to worry about forgetting them. This way, if something happens, you haven’t lost access to your entire drive, maybe even your system boot drive. As you become more confident with encryption, or if you handle increasingly sensitive data or increasing volumes of sensitive data, entire drive encryption may become a simpler option.

Troubleshooting Common Issues

Sometimes things go wrong. Here are some common encryption-related problems and how to solve them:

| Problem | Possible Cause | Solution |
| --- | --- | --- |
| Can’t decrypt your data | Wrong password / corrupted file | Double-check the password. Restore from backup if available. |
| Encrypted file won’t open | Software mismatch | Ensure you’re using the same tool and version that was used to encrypt. |
| Forgot the encryption key | No password manager / backup | Try retrieving from password manager or secure storage. Without it, recovery may be impossible. |
| File sync errors | File partially uploaded | Ensure upload/download completed successfully. Re-encrypt if needed. |

Key Points / Summary

  • A strong password is long, complex, unpredictable, and unique
  • Store encryption keys securely using trusted methods and update them as needed
  • Avoid common mistakes like writing passwords down in plain text or sharing them over insecure channels
  • Use institutional tools to share passwords where possible, like an encrypted OneDrive or MacDrive
  • Back up your data!
  • Encryption is only useful if the key is protected as carefully as the data itself