1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136

Receptionist: 305-243-6475
Hours: 830am - 500pm, M-F

Help Desk: 305-243-5999
Hours: 24/7

General fax: 305-243-6417
Admin. fax: 305-243-2622

16 April 2009

Encrypting your flash drive

Flash drives are today’s most common portable digital storage device. Flash drives with encryption capabilities are now common, for a modest increase in cost. It’s a cheap way to make your data more secure.

Why do I need to encrypt my flash drive?

It’s not a question of if you will be separated from a flash drive, but when. Anything that small and portable is going to be lost (or stolen) eventually. The question is how much damage you want to risk when that happens.

Encryption of portable storage media containing sensitive or confidential information will eventually be required by UM policies, but there’s no reason to wait for a requirement to do something smart.

I am shopping for a new drive. Which models do you recommend?

Most of the major flash drive manufacturers have encrypted models. Choices include offerings from Lexar (JumpDrive Secure), Kingston (DataTraveler Secure), Memorex (TravelDrive Secure), PNY (Secure Attache), SanDisk (CruzerSecure). Generally, all the secure devices work on Windows. If you use a Mac, your choices will be somewhat more limited.

If you are in the market for a particularly robust solution, consider IronKey. Its models, though more expensive, are waterproof, tamperproof and come with data “self-erase” safeguards. (It works with Mac and Linux, albeit with less functionality than for Windows.)

Can I encrypt a flash drive I already have?

Yes. You can use add-on software, such as the freeware from TrueCrypt. However, unless you enjoy do-it-yourself activities (and have the spare time), your cheapest option is to replace the drive.

What content does UM consider “sensitive” enough to merit encryption?

In general, you should consider any information about the operations of the University to be sensitive, whether it be about clinical, research, educational or administrative activities. Health, education or financial information that is associated with identifiable persons is considered particularly sensitive, and protected by an alphabet soup of federal and private requirements (e.g., FERPA, GLBA/FSMA, HIPAA, PCI DSS).

You can read UM Data Classification Policy for guidance on information sensitivity. If you’re not sure about what qualifies as sensitive in your work environment, ask your supervisor.

Anything else I need to consider?

Encryption will prevent exposure of data on a lost or stolen flash drive to others. It obviously can’t do anything about the your own loss of access to the data on a missing device. You should never rely on something portable to hold the only copy of critical data. Always keep secure backups on something non-portable.

More information

· Review of 7 Secure Flash Drives (ComputerWorld)