Data Encryption

Data encryption is the process of converting data from a plain text, or readable, format into a form that can be understood by the sender and the intended recipient and no one else. Encrypted data usually look like a long sequence of random letters and numbers. The intended recipient has the key needed to change the data from its encrypted form back into plain text.

Encryption is a critical component of data security. It ensures that, if the data are accessed by an unauthorized person, they will not be able to read or misuse the data.

What Should Be Encrypted?

All digital communications and storage media that contain confidential data and leave the security boundary of the registry network should be encrypted. This includes—

  • Transmitted data files or communication (web, FTP, email).
  • Portable storage devices (laptops, external drives, CDs, tape backups, USB flash drives).
  • Databases on servers.
  • Backups of confidential data.

Encryption Requirements

The procedures and requirements for encryption vary.

  • Transmitted data files. Web-based tools usually have this functionality built in though Transport Layer Security (https://) and secure certificates.
  • Portable storage devices and backups of confidential data. Encryption software that uses a Federal Information Processing Standard (FIPS)-approved cryptographic algorithm must be installed on every device on which confidential data are stored.
  • Databases on servers. Databases should meet FIPS 140-2.

Encryption’s Effect on Performance

Encryption must be planned carefully to make sure it does not slow your system’s performance. Encryption can be done at three levels, ranked from best to worst performance: hardware such as chips or hard drives, operating systems such as Microsoft® Windows® or Linux, and encryption applications from vendors certified by the National Institute of Standards and Technology.

Vendor benchmarks for all three levels of encryption indicate that systems will experience only a fraction of a percent loss in performance from this process, and end users should not notice the difference. More benchmarks may be needed to verify these claims. Staff who provide technical support to other programs in your institution may have this information. If not, NPCR staff can work with NPCR registries to compile a list of benchmarks.