File encryption
You can encrypt files that you want to be accessible only to yourself or to a limited group of people. At a minimum, encrypt files whenever the confidentiality of the data requires it. Files containing data classified as category 1R, such as special categories of personal data, must always be stored in encrypted form.
A method suitable for encrypting all types of files is to use appropriate encryption software, for which instructions are provided below. In addition, Microsoft Office files can be stored encrypted in a specific way: save the file to Teams or OneDrive and set its data classification to “Confidential 1R – Confidential Restricted access” in the Sensitivity menu. Encryption then takes place in the background without separate software.
Choosing an encryption program
There are three alternative programs from which you can choose the one that suits your needs. All the programs provide strong protection that is sufficient for storing all types of data, including special categories of personal data (Article 9 of the EU General Data Protection Regulation). You can find the programs in the Software Center on a TUNI Windows computer. If you cannot find the program for a TUNI Mac or Linux computer, contact IT Helpdesk. The programs are free of charge and free of usage limitations, and users of their own home computers or people outside our higher education community can install them from public sources.
Choose a suitable program for your needs by evaluating the advantages and disadvantages of the following alternative programs.
| Program and link to instructions | Advantages | Disadvantages | Suitable use cases |
| --- | --- | --- | --- |
| VeraCrypt | | Only one person can use the vault at a time. You must define the vault size when creating it, and you cannot increase it later | When you may also need to store Office documents. For backups |
| Cryptomator | Multiple users can open the vault at the same time. The vault size grows dynamically as you add files | It does not work well with Microsoft Office applications; see details and instructions in the intranet news. Storing very large files in a vault located on a shared drive (S drive) or personal storage (P drive) is very slow | When there is no need for Office documents. When there is no need to store large files (videos) on the S drive. When you need simultaneous access by multiple users |
| 7-Zip | Fast and easy to use. Widely used, so the recipient can easily open the archive | Not suitable for storing files for editing, as you cannot save modified files back into the archive | Sending by email. For backups |
Additional instructions
Handling encrypted files
When you handle (i.e. view and edit) files encrypted with encryption software, always open the files directly from the virtual drive created by the encryption software and save any outputs generated during processing directly to that virtual drive. Do not copy (extract) files from the virtual drive elsewhere for processing, as this easily leaves an unencrypted copy behind unintentionally. You may need to deviate from this principle in special situations, but in that case you must delete any extra copies left in unencrypted locations as soon as possible and with great care.
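One way to check for the leftover copies described above, as an added example rather than a tool provided on this page: the script compares the files on the mounted virtual drive with the files in ordinary folders and reports any that have identical content. The folder names and sample data are constructed for the demonstration; in real use you would pass the path of your own mounted vault and the folders you want checked.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large vault contents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_plaintext_copies(vault_root, scan_roots):
    """Return sorted (stray_file, vault_file) pairs with identical content."""
    vault_root = Path(vault_root).resolve()
    by_size = {}  # index vault files by size so most files are never hashed
    for p in vault_root.rglob("*"):
        if p.is_file() and p.stat().st_size > 0:
            by_size.setdefault(p.stat().st_size, []).append(p)
    digests = {}  # vault digests, computed lazily only for sizes that match
    hits = []
    for root in scan_roots:
        for p in Path(root).resolve().rglob("*"):
            if not p.is_file() or vault_root in p.parents:
                continue  # skip directories and anything inside the vault
            candidates = by_size.get(p.stat().st_size)
            if not candidates:
                continue
            d = sha256_of(p)
            for v in candidates:
                if v not in digests:
                    digests[v] = sha256_of(v)
                if digests[v] == d:
                    hits.append((p, v))
    return sorted(hits)

def demo():
    """Constructed sample: a stand-in 'vault' folder and a Downloads folder."""
    with tempfile.TemporaryDirectory() as tmp:
        vault, downloads = Path(tmp, "vault"), Path(tmp, "Downloads")
        vault.mkdir()
        downloads.mkdir()
        (vault / "interviews.csv").write_bytes(b"id,diagnosis\n1,example\n")
        (downloads / "interviews (1).csv").write_bytes(b"id,diagnosis\n1,example\n")
        (downloads / "notes.txt").write_bytes(b"unrelated public notes..\n")
        return [(s.name, v.name) for s, v in find_plaintext_copies(vault, [downloads])]

if __name__ == "__main__":
    print(demo())
```

The check only finds byte-identical copies, so a copy that was edited after extraction will not be reported, and the vault must be open (mounted) while the script runs.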
Encrypting to a USB drive or memory stick
- If you want to store data classified as 1R, such as sensitive personal data, on a standard USB drive or memory stick, you must first encrypt the USB drive at the file system level. On a Windows computer, this means encrypting it with BitLocker; instructions are provided below. For Mac computers, see the corresponding instructions on Apple’s website. Only after this may you store data on the USB drive, encrypted with one of the encryption tools mentioned above. Note that on Windows, a USB drive encrypted at the file system level works only on Windows computers. The same applies to Mac computers.
- You can also request from IT Helpdesk a USB drive that automatically encrypts its contents and works with all operating systems. Data classified as 1R, such as sensitive personal data, must still be encrypted with encryption software even when stored on such a drive.
- If the drive needs to be delivered to another person, provide the password or code required to open the drive separately from the password used in the encryption software, for example one via text message and the other via encrypted email. Inform the recipient from where to install the encryption software you used, or store on the drive the installation files or a portable version of the encryption software for all required operating systems.
Transferring encrypted data
You can transfer data classified as 1R, such as sensitive personal data, securely by packaging and encrypting it into a single file using VeraCrypt or 7-Zip and sending the file via the Funet FileSender service. Send the password used for encryption by text message to the recipient’s personal phone number. In this way, you can send files outside our higher education community or transfer them between systems, such as from Windows to Mac or vice versa.
IT Helpdesk
0294 520 500
it-helpdesk [at] tuni.fi
helpdesk.tuni.fi