Data Encryption


There are numerous reasons for encrypting your data but, in today's environment, avoiding data theft is possibly the most important.  The SDHS is heavily protected against such an occurrence, but an extra layer of protection is available, in the form of on-the-fly encryption from VeraCrypt, enabling you to encrypt the data you have stored within the SDHS.  Instead of reproducing the beginner's guide here, we have given you a link to VeraCrypt's own help guides below.


Should you choose to encrypt your data, you must remember your password/passphrase.  If you forget it, you will not be able to decrypt your data and it will be lost forever.

CSCS will not be able to recover encrypted data for you.

Step-by-step guide

  1. Visit the VeraCrypt Beginner's Tutorial for a step-by-step guide to using VeraCrypt for the first time.
  2. Visit the VeraCrypt documentation main page for more advanced (and recommended) information on using VeraCrypt.
  3. VeraCrypt is installed on the Citrix XenDesktop you use to access the SDHS environment.  Simply access it as you would any other application and follow the guides.
  4. Contact CSCS Service Desk for assistance if required.

VeraCrypt is a software product for establishing and maintaining an on-the-fly-encrypted volume (data storage device).  On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention.  No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys.  The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata, etc.).  Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations).  Files are automatically decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume.  Similarly, files that are being written or copied to the VeraCrypt volume are automatically encrypted on the fly (right before they are written to the disk) in RAM.  Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted.  There are no extra memory (RAM) requirements for VeraCrypt.  For an illustration of how this is accomplished, see the following paragraph.

Let's suppose that there is an .avi video file stored on a VeraCrypt volume (therefore, the video file is entirely encrypted).  The user provides the correct password (and/or keyfile) and mounts (opens) the VeraCrypt volume.  When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player.  The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it.  While the portion is being loaded, VeraCrypt is automatically decrypting it (in RAM).  The decrypted portion of the video (stored in RAM) is then played by the media player.  While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) and the process repeats.  This process is called on-the-fly encryption/decryption and it works for all file types (not only for video files).

Note that VeraCrypt never saves any decrypted data to a disk – it only stores it temporarily in RAM (memory).  Even when the volume is mounted, data stored in the volume is still encrypted.  When you restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be inaccessible (and encrypted).  Even when the power supply is suddenly interrupted (without a proper system shutdown), files stored in the volume are inaccessible (and encrypted).  To make them accessible again, you have to mount the volume (and provide the correct password and/or keyfile).
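
The portion-by-portion behaviour described above can be seen in a small model. This is an added example, not VeraCrypt code: `ToyVolume`, the 512-byte sector size and the HMAC-SHA256 keystream are assumptions that stand in for VeraCrypt's real cipher, and the "video" is constructed sample data.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector (assumed for this sketch)

def keystream(key, sector_no):
    """Per-sector keystream from HMAC-SHA256; a stand-in, not VeraCrypt's cipher."""
    return b"".join(hmac.new(key, bytes([i]) + sector_no.to_bytes(8, "little"),
                             hashlib.sha256).digest() for i in range(SECTOR // 32))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyVolume:
    def __init__(self, key, sectors):
        self.key = key
        self.disk = bytearray(sectors * SECTOR)  # only ciphertext is ever stored here
        self.sectors_decrypted = 0
        for n in range(sectors):  # "format": free space is ciphertext too
            self._store(n, bytes(SECTOR))

    def _store(self, n, plain):
        self.disk[n * SECTOR:(n + 1) * SECTOR] = xor(plain, keystream(self.key, n))

    def _load(self, n):  # decrypt exactly one sector into RAM
        self.sectors_decrypted += 1
        return xor(self.disk[n * SECTOR:(n + 1) * SECTOR], keystream(self.key, n))

    def write(self, offset, data):
        while data:
            n, start = divmod(offset, SECTOR)
            chunk, data = data[:SECTOR - start], data[SECTOR - start:]
            plain = bytearray(self._load(n))  # read-modify-write of one sector
            plain[start:start + len(chunk)] = chunk
            self._store(n, bytes(plain))
            offset += len(chunk)

    def read(self, offset, length):
        out = bytearray()
        while len(out) < length:
            n, start = divmod(offset + len(out), SECTOR)
            out += self._load(n)[start:start + length - len(out)]
        return bytes(out)

def demo():
    vol = ToyVolume(hashlib.sha256(b"constructed passphrase").digest(), sectors=64)
    video = bytes(range(256)) * 40  # constructed 10 KiB "file"
    vol.write(1000, video)
    vol.sectors_decrypted = 0
    portion = vol.read(1000 + 4096, 1024)  # the player requests one small portion
    return portion == video[4096:5120], vol.sectors_decrypted, video[:64] in bytes(vol.disk)
```

`demo()` shows that reading 1 KiB from the middle of the file decrypts only the three sectors that portion touches, and that the stored bytes never contain the plaintext.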