HIPAA and FIPS-140
ENC DataVault is one of the best security controls available for protecting information on a hard drive or attached device drive, and properly used can effectively meet and exceed the data protection standards component of any HIPAA compliance assessment. Please understand that HIPAA would still require you to report details regarding lost or stolen drive to the appropriate authority, even when the information stored is encrypted. However, properly used, the data protection controls in ENC DataVault will help you to mitigate the damages incurred in such situations. Further, the data backup and recovery facilities offered in most of our software can also help to prevent data loss.
We use the OpenSSL library for all cryptographic functions in our software application. Our cryptography modules use ONLY Advanced Encryption Standard (AES) algorithms. AES cryptographic ciphers meet the specifications and requirements for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
Although the cryptographic module in our software does not use the FIPS-enabled OpenSSL library, the level of encryption used complies with the requirements and standards for cryptography modules as set out in the FIPS-140 publication adopted by NIST.
Even when AES ciphers are publicly available or "open source", they are considered the "gold standard" in cryptography, and are used by virtually all branches of the U.S. government, including the U.S. military, in encrypting documents with classification up to "Top Secret".
Further information regarding our encryption engine
ENC DataVault software gives users the option of using different levels (or strengths) of AES symmetric algorithms in our encryption: AES 128, 256, 512 and 1024-bits encryption. Our 512 and 1024-bits encryption are AES-based and employ only AES 256-bit algorithms.
However, the strength of the encryption algorithms is multiplied many times by the fact that our software uses a system of dual authentication. The key stored with the encrypted vault must be matched with a second key, the vault owner's password, in order to open the vault and access the data.
This dual level authentication makes access to the vault virtually impossible, since that would require both physical possession of the flash drive, and knowledge of the user's password.
The AES-128 and AES-256 implementations call the OpenSSL functions directly, while the AES-512 and AES-1204 call these functions indirectly. When the user enters a password, the password is converted to a binary key of the appropriate key size by calling a Key Derivation function.
We use PBKDF2 with multiple rounds. By calling the 256-bits function multiple times with a different part of the key, we mimic a larger key space.
Using these methods, we can state the following:
The output of the encryption function depends on every single bit of the key; change one bit and the outcome is different.
If one would want to brute force the cipher text, the entire key space has to be tested; there is no shortcut.
The encryption with a 1024 bit key will take about 4 times as long as with a 256 bit key.