This paper was written for data exchange practitioners who may not have sophisticated technology backgrounds. It was especially written for those workers and their managers using desktop computers to prepare bulk information to be sent outside their own organizations to others. Such information is primarily raw-text data.
The need to protect data exchanged between organizations is increasing. New legal requirements are being imposed with increasing frequency. The computers, software, and networks in use today increase the likelihood that somebody may come across sensitive data and attempt to abuse it - things are much more "open" than in the past. Quite often today our data is sent using commodity media such as IBM-formatted floppy disks or the public Internet. We need readily available and easy to use encryption tools.
Someday high-encryption tools may become ubiquitous, they aren't today despite the availability of some really good options. The main problem seems to be understanding the issues, being comfortable with encryption tools, and waiting until some standard interoperable tools are widely deployed.
The place where encrypting data is most important is when sending data from one organization to another. But this is precisely where one has the least confidence in assuming a compatible decryption tool is available at the receiving end.
There are many encryption tools available today but few of them are truly easy to use and most of them are difficult to deploy among data-trading partners. I hope to show how the encryption technology embedded in "Zip" compression tools may be used safely for all but very high security purposes.
2005 Update:
Even exchanging encrypted zip files by a channel like email is fraught with hazards today. Your data may be secure, but corporate email systems sometimes catch and block even an encrypted zip file. While efforts to improve computer security are generally a good thing it has become very clear that network security officers and product vendors have gone overboard, to the extent of preventing people from getting work done. There is no danger in receiving a zip file, none in saving such an email attachment to disk, and none in opening zip archives with standard utilities.
It may seem like a clever (and easy) way for network security folks to do their jobs by locking the doors and throwing away the keys. I condemn such practices as lazy and parasitic upon the organizations they purport to serve.
A business, education, government, or other organization has to get its work done. So-called "security professionals" are taking an easy way out and doing their customer/employer organizations great harm. They have the responsibility for offering safe alternatives, not to simply weld all of the windows shut. We need to begin holding these people accountable for their irresponsible practices.
This paper is in Microsoft Word® format and can be downloaded here.
Updated October 2002
