This week’s episode of the excellent Security Now! podcast (#599, starting at 53:10) discusses the use of AES Crypt by clients to encrypt tax data before sending it to practitioners. (I assume that those documents are destined for a professional preparer, like you, the gentle reader of this blog.) While I won’t restate the original blog post (which is at http://cantus.us/encrypt-your-tax-documents-before-you-send-them/), the method described is a relatively simple way for an end user to encrypt a group of files and send them over an insecure medium like Dropbox or other consumer-grade file sharing tools. The method can certainly be implemented poorly (weak passwords, sending the wrong file, e-mailing the password along with the file, etc.), but the basic methodology appears sound. You still need to evaluate the methods you approve for clients to use when transmitting data to you.
What’s missing from the original blog post is a description of how the practitioner is supposed to decrypt the .AES file once it arrives. This post is designed as an “FAQ” for practitioners on how to open/decrypt files transmitted with AES Crypt. It is provided on an “as-is” basis with no representations or warranties; use it at your own risk.
1. What software do I need to decrypt a file protected with this method?
You’ll need to download and install AES Crypt on your personal computer or other computing device. Get this software from www.aescrypt.com and nowhere else; the software is open source, and there is no license fee to use it at this time. (Most of you will want the 64-bit Windows version; those of you on really old or really cheap computers running 32-bit Windows will need the 32-bit version. Versions for Mac and Linux are also available.)
2. Why won’t my client just use my portal from (ShareFile, CCH, Thomson, Doc.IT, XCM, eFileCabinet)?
This happens for a variety of reasons.
- Many firms do a poor job of communicating with clients on how to use their portal.
  - Do YOU have a PDF/paper document you give clients which explains how to use your portal?
  - Does your client know who is supposed to be your “portal concierge” who helps clients use the portal for the first time? (This is usually a good role for an administrative person or executive assistant who is competent at using the portal and has lots of patience.)
  - If the answer to either of the last two questions is “NO”, they may not know how to work with your portal.
- Some clients just don’t like using portals, and don’t want to learn how to use your portal. They probably also have a portal they’re supposed to use with their lawyer, doctor, and financial planner, and they may hate all of their portals.
- You may be enabling their behavior by not sending a clear and consistent message to your client about the use of the portal. Check and see if some of your people are themselves frustrated about your portal and not talking to clients about its use.
If the client doesn’t want to use your portal, your choices are (1) let them send in paper and scan it, (2) let them bring in a flash drive with the scanned documents, (3) let them fax in the documents, (4) convince them to use your portal, (5) meet them where they are, and work with them using some other method (like AES Crypt), or (6) don’t work with them and deal with the fallout. You’re an adult; it’s a free country. Pick your choice, and either work with your client or don’t work with them.
3. OK, I’ve installed the application on my PC, and I want to work with their AES Crypt-encrypted file. What is my client going to send to me, and what do I need to do to decrypt this .AES file I received from my client?
You will need the following to decrypt the file encrypted with AES Crypt:
- A personal computer with AES Crypt (which you said you have – if you don’t, see question #1 above on how to get and install AES Crypt).
- The encrypted file which the client sent to you. (This file will have a file extension of *.AES.)
- The password for the encrypted file, provided by the client (hopefully by telephone, text message, or some method other than e-mail; if the password arrived in the same e-mail or Dropbox folder as the file, the encryption protected nothing, and the client should be coached to send it out of band next time). This password is case sensitive, so pay careful attention when writing it down or typing it into the AES Crypt application.
Once you have installed the AES Crypt application on your computer, a right-click option is added which uses AES Crypt to decrypt the file. The decryption process works like this:
a. Place the .AES file on your local PC, say on the desktop.
b. Right-click on the AES file and select “AES Decrypt” from the Windows right-click menu.
c. AES Crypt will create a window labeled “AES Crypt Password” which asks you to enter the case-sensitive password your client used to encrypt the file. Enter the password into the dialog box and click on “OK”.
d. AES Crypt will create a new file in the same folder as the .AES file which is the decrypted version of the file without the .AES file extension. In most cases, if the original file was 2016-K1.pdf.aes, the decrypted file will be called 2016-K1.pdf. If not, look for the most recently created file in the folder.
e. Once you have opened the decrypted file and extracted any information you need (and moved it to wherever you will store it), you can then delete the .AES file – you shouldn’t need it anymore. (You may decide to hang onto it until the engagement is complete, but that’s up to you.) Remember that the decrypted copy on your desktop is now an unprotected tax document: move it into your document management system and delete the desktop copy rather than leaving it there for the rest of the season.
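For the IT person who has to support steps a through e, here is an added example (mine, not from the original post or the AES Crypt project) that inspects a .AES file and checks a password against it using only the Python standard library. It follows version 2 of the published AES Crypt file format, which is what the AES Crypt releases discussed here write: the password is stretched with 8192 chained rounds of SHA-256 over (running digest || password encoded as UTF-16LE), seeded with the 16-byte IV1 zero-padded to 32 bytes, and the result keys an HMAC-SHA256 over the 48-byte encrypted IV2/key2 block. Recomputing that HMAC tells you whether the password is right without decrypting any content (Python has no AES in its standard library, so this example does not decrypt), which lets you separate “wrong password” from “damaged file” before anyone reaches for the unzip step. The sample container the script builds for itself is a constructed fixture: its key block, content and trailing HMAC are random filler, and only the fields the password check reads are computed as the format specifies.

```python
"""Inspect an AES Crypt (.aes) v2 container and test a password against it.

Added example for this FAQ; not the original post's or the AES Crypt
project's code. Standard library only, so it parses and verifies but does
not decrypt.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"AES"
VERSION = 2
KDF_ROUNDS = 8192


def stretch_password(password: str, iv1: bytes) -> bytes:
    """Derive key1 from the password and IV1 the way AES Crypt v2 does."""
    digest = iv1 + bytes(16)              # IV1 zero-padded to 32 bytes
    pw = password.encode("utf_16_le")     # case-sensitive by construction
    for _ in range(KDF_ROUNDS):
        digest = hashlib.sha256(digest + pw).digest()
    return digest


def parse_header(data: bytes) -> dict:
    """Split a v2 container into its fields; raise ValueError if it is not one."""
    if len(data) < 5 or data[:3] != MAGIC:
        raise ValueError("not an AES Crypt file (no 'AES' magic)")
    if data[3] != VERSION:
        raise ValueError(f"unsupported AES Crypt format version {data[3]}")
    pos = 5                               # magic, version byte, reserved byte
    extensions = {}
    while True:                           # length-prefixed extensions, 0x0000 ends them
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if length == 0:
            break
        ident, _, value = data[pos:pos + length].partition(b"\x00")
        pos += length
        if ident:                         # an unnamed extension is reserved padding
            extensions[ident.decode("ascii", "replace")] = value
    # IV1 (16) || encrypted IV2+key2 (48) || HMAC1 (32) || ciphertext || size byte || HMAC2 (32)
    if len(data) < pos + 96 + 33:
        raise ValueError("truncated file")
    ciphertext = data[pos + 96:-33]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"extensions": extensions,
            "iv1": data[pos:pos + 16],
            "enc_iv_key": data[pos + 16:pos + 64],
            "hmac1": data[pos + 64:pos + 96],
            "ciphertext": ciphertext,
            "size_mod_16": data[-33],
            "hmac2": data[-32:]}


def password_is_correct(data: bytes, password: str) -> bool:
    """True iff the password reproduces HMAC1 over the encrypted key block."""
    hdr = parse_header(data)
    key1 = stretch_password(password, hdr["iv1"])
    expected = hmac.new(key1, hdr["enc_iv_key"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, hdr["hmac1"])


def build_sample_container(password: str, created_by: bytes = b"aescrypt 3.10",
                           blocks: int = 3) -> bytes:
    """Constructed fixture: a structurally valid v2 container for offline tests.

    The 48-byte key block, the content and HMAC2 are random filler (there is
    no AES here, so no real key2); IV1 and HMAC1 are computed exactly as the
    format specifies, which is all the password check looks at.
    """
    iv1 = os.urandom(16)
    enc_iv_key = os.urandom(48)
    hmac1 = hmac.new(stretch_password(password, iv1), enc_iv_key,
                     hashlib.sha256).digest()
    ext = b"CREATED_BY\x00" + created_by
    pad = bytes(128)                      # zero-filled reserved extension, as real files carry
    header = (MAGIC + bytes([VERSION, 0])
              + struct.pack(">H", len(ext)) + ext
              + struct.pack(">H", len(pad)) + pad
              + struct.pack(">H", 0))
    return (header + iv1 + enc_iv_key + hmac1
            + os.urandom(16 * blocks) + bytes([0]) + os.urandom(32))


if __name__ == "__main__":
    sample = build_sample_container("Tax-Season-2016")
    print("created by:", parse_header(sample)["extensions"])
    print("right password:", password_is_correct(sample, "Tax-Season-2016"))
    print("wrong case:    ", password_is_correct(sample, "tax-season-2016"))
```

To use it on a real file, read the .AES file into bytes and call `password_is_correct(data, password)`: a False result with an intact header means the password (or its capitalization) is wrong, while a ValueError means the file itself is not a complete AES Crypt container and the client should re-send it. The HMAC comparison uses `hmac.compare_digest` so that a helper run in bulk does not leak timing information about how much of the tag matched.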
4. OK, I’ve followed the steps in #3 above, and I have a .ZIP file. What do I do now?
If you have a zip file and don’t know what to do, talk to one of your junior staff or your IT consultant on how to unzip a file in Windows/Mac OS. If the file won’t unzip on your PC, the file may be corrupted, or some other problem may have occurred. Note that if AES Crypt itself complained during step #3 that the password was wrong or the file had been altered, the problem is upstream of the zip step: re-check the password (it is case sensitive), and if that doesn’t fix it, have the client re-send the file rather than fighting with a damaged one. Either way, that’s something your IT person and most users should be able to handle. (You should also implore your client to just use your portal so you don’t have to deal with this process.)
5. Why would someone send me an encrypted file? Why won’t the client just use my (Sharefile, CCH portal, Thomson Portal, etc.)???
Your client has sent the file to you because they want to send the file to you securely, and they have rightly been told that they should not send tax documents or other confidential information over e-mail or other insecure methods.
As to why your client won’t use your portal, try asking them, and read #2 above on how to get better portal adoption. People shouldn’t smoke, use illegal drugs, or swear around children, yet these vices persist in our society. You also have a choice – are you going to work with this person or not? Decide what you’re going to do here – and price the engagement accordingly. Perhaps you price in a surcharge for the extra time – I don’t know. You and your client need to work out something that works for you both – that’s why you’re the partner and make the big bucks.
If you have further questions/comments, send them to me via Twitter (I’m @BFTCPA). As time permits, I’ll try to get them incorporated into this post in the future.