This article addresses the full disk encryption requirements and guidelines on University computers that protect sensitive information.
Why Are We Deploying Full Disk Encryption?
Full disk encryption is a part of St. Lawrence University’s response to recommendations by the University auditors to help protect the institution against unauthorized access to sensitive/protected/institutional information. The primary goal is to reduce the risk to the University in the event of theft, loss, or unauthorized physical access to a device.
Who is Getting Encrypted?
Our initial focus is on laptops as well as desktop computers that are used to access sensitive information. Over time most University owned computers, including desktops, laptops and capable tablets could be encrypted.
What is Being Encrypted?
The entire hard disk will be encrypted, so every file currently on the drive and any new files will be encrypted automatically. The protection applies only to the encrypted disk itself: files copied off the encrypted computer (e.g. to USB drives, CD/DVDs, network drives, or an unencrypted computer) are written unencrypted at their destination unless that destination is encrypted in its own right.
The technologies being used are Microsoft BitLocker for Windows devices and FileVault 2 for Apple OS X.
BitLocker is the native encryption feature included in some editions of Windows, though it is not turned on by default. To meet St. Lawrence University's encryption requirement, systems using BitLocker must be running Windows 7 SP1 Enterprise or Ultimate edition, or Windows 8.1 Enterprise edition, and must have TPM 1.2 or later hardware.
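The requirements above can be checked on a machine in one pass. The following PowerShell audit is an added example, not code from the St. Lawrence IT page; it assumes Windows 8.1 or later with the BitLocker PowerShell module and an elevated prompt (Windows 7 lacks Get-BitLockerVolume, where manage-bde -status reports the same information). The edition pattern follows the page's list of compliant editions and would need updating for newer Windows releases.

```powershell
# Added example (not from the St. Lawrence IT page): audit one Windows machine against
# the BitLocker requirements above. Assumes Windows 8.1 or later with the BitLocker
# PowerShell module, run from an elevated prompt.

$requiredTpmSpec = [version]'1.2'

# 1. Operating system edition. The page lists Windows 7 SP1 Enterprise/Ultimate and
#    Windows 8.1 Enterprise as compliant, so any other edition is flagged for review.
$os        = Get-WmiObject -Class Win32_OperatingSystem
$editionOk = ($os.Caption -match 'Enterprise|Ultimate')

# 2. TPM. Win32_Tpm.SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"; the first
#    field is the specification level. A present-but-disabled TPM cannot seal the
#    BitLocker key, so enabled and activated are checked as well.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $tpmSpec = [version](($tpm.SpecVersion -split ',')[0].Trim())
    $tpmOk   = ($tpmSpec -ge $requiredTpmSpec) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated
} else {
    $tpmSpec = $null
    $tpmOk   = $false
}

# 3. BitLocker state of the system drive. VolumeStatus 'FullyEncrypted' together with
#    ProtectionStatus 'Off' means BitLocker is suspended (common after a firmware or OS
#    update): the volume key is stored in the clear on disk and the drive is NOT protected.
$vol            = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors     = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$encryptedOk    = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
$tpmProtectorOk = ($protectors -match '^Tpm').Count -gt 0   # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
$recoveryOk     = $protectors -contains 'RecoveryPassword'  # reported, not required by the page: needed after a TPM or board replacement

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    OsEdition                 = $os.Caption
    EditionCompliant          = $editionOk
    TpmSpecVersion            = $tpmSpec
    TpmCompliant              = $tpmOk
    SystemDriveProtected      = $encryptedOk
    TpmKeyProtector           = $tpmProtectorOk
    RecoveryPasswordProtector = $recoveryOk
    Compliant                 = $editionOk -and $tpmOk -and $encryptedOk -and $tpmProtectorOk
}
```

Run it as a scheduled task or through your management tooling and collect the objects; the Compliant field reflects only what the page requires, while the RecoveryPasswordProtector field is a separate sanity check, since a drive with only a TPM protector cannot be recovered if the TPM or motherboard is replaced.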
Similarly, FileVault 2 will be enabled to prevent unauthorized access to documents and other data stored on your Mac's hard disk. To use this feature, you need OS X Mountain Lion (10.8) or later and a working OS X Recovery volume on your startup disk.
Tips for Best Practice
St. Lawrence IT recommends that before 'at risk' activities, such as traveling with the computer or leaving it unattended for an extended period, users shut the device down rather than using sleep or hibernate. Full disk encryption protects data only while the computer is off: once it has booted and been unlocked, the disk encryption key and any open sensitive data sit in system memory, and locking the screen does not remove them; a full shutdown does. St. Lawrence IT also recommends that screen auto-lock be enabled with a password required to resume, which guards against casual access when you step away briefly. Together these practices help ensure that encrypted data stays protected.