Disk Encryption

Overview

Disk encryption is a security measure that encodes data stored on a hard drive, flash drive, or other storage device. It helps protect sensitive information from unauthorized access, theft, or data breaches, and ensures that even if the physical storage device is lost or stolen, the data remains secure and inaccessible to anyone without the decryption key. University-managed devices use disk encryption if they are used to access or store data that is considered Medium or High Risk as defined in ITS-09 Media Protection Standard, section 4.3.3 - Media Encryption.

Personal devices that will be used to access or store Medium or High Risk university data are subject to the same standards as university managed devices. High Risk or Research data stored on removable storage devices must also be encrypted.


Windows: BitLocker

Windows BitLocker is a security feature that provides encryption for storage devices, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. To enable BitLocker on a device, it must meet the following system requirements:

  • For BitLocker to use the system integrity check provided by a TPM, the device must have TPM version 1.2 or later.
    • If a device doesn't have a TPM, saving a Startup Key on a removable drive is mandatory when enabling BitLocker.
  • A device with a TPM must also have a Trusted Computing Group (TCG)-compliant Basic Input Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) firmware. This firmware is commonly referred to as Secure Boot.
  • The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB Mass Storage Device class, and reading files on a USB drive in the pre-boot environment.
  • The hard disk must be partitioned with at least two drives:
    1. The Operating System drive
    2. The System (Boot) drive

When installed on a new device, Windows automatically creates the partitions that are required for BitLocker. This allows for easy configuration of BitLocker on any device that can support it.

NOTE: BitLocker encryption is not available on devices that use Windows 10 Home edition.


macOS: FileVault

FileVault 2 is a disk encryption program for Mac computers that helps protect data by encrypting the contents of the disk. This encryption ensures that unauthorized users cannot access the data on the disk without the correct password. FileVault is available on macOS versions 10.7 (Lion) and later. To enable FileVault, a user must be granted Secure Token access.

When a Secure Token user logs in to their Mac, the system will use that login attempt to unlock the encryption key stored in the Secure Enclave. This key is then used to decrypt the disk and allow the user to access their data. A second login prompt appears to start a normal desktop session. When the user logs out or shuts down the computer, the encryption key is locked again, ensuring that the data remains secure when the computer is not in use.


Linux: dm-crypt/LUKS

dm-crypt is a disk encryption subsystem in the Linux kernel that provides transparent encryption of block devices, such as hard drives and USB drives. It uses the Device Mapper framework to map encrypted data to a virtual block device, allowing users to encrypt their data at the block level without having to manually encrypt individual files or directories. dm-crypt uses Linux Unified Key Setup (LUKS) as a standard for disk encryption that specifies how encryption keys are stored and managed. dm-crypt and LUKS are typically included in Linux distributions; however, additional tools or packages may be required to manage LUKS-encrypted devices.


Recovery Keys

When a storage device is encrypted, it generates a Recovery Key, which is a unique code or series of characters that allows access to a locked account or encrypted data in the event of a forgotten password or security breach. For Windows devices that are connected to the university's Active Directory or Entra environment, the recovery key is commonly stored in the computer object that corresponds with the device under the BitLocker Recovery tab.
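The BitLocker system requirements listed in the Windows: BitLocker section and the recovery-key storage described above can be audited from an elevated PowerShell prompt. The script below is an added example and is not part of the original article; it assumes the OS volume is the system drive (normally C:), that the BitLocker and TrustedPlatformModule cmdlets are available (Windows 10/11), and that the optional backup switches are used only on a device joined to Active Directory or Entra ID.

```powershell
<#
  Added audit example (not from the original article). Read-only unless one of
  the backup switches is passed. Run from an elevated PowerShell session.
#>
param(
    [string]$MountPoint = $env:SystemDrive,   # assumption: OS volume is the system drive (C:)
    [switch]$BackupToAD,                      # assumption: device is domain-joined
    [switch]$BackupToEntra                    # assumption: device is Entra-joined
)

$findings = [ordered]@{}

# TPM 1.2 or later is required for the system integrity check.
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$findings['TPM present'] = [bool]$tpm
$findings['TPM spec']    = if ($tpm) { $tpm.SpecVersion } else { 'none (Startup Key on USB required)' }

# TCG-compliant UEFI firmware: Confirm-SecureBootUEFI throws on legacy BIOS systems.
try   { $findings['Secure Boot'] = Confirm-SecureBootUEFI }
catch { $findings['Secure Boot'] = 'unsupported (legacy BIOS or not UEFI)' }

# BitLocker needs at least two partitions (OS and System) on the disk holding the OS volume.
$osPart = Get-Partition -DriveLetter $MountPoint.TrimEnd(':')
$findings['Partitions on OS disk'] = (Get-Partition -DiskNumber $osPart.DiskNumber).Count

# Current encryption and protection state of the OS volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$findings['Volume status']     = $vol.VolumeStatus
$findings['Protection status'] = $vol.ProtectionStatus

# The RecoveryPassword protector is the recovery key that AD / Entra stores on the computer object.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$findings['Recovery password protector'] = [bool]$rp

if ($rp) {
    # Escrow the recovery password to the directory that holds the device's computer object.
    if ($BackupToAD)    { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId }
    if ($BackupToEntra) { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId }
}

[pscustomobject]$findings | Format-List
```

A device that reports no TPM, a Secure Boot result of 'unsupported', fewer than two partitions, or no RecoveryPassword protector does not meet the requirements above and should be remediated before being used for Medium or High Risk data.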

macOS devices managed using Jamf Pro will store a personal recovery key and a device recovery key, either of which can be used to decrypt the device. Additionally, technicians can view the users that have been granted Secure Token access.


Details

Article ID: 346
Created
Wed 7/17/24 4:03 PM
Modified
Wed 8/14/24 1:27 PM
