Computer Encryption Policy

Background

In 2016 UW System Administrative Policy 1031 was issued. The policy specifies security controls for all data that belongs to the university. Procedure 1031.B specifies that for all medium- and high-risk data, “if data are stored on an individual workstation or mobile device, encryption is required.” Letters & Science IT is responsible for ensuring compliance with this policy.

Full Disk Encryption

As a standard practice, Letters & Science IT will encrypt all laptops that are purchased by the college using full disk encryption. Both Windows and MacOS support full disk encryption “out of the box.” More details on Windows- and Mac-specific considerations can be found below.

Full disk encryption ensures that files saved to your computer are safe “at rest.” This means no one can access files on your computer unless the device is booted and an authorized user has signed in. This type of encryption is particularly effective for safeguarding against data loss when computers are stolen or lost. Having disk encryption enabled greatly reduces the possible legal liability of the University when devices go missing.

Effects of Full Disk Encryption

In most cases, encryption will not be noticeable to the user of the computer. If you have bought a laptop computer any time after 2017, it is probably encrypted already.

In cases where hardware changes need to be made to a computer (such as replacing computer components or updating the firmware), a device that is using full disk encryption will require an encryption password to boot after a change is made. Fortunately, these cases are rare, and the L&S IT Office will assist when they occur.

Full disk encryption has a negligible performance impact on computers. The college buys computers that include special hardware that handles the encryption/decryption process so that there is no noticeable impact on performance.

Windows – Bitlocker

Bitlocker Drive Encryption is the full-disk encryption solution that is native to Windows. It was introduced in Windows 7, and remains in support for Windows 8 and 10.

If you have a Windows 7 device, and the L&S IT Office contacts you about enabling Bitlocker Drive Encryption, there are a few considerations specific to your situation:

  1. Windows 7 is being retired by Microsoft in January of 2020. Consider having the IT Office upgrade your laptop to Windows 10.
  2. When enabling Bitlocker on your Windows 7 laptop, an IT Office technician must be present to enter the BIOS password. After turning on encryption, it will take at least a few hours for the disk to fully encrypt. During the interim period, you can still use your laptop normally; however, you will only have about 5 gigabytes of free disk space. When the device finishes encrypting, all your free disk space will be made available again.
    • The amount of time it takes to encrypt in Windows 7 is roughly proportional to the total size of the disk being encrypted. Very large disks may take an entire day to encrypt.
    • Windows 10 laptops will have their full disk available during the encryption process.

 

MacOS – FileVault

FileVault is the full-disk encryption solution that is native to MacOS. It was introduced in version 10.3 and has remained in service ever since.

If the IT Office contacts you about encrypting a MacOS device with FileVault, the process will require a technician appointment. FileVault requires that each user be added to a list of pre-authorized logins in order to be able to use the device after each power cycle. The technician will ensure that all users who are authorized to use the computer are granted the appropriate access when enabling FileVault.

Laptops that are running very old versions of MacOS may need to be re-imaged before they can be encrypted. If this applies to your laptop, L&S IT will notify you of this requirement when you are contacted about enabling FileVault.

Most MacOS devices purchased in 2016 or later are already encrypted with FileVault.