Will my computer act differently after it has been encrypted?

Devices encrypted with BitLocker Drive Encryption and FileVault 2 will not require any additional steps to access your data. Both encryption solutions are native to Windows and OS X, respectively, and require no additional logins. Legacy devices encrypted with PGP will require an additional password when first powering on your device. This separate password ensures only you can access your encrypted data. You can assign a separate password for this purpose, or it can be the same as the CWID password you normally use to log into your computer.

How long does it take to encrypt my hard drive?

It takes about 15 minutes to install the encryption software, and then between 4 and 10 hours to finish the encryption, during which time you can use your computer normally. After the initial encryption is complete, the encryption should not disturb you while you work.

Do BitLocker, FileVault 2, and PGP encrypt my entire hard drive?

Yes! Many types of encryption software do not encrypt the entire drive, but the ITS-managed encryption solutions utilize whole disk encryption, which means every sector of your hard drive will be encrypted.

I have a desktop computer that stores confidential data as defined in the data classification policy. Can I have it encrypted?

The latest revision to the ITS Device Encryption policy (11.06) now requires that all tagged desktops be encrypted with the ITS-managed encryption solution.

What can I do if my device does not meet hardware requirements?

ITS recommends Macintosh users upgrade to OS X 10.7 Lion or higher. Encryption solutions for previous versions of OS X, such as the original version of FileVault, do not provide whole disk encryption and are not compliant with the Device Encryption policy. We also recommend that Windows users upgrade to Windows 7 or higher.

What type of encryption software does ITS use?

ITS uses Microsoft's BitLocker Drive Encryption for devices running Windows 7 or above and Apple's FileVault 2 for devices running Macintosh OS X 10.7 Lion or above. Both of these encryption solutions are native to the respective operating system and offer significant improvement in system performance. Symantec's Pretty Good Privacy (PGP) is being phased out and may only be used to support legacy devices requiring encryption. Mobile devices, such as tablets and smartphones, are encrypted using native device encryption that is enforced by our mobile device management solution.

How much does it cost to encrypt my laptop?

For any ITS-tagged laptop, encryption is provided at no additional charge. We are available to assist and provide "best effort" support to encrypt untagged devices that meet our hardware requirements. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.

Do I have to encrypt my device?

All devices tagged by ITS and used for WCMC purposes must be encrypted using an ITS-managed encryption solution unless otherwise exempted as defined in the ITS Device Encryption policy (11.06). This is to help protect you if you store, send, or receive confidential data, such as:

  • Social Security Numbers
  • Financial information, such as credit card and bank account numbers
  • Protected Health Information as defined by HIPAA
  • Research information
  • Other WCMC-proprietary information

Many people receive and store this information on their devices, even if they do not realize it, which is why we are mandating encryption on all tagged devices across the institution. The full definition of confidential data can be found in the ITS Data Classification Policy (11.03) and the ITS Device Encryption policy (11.06).

Can I opt out of encrypting my laptop?

Encryption is a relatively easy way to safely secure the data on your laptop from theft, misuse and loss. In the event that an exception to encryption is proposed, you must complete the Request for Device Encryption Exemption form and have the request approved by your Department Administrator, the Department Chair, or an equivalent senior manager. All exemption requests will be reviewed by ITS Security. Any exemption denials may be appealed by the requestor and will be brought to and reviewed by the Information Security and Privacy Advisory Committee (ISPAC). Exemptions are granted temporarily and will need to be recertified annually and/or if the purpose of the device or the job responsibilities of the requestor change. If an exempted device is misplaced, lost, or stolen, all associated costs for forensic investigation and legal and regulatory reporting will be charged to your department. Please contact Tom Horton, Chief Information Security Officer, at thh4011@med.cornell.edu with questions on this process.

What is device encryption, and what does it do?

Encryption is a technology that protects the contents of your device from unauthorized access by converting it into unreadable code that cannot be deciphered easily. It is a much stronger level of protection than typical security features, such as logging into an operating system with your CWID and password or protecting individual files with passwords. Whole disk encryption is used to protect the entire contents of your device.