Full Disk Encryption (FDE)

Full Disk Encryption Really Quick Quick Start Guide

If you already know you need your machine encrypted, please submit a Helpdesk Request. Enter “Full Disk Encryption” as the subject and give us as many details as you can about the computer you would like encrypted. An ITS UXSS team member will contact you to schedule everything. Remember that ITS supports two major operating systems through their native FDE solutions: Windows using BitLocker and macOS using FileVault.

Full Disk Encryption (FDE) Options

This document covers the main Full Disk Encryption options available and approved by ITS.

Please note that FDE, at this stage, applies only to “mobile” devices such as laptops and tablets; it is not required on regular desktop machines. FDE is required on all institutionally-owned mobile devices, and on personally-owned mobile devices that are used to store or work with sensitive institutional data.

To define: sensitive institutional data includes information covered by FERPA or HIPAA, personally identifiable information (PII), financial information, and the like.

Introduction

Full Disk Encryption (FDE), sometimes called Whole Disk Encryption (WDE), is a data-confidentiality solution in which a computer's entire system drive (and possibly other “data” drives) is encrypted, protecting the data at rest. On boot-up, the first thing that loads from the drive is the FDE pre-boot module, which accepts some kind of authentication token, most commonly a password (BitLocker can also unlock using a key sealed in the machine's TPM, in which case no password is requested before Windows loads). Once authentication succeeds, the FDE layer transparently decrypts data read from the drive as the operating system loads and as the user works in whatever applications they use; conversely, any data written to the drive is transparently encrypted before it reaches the storage device. From the user's perspective, this low-level layer of encryption and decryption adds negligible overhead to the operation of the system.

What FDE achieves is a managed level of data protection that gives the institution confidence that, if a mobile device such as an encrypted laptop is lost or stolen, the data on it will not need to be reported as a possible data-loss incident: it is protected against third-party access, criminal or otherwise, by the enforced use of strong cryptography. Note that this protection covers data at rest only. Once a device has been booted and unlocked, the operating system's own access controls are all that stand between the data and whoever holds the device, so a strong login password and an automatic screen lock remain necessary.

ITS Recommendations for FDE

The ITS recommendation for full-disk encryption (FDE) is to use the “native” encryption options of the two supported operating systems: BitLocker for Microsoft's Windows and FileVault for Apple's macOS. These provide the level of data protection discussed above, along with the centralized management capabilities discussed next, which allow authorized ITS staff to recover access to any encrypted system even when the principal users are unable or unwilling to provide their password. This is the crux of what an institution-wide initiative like this needs to support: any institutional data stored on mobile computing devices must remain accessible to the institution with or without the assistance of the user involved.

Centralized Management

ITS has two ways of centrally managing our FDE targets: Active Directory integration for Windows machines, and a third-party solution, JAMF Software's Casper Suite, for macOS systems. Both platforms restrict access to the recovery information for FDE machines to authorized ITS individuals.

For domain-joined Windows machines the AD integration is entirely transparent: the BitLocker recovery information is backed up to the computer's object in our campus-wide domain with no action on the user's part. If you have a Windows system that cannot be a domain member, for whatever reason, please mention this in your helpdesk request and the UXSS team member will discuss it further. In such a case we store the BitLocker recovery information in a different secured environment, again with access restricted to authorized ITS individuals.
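The following PowerShell is an added example of how an administrator can confirm that the AD integration described above actually took effect on a given machine; it is not ITS's own tooling. It assumes an elevated PowerShell session on a domain-joined Windows 10 machine with the BitLocker module, that Group Policy permits backing up recovery information to AD DS (Backup-BitLockerKeyProtector fails otherwise), and, for the final check, the RSAT ActiveDirectory module and read rights on the computer object. The mount point C: is an assumption; adjust it for other volumes.

```powershell
# Added example (not ITS's own tooling): check BitLocker state on the OS volume
# and make sure a recovery password is escrowed to Active Directory.
# Assumptions: elevated session, domain-joined Windows 10, BitLocker module,
# GPO "Store BitLocker recovery information in AD DS" enabled, and (for the
# AD-side check) the RSAT ActiveDirectory module. Mount point is assumed.
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Is the volume actually protected? A volume can be 100% encrypted yet have
#    ProtectionStatus Off (for example, suspended for a firmware update), which
#    leaves a lost laptop readable. Both conditions must hold.
if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning ("{0}: ProtectionStatus={1}, VolumeStatus={2}, {3}% encrypted" -f
        $MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)
}

# 2. There must be a RecoveryPassword protector; its 48-digit password is what
#    AD stores. A TPM-only protector unlocks the machine but gives ITS nothing
#    to recover with. Add one if it is missing.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow every recovery password protector to AD DS. Safe to re-run: it
#    simply writes the current protector(s) to the computer object again.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output ("Backed up recovery protector {0} to AD DS" -f $p.KeyProtectorId)
}

# 4. Confirm from the AD side. Recovery information lives in child objects of
#    class msFVE-RecoveryInformation under the computer account; this step needs
#    the ActiveDirectory module and an account allowed to read those objects.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties whenCreated)
    if ($escrowed.Count -eq 0) {
        Write-Warning "No BitLocker recovery information found in AD for $env:COMPUTERNAME"
    } else {
        $escrowed | Select-Object whenCreated, Name | Format-Table -AutoSize
    }
} else {
    Write-Output 'ActiveDirectory module not present; skipping AD-side verification.'
}
```

Step 1 is the check most often skipped: Get-BitLockerVolume can report a fully encrypted volume whose protection is suspended, and such a machine is no better than an unencrypted one until protection is resumed with Resume-BitLocker. Step 4 deliberately reads only the object names and creation times, not the msFVE-RecoveryPassword attribute itself, since the recovery password should be pulled out only when a recovery is actually being performed.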

The macOS setup requires installing the JAMF Casper client on the target system, which escrows the FileVault recovery key to the management server. This is all handled by the UXSS team member as part of the FDE installation process.

Installation of FDE

The installation of FDE on a supported system (Windows or macOS) is performed by ITS and typically takes about two days to complete. Because the recommended solution uses the native encryption capabilities provided by the OS manufacturers, Microsoft and Apple, it is fully supported by any appropriately licensed OS. One point to note: earlier OS releases such as Windows 7 come in several licensing editions, some of which do not include BitLocker at all (on Windows 7 it ships only with the Ultimate and Enterprise editions). If this is the case, the assigned UXSS team member will go through the options for resolving it: either purchasing a more fully featured license or upgrading to a current OS version such as Windows 10, where BitLocker is included in the Pro, Enterprise and Education editions (Windows 10 Home does not include BitLocker, only the more limited device encryption on supported hardware).

Audit Requirements

To enforce FDE use across all institutionally-owned mobile devices, and across personally-owned mobile devices that store or use sensitive institutional data, the Department of Internal Audit and Compliance is authorized to conduct random audits of any individual or department on campus.


How-tos for BitLocker (Windows), FileVault (OS X), iOS, and Android

OS / FDE                  How-to Link
Mac OS X (FileVault)      https://support.apple.com/en-us/HT204837
Windows 7 (BitLocker)     https://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
Windows 8/8.1 (BitLocker) https://technet.microsoft.com/en-us/windows/jj737997.aspx
Windows 10 (BitLocker)    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview
iOS                       https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Android                   https://source.android.com/security/encryption/full-disk.html