Computer Whole Disk Encryption Guideline
(Approved by the University Chief Information Security Officer)
1. Purpose
This guideline provides information on how to implement whole disk encryption for the protection
of University of Washington (University) institutional information.
Institutional information that often resides on computing systems is a critical asset for the
University. The information is central and integral to the success of the University’s mission of
providing excellence in education, advancements through research, and meaningful public services.
Computer users should be mindful of the protections and use of these critical information assets to
ensure their availability, confidentiality, and integrity.
2. Scope
This guideline applies to:
• University workforce members; and
• Institutional information within the possession, custody, or control of the University.
3. What You Should Know Before You Encrypt Your Computer
Encryption helps manage the risk of unauthorized exposure to University institutional information.
However, if encryption is not properly installed and carefully managed, or if the encryption key is
lost, computer users will be unable to access or recover the data on the computer.
4. Encrypting Windows 7
a. Encrypting a New Mobile Computer
If you are purchasing a new mobile computer through eProcurement, you can add BitLocker
encryption during the purchase process. CDWG will encrypt the hard drive for you, but you will
still need to back up your encryption key.
b. Encrypting an Existing Mobile Computer
BitLocker encryption is included in Windows 7 Enterprise/Ultimate. If your computer came with
one of these operating systems, it is likely that you can enable BitLocker.
c. Requirements
• You must be an administrator on your computer, or get an administrator's help, to set up
and turn on BitLocker.
• You must have an enabled Trusted Platform Module (TPM) version 1.2 or later. If the
computer does not have a TPM, you can store the BitLocker key on a USB flash drive.
• You must have a Trusted Computing Group (TCG) compliant BIOS set to start up first from
the hard drive, not the USB or CD drives.
d. Warnings
• Back up your data to an external media before attempting to encrypt the hard drive.
• If you forget your password, change your BIOS, change system files, or have disk errors,
BitLocker will lock the hard drive. The drive can only be unlocked with the recovery key that
you created during the initial encryption process.
• Encrypting the drive will take some time. You can use your computer during encryption, but
performance might be slower.
e. Instructions
i. In the Start menu, select Control Panel. Select System and Security, and then select
BitLocker Drive Encryption. You may be prompted for an administrator password.
ii. Click Turn On BitLocker. The BitLocker setup wizard will scan your computer to make sure
that it meets BitLocker requirements. The wizard may need to repartition your hard drive;
this will require a restart. If your TPM is not enabled, the BitLocker setup wizard will instruct
you to restart the computer and turn on the TPM. Depending on your BIOS, you may be
prompted through the process, or you may need to do it manually.
iii. After the TPM is enabled, you will be prompted to print your recovery key or save it on
external media (e.g. USB drive, CD/DVD, or file server). Ensure that whatever media you use
is secured properly.
iv. Click Next.
v. Confirm that the Run BitLocker system check box is selected, and then click Continue.
vi. Select Restart now. Your computer will restart and the encryption process will begin.
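The following PowerShell script is an added example, not part of the University guideline: it checks the section 4c prerequisites (TPM 1.2 or later, enabled and activated), reports the BitLocker state of the operating system volume, and writes a copy of the numerical recovery password to external media as section 4e step iii requires, using the Win32_Tpm and Win32_EncryptableVolume WMI providers that ship with Windows 7. The drive letter and the backup folder are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the UW guideline). Verifies BitLocker prerequisites
# and backs up the recovery password. Requires an elevated prompt.
param(
    [string]$Drive     = "C:",                     # assumed OS volume
    [string]$BackupDir = "E:\BitLockerRecovery"    # assumed removable media
)

# Section 4c: a TPM version 1.2 or later must be present, enabled and activated.
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($null -eq $tpm) {
    Write-Warning "No TPM found; BitLocker will need a USB startup key instead (section 4c)."
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Host ("TPM spec version: {0}; enabled={1}; activated={2}" -f `
        $tpm.SpecVersion, $enabled, $activated)
    if (-not ($enabled -and $activated)) {
        Write-Warning "Enable and activate the TPM in the BIOS first (section 4e, step ii)."
    }
}

# Section 4e: report protection and encryption progress for the OS volume.
$vol = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if ($null -eq $vol) { Write-Warning "Volume $Drive not found."; return }
$protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
$percent    = $vol.GetConversionStatus().EncryptionPercentage
Write-Host ("Protection status: {0}; encrypted: {1}%" -f $protection, $percent)

# Section 4e step iii: make sure a numerical recovery password exists and save a
# copy to external media. Key protector type 3 = numerical (recovery) password.
$ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
if (-not $ids) {
    Write-Warning "No recovery password protector on $Drive; the drive cannot be recovered without one."
    return
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("BitLocker-Recovery-" + $env:COMPUTERNAME + ".txt")
foreach ($id in $ids) {
    $pw = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
    "Drive $Drive  Protector $id`r`nRecovery password: $pw`r`n" | Out-File -FilePath $file -Append
    Write-Host "Recovery password for protector $id written to $file"
}
```

The backup file holds the same 48-digit recovery password the wizard offers to print, so store that media with the same care the guideline asks for.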
5. Encrypting Mac OS X Lion
Apple computers with Mac OS X Lion (v10.7) come with FileVault 2 encryption. This version of
FileVault encrypts the entire hard drive with XTS-AES 128-bit encryption.
f. Requirements
• You must be an administrator on your computer, or get an administrator's help, to turn on
FileVault.
• If the computer has multiple accounts, you will need the password to each account to
enable them to unlock the computer.
g. Warnings
• Back up your data to an external media before attempting to encrypt the hard drive.
• If you have migrated a disk image from another disk, you may be missing a recovery
partition. FileVault will not encrypt the disk unless you re-install Lion.
• If you have migrated a home directory that was encrypted by an earlier version of FileVault,
you will not be able to turn on FileVault 2. You will need to unencrypt and then re-encrypt.
• If you turn on FileVault and then forget your login password and also lose the recovery
key, you will not be able to log in to your account, and your files and settings will be lost
forever.
• The process of encrypting your hard drive could take a while, depending on how much data
you have. You will have to reboot; however, you can still use your computer during the
process.
h. Instructions
i. In the Apple menu, select System Preferences.
ii. Select the Security & Privacy preferences pane and then the FileVault tab.
iii. If the preference pane is locked, click the lock icon in the lower left corner and enter the
administrator password to make changes.
iv. Select Turn on FileVault.
v. If there are multiple user accounts, you will be asked to enable each account that will be
allowed to unlock the hard drive (start the computer or recover from sleep or hibernation).
You will need the password for each account.
vi. You will be shown your recovery key. Write the key down or print a copy and store it in a
safe place. If the recovery key is hidden, click the triangle next to Show Recovery Key.
vii. If you want to store your recovery key with Apple, select Store the recovery key with Apple.
You will need to choose three questions from the drop-down menus and provide the
answers. The recovery key will be encrypted using your answers. Otherwise, select Do not
store the recovery key with Apple. Click Continue.
viii. Click Restart to restart your computer and begin the encryption process. After restarting,
the encryption process takes place in the background.
6. Encrypting Other Operating Systems
Windows
Windows Vista Enterprise users will need to create two disk partitions – a 1.5GB system volume (set
as active) and an operating system volume. You will need to manually reload Windows, and then
follow the Windows 7 instructions above.
Windows Vista Ultimate users can download BitLocker and EFS Enhancement from Windows
Ultimate Extras (available via Windows Update). After you have installed this tool, type BitLocker
into the Start menu search box, and then double-click BitLocker Drive Preparation Tool to run the
tool. After the tool runs, you must restart your computer before enabling BitLocker (see Windows 7
instructions above).
Windows XP and other versions of Windows Vista or Windows 7 (e.g. Home and Professional) do not
come with BitLocker encryption. You must upgrade to Windows 7 Enterprise/Ultimate, or Windows
Vista Enterprise/Ultimate. Operating system upgrades are covered under the University Microsoft
Campus Agreement.
Mac OS X 10.3 – 10.6
Apple computers with Mac OS X v10.3 – 10.6 come with the initial version of FileVault encryption.
This version of FileVault does not encrypt the entire hard disk, only the user’s home directory.
If you were using FileVault in Mac OS X v10.6, you can install OS X Lion and continue to use FileVault
in the same way. You can also turn off Legacy FileVault and then enable FileVault 2 by following the
Mac OS X Lion instructions above.
Other
For encryption solutions for other operating systems (e.g. Linux), please contact your department IT
support staff.
7. Relevant Policies, Standards, and Guidelines
a. APS 2.2 Privacy Policy
http://www.washington.edu/admin/rules/policies/APS/02.02.html
b. APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
http://www.washington.edu/admin/rules/policies/APS/02.04.html
c. APS 2.5 Information Security and Privacy Incident Management Policy
http://www.washington.edu/admin/rules/policies/APS/02.05.html
d. APS 2.6 Information Security Controls and Operational Practices
http://www.washington.edu/admin/rules/policies/APS/02.06.html
e. UW Medicine IT Services Security Laptop, Mobile Device and File Encryption Guidance
https://security.uwmedicine.org/guidance/technical/encryption/default.asp
8. Additional Information
Installing the wrong software or mishandling the encryption keys can make your computer and the
data stored on the computer unusable. For additional encryption guidance, consult your
department IT support staff or the following resources:
a. Microsoft Campus Agreement
https://www.washington.edu/uware/microsoft/
b. BitLocker Guidance
http://technet.microsoft.com/en-us/library/cc731549%28WS.10%29.aspx
c. FileVault 1 Guidance
http://images.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf
d. FileVault 2 Guidance
http://support.apple.com/kb/HT4790
March 30, 2012