Encryption

Personal Responsibility

Legally, you are personally and fiscally responsible for any information disclosure from your computer or mobile devices, whether accidental or not. IRT Security is here to help you protect yourself: encryption is a one-time, necessary step you can take now to prevent trouble in the future. Stanford is now requiring all computers on its network to be encrypted. Read on for details, and use the quick links to get started.

 

Device Compliance

The School of Medicine oversees compliance with Stanford policy and federal law, and will be conducting ongoing assessments of the devices and the kinds of data users work with. The SoM requires encryption of all devices used to access Stanford resources—whether they are owned by you personally or by the University.

Desktops and Laptops

To be compliant, they must be encrypted using one of the University-approved methods; see below for details, or visit encrypt.stanford.edu.

Mobile Devices

To register as compliant, they must:

  1. Be enrolled in MDM
  2. Be encrypted
  3. Have a complex password (more than 4 characters)
  4. Perform a check-in within 90 days (via AirWatch). (About device check-ins.)

Check Device Status

To check the compliance status of any of your devices, visit amie.stanford.edu.

If you feel that, due to a specific circumstance, your computer or device cannot be successfully encrypted, read about how to apply for an exemption.

 

Data Classification: What Data Must Be Encrypted?

Stanford's new security initiatives require all devices accessing the Stanford network to be encrypted, so that all information at rest and in transit (via email, mobile device, or portable drive) will automatically be encrypted.

If you work remotely, you should encrypt your home computer as well. If your machine or device cannot be encrypted for technical reasons, then you cannot store High Risk information on it, PERIOD.

Stanford Data can fall under three classifications: High Risk, Moderate Risk, and Low Risk

The definitions of each level of data can be found at the Risk Classifications page.

     

Getting Started With Encryption

There are instructions at encrypt.stanford.edu that will walk you through the steps necessary to fulfill University security requirements for each of your devices. Before you begin, however, being prepared ahead of time for the following steps may help you streamline the encryption process.

 

Preparing for Encryption: Backing Up

In case something goes wrong during the encryption process, you should back up your computer before running the SWDE installer.

The School of Medicine recommends using CrashPlan: it's a secure, monitored, convenient backup system — and it's free for School of Medicine affiliates. Additionally, the SoM can assist you in restoring your information from CrashPlan, in the event of a hard drive crash or lost computer. While it is not currently required, it is strongly recommended.

For instructions and help with installation, visit the School of Medicine's CrashPlan Guide.

 

Preparing for Encryption: Key/Password

For desktop and laptop computers, Stanford Whole Disk Encryption (SWDE) installer makes certain that your computer has all the necessary requirements, and then guides you through the activation of your computer's native encryption software (FileVault for Mac, and BitLocker for Windows).

(For mobile device encryption instructions, select your operating system: Apple/iOS or Android.)

Each time you access your system (on startup, after sleep/hibernation, etc), you use a "key" (password) to unlock your data.  IF YOU CANNOT REMEMBER YOUR KEY, YOU WILL NOT BE ABLE TO ACCESS YOUR ENCRYPTED DATA.

In case of a forgotten key, it is likely that someone at ITS will be able to help you recover your data.  However, we still recommend the following:

  • Before you begin the encryption process, select a strong key or passphrase that you will use for the encryption.  This will be the passphrase you will use every time you "unlock" your computer screen. Here are some hints for creating a strong passphraseDo NOT use the same password as for your SUID.
     
  • Write down the password and place it in a sealed envelope; store the sealed envelope in a secure location (e.g., a locked desk).  THIS IS YOUR BACKUP IN CASE YOU EVER FORGET YOUR PASSWORD.
     
  • When you install SWDE, which uses BitLocker or FileVault, you should do the same with the Recovery Key, a string of letters and numbers generated by the installer, and displayed on the screen, before proceeding with encryption: write it down and store it in a physically secure location. You will not need to use this key on a regular basis; it only serves as your backup, in case of a lost password. BigFix will store a copy with ITS automatically, as well.
     
  • As with all passwords, do not share these with anyone.

 

Once you have selected your login password and backup method, you are ready to move on to the encryption process.

 

Resources