Previously, PGP Whole Disk Encryption was Stanford's chosen software solution for whole disk encryption, as a centrally auditable way to protect University High Risk Data. Now, new versions of the major operating systems come with the capability for encryption built in. Therefore, Stanford now recommends using the native versions of encryption for each operating system, and provides an installer for each encryption tool, to ensure that the computer is properly configured for encryption according to Stanford's guidelines. Users who have been using PGP should transition to using one of the new approved encryption tools. For more information about Stanford Whole Disk Encryption, start here.
Currently, no: Mac OSX and certain Windows operating systems are the only systems cleared for sensitive information and PHI. The Information Security Office does not support Chromebooks or UNIX systems for encryption or PHI use, and there are no efforts to provide support at this time. If there should be large demand in the future, and available resources, this may change.
You may have the Sophos anti-virus scanner set to scan "on-access," as in, every time you log in. It may be attempting to scan the large encrypted file (sparse bundle), which can slow your computer while the scan is running. You can reconfigure the scan settings, by following the directions here. (You may need to log in as "administrator" to successfully log in, as the scanner may be stalling log in for an individual user account.)
If you've forgotten or lost your passphrase, or if it's not working, Stanford IT Services can help you access your computer. Call (650) 725-4357 or submit a HelpSU request and an administrator will reset your password. If you've forgotten the passcode to your mobile device—and it's registered with MDM—you can go to mdm.stanford.edu and reset it yourself.
The built-in encryption tool, FileVault, will work as long as all data to be encrypted is stored within the user profile. Be sure to follow the procedures for disabling the Sophos on-access scanner located here.
First, you should make sure that your computer is compliant with all the Stanford and School of Medicine security requirements. Check the Data Security Program page for details.
When you need to step away from your computer, even in your office, lock the screen or put the computer to sleep. A strong password will help prevent casual access to decrypted information. You should also keep a portable computer physically secure: a good office habit would be to lock the laptop in a drawer at night, or lock the door to your office. And especially while traveling, you should keep track of the laptop by not letting it out of your sight. Don't even, for example, leave it on the table at the coffee shop while you go for a refill. Additional tips for personal computer security can be found at the Stanford Secure Computing website.
Yes! The data is unencrypted while you're using it; to protect it from unauthorized access you actually need to lock it. The same is true of your smartphone or tablet: the built-in encryption is useless if you never actually activate it by locking your device. Set your screensaver to a password, and get in the habit of locking your screen every time you step away from your machine. What seems like a small inconvenience will quickly become a habit—and a very strong method of protecting your data.
Windows users can lock their computer with either of two methods:
At any time, you can press Control-Alt-Delete, and select 'Lock Computer' from the menu.
You can also set the screen to lock after entering the screen saver, or after hibernating: Right-click the desktop and select Personalize (or Properties). In the window that comes up, select the Screen Saver tab. Pick a screen saver from the drop-down menu. In the "Wait:" field, set the length of idle time that triggers the screen saver. Check the box for password protection (it might say "On resume, display logon screen", or "On resume, password protect", or "Password protected"). Click OK.
Regardless of how you lock your computer, to unlock it, press Ctrl-Alt-Del. A window will appear where you can enter the password for the username under which you're logged in.
Mac users can configure Hot Corners:
Go to the System Preferences menu and click the "Security" icon. In the "General" tab, click the checkbox for: "Require password ______ after sleep or screen saver begins" (use the pop-up menu to select an amount of time). Click "Show All" at the top to return to System Preferences.
Click "Desktop & Screen Saver". In the "Screen Saver" tab, pick a screen saver and then click "Hot Corners," at the bottom left. Use the pop-up menus to define the corners of your screen.
With Hot Corners defined, dragging the cursor to the assigned corner(s) will turn the screen saver on; you can also put the computer to sleep. When you wake up the computer, you will need to use the logged-in user's password to unlock the screen.
No—you need to encrypt your external drives separately. The best practice would be not to store High Risk information on removable drives, but if you must, that information is required by law to be encrypted. Encrypted USB drives and external hard drives are available, and Stanford is working to make them widely available. Otherwise, try sending your files around with MedSecureSend instead.
No—once a file leaves your computer, it is no longer encrypted. If you must discuss prohibited, restricted, or confidential information over email, use Stanford Secure Email. It's already built into Stanford's email system; instructions are at http://secureemail.stanford.edu. Sending a message with SECURE: in the subject line encrypts the information in transit, so it cannot be intercepted.
No—once a file leaves your computer, it is no longer encrypted. If you must send large files containing sensitive information, use MedSecureSend (MSS). MSS recipients will receive an email with a link to a secure download of your file; you can use MSS to securely send files up to 20GB in size.
My computer was encrypted, but it's been stolen! What should I do?
If you have any additional questions that have not been answered here, visit the information on encryption at Stanford Answers. Please don’t hesitate to contact IRT at irthelp.stanford.edu or 650-725-8000 (M-F, 7a-6p). You can also visit us at the Stanford Medicine Tech Bar on the ground floor of Lane Library (M-F 8a-6p).