Encrypted Workstation FAQ
Frequently Asked Questions
Can I use alternative encryption technologies to meet the encryption requirement for restricted information storage?
While many products provide valid encryption, many are not very usable in an enterprise setting. Our current standard for desktop encryption provides these important usability features: 1) a centrally managed, logged and audited ability to unlock a machine when a passphrase is forgotten or when it is lost due to employee separation, 2) central reporting of which machines are encrypted, 3) a single product for both Macs and PCs, and 4) central logging of errors and login failures.
The University's information classification and protection policy mandates that approved encryption technology be used to control restricted data stored on computers. Schedule C referenced in that policy provides a list of currently approved encryption technologies.
I don't think there's encrypted information stored on my (or my staff's) computers. Should I encrypt just to be safe?
Are you sure there is no restricted data? You may want to run SENF and check for SSNs and CCNs on the drive(s). If you're sure you have no restricted information stored temporarily, occasionally or regularly on the system, then, generally speaking, you should not encrypt. Why? Encryption comes at a cost. Aside from the cost of the software and backup drive, there is technician time in setup and extra maintenance when you transfer the machine or when people come and go from your department (e.g. if a person is an alternate user on several machines and is separated, you have to remove their login from the disks in order to preserve our protection).
Often it is, but encryption users cannot expect to be leading adopters of new hardware and operating systems. To make an encrypted workstation transparent to use, the encryption is tightly integrated with the hardware and operating system. Big changes in operating systems and hardware may change the way that integration works, and the encryption vendors have to catch up. This means that encrypted workstation users should not expect to be early adopters of the latest hardware and operating systems; expect to be 6 months behind the cutting edge.
Can I update my encrypted computer?
Normal software updates and patches are still an encouraged part of best practices and standard usage of any computer system. Upgrades must wait until WDE supports the upgrade; otherwise you may destroy your data.
What is an Upgrade?
An upgrade means a major, standalone version of a software product. Such products are often something you purchase. OS X upgrades are sometimes also called "reference
For example, OS X Yosemite is an upgrade that will be available from the Mac App Store. Windows 8 is an upgrade for Windows 7. Symantec has a page detailing support by version of Mac OS X.
A "software update" updates a major version of software, but does not upgrade it to the next major version (if one exists). Software updates are made available via download from the software vendor, often through included system update utilities. Mac and Windows systems both have processes that download and apply software updates to the base system.