Encrypted Workstation FAQ
Frequently Asked Questions
Can I use alternative encryption technologies to meet the encryption requirement for restricted information storage?
While many products provide valid encryption, many are not very usable in an enterprise setting. Our current standard for desktop encryption provides these important usability features: 1) centrally managed, logged and audited ability to unlock a machine when a passphrase is forgotten or when it is lost due to employee separation, 2) central reporting of what machines are encrypted, and 3) central logging of errors and login failures.
The University's information classification and protection policy mandates that approved encryption technology be used to control restricted data stored on computers. Schedule C referenced in that policy provides a list of currently approved encryption technologies.
I don't think there's encrypted information stored on my (or my staff) computers. Should I encrypt just to be safe?
Are you sure there is no restricted data? You may want to run SENF and check for SSN, CCN on the drive(s). If you're sure you have no restricted information stored temporarily, occasionally or regularly on the system then, generally speaking, you should not encrypt. Why? Encryption comes at a cost. Aside from the cost of the software and backup drive, there is technician time in setup and extra maintenance when you transfer the machine or when people come and go from your department (e.g. if a person is an alternate user on several machines and is separated, you have to remove their login from the disks in order to preserve our protection).
Often it is, but encryption users cannot expect to be leading adopters of new hardware and operating systems. In order to make an encrypted workstation transparent to use, the encryption is tightly integrated to the hardware and operating system. Big changes in operating systems and hardware may change the way that integration works, and the encryption vendors have to catch up. This means that encrypted workstation users should not expect to be early adopters of the latest hardware and operating systems; expect to be 6 months behind the cutting edge.
Can I update my encrypted computer?
Normal software updates and patches are still an encouraged part of best practices and standard usage of any computer system. Upgrades must wait until WDE supports the upgrade - otherwise you may destroy your data.
What is an Upgrade
An upgrade means a major, standalone version of a software product. Such products
are often something you purchase. MacOS upgrades are sometimes also called "reference
For example, MacOS 10.15 (Catalina) is an upgrade from MacOS 10.14 (Mojave) that will be available from the Mac App Store. Windows 10 is an upgrade for Windows 7.
A "software update" updates a major version of software, but does not upgrade it to the next major version (if one exists). Software updates are made available via download from the software vendor, often through included system update utilities. Mac and Windows systems both have processes that download and apply software updates to the base system.
Updates to the installed software that manages device encryption often need to be applied when new operating system upgrades are released. Beginning with MacOS 10.14 (Mojave), additional security controls have been added by Apple which alert users of important changes to software or permissions when it is installed or updated. Encrypted Mac computers may display the following pop-up windows during installs and upgrades. You must accept the changes by clicking OK, or encryption may malfunction.
Click OK. This is a temporary version mismatch that is resolved by the completion of the update in progress. No additional actions are required.
Click OK. Failure to provide SafeGuard access to Finder may cause your encryption to malfunction.