Full Disk Encryption (FDE)
Full Disk Encryption Really Quick Quick Start Guide
If you already know you need to have your machine encrypted, please submit a Helpdesk Request. Simply enter “Full Disk Encryption” as the subject and provide us with as many details as you can about the computer you would like encrypted. A CCIT ADS team member will contact you to schedule everything. Remember, CCIT supports two major OS’s through their native FDE solutions: Windows using Bitlocker and macOS using FileVault.
Full Disk Encryption (FDE) Options
This document is going to cover the main Full Disk Encryption options available and approved by CCIT.
Please note that FDE, at this stage, only concerns itself with “mobile” devices, like laptops or tablets. It is not required on regular desktop machines. FDE is required on any institutionally-owned mobile devices, and on personally-owned devices if it is being used to store and work with sensitive institutional data.
To define: sensitive institutional data consists of FERPA, HIPAA, PII, financial, etc. information.
Full Disk Encryption (FDE), sometimes called Whole Disk Encryption (WDE), is a data-confidentiality solution wherein a computer has it’s entire system drive (and maybe other “data” drives) encrypted for the data-at-rest. Upon boot-up, the first thing that loads from the drive is the FDE booter module that accepts some kind of authentication token – most usually a password. Having successfully authenticated, the FDE loader then transparently decrypts the data coming from the drive as the operating system loads and the user begins using whichever applications. Conversely, any data being written to the drive is transparently encrypted before being sent to the storage device. From the users perspective, this layering of low-level encryption and decryption adds negligible overhead to the operation of the system.
What FDE achieves is a managed level of data-protection giving the institution confidence that if a mobile device, e.g. an encrypted laptop, is lost or stolen then the data written on that device will not need to be reported as a possible data-loss incident. The data is protected against third-party access, whether with criminal intent or otherwise, through the enforced use of strong cryptography.
CCIT Recommendations for FDE
The CCIT recommendation for full-disk encryption (FDE) is to use the “native” encryption options of the two supported OS’s: Bitlocker for Microsoft’s Windows and FileVault for Apple’s macOS. These provide the level of data-protection discussed above, along with centralized management capabilities, discussed next, allowing authorized CCIT staff members access to any encrypted system, even when the principal users are either unable or unwilling to provide their password. This is the crux of what an institution-wide initiative like this needs to be able to support: any institutional data stored on mobile computing devices needs to be accessible by the institution with or without the assistance of the user involved.
CCIT employs two ways of being able to centrally manage our FDE targets: through Active Directory integration for the Windows machines and through a 3rd-party solution, JAMF Software’s Casper Suite, for macOS systems. Both these centralized management platforms allow only authorized CCIT individuals access to the FDE machines.
The Windows AD integration is entirely transparent through our campus-wide domain. If you have a Windows system that is not able to be a domain member, for whatever reason, then please mention this in your helpdesk request and the ADS team member will discuss further. In such a case, we store the Bitlocker recovery information in a different secured environment with, again, restricted access granted only to authorized CCIT individuals.
The macOS setup requires installation of the JAMF Casper client on the target system. This is all dealt with by the ADS team member through the FDE installation process.
Installation of FDE
The installation of FDE on a supported system (Windows or macOS) is performed by CCIT. This action typically takes about two-days to complete. As the recommended solution uses the native encryption capabilities provided by the OS manufacturers – Microsoft and Apple – these should be fully supported through any appropriately licensed OS. One point to note: earlier OS revisions, like for example Windows 7, has different licensing options, some of which do not inherently support the FDE solution. If this is the case, then the assigned ADS team member will be able to go through options for mitigating this situation: through either purchasing a more fully featured license or, perhaps, upgrading to the latest OS version, like Windows 10 that supports Bitlocker across all licenses.
Related to enforcing FDE use across all institutionally-owned mobile devices, and for personally-owned mobile devices storing and using sensitive institutional data, the Department of Internal Audit and Compliance is authorized to conduct randomized audits for any individual or department on campus.
How-tos for BitLocker (Windows), FileVault (OS X), iOS, and Android
|Mac OS X||