Full Disk Encryption with Microsoft BitLocker and Apple FileVault

In this article

Overview of Full Disk Encryption

Full disk encryption must be used when storing confidential or sensitive data on a system. This requirement, as outlined in the USM IT Security Standards, includes traditional information systems, such as servers and computers, as well as all portable devices and media. Full disk encryption provides protection to the system as a whole as opposed to requiring the user to protect individual files or folders. This greatly improves the ease of use for the user and minimizes the chances of a confidential or sensitive file going unprotected.

Full disk encryption does not protect files in transit (i.e. email attachments), only files at rest when stored on the protected system.

The USM IT Security Standards outline additional encryption requirements within the Encryption Standard section that must be adhered to in order to ensure compliance. Further requirements beyond these may also exist based on the types of data being stored. Please be aware that systems storing Educational Records, Protected Health Information, Credit Card information, and Social Security Numbers, as well as other forms of confidential information, are subject to a variety of Federal regulations. Compliance with these regulations is mandatory in order to avoid fines and/or other legal actions.

Not all encryption methods are created equal. Do your research before selecting an encryption method to ensure that it meets any legal/compliance obligations that may be related to the data being encrypted. Also, be sure that the option being selected is still considered secure. This will vary depending on factors such as the encryption key length as well as whether the algorithm has been broken and can now be decrypted easily.

Encryption Options

In addition to a variety of third-party offerings, both Microsoft and Apple offer full disk encryption options built into their operating systems. Below is a high-level overview of both of these encryption options:

Microsoft BitLocker

Microsoft BitLocker provides full disk encryption to systems running Microsoft operating systems ranging from Windows Vista to Windows 10 or Server 2008 to Server 2012. The use of full disk encryption helps provide enhanced protection from data theft or exposure in the event a protected device is ever lost or stolen by preventing any information contained within the device from being readable without the decryption key.

The following links will provide guidance on how to properly install Windows BitLocker onto various Windows systems. Additional guidance can be found within the Microsoft TechNet Library or by visiting Microsoft Support.

Windows System   Deployment Guide
 Windows 10  https://technet.microsoft.com/en-us/library/mt404669(v=vs.85).aspx
 Server 2008, 2008 R2  https://technet.microsoft.com/en-us/library/cc732725.aspx
 Server 2012, 2012 R2  https://technet.microsoft.com/en-us/library/jj612864.aspx

Apple FileVault

Apple FileVault is the default encryption method that comes standard on all current Mac computers. It provides full disk encryption when enabled, which is beneficial to the user because rather than having to individually encrypt files and folders it automatically encrypts all data contained within the drive being encrypted. Disk encryption is required on all systems that will be storing confidential and sensitive information. By encrypting the hard drive, any data contained within the drive will be unreadable if access is attempted without the decryption key or the user’s password. This will protect the data in the event the device is ever lost or stolen.

Learn how to complete the initial setup of FileVault, or contact Apple Support for assistance. 

Regardless of the encryption option that is selected, users will be required to configure a strong password (see USM IT Security Standards for guidance on creating a strong password) that will be used to login and access the encrypted drive. Once a strong password has been set a recovery key will be automatically generated. This recovery key should be securely stored in a way that will prevent it from being lost or forgotten, such as by writing it down on a piece of paper and sealing it in an envelope to be stored in a secure location (i.e. a safe, with a manager, or HR). Without the recovery key, encrypted data would be lost forever if the user forgets the password they set for accessing the drive.