Security, Full Disk Encryption
Security information from Technology Services Privacy and Information Security team.
Full disk encryption (FDE) helps prevent unauthorized access to data stored on a device if that device is lost or stolen. As of January 1, 2013, all University-owned laptops must be encrypted with FDE, per the laptop standard.
Additional products can be used for full disk encryption; however, Tech Services does not currently offer support for these products. Other FDE offerings include, but are not limited to, TrueCrypt, BitLocker, and FileVault.
A secure FDE product should provide the following features and functionality:
- Key Management:
  - Encryption keys managed by a central server curtail many of the risks associated with manual management via the client disk. For example, a user who manually stores a key on a thumb drive could misplace it, potentially allowing unauthorized access to sensitive data.
  - Your FDE solution should provide a reporting framework that allows you to prove a disk was encrypted at the time of physical compromise.
  - You should also be able to reconcile the number of encrypted disks in your environment with how many computers are actually in use.
- Pre-boot authentication:
  - Any viable disk encryption product should require a user to authenticate before booting the computer, thus allowing encryption of the boot disk.
- Custom authentication:
  - Enables custom authentication mechanisms to be implemented with third-party applications, such as the University's Active Directory.
- Two-factor authentication:
  - The product should support optional security tokens, such as smart cards.
- Single Sign On:
  - A good encryption system allows users to sign in one time, making the security layer more transparent to the user.
- Platform(s) supported:
  - Ideally, the product should offer support for more than one operating system (e.g. Mac OS and Windows) or file system type (e.g. NTFS) and allow management by a central server.
- Encryption Cipher(s) used:
  - A viable FDE option should make use of a strong encryption cipher, such as the Advanced Encryption Standard (AES) with 128-bit or 256-bit keys. AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST).
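The key-management bullets above ask for two things a central server makes possible: proving a disk was encrypted at the time it was lost, and reconciling the encrypted-disk count against the machines actually in use. The script below, an added example that is not from the original page or any FDE vendor, shows how those two checks can be run over the status history such a server would export. The inventory, the status records, the field names and the `key_escrowed` flag are all constructed assumptions for illustration; a real product's export format will differ.

```python
"""Reconcile an asset inventory against FDE status reports from a central server.

Added example. All inventory entries and status reports below are constructed
sample data; the record layout is an assumption, not any vendor's format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StatusReport:
    serial: str           # disk or machine serial as reported by the client agent
    reported_at: datetime # when the agent checked in (UTC)
    state: str            # "encrypted", "encrypting" or "not_encrypted"
    key_escrowed: bool    # True if a recovery key is held by the central server


def at_utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed asset inventory: serials the organisation believes are in use.
INVENTORY = {"SN-A1", "SN-B2", "SN-C3", "SN-D4"}

# Constructed status history, in the order a central FDE server might export it.
# SN-D4 is in the inventory but has never checked in; SN-E5 reports but is not
# in the inventory (a machine nobody has recorded as issued).
STATUS_HISTORY = [
    StatusReport("SN-A1", at_utc("2013-01-02 09:00"), "encrypting", False),
    StatusReport("SN-A1", at_utc("2013-01-02 11:30"), "encrypted", True),
    StatusReport("SN-B2", at_utc("2013-01-03 08:15"), "encrypted", False),  # key never escrowed
    StatusReport("SN-C3", at_utc("2013-01-03 10:00"), "not_encrypted", False),
    StatusReport("SN-E5", at_utc("2013-01-04 12:00"), "encrypted", True),
]


def history_for(serial: str, history: List[StatusReport] = STATUS_HISTORY) -> List[StatusReport]:
    """All reports for one serial, oldest first."""
    return sorted((r for r in history if r.serial == serial), key=lambda r: r.reported_at)


def status_at(serial: str, when: datetime,
              history: List[StatusReport] = STATUS_HISTORY) -> Optional[StatusReport]:
    """The report in effect at `when`: the latest one at or before that instant."""
    earlier = [r for r in history_for(serial, history) if r.reported_at <= when]
    return earlier[-1] if earlier else None


def was_encrypted_at(serial: str, when: datetime,
                     history: List[StatusReport] = STATUS_HISTORY) -> bool:
    """Evidence question after a loss: was this disk encrypted at time `when`?

    A disk still 'encrypting', or one that never reported, cannot be shown to
    have been protected, so both answer False.
    """
    report = status_at(serial, when, history)
    return report is not None and report.state == "encrypted"


def reconcile(inventory=INVENTORY, history: List[StatusReport] = STATUS_HISTORY) -> Dict[str, List[str]]:
    """Compare the latest report for every inventoried machine against policy.

    Buckets: compliant (encrypted, key escrowed), not_encrypted, no_escrowed_key
    (encrypted but unrecoverable if the user forgets the passphrase),
    never_reported (inventoried but no agent check-in), and not_in_inventory
    (agents reporting for machines the inventory does not know about).
    """
    result: Dict[str, List[str]] = {
        "compliant": [], "not_encrypted": [], "no_escrowed_key": [],
        "never_reported": [], "not_in_inventory": [],
    }
    for serial in sorted(inventory):
        reports = history_for(serial, history)
        latest = reports[-1] if reports else None
        if latest is None:
            result["never_reported"].append(serial)
        elif latest.state != "encrypted":
            result["not_encrypted"].append(serial)
        elif not latest.key_escrowed:
            result["no_escrowed_key"].append(serial)
        else:
            result["compliant"].append(serial)
    result["not_in_inventory"] = sorted({r.serial for r in history} - set(inventory))
    return result


if __name__ == "__main__":
    for bucket, serials in reconcile().items():
        print(f"{bucket:17s} {len(serials):3d}  {', '.join(serials)}")
    lost = at_utc("2013-01-02 10:00")
    print("SN-A1 encrypted at", lost, "->", was_encrypted_at("SN-A1", lost))
```

The two lists that matter for the reconciliation bullet are `never_reported` and `not_in_inventory`: together they are the gap between "computers in use" and "disks the server can vouch for". Note that `was_encrypted_at` treats an in-progress encryption as unprotected, which is the conservative reading a breach-notification decision needs.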