Encryption Frequently Asked Questions
Installing SWDE
Previously, PGP Whole Disk Encryption was Stanford's chosen software solution for whole disk encryption, as a centrally auditable way to protect University Restricted and Prohibited data. Now, new versions of the major operating systems come with the capability for encryption built in. Therefore, Stanford now recommends using the native versions of encryption for each operating system, and provides an installer for each encryption tool, to ensure that the computer is properly configured for encryption according to Stanford's guidelines. Users who have been using PGP should transition to using one of the new approved encryption tools. For more information about Stanford Whole Disk Encryption, start here.
FileVault is the built-in whole disk encryption that comes with Mac OS 10.7 and 10.8. To enable FileVault, and download the accompanying Stanford Whole Disk Encryption installer, start here.
BitLocker is the native encryption tool for Windows machines. To enable BitLocker, and download the accompanying Stanford Whole Disk Encryption installer, start here.
Currently, no: Mac OSX and certain Windows operating systems are the only systems cleared for sensitive information and PHI. The Information Security Office does not support Chromebooks or UNIX systems for encryption or PHI use, and there are no efforts to provide support at this time. If there should be large demand in the future, and available resources, this may change.
Troubleshooting Encryption
You may have the Sophos anti-virus scanner set to scan "on-access," as in, every time you log in. It may be attempting to scan the large encrypted file (sparse bundle), which can slow your computer while the scan is running. You can reconfigure the scan settings, by following the directions here. (You may need to log in as "administator" to successfully log in, as the scanner may be stalling log in for an individual user account.)
If you've forgotten or lost your passphrase, or if it's not working, Stanford IT Services can help you access your computer. Call (650) 725-4357 or submit a HelpSU request and an administrator will reset your password. If you've forgotten the passcode to your mobile device—and it's registered with MDM—you can go to mdm.stanford.edu and reset it yourself.
The built-in encryption tool, FileVault, will work as long as all data to be encrypted is stored within the user profile. Be sure to follow the procedures for disabling the Sophos on-access scanner located here.
Encryption and Additional Security
First, you should make sure that your computer is compliant with all the Stanford and School of Medicine security requirements. Check the Data Security Program page for details.
When you need to step away from your computer, even in your office, lock the screen or put the computer to sleep. A strong password will help prevent casual access to decrypted information. You should also keep a portable computer physically secure: a good office habit would be to lock the laptop in a drawer at night, or lock the door to your office. And especially while traveling, you should keep track of the laptop by not letting it out of your sight. Don't even, for example, leave it on the table at the coffee shop while you go for a refill. Additional tips for personal computer security can be found at the Stanford Secure Computing website.
Yes! The data is unencrypted while you're using it; to protect it from unauthorized access you actually need to lock it. The same is true of your smartphone or tablet: the built-in encryption is useless if you never actually activate it by locking your device. Set your screensaver to a password, and get in the habit of locking your screen every time you step away from your machine. What seems like a small inconvenience will quickly become a habit—and a very strong method of protecting your data.
Windows users can lock their computer with either of two methods:
- At any time, you can press Control-Alt-Delete, and select 'Lock Computer' from the menu.
- You can also set the screen to lock after entering the screen saver, or after hibernating: Right-click the desktop and select Personalize (or Properties). In the window that comes up, select the Screen Saver tab. Pick a screen saver from the drop-down menu. In the "Wait:" field, set the length of idle time that triggers the screen saver. Check the box for password protection (it might say "On resume, display logon screen", or "On resume, password protect", or "Password protected"). Click OK.
Regardless of how you lock your computer, to unlock it, press Ctrl-Alt-Del. A window will appear where you can enter the password for the username under which you're logged in.
Mac users can configure Hot Corners:
- Go to the System Preferences menu and click the "Security" icon. In the "General" tab, click the checkbox for: "Require password ______ after sleep or screen saver begins" (use the pop-up menu to select an amount of time). Click "Show All" at the top to return to System Preferences.
- Click "Desktop & Screen Saver". In the "Screen Saver" tab, pick a screen saver and then click "Hot Corners," at the bottom left. Use the pop-up menus to define the corners of your screen.
With Hot Corners defined, dragging the cursor to the assigned corner(s) will turn the screen saver on; you can also put the computer to sleep. When you wake up the computer, you will need to use the logged-in user's password to unlock the screen.
No—you need to encrypt your external drives separately. The best practice would be not to store prohibited or restricted information on removable drives, but if you must, that information is required by law to be encrypted. Encrypted USB drives and external hard drives are available, and Stanford is working to make them widely available. Otherwise, try sending your files around with MedSecureSend instead.
No—once a file leaves your computer, it is no longer encrypted. If you must discuss prohibited, restricted, or confidential information over email, use Stanford Secure Email. It's already built into Stanford's email system; instructions are at http://secureemail.stanford.edu. Sending a message with SECURE: in the subject line encrypts the information in transit, so it cannot be intercepted.
No—once a file leaves your computer, it is no longer encrypted. If you must send large files containing sensitive information, use MedSecureSend (MSS). MSS recipients will receive an email with a link to a secure download of your file; you can use MSS to securely send files up to 20GB in size.
My computer was encrypted, but it's been stolen! What should I do?
If your computer (or mobile computing device) was lost or stolen, you will need to report it immediately, as soon as possible. If the information is encrypted, it may not be a security disaster, but you should err on the side of reporting it, and IRT can determine the next steps. Click here for the official reporting procedure for a lost or stolen device.
If we missed something...
If you have any additional questions that have not been answered here, visit the information on encryption at Stanford Answers, or email IRT Information Security Services at irt-security@lists.stanford.edu.