Encryption Tools
Supported Encryption Technologies: Stanford Whole Disk Encryption
As part of its Whole Disk Encryption service (SWDE), Stanford encourages the use of native encryption tools: the software built into your operating system. Stanford Whole Disk Encryption provides an installer, which checks your computer for certain requirements before proceeding with encryption using those native encryption tools:
Mac:
- OSX Lion (10.7) and later come with FileVault 2, which provides whole-disk encryption. We recommend upgrading Macs to 10.8, which includes an option to automate the storage of recovery information.)
- OS 10.5 or 10.6 can only run McAfee Endpoint Encryption, which is no longer one of the recommended encryption methods; if your computer will run 10.8, we recommend upgrading.
- Make sure you've backed up first, then:
Download the Macintosh encryption installer and see whole-disk encryption instructions for FileVault or MacAfee.
Windows:
- Windows 7 (Ultimate or Enterprise) or Windows 8 (Professional or Enterprise) can use BitLocker to encrypt the hard disk using Windows built-in encryption technology. To run BitLocker, your computer must also have the Trusted Platform Module (TPM) version 1.2 or higher installed, enabled, and activated. If you need help with this, contact your local IT support. Learn how to Enable BitLocker.
- Note: If your Windows machine does NOT have a TPM, the Information Security Office has approved using BitLocker with the password option—provided the settings require password complexity for the OS, fixed data drives, and removable data drives. Without a TPM, there's no specific protection against brute-force password attacks, so we encourage you to create a long and strong password (more than 12 characters) which, of course, should not be stored with the device (e.g., on a post-it note).
- Windows Vista and some versions of 7 & 8 should use McAfee Endpoint Encryption, if they cannot be upgraded to a version that supports BitLocker.
- WindowsXP is no longer supported by Microsoft; running an unprotected WindowsXP system therefore now violates Stanford security requirements. You must either upgrade your software, replace your computer, or request a security exception in the case of vital systems that cannot be upgraded.
- Make sure you've backed up first, then:
Download the Windows encryption installer and see whole-disk encryption instructions for BitLocker or MacAfee.
VLRE:
If you do not ever encounter High Risk data in your Stanford work, you may, if you wish, encrypt your computer with the VLRE whole-disk encryption installer, instead. It is a more "lightweight" installer; it includes the attestation questionnaire and makes use of the computer's native encryption software, but it doesn't require the use of BigFix. While it can report your correct encryption status to the AMIE database, the absence of BigFix means that making updates such as adding security patches is entirely your responsibility.
PGP:
Stanford University IT Services used to support and encourage the use of PGP, a public-key signing and encryption software. Now Stanford supports native encryption technologies (as opposed to third-party software), and therefore strongly encourages anyone who is still running PGP to transition to SWDE instead.
Mobile Devices
Many smartphones and tablets—but not all—also come with their own native encryption, and Stanford has software to help centrally manage your device: MDM (Mobile Device Management). If your phone, iPad, or other device is used to access Stanford information (even if it belongs to you personally), it must be registered with MDM or a comparable Stanford service. Not all phones are approved to handle Stanford information; see our page for critera, and instructions for enrolling.
For help encrypting your computer, phone, or tablet, submit a HelpSU request to IT Service.