Encryption Tools

Stanford Whole Disk Encryption (SWDE)

As part of its Whole Disk Encryption service, Stanford encourages the use of native encryption tools: the software built into your operating system. Stanford Whole Disk Encryption (SWDE) provides an installer, which checks your computer for certain requirements before proceeding with encryption using those native encryption tools. Individuals working with High Risk information must use SWDE to encrypt.

SWDE for Mac
SWDE for Windows

OSX Lion (10.7) and later come with FileVault 2, which provides whole-disk encryption. We recommend upgrading Macs to 10.8, which includes an option to automate the storage of recovery information.)
OS 10.5 or 10.6 can only run McAfee Endpoint Encryption, which is no longer one of the recommended encryption methods. If your computer will run 10.8, we recommend upgrading your software; if not, we recommend upgrading your hardware, to meet minimum campus security standards.
Make sure you've backed up first, then:

Download the Macintosh encryption installer and see whole-disk encryption instructions for FileVault.

Windows 7 (Ultimate or Enterprise) or Windows 8/8.1/10 (Professional or Enterprise) can use BitLocker to encrypt the hard disk using Windows built-in encryption technology. To run BitLocker, your computer must also have the Trusted Platform Module (TPM) version 1.2 or higher installed, enabled, and activated. If you need help with this, contact your local IT support. Learn how to Enable BitLocker via SWDE.
Note: If your Windows machine does NOT have a TPM chip, the Information Security Office has approved using BitLocker with the password option—provided the settings require password complexity for the OS, fixed data drives, and removable data drives. Without a TPM, there's no specific protection against brute-force password attacks, so we encourage you to create a long and strong password (more than 12 characters) which, of course, should not be stored with the device (e.g., on a post-it note).
Windows Vista and some versions of 7 & 8 cannot run BitLocker; users should upgrade software and/or hardware.
WindowsXP is no longer supported by Microsoft; running an unprotected WindowsXP system therefore now violates Stanford security requirements. You must either upgrade your software, replace your computer, or request a security exception in the case of vital systems that cannot be upgraded.
Make sure you've backed up first, then:

Download the Windows encryption installer and see whole-disk encryption instructions for BitLocker.

VLRE:

If you do not ever encounter High Risk data in your Stanford work, you may, if you wish, encrypt your computer with the VLRE whole-disk encryption installer, instead. It is a more "lightweight" installer; it includes the attestation questionnaire and makes use of the computer's native encryption software, but it doesn't require the use of BigFix. While it can report your correct encryption status to the AMIE database, the absence of BigFix means that making updates such as adding security patches is entirely your responsibility.

Information and Installation Tutorials for VLRE

PGP:

Stanford University IT Services used to support and encourage the use of PGP, a public-key signing and encryption software. Now Stanford supports native encryption technologies (as opposed to third-party software), and therefore strongly encourages anyone who is still running PGP to transition to SWDE instead.

For help uninstalling PGP, file a Help Ticket with IRT Security

Mobile Devices

Many smartphones and tablets—but not all—also come with their own native encryption, and Stanford has software to help centrally manage your device: MDM (Mobile Device Management). If your phone, iPad, or other device is used to access Stanford information (even if it belongs to you personally), it must be registered with MDM or a comparable Stanford service. Not all phones are approved to handle Stanford information; see our page for criteria, and instructions for enrolling.

Securely manage your mobile device with MDM

External Drives

If you are working with High Risk or Moderate Risk information, it must always remain encrypted: while in transit (through email), and at rest (on your computer or another disk drive). There are ways to send such information securely that avoids using external drives altogether (Stanford secure email or MedSecureSend)—but if you must store or send such information on an external drive, such as a USB stick or other hard drive, it needs to be encrypted as well. You can either obtain a specifically encrypted drive, or use your native encryption software to encrypt a drive of your own.

How to encrypt external drives (on the "Sending Securely" page)

For help encrypting your computer, phone, or tablet, submit a HelpSU request to IT Service.