Skip to content Skip to navigation

Encryption — Whole Disk (SWDE)

Updated Whole Disk Encryption Guidance

At the University, all University-owned laptops, desktops, smartphones and tablets ("devices"), personally-owned devices used on the Stanford network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other Restricted and Prohibited Data must be encrypted using native encryption.  Other personally-owned devices used at home or on the wireless Stanford Guest network are encouraged to follow this mandate, but are not required to at this time.   Whole disk encryption provides a strong layer of privacy protection for stored data, and recent versions of Mac OS X as well as select versions of Windows now provide this capability natively using FileVault2 for OS X and BitLocker for Windows.  

All laptops and desktops that store or can access PHI in any manner must install SWDE no later than February 28, 2014.  All remaining laptops and desktops will be required to install SWDE by a date based on the number of personally identifiable information (PII) records found by Identify Finder (IDF) scans.  Systems with more than 500 PII records must install SWDE by July 31, 2014; systems with more than 10 PII records must install SWDE by November 30, 2014; and all remaining systems must install SWDE by May 31, 2015.  For more information on IDF and PII, see the Identity Finder page.

The purpose of the Stanford Whole Disk Encryption (SWDE) service is to protect Restricted and Confidential Data that must be stored on faculty and staff computers.

The Stanford Whole Disk Encryption service is for both Windows and Macintosh desktop and laptop computers. This service secures data using standard NIST-approved encryption of the computer hard disk. Once installed, all files are automatically encrypted. The data is protected while the computer is in standby or hibernation mode as long as the hard disk is password protected.

While there is no single solution to protect the university's data, Stanford Whole Disk Encryption protects all data on a hard disk from unauthorized access in the event the computer is lost or stolen. Additional data protection may be needed to reduce risks in other scenarios, such as transferring data from one computer to another.

  • Only those with password access to the system are authorized to access the data, which protects the data if your computer is lost or stolen.
  • Every computer using SWDE automatically checks in with a logging and administrative server on a regular basis. In the event of loss or theft of a computer with Restricted Data, Stanford policy; requires notification of the Information Security Office (ISO). ISO in turn will use the log to determine if a lost or stolen computer is a "reportable" event, possibly requiring notification of persons whose data may have been lost or stolen.
  • In the event you lose or forget your password, the IT Service Desk will assist you in accessing your computer.
  • If necessary, the whole disk can be unencrypted (with the assistance of IT Services to guarantee the integrity of the audit trail).

Getting started

Unlike the previous iteration of this service, no special sign up is required before making use of this service.

See Getting Started with Stanford Whole Disk Encryption for more information.

Learn more


For IT professionals

Last modified April 25, 2014