Getting Started with Stanford Whole Disk Encryption (SWDE)

Encryption can result in irretrievable loss of data if the keys or passphrases are misplaced or destroyed; consult a qualified system administrator if you feel you need assistance.

Getting started

With your manager, determine if it is absolutely necessary that you store Restricted Data or Confidential Data on your computer and that Stanford Whole Disk Encryption (SWDE) is the best solution for you to protect University data. Please see the Information Security Office's Classification of Data guidelines for more information.

The best protection of University data from computer loss or theft is to avoid storing it on a computer.

If you determine that you need to install Stanford Whole Disk Encryption, contact your local desktop support staff who can help you download and run the SWDE installer. Your computer will need to be part of your local BigFix domain.

With the assistance of the Service Desk or your local desktop support staff, you will download and run the SWDE installer, select an appropriate means to encrypt your system, and begin the encryption process.

After installation, the way you log in to your computer will change. See the documentation specific to the encryption option you've selected for more information.

What it protects or prevents

Stanford Whole Disk Encryption protects your files if your computer is lost or stolen. If someone tries to break into your system to retrieve files, they will not be able to access the computer as long as they do not have the ability to log in. This is most useful for laptop computers and desktop systems with Restricted Data or Confidential Data.

What it doesn't protect or prevent

Stanford Whole Disk Encryption is limited to protecting the files while they are on your computer. It does not provide encryption to files that are:

  • sent via email;
  • kept on a separate flash drive/thumb drive/USB drive/floppy disk; or
  • moved over the network via shared folders.

When you move an encrypted file off of your computer, it is no longer encrypted.

If you forget your passphrase or your passphrase changes

The PIN created for use with BitLocker and the password created for McAfee Endpoint Encryption should be different from your SUNet ID password. They will not be synchronized with your SUNet ID password. If you are unable to log in for some reason, you can contact IT Services or your local support provider. Call (650) 725-4357 or submit a HelpSU request.

What to expect

  • The initial encryption process can be resource intensive on your computer, so plan a time when you can leave your computer plugged into AC power and a time when you can tolerate a slowdown in performance.

  • You must follow the best practice of password protecting your computer at all times, including stand by, sleep, hibernate and via screen savers. This practice is fundamental to the success of the Whole Disk Encryption technology and the accompanying audit.

  • Once installed, encryption takes place in the background all the time; each new file is encrypted automatically.
  • Your computer will become a member of the local BigFix domain.

  • Removal of whole disk encryption is a very time-consuming process and is not recommended. If necessary, it can be enabled by IT Services staff to guarantee the integrity of the audit trail. Plan to remove the encryption when you can tolerate a very slow machine for over 10 hours.

How to get help

If you encounter problems, or have any questions, please submit a HelpSU request.

Last modified October 5, 2012