
Getting Started with Stanford Whole Disk Encryption (SWDE)

Encryption can result in irretrievable loss of data if the keys or passphrases are misplaced or destroyed; consult a qualified system administrator if you feel you need assistance.

Getting started

With your manager, determine if it is absolutely necessary that you store Moderate or High Risk Data on your computer and that Stanford Whole Disk Encryption (SWDE) is the best solution for you to protect University data. Please see the Information Security Office's Risk Classifications guide for more information.

The best protection of University data from computer loss or theft is to avoid storing it on a computer.

If you determine that you need to install Stanford Whole Disk Encryption, contact your local desktop support staff, who can help you download and run the SWDE installer. Your computer will need to be part of your local BigFix domain.

With the assistance of the Service Desk or your local desktop support staff, you will download and run the SWDE installer, select an appropriate means to encrypt your system, and begin the encryption process.

On Macintosh systems, native encryption is entirely transparent once enabled. On Windows systems, the only noticeable difference is the need to enter another password of your choosing upon booting.

What it protects or prevents

Stanford Whole Disk Encryption protects your files if your computer is lost or stolen. If someone tries to break into your system to retrieve files, they will not be able to access the computer as long as they do not have the ability to log in. This is most useful for laptop computers and desktop systems with Moderate or High Risk Data.

What it doesn't protect or prevent

Stanford Whole Disk Encryption is limited to protecting the files while they are on your computer. It does not provide encryption to files that are:

  • sent via email;
  • kept on a separate flash drive/thumb drive/USB drive/floppy disk; or
  • moved over the network via shared folders.

When you move an encrypted file off of your computer, it is no longer encrypted.

If you forget your passphrase or your passphrase changes

The PIN created for use with BitLocker should be different from your SUNetID password. It will not be synchronized with your SUNet ID password. If you are unable to log in for some reason, you can contact IT Services or your local support provider. Call (650) 725-4357 or submit a HelpSU request.

What to expect

  • The initial encryption process can be resource intensive on your computer, so plan a time when you can leave your computer plugged into AC power and a time when you can tolerate a slowdown in performance.
  • You must follow the best practice of password-protecting your computer at all times, including standby, sleep, hibernate and via screen savers. This practice is fundamental to the success of the Whole Disk Encryption technology and the accompanying audit.
  • Once installed, encryption takes place in the background all the time; each new file is encrypted automatically.
  • Your computer will become a member of the local BigFix domain.
  • Removal of whole disk encryption is a very time-consuming process and is not recommended. If necessary, it can be enabled by IT Services staff to guarantee the integrity of the audit trail. Plan to remove the encryption when you can tolerate a very slow machine for over 10 hours.

How to get help

If you encounter problems, or have any questions, please submit a HelpSU request.

Last modified October 23, 2015