- The purpose of the Stanford Whole Disk Encryption
(SWDE) service is to protect Restricted Data and Confidential Data that
must be stored on faculty and staff computers. See the Classification
of Data page at
for Stanford's data classification guidelines.
SWDE service provides the University with an audit of the last-known
encryption state of the participating computers. This audit is a key
benefit for the University to determine what actions, if any, to take
if computers with Restricted Data or Confidential Data are lost or
- Data is encrypted when the computer is turned off; the data is protected if the computer is lost or stolen.
hibernation, screen lock, screen saver and all similar computer states
require a computer password to return to normal operation. If an
encrypted computer is left unattended while the user is logged in, the
files are accessible and the data is not protected.
must be installed on computers participating in the SWDE service for
monitoring, automatic updates, and auditing purposes.
will perform regular security health checks and enforce configuration
settings on computers participating in the SWDE service.
the Stanford University site-licensed virus protection software, must
be installed on all computers participating in the SWDE service.
- SWDE-participating computers automatically check in with the SWDE administrative server periodically.
A computer that does not check in with the SWDE administrative server on
a regular basis may indicate theft or some other security threat. The
SWDE service administrators will contact computer owners if a computer
does not show up in the audit log.
- SWDE is a licensed security tool that is available to Stanford faculty and staff and is provided free of charge. It should be used in combination with other best security practices (as shown on the Secure Computing web site at http://www.stanford.edu/group/security/securecomputing/).
- The PIN set with BitLocker and the password set with McAfee Endpoint Encryption should be different from the user's SUNetID password. Faculty and staff should use best practices for
- Password reset and Recover Key options vary according to the choice of encryption being used. Please see documentation specific to BitLocker, FileVault 2 and McAfee Endpoint Encryption for information specific to the option you are using.
- IT Services provides assistance with encryption passwords. For assistance, call (650) 725-4357 or submit a HelpSU request at
- Removal of whole disk encryption is a service that is available upon request
and requires contacting IT Services or your local support organization at the desired time for removal.
Removal of whole disk encryption is rarely necessary and is not
recommended as a general practice.
- Participating computers are discouraged from running web servers or providing unauthenticated access or logins.
How Whole Disk Encryption Works
Required Software and Automatic Check-ins
Software License Considerations
Passphrase Security and Token Recovery
Prohibitions and Incompatibility