- The purpose of the Stanford Whole Disk Encryption (SWDE) service is to protect Restricted Data and Confidential Data that must be stored on faculty and staff computers. See the Classification of Data page at /security/dataclass for Stanford's data classification guidelines.
- The SWDE service provides the University with an audit of the last-known encryption state of the participating computers. This audit is a key benefit for the University to determine what actions, if any, to take if computers with Restricted Data or Confidential Data are lost or stolen.
How Whole Disk Encryption Works
- Data is encrypted when the computer is turned off; the data is protected if the computer is lost or stolen.
- Sleep, hibernation, screen lock, screen saver and all similar computer states require a computer password to return to normal operation. If an encrypted computer is left unattended while the user is logged in, the files are accessible and the data is not protected.
Required Software and Automatic Check-ins
- BigFix must be installed on computers participating in the SWDE service for monitoring, automatic updates, and auditing purposes.
- BigFix will perform regular security health checks and enforce configuration settings on computers participating in the SWDE service.
- Sophos or Stanford Anti-Malware must be installed on all computers participating in the SWDE service.
- SWDE-participating computers automatically check-in with the SWDE administrative server periodically.
- A computer that does not check in with the SWDE administrative server on a regular basis may indicate theft or some other security threat. The SWDE service administrators will contact computer owners if a computer does not show up in the audit log.
Software License Considerations
- SWDE is a security tool that is available to Stanford faculty and staff and is provided free of charge. It should be used in combination with other best security practices as shown on the Secure Computing web site.
Passphrase Security and Token Recovery
- The PIN set with BitLocker should be different from the user's SUNetID password. Faculty and staff should use best practices for strong passphrases.
- Password reset and Recover Key options vary according to the choice of encryption being used. Please see documentation specific to BitLocker and FileVault 2 for information specific to the option you are using.
- Obtaining assistance with encryption passwords is accomplished by IT Services. For assistance, call (650) 725-4357 or submit a HelpSU request at http://helpsu.stanford.edu/?pcat=WholeDiskEncryption.
- Removal of whole disk encryption is a service that is available upon request and requires contacting IT Services or your local support organization at the desired time for removal. Removal of whole disk encryption is rarely necessary and is not recommended as a general practice.
Prohibitions and Incompatibility
- Participating computers are discouraged from running web servers or providing un-authenticated access or logins.