Whole Disk Encryption FAQ

Overview:

  1. What is encryption?
  2. Why am I required to encrypt my computer?
  3. Will Whole Disk Encryption make my computer slow?
  4. I forgot my pre-boot passphrase, is my information lost?
  5. Does changing my Net ID password change the pre-boot passphrase?
  6. Do I need to encrypt my smartphone as well?
  7. If I already encrypt my devices, will I need to also encrypt with Sophos?
  8. Can I turn off BitLocker?
  9. Can I temporarily suspend BitLocker?
  10. Why do I get asked for my password twice?


What is encryption?

According to The American Heritage New Dictionary of Cultural Literacy, Third Edition, encryption is "The process of encoding a message so that it can be read only by the sender and the intended recipient."

Whole Disk Encryption means all files on a computer are encrypted so that the information cannot be accessed by someone who does not have permission to access it. If an encrypted laptop is stolen, the thief cannot recover the sensitive information contained within the computer unless the thief has the password (or key) with which the information was encrypted. Furthermore, once the laptop is reported stolen, the Security Office can determine that there is a substantially lower risk that the information has been compromised, because the laptop was encrypted.

Why am I required to encrypt my computer?

You are required to have your computer encrypted because the Security Office has determined that you have access to, and routinely work with, sensitive information. This includes Personally Identifiable Information (PII) such as Social Security numbers, Payment Card Industry (PCI) information such as credit cards and account numbers, information protected under the Health Insurance Portability and Accountability Act (HIPAA) such as insurance policies and medical records, and information covered by other similar regulations which apply to the university and its functions.

Will Whole Disk Encryption make my computer slow?

WDE should not reduce the overall performance of your computer. However, during the encryption process you may experience some latency in normal tasks. Once the computer has completed the encryption process there will be a slight delay during the boot up process. Once the Operating System (Windows, Mac OS X) has loaded, there should be no change in performance. If you suspect performance is being affected, please contact Technical Support Services or your System Administrator to determine the cause.

I forgot my pre-boot passphrase, is my information lost?

No need to worry. Rest assured your information is not lost. ITS can assist you in booting your computer and resetting the pre-boot passphrase. Contact your TSP or SysAd to initiate the recovery process.

Does changing my Net ID password change the pre-boot passphrase?

Changing your Net ID password is a separate process from changing your pre-boot passphrase. Setting the pre-boot passphrase the same as your Net ID password is not advised. It is a good idea, however, to update your pre-boot passphrase periodically.

When you change your password from a different computer and attempt to log in to a computer encrypted with SafeGuard, you will be prompted to update your password before you log in. You will need your old password as well as your new password. Providing this information will update the encryption platform to ensure that you have access to your encrypted files.

Do I need to encrypt my smartphone as well?

At this time, our encryption platform does not support mobile devices and the Security Office is not requiring smartphones to be encrypted. If you receive your university email on your smartphone, you should consider encrypting your phone using the native encryption available from within all Android or Apple smartphones. Most Apple devices are encrypted by default, but depend on a strong passcode to provide full protection. Keep in mind that ITS cannot recover your smartphone's passcode if you forget it.

If I already encrypt my devices, will I need to also encrypt with Sophos?

Those required to encrypt their devices will need to decrypt, then re-encrypt using Sophos SafeGuard Encryption. This will enable ITS to fully support the encryption technology and ensure that encryption is implemented in compliance with University Policy APM 30.11.

Can I turn off BitLocker?

No, the device will be re-encrypted by Sophos SafeGuard in order to comply with APM 30.11. If you wish to remove encryption, please contact your TSP or SysAd and give a reason why that machine should not be encrypted. The ITS Security Office will need to decide whether an exception can be made and will assist in the removal of SafeGuard if approved.

Can I temporarily suspend BitLocker?

If you have administrator access on the local device, you can temporarily suspend BitLocker for one reboot. This can be used to avoid the startup PIN, which can be helpful if working remotely on an encrypted machine that requires a reboot. Open an administrative PowerShell prompt and enter the following command:

Suspend-BitLocker -MountPoint "C:"

The next time the device is powered on after a reboot or shutdown, you will not be prompted to enter your BitLocker password. BitLocker automatically resumes after power on. If you reboot again, you will be prompted for your BitLocker password.

Encryption protection no longer applies while BitLocker is suspended. You should suspend BitLocker only as necessary.
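
The suspend-and-verify sequence described above, as an added example (not part of the original FAQ and not ITS tooling). It makes the one-restart limit explicit with -RebootCount 1 and, when run again after the reboot with the -VerifyOnly switch, confirms that protection is back on and resumes it if it is not. The -VerifyOnly switch and the Get-ProtectionState function are hypothetical names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the university's own tooling.
# -VerifyOnly and Get-ProtectionState are hypothetical names.
param(
    [string]$MountPoint = 'C:',
    [switch]$VerifyOnly   # run with this switch after the reboot
)

function Get-ProtectionState {
    param([string]$MountPoint)
    # Get-BitLockerVolume reports encryption and protection state for a volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus   # On / Off / Unknown
    }
}

$state = Get-ProtectionState -MountPoint $MountPoint

if ($VerifyOnly) {
    # After the reboot: protection should have resumed on its own.
    if ($state.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is still off on $MountPoint; resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $state = Get-ProtectionState -MountPoint $MountPoint
    }
}
elseif ($state.ProtectionStatus -eq 'On') {
    # -RebootCount 1 limits the suspension to a single restart, so a second
    # reboot prompts for the BitLocker credential again.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    $state = Get-ProtectionState -MountPoint $MountPoint
}
else {
    # Already off (suspended or never enabled): do not extend the window.
    Write-Warning "Protection is not on for $MountPoint; nothing was changed."
}

$state   # emit the final state so it can be logged or reviewed
```

Keeping the output of both runs gives a record of how long the volume was left unprotected.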

Why do I get asked for my password twice?

After you enter your pre-boot passphrase you will need to log in to Windows. You should see that there are two "account" icons with your username associated with them; one has your normal account picture, and the other has a circular, "target"-like image. If you use the account icon with the "target" image, which indicates that it is the account associated with Whole Disk Encryption, you should not receive an additional prompt for your password.

The prompt is only necessary when you do not log in using the WDE account. However, once you have provided the password in the additional prompt, there is no difference in functionality. It is simply more convenient to use the WDE account.

Details

Article ID: 195
Created: Tue 12/12/17 3:08 PM
Modified: Fri 3/27/20 10:59 AM