Whole Disk Encryption FAQ

Overview:

  1. What is encryption?
  2. Why am I required to encrypt my computer?
  3. Will Whole Disk Encryption make my computer slow?
  4. Will I have a pre-boot passphrase?
  5. I have a large drive, can I be excluded?
  6. I forgot my pre-boot passphrase, is my information lost?
  7. Does changing my Net ID password change the pre-boot passphrase?
  8. Do I need to encrypt my smartphone as well?
  9. If I already encrypt my devices, will I need to also encrypt with Sophos?
  10. Can I turn off BitLocker?
  11. Can I temporarily suspend BitLocker?
  12. Why do I get asked for my password twice?

Request encryption assistance

What is encryption?

Whole Disk Encryption means all files on a computer are encoded so that the information cannot be accessed by someone who does not have permission. If an encrypted laptop is stolen, the thief cannot recover the sensitive information contained within the computer unless the thief has the password (or key) with which the information was encrypted. Furthermore, once the laptop is reported stolen, the Security Office can determine that there is a substantially lower risk that the information was compromised, because the laptop was encrypted.

Why am I required to encrypt my computer?

You are required to have your computer drives encrypted to help ensure that, if your computer is lost or stolen, no data is lost or compromised. This is a best practice that has been in place for many years for UI users handling high risk data, and is now the default on all new machines. It also helps the university meet regulatory and contractual compliance requirements, including those for work for the federal government, Idaho National Lab, and several other research contracts.

Will Whole Disk Encryption make my computer slow?

WDE should not reduce the overall performance of your computer. However, during the encryption process you may experience some latency in normal tasks. Once the computer has completed the encryption process there will be a slight delay during the boot up process. Once the Operating System (Windows, Mac OS X) has loaded, there should be no detectable change in performance. If you suspect performance is being affected, please contact Technical Support Services or your System Administrator to determine the cause.

Will I have a pre-boot passphrase?

Systems handling high risk data on behalf of UI should be set with a pre-boot passphrase or PIN. The default encryption for new Windows machines and for general use does NOT require a pre-boot passphrase unless it is known that high risk data could reside on that machine. Encryption for most users will be completely invisible for daily operations.

I have a large drive, can I be excluded?

OIT is excluding computers with drives larger than 1 TB from automatic encryption at this time. We still recommend encryption for these computers; it will be made available optionally or with the assistance of your TSP or Support person. Other exclusions, if necessary, can be requested through OIT.

I forgot my pre-boot passphrase, is my information lost?

No, your information is not lost. OIT can assist you in booting your computer and resetting the pre-boot passphrase. Contact your TSP or SysAd to initiate the recovery process.

Does changing my Net ID password change the pre-boot passphrase?

Changing your Net ID password is a separate process from changing your pre-boot passphrase. Setting the pre-boot passphrase the same as your Net ID password is not advised. It is a good idea, however, to update your pre-boot passphrase periodically.

Do I need to encrypt my smartphone as well?

At this time, our encryption platform does not support mobile devices and the Security Office is not requiring smartphones to be encrypted. If you receive your university email on your smartphone with Outlook, Outlook requires the device to be encrypted, on all Android or Apple smartphones. Most Apple devices are encrypted by default, but depend on a strong passcode to provide full protection. Keep in mind that ITS cannot recover your smartphone's passcode if you forget it.

Can I turn off BitLocker?

No, the device will be automatically re-encrypted by Intune policy. If you wish to remove encryption, please contact your TSP or SysAd and give a reason why that machine should not be encrypted. For Low Risk systems, your TSP may assist with removal. For Moderate or High risk data, the OIT Security Office may recommend a policy exception for removal of encryption if appropriate.

Can I temporarily suspend BitLocker?

If you have administrator access on the local device, you can temporarily suspend BitLocker for one reboot. This can be used to avoid the startup PIN, which can be helpful if you are working remotely on an encrypted machine that requires a reboot. Open an administrative PowerShell prompt and enter the following command:

Suspend-BitLocker -MountPoint C:

The next time the device is powered on after a reboot or shutdown, you will not be prompted to enter your BitLocker password. BitLocker automatically resumes after power on. If you reboot again, you will be prompted for your BitLocker password.

Encryption protection no longer applies while BitLocker is suspended. You should suspend BitLocker only when necessary.
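
The following is an added example, not part of the original article or OIT's own tooling. It wraps the command above with checks: it refuses to suspend a volume that is not already fully protected, states the one-reboot count explicitly, and provides a post-reboot check that resumes protection if it is still off. The function names Suspend-BitLockerOnce and Confirm-BitLockerResumed are hypothetical; the example assumes the built-in BitLocker PowerShell module and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: the function names below are hypothetical, not from the article.

function Suspend-BitLockerOnce {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only suspend a volume that is fully encrypted and currently protected.
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        throw ("{0} is not in a protected state (VolumeStatus={1}, ProtectionStatus={2}); not suspending." -f
            $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    }

    # -RebootCount 1 is the cmdlet default; stating it makes the intent explicit.
    # A value of 0 would leave protection off until Resume-BitLocker is run.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

    # Show the resulting state so the suspension is visible in the session log.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Confirm-BitLockerResumed {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Protection did not come back on by itself; turn it back on now.
        Write-Warning "Protection on $MountPoint is still off; resuming."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}
```

Run Suspend-BitLockerOnce before the reboot, then run Confirm-BitLockerResumed from an administrative PowerShell prompt after signing back in; ProtectionStatus should read On.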


Details

Article ID: 195
Created: Tue 12/12/17 3:08 PM
Modified: Tue 5/14/24 11:21 AM
