Full Disk Encryption at Miami
In Fall 2017, 黑料社区 IT Services rolled out full disk encryption (FDE). Almost everyone who works at Miami has some confidential information, as defined in MUPIM 3.22, on their computers. By installing FDE, we are ensuring that none of that confidential data can be accessed if an employee’s Miami-issued laptop is lost or stolen. Here are several frequently asked questions about this requirement:
Full Disk Encryption FAQs
I have a personal computer. How does this encryption rollout affect my personal computer?
This project is only for Miami-owned laptops. Your personal computer will not be affected by this. The encryption programs that we are using, BitLocker (Windows) and FileVault (Mac), are both built into their respective operating systems. If you would like to install either on your personal computer, you can do so by following guides available on the Internet. Be aware that Miami will not be able to assist you in recovering data if you encounter an issue, as your personal computer will not be linked to the centralized software programs we are using to manage the encrypted Miami laptops.
Related: Will there be a way to get this encryption on personal computers that are used for University purposes, such as those used by contractors and part-time faculty members?
If the computer is a Miami-owned laptop then it will be encrypted regardless of the user. If the computer is personally owned by a contractor or part-time faculty member, it will not be encrypted as part of this project.
How does this affect files that I move from my encrypted computer to another location (Google Drive, USB drive, etc)?
We are using what is known as Full Disk Encryption (FDE). It works by encrypting all of the data on a selected hard drive. If a laptop with an encrypted hard drive is stolen, all the files are safe. If you copy a file to another location, it is no longer being stored on the encrypted hard drive so it will be stored in an unencrypted fashion unless the target location is also running Full Disk Encryption. Your files are only as safe as the drive they are stored on.
What about USB drives?
We are not requiring encryption for USB drives attached to Miami laptops. The goal of this program is to remove the risk of confidential data being accessed from a stolen laptop. However, if you store confidential data on your USB drives, we recommend that you either delete the confidential data from your USB drive and instead store it on Google Drive or a network share drive, or that you encrypt your USB drive. If you would like assistance in encrypting a USB drive, please contact the IT Services Support Desk at 513 529-7900. Be aware that if you lose the password and recovery key associated with your USB drive, you will not be able to recover your data.
What about Parallels?
Parallels is virtualization software used by many Mac users to also run a Windows system so they can access Windows-only programs. Once your Mac is encrypted, the files that make up your Windows system inside of Parallels will also be encrypted. You do not need to take any additional steps to encrypt your Windows system inside of Parallels.
What about Linux laptops?
IT Services does not provide support for Linux laptops. As such, we are not providing a centralized encryption package for Linux laptops. We are working with users in our community who use Linux on their laptops to identify an appropriate encryption package that they should use, and a mechanism to store the associated encryption key so it can be recovered if the user forgets it. We are currently evaluating LUKS. If you have another alternative that you would like us to consider or if you would like to hear what encryption package is recommended for Linux desktops, please email John.Virden@MiamiOH.edu.
What if I’m off campus?
When you connect to Miami's Virtual Private Network (VPN), your Miami laptop should check in with our centralized management servers. Those servers should tell your laptop to begin the encryption process. If that doesn't happen, the next time that you connect your laptop to the Miami network, the encryption process should begin.
Why are we doing this? How does this benefit Miami?
We already take a number of steps to protect confidential information when it is “data in motion”, such as only allowing access to your email web interface via “https”. Protection for “data in motion” protects Miami data from someone who is able to eavesdrop on your network communication, and is especially important when you are outside of the Miami network, such as when you’re uptown at Kofenya or Starbucks.
This encryption software will protect confidential information when it is “data at rest”. Without encryption on your hard drive, a thief who steals your laptop will be able to access all of the data on your laptop whether or not they have your password. They can simply remove the hard drive, connect it to another computer that they control, and then access all of the data on your hard drive. By adding encryption to protect your “data at rest”, when the thief attempts to access the data on your hard drive they will only see encrypted data while all authorized users of the laptop will be able to access the data normally.
I have a Mac and have installed Windows Boot Camp - how will this work for me?
We strongly encourage you to use Parallels instead of Boot Camp if you need to be able to access Windows from your Mac. The Mac partition of your hard drive will be automatically encrypted, but your Boot Camp partition cannot be encrypted. Because of this, you should not store any confidential data on the Boot Camp partition. If you are able to move to using Parallels instead then your entire Mac hard drive will be encrypted, including the files that make up your Windows system inside of Parallels.
NOTE: Boot Camp is only available on laptops manufactured prior to 2020.
What if I’ve already encrypted?
You will need to decrypt your hard drive and then let the encryption process run. This is so we can ensure that the encryption key, which can be used to recover the data on the encrypted hard drive if you’ve forgotten your password, is stored centrally and can be recovered by your local technical support staff. For Windows users, this will also allow you to be able to recover your BitLocker key if you need to by going to . After you decrypt your hard drive, the encryption process should automatically start - you do not need to take any further action.
Do I need to do anything physically myself, or will it install automatically?
When your Miami laptop is connected to the Miami network, it will automatically communicate with the centralized servers that manage your laptop. This will instruct your laptop to begin the encryption process. There is nothing that you need to do yourself.