Disk Encryption

Many groups at Emory handle sensitive information as part of their daily business. To help protect sensitive information that has been entrusted to Emory, the institution has created a disk encryption policy, and makes disk encryption tools available to Emory schools and business units free of charge. Emory's disk encryption policy requires that all Emory-owned portable computers be encrypted. Encryption is also required for desktop computers in certain circumstances. Please see http://policies.emory.edu/5.12 for more information.

If you have questions related to full disk encryption, please contact your local support, or contact LITS Enterprise Security via a support ticket, by email at security@emory.edu, or by calling 404-727-6666.

Approved Full Disk Encryption Offerings

Windows - BitLocker with the MBAM (Microsoft BitLocker Administration and Monitoring) client installed and configured to enterprise standards. BitLocker encryption without the MBAM client is not sufficient to comply with the disk encryption policy.

Mac OS - FileVault 2 with Emory's FileVault Management Tool installed. Running FileVault without the management tool is not sufficient to comply with the disk encryption policy.

Linux - LUKS and dm-crypt, which are set up automatically by most popular distributions that support full-disk encryption - see below for instructions. You should use an AES cipher with key size of 512 bits or higher. You should also add a recovery key to your volume.

Other disk encryption solutions are not approved to meet the requirements of the disk encryption policy.
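For the Linux guidance above, the following shell function is an added example (it is not Emory tooling and not part of the original page) that audits the text printed by cryptsetup luksDump for an AES cipher, a key size of at least 512 bits, and a second keyslot. It assumes the recovery key is stored in its own keyslot; the function name, messages and both sample dumps are constructed for illustration.

```shell
# Added example (not Emory tooling): audit "cryptsetup luksDump" text read from stdin.
# Checks: AES cipher, key size >= 512 bits, and at least two active keyslots.
# Assumption: the recovery key occupies its own keyslot beside the daily passphrase.
luks_check() {
    awk '
    /^Cipher name:/             { cipher = $3 }   # LUKS1 header field
    /^MK bits:/                 { bits = $3 }     # LUKS1 volume (master) key size
    /^Key Slot [0-9]+: ENABLED/ { slots++ }       # LUKS1 active keyslot
    /^[^ \t]/                   { sect = $1 }     # unindented line starts a LUKS2 section
    sect == "Data" && $1 == "cipher:"             { cipher = $2 }  # LUKS2 data segment
    sect == "Keyslots:" && $1 == "Key:"           { bits = $2 }    # LUKS2 volume key size
    sect == "Keyslots:" && /^[ \t]+[0-9]+: luks2/ { slots++ }      # LUKS2 active keyslot
    END {
        if (cipher !~ /^aes/) { print "FAIL cipher is not AES: " cipher; bad = 1 }
        if (bits + 0 < 512)   { print "FAIL key size below 512 bits: " (bits + 0); bad = 1 }
        if (slots + 0 < 2)    { print "FAIL no second keyslot for a recovery key"; bad = 1 }
        if (!bad) print "PASS"
        exit bad + 0
    }'
}

sample_luks1_weak() {   # constructed dump: LUKS1, 256-bit key, single keyslot
cat <<'EOF'
LUKS header information for /dev/example
Version:        1
Cipher name:    aes
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}
sample_luks2_ok() {     # constructed dump: LUKS2, 512-bit key, two keyslots
cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Digests:
  0: pbkdf2
EOF
}

sample_luks2_ok | luks_check
sample_luks1_weak | luks_check || echo "volume does not meet the guidance"
```

On a real system the function would be fed from cryptsetup luksDump run as root against the encrypted partition.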

Operating System             PGP    FileVault 2 w/ Management Tool   BitLocker/MBAM   LUKS/dm-crypt
Windows XP                   X**    -                                -                -
Windows Vista                X**    -                                -                -
Windows 7 *                  -      -                                X                -
Windows 8 / 8.1 *            -      -                                X                -
Mac OS 10.5 (Leopard)        X**    -                                -                -
Mac OS 10.6 (Snow Leopard)   X**    -                                -                -
Mac OS 10.7 (Lion)           -      X                                -                -
Mac OS 10.8 (Mountain Lion)  -      X                                -                -
Mac OS 10.9 (Mavericks)      -      X                                -                -
Linux                        -      -                                -                X

* - Enterprise and Ultimate Editions only

** - Indicates that these operating systems should be upgraded to versions that support MBAM/BitLocker or FileVault 2.

Retired Whole Disk Encryption Offerings

PGP Whole Disk Encryption was previously the supported whole disk encryption solution for Emory. It is now only supported on systems that it was installed on prior to April 30th, 2014. No new installations of PGP should occur after April 30th, 2014. Any system that is currently encrypted with PGP should be converted to FileVault 2 or BitLocker/MBAM. See the chart below for more details. If you have a version of an operating system that is now supported by FileVault 2 or BitLocker/MBAM, then you must upgrade your system.

Documentation

Disk Encryption Listserv

Those deploying and managing BitLocker or FileVault are invited to subscribe to the PGP-USERS-L listserv to get updates and participate in deployment discussions.

Encryption of USB Thumbdrives

Some USB thumbdrives are specifically designed to address the concerns of storing sensitive information by using built-in hardware encryption. These drives are more expensive, but much cheaper than dealing with the repercussions of losing sensitive information. For situations where it is necessary to store sensitive information on a thumbdrive, Emory's Office of Information Technology has approved both IronKey Personal USB thumbdrives and Kingston Data Traveler Vault - Privacy Edition thumbdrives for this purpose. These drives use hardware-based encryption, ensuring that all data stored on the drive is encrypted. This removes doubt about whether encryption software was installed and configured correctly, and whether a particular drive was encrypted when it was lost. No other thumbdrives are approved for storing sensitive Emory data.

See the table below for direct links to specific products through CDWG for institutional purchases.