Disk Encryption
Many groups at Emory handle sensitive information as part of their daily business. To help protect sensitive information that has been entrusted to Emory, the institution makes disk encryption tools available to Emory schools and business units free of charge, and also requires encryption for all Emory-owned portable computers as well as for desktop computers in certain circumstances. Please see Emory's Disk Encryption Policy for more information.
If you have questions related to full disk encryption, please contact your local support, or OIT Enterprise Security via a support ticket, email security[@]emory[.]edu, or by calling 404-727-6666.
Approved Full Disk Encryption Offerings
Windows - BitLocker with the MBAM (Microsoft BitLocker Administration and Monitoring) client installed and configured to enterprise standards. BitLocker encryption without the MBAM client is not sufficient to comply with the disk encryption policy.
Mac OS - FileVault 2 with Emory's centralized Jamf instance (preferred) or Emory's FileVault Management Tool. Running FileVault without either program is not sufficient to comply with the disk encryption policy.
Linux - LUKS and dm-crypt, which are set up automatically by most popular distributions that support full-disk encryption - see below for instructions. You should use an AES cipher with a key size of 512 bits or higher. You should also add a recovery key to your volume.
Other disk encryption solutions are not approved to meet the requirements of the disk encryption policy.
Operating System | FileVault 2 w/ Jamf | BitLocker/MBAM | LUKS/dm-crypt |
---|---|---|---|
Windows 7 and above* | | X | |
Mac OS 10.7 and above | X | | |
Linux | | | X |
* Enterprise and Ultimate Editions only
Documentation
- Emory Disk Encryption Policy
- Disk Encryption Implementation FAQs
- MBAM/BitLocker Getting Started Guide for IT Support
- MBAM/BitLocker Troubleshooting Guide for IT Support
- Emory FileVault Management Tool - Only for Mac OS X 10.7 (Lion) and above
- Linux distribution full disk encryption guides. Some of these are not official documentation from the vendor, and are therefore for convenience only - use at your own risk. Also note that by default these distributions may not all meet our minimum standard of using an AES 512-bit cipher! It is your responsibility to ensure that the solution you use is configured correctly. You should also add a recovery key to your volume.
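The Linux requirements stated under Approved Full Disk Encryption Offerings and repeated in the guide note above (AES cipher, key size of 512 bits or higher, a recovery key) can be checked against the output of cryptsetup luksDump. The script below is an added example, not Emory's own tooling; the function name check_luks_dump, the constructed sample dumps, and the rule that two or more active keyslots indicates a recovery key was added are assumptions.

```shell
#!/bin/sh
# Added example. Real use (as root): cryptsetup luksDump /dev/sdXN | check_luks_dump
# /dev/sdXN is a placeholder. Assumption: >= 2 active keyslots means a recovery key exists.
check_luks_dump() {
  awk '
    /^Cipher name:/                { cipher = $3 }   # LUKS1 header
    /^MK bits:/                    { bits = $3 }
    /^Key Slot [0-9]+: ENABLED/    { slots++ }
    /^[ \t]+cipher:/               { cipher = $2 }   # LUKS2 data segment
    /^[ \t]+Key:[ \t]+[0-9]+ bits/ { bits = $2 }     # LUKS2 volume key size
    /^[ \t]+[0-9]+: luks2/         { slots++ }       # LUKS2 keyslot entry
    END {
      rc = 0
      if (cipher !~ /^aes/) { print "FAIL cipher \"" cipher "\" is not AES"; rc = 1 }
      if ((bits + 0) < 512) { print "FAIL key size " (bits + 0) " bits, need 512 or more"; rc = 1 }
      if ((slots + 0) < 2)  { print "FAIL " (slots + 0) " active keyslot(s), add a recovery key"; rc = 1 }
      if (rc == 0) print "OK " cipher " " bits " bits, " slots " keyslots"
      exit rc
    }'
}

# Constructed LUKS2 dump (abridged): passes all three checks.
sample_compliant() { cat <<'EOF'
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
EOF
}

# Constructed LUKS1 dump (abridged): 256-bit key, single passphrase.
sample_weak() { cat <<'EOF'
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

sample_compliant | check_luks_dump
sample_weak | check_luks_dump || true
```

With aes-xts-plain64, the 512-bit key is split into two 256-bit AES keys, which is why a compliant volume reports 512 bits rather than 256. A second keyslot can be added with cryptsetup luksAddKey.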
Encryption of USB Thumbdrives
Some USB thumbdrives are specifically designed to address the concerns of storing sensitive information by using built-in hardware encryption. These drives are more expensive, but much cheaper than dealing with the repercussions of losing sensitive information. For situations where it is necessary to store sensitive information on a thumbdrive, Emory's Office of Information Technology has approved Kingston IronKey S1000 (and previously, Kingston DataTraveler Vault - Privacy Edition) thumbdrives for this purpose. These drives use hardware-based encryption, ensuring that all data stored on the drive is encrypted. This removes any doubt about whether encryption software was installed and configured correctly, and whether a particular drive was encrypted when it was lost. No other thumbdrives are approved for storing sensitive Emory data.
These drives can be purchased through CDWG for institutional purchases.