Disk Encryption

Many groups at Emory handle sensitive information as part of their daily business. To help protect sensitive information that has been entrusted to Emory, the institution makes disk encryption tools available to Emory schools and business units free of charge, and also requires encryption for all Emory owned portable computers as well as for desktop computers in certain circumstances. Please see Emory's Disk Encryption Policy for more information. 

If you have questions related to full disk encryption, please contact your local support, or OIT Enterprise Security via a support ticket, email security[@]emory[.]edu, or by calling 404-727-6666.

Approved Full Disk Encryption Offerings

Windows - BitLocker with the MBAM (Microsoft BitLocker Administration and Monitoring) client installed and configured to enterprise standards. BitLocker encryption without the MBAM client is not sufficient to comply with the disk encryption policy.

Mac OS - FileVault 2 with Emory's centralized Jamf instance (preferred) or Emory's FileVault Management Tool. Running FileVault without either program is not sufficient to comply with the disk encryption policy.

Linux - LUKS and dm-crypt, which are set up automatically by most popular distributions that support full-disk encryption - see below for instructions. You should use an AES cipher with key size of 512 bits or higher. You should also add a recovery key to your volume.

Other disk encryption solutions are not approved to meet the requirements of the disk encryption policy.

Operating SystemFileVault 2 w/ JamfBitLocker/MBAMLUKS/dm-crypt
Windows 7 and above*X
Mac OS 10.7 and aboveX

*- Enterprise and Ultimate Editions only


Encryption of USB Thumbdrives

Some USB thumbdrives are specifically designed to address the concerns of storing sensitive information by using built-in hardware encryption.  These drives are more expensive, but much cheaper than dealing with the repercussions of losing sensitive information.  For situations where it is necessary to store sensitive information on a thumbdrive, Emory's Office of Information Technology has approved Kingston IronKey S1000 (and previously, Kingston DataTraveler Vault - Privacy Edition) thumbdrives for this purpose.  These drives use hardware-based encryption, ensuring that all data stored on the drive is encrypted.  This removes doubts of whether encryption software was installed and configured correctly, and if a particular drive was encrypted when it was lost.  No other thumbdrives are approved for storing sensitive Emory data.

These drives can be purchased through CDWG for institutional purchases.