Full Disk Encryption

The university has mandated that all drives connected to university equipment will need to have full disk encryption enabled by August 15, 2024. To that end, we've created this document to answer some of your questions regarding this process and what it will mean to your daily usage of computing equipment.

This document will be updated as the IT office receives more questions and information over time.

FAQs

What is full disk encryption (FDE)?

Full disk encryption (FDE) is a solution intended to safeguard the data on your computer from being accessed by a third party. Normally, if someone were to steal your device or drive, they would have access to your data. With encryption, the data is unreadable unless unlocked either by a hardware key known as a trusted platform module (TPM) or by a password. The Windows implementation of this software is known as BitLocker, and the Apple equivalent is FileVault.

What is a trusted platform module (TPM)?

A TPM is a module that essentially gives your computer a “fingerprint” so that it can utilize security systems such as FDE without getting in the user’s way. The fingerprint is created by using your current computer boot settings and installed hardware. This means that the TPM fingerprint can change if those are altered.

Will I need to do anything?

The whole process should be invisible for desktops based on campus. If you have a laptop, then you will likely need to bring it in to have it joined to the domain and encrypted.

Will this encryption allow DIT to intrude on my computer?

This will not allow DIT access to your computer. It’s simply a feature of modern operating systems that we’ll be enabling on a university level.

Will this affect file sharing?

No, file sharing will not be affected.

Will this affect my drive speeds?

Theoretically yes, but recorded benchmarks have shown the difference to be in single-digit percentages in some edge cases. You shouldn’t notice any loss of speed.

What if there’s a problem and my drive is locked?

DIT will be storing recovery keys on the UMD internal network. In the case that you need these to unlock your drive (e.g. if your TPM fingerprint has changed due to a hardware change) they will be available through a self-service portal.

Will this affect removable drives, such as USB sticks?

No. While the definition of FDE could be expanded to include removable drives, that won't be the case for our department. Only fixed drives attached to university equipment will be encrypted (however, this will include external hard disk enclosures, as their semi-permanently attached nature lumps them into the “fixed drive” category).

full_disk_encryption.txt · Last modified: 2023/05/01 18:28 by mcloughlin