Full-Disk Encryption Guidance
The Information Security Policy requires most laptops to be encrypted when personally-identifiable information or protected health information is stored on them, because a lost or stolen device could expose this sensitive data to an unauthorized person. Full-disk or whole-disk encryption (WDE) ensures that the data stored on the device cannot be read by anyone other than the owner or authorized users of the device. Documentation, reporting, and secure practices are additional processes needed to ensure the requirement is fully met.
Microsoft BitLocker and Apple FileVault are acceptable technologies that can be used to encrypt laptops that store University-owned sensitive information.
It is important to document that encryption has taken place as this information is needed if a device is later reported lost or stolen.
Encryption can fail, never fully complete, or be removed at a later date. For these reasons, it is important to be able to report on the status of encryption periodically. Enterprise solutions such as Microsoft SCCM for Active Directory (ad.unc.edu hosts) provide this reporting. JAMF (Casper) is an enterprise management solution for Apple devices and has similar reporting capabilities. It is recommended that one of these reporting solutions be utilized.
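The checks that an inventory tool performs can also be run directly on a Windows host. The script below is an added example, not part of this guidance or of SCCM or JAMF; it uses the built-in BitLocker PowerShell module to report, for each operating-system and data volume, whether encryption actually finished, whether protection is currently on, and whether a recovery password protector exists that can be escrowed. The function name Get-EncryptionReport and the commented-out export path are assumptions; an elevated session is required.

```powershell
# Added example (not from the original guidance): report BitLocker status for
# every fixed volume on the local Windows host. Requires the BitLocker module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.
# This surfaces the three failure cases the guidance warns about: encryption
# that never completed, protection that was suspended or removed, and a
# missing recovery password that would leave nothing to back up.

Import-Module BitLocker

function Get-EncryptionReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
        ForEach-Object {
            # A volume only counts as protected when encryption has finished
            # AND protection is on. A suspended volume (ProtectionStatus = Off)
            # is still fully encrypted but its key is stored in the clear.
            $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                         ($_.ProtectionStatus -eq 'On')

            # A RecoveryPassword protector is what gets escrowed to AD/SCCM;
            # without one there is no recovery key to back up.
            $hasRecovery = [bool] ($_.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

            [pscustomobject]@{
                ComputerName         = $env:COMPUTERNAME
                MountPoint           = $_.MountPoint
                VolumeStatus         = $_.VolumeStatus
                EncryptionPercentage = $_.EncryptionPercentage
                ProtectionStatus     = $_.ProtectionStatus
                HasRecoveryPassword  = $hasRecovery
                Compliant            = $compliant
                Checked              = (Get-Date).ToString('s')
            }
        }
}

$report = Get-EncryptionReport
$report | Format-Table -AutoSize

# Any non-compliant volume is the item to follow up on (resume protection,
# re-run encryption, or add a recovery password protector).
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Volume $($_.MountPoint) is not fully protected: $($_.VolumeStatus), protection $($_.ProtectionStatus)" }

# For periodic collection, append the rows to a central CSV (the UNC path is
# an assumption; point it at whatever location the reporting process uses).
# $report | Export-Csv -Path "\\fileserver\encryption-reports\$env:COMPUTERNAME.csv" -NoTypeInformation -Append
```

Running this on a schedule and collecting the CSV gives a lightweight version of the SCCM report; it does not replace SCCM or JAMF, but it makes the same three conditions visible on a host that is not yet enrolled. If HasRecoveryPassword is true, the protector can be escrowed to Active Directory with the standard Backup-BitLockerKeyProtector cmdlet, which is the mechanism behind the "back up the recovery key" practice listed later on this page.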
The practices below will help ensure that the encryption adequately protects the data stored on a computer. Vulnerabilities or bugs in the encryption technologies are reported periodically, so keeping the system patched is part of keeping the encryption effective. Another important component of protecting the data is to follow processes that support the security of the system and its data. A few of the most important are detailed below.
- Use a supported operating system
- Install operating system patches regularly
- Choose a complex PIN and/or password
- Back up important documents to a secure location
- Back up the recovery key to a secure location
- Use a screensaver and require a password to unlock