Overview

Cornell Policy 5.10 requires, for Cornell-owned desktops and laptops, that whole disk encryption protect all local, persistent storage (e.g., hard disks) when the system is powered off. Furthermore, the recovery keys for the encrypted hard drives must be centrally escrowed. While encryption of external hard drives and USB disks/keys is not required, encrypting these devices is highly recommended.

The policy leaves the choice of encryption software to the administrator of the individual system. However, Cornell and CNF offer some central services and also recommend and provide guidance for particular encryption choices.

TPM

If your computer includes a TPM chip, it is recommended that you use it as part of the whole disk encryption setup for your computer. You will generally need to enable two options in the computer BIOS:

  1. Turn on the TPM chip
  2. Activate the TPM chip

Windows

BitLocker is the Cornell-recommended encryption for the Windows operating system. The "Professional" editions of Windows 7 and 8.x do NOT support BitLocker; you will need to first upgrade to the Enterprise or Ultimate editions.

BitLocker will use the TPM chip in your computer to store encryption keys. If your computer does not have a TPM chip, or you choose not to turn it on, you will instead have to store the encryption keys on a USB stick and insert that USB stick into your computer at boot time.

To set up BitLocker, see the CIT Set-up BitLocker web page.

Please note the following when setting up BitLocker:

  1. CNF and CIT recommend use of the TPM chip in your computer (see above).
  2. If prompted, do not choose TPM chip + PIN. Just choose TPM chip.
  3. When prompted, choose to encrypt the whole hard drive, not just the in-use portion of the hard drive.
  4. Encrypt all hard drives in your computer, not just your C: drive.
  5. If your computer is dual boot, encrypt the other hard drive with that OS's encryption.
  6. We recommend multiple copies of the recovery key. One copy must be given to CNF Computing staff to escrow centrally. You should keep a second copy (file or printout) in a safe location.

Macintosh

FileVault is the recommended disk encryption method for a Macintosh computer. FileVault is built into the Macintosh operating system.

FileVault works on a per-user basis. FileVault is set up by a first user. At boot time, a list of users set up in FileVault is presented on a screen similar to the normal Mac login screen. One choice is a Guest user, who cannot access data on the hard drive and has access only to the Safari web browser and the network itself. Additional users of the computer must be added to FileVault.

If the computer has multiple disk partitions for multiple versions of OS X, FileVault should be set up in each version of the OS for that OS's disk partition.

CNF Computing provides a central CNF Casper managed service. When your computer is enrolled in CNF Casper, the following will be set on your computer:

  1. FileVault will be enabled
  2. The next user to log in after FileVault is enabled will be prompted to enter their password to start the encryption process. This will be the initial user in FileVault. Your computer will reboot.
  3. A new user will be added to your computer and enabled for FileVault so that CNF Computing may boot your computer – this user is not an administrative user.
  4. The FileVault recovery key will automatically be centrally escrowed in the CNF Casper service.
  5. If installed, Symantec A/V will be removed.
  6. Microsoft System Center Endpoint Protection (SCEP) A/V will be installed.

Please see the following web links:

Linux

LUKS is the CIT recommended disk encryption method for a Linux computer.

Please see the following web links:

Please note the following:

  1. LUKS encryption, when set up, will wipe all existing data on the hard drive.
  2. Add a second decryption password and give that password to CNF Computing for central escrow.
  3. The LUKS header should also be backed up and centrally escrowed; see section 6, "Backup and Data Recovery", of the cryptsetup FAQ at https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions for instructions on backing up the LUKS header.
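As an added example (not CNF's or the cryptsetup project's own tooling), the following POSIX shell script carries out notes 2 and 3 above for one LUKS device: it adds the escrow passphrase as a second key slot and backs up the header with a SHA-256 sidecar so the escrowed copy can be verified later. The device path, key file and output directory are assumed placeholders; it must run as root against the real device.

```shell
#!/bin/sh
# Added example, not CNF tooling: implements notes 2 and 3 above for one LUKS
# device. Run as root; CRYPTSETUP may point at another binary (or a stub).
set -eu
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# luks_add_escrow_key DEV KEYFILE
# Adds the passphrase stored in KEYFILE as an additional key slot. cryptsetup
# asks interactively for an existing passphrase to authorize the change.
# KEYFILE is the copy that goes to CNF Computing for central escrow.
luks_add_escrow_key() {
    dev="$1"; keyfile="$2"
    "$CRYPTSETUP" isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    "$CRYPTSETUP" luksAddKey "$dev" "$keyfile"
}

# luks_backup_header DEV OUTDIR
# Saves the LUKS header to OUTDIR with a SHA-256 sidecar, so the escrowed
# copy can be checked for corruption long before it is needed. Prints the path.
luks_backup_header() {
    dev="$1"; outdir="$2"
    out="$outdir/$(basename "$dev")-$(date +%Y%m%d).luksheader"
    mkdir -p "$outdir"
    "$CRYPTSETUP" isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    "$CRYPTSETUP" luksHeaderBackup "$dev" --header-backup-file "$out"
    chmod 600 "$out"                       # the header is as sensitive as the disk
    (cd "$outdir" && sha256sum "$(basename "$out")") > "$out.sha256"
    echo "$out"
}

# luks_verify_header_backup BACKUP
# Recomputes the checksum against the sidecar; non-zero exit on mismatch.
luks_verify_header_backup() {
    backup="$1"
    (cd "$(dirname "$backup")" && sha256sum -c --quiet "$(basename "$backup").sha256")
}

# Usage (as root): sh luks-escrow.sh /dev/sda3 /root/escrow.key /root/luks-backups
if [ $# -eq 3 ]; then
    luks_add_escrow_key "$1" "$2"
    backup=$(luks_backup_header "$1" "$3")
    luks_verify_header_backup "$backup" && echo "verified header backup: $backup"
fi
```

Keep the header backup and the escrow key file off the encrypted disk itself; a backup that is only reachable after unlocking the volume is useless when the header is damaged.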

Exceptions

Cornell-owned computers whose disk is not encrypted must be documented as exceptions. The CNF-maintained exceptions list is stored in Cornell Box.
