Cornell Policy 5.10 requires, for Cornell-owned desktops and laptops, that Whole Disk Encryption protect all local, persistent storage (e.g., the hard disk) when the system is powered off. Furthermore, the recovery keys for the encrypted hard drives must be centrally escrowed. While encryption of external hard drives and USB disks/keys is not required, encrypting these devices is highly recommended.
The policy leaves the choice of encryption software to the administrator of the individual system. However, Cornell and CNF offer some central services, and they recommend and provide guidance for particular encryption choices.
If your computer includes a TPM chip, it is recommended that you use the TPM chip as part of the Whole Disk Encryption setup for your computer. You will generally need to enable two options in the computer BIOS:
BitLocker is the Cornell-recommended encryption for the Windows operating system. The "Professional" editions of Windows 7 and 8.x do NOT support BitLocker; you will need to first upgrade to the Enterprise or Ultimate editions.
BitLocker will use the TPM chip in your computer to store the encryption keys. If your computer does not have a TPM chip, or you choose not to turn on the TPM chip, you will instead have to store the encryption keys on a USB stick and insert that USB stick into your computer at boot time.
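The following PowerShell script is an added example, not code from the Cornell or CNF pages; it audits a Windows system against the requirements stated above (every volume fully encrypted, the OS volume protected by a TPM or USB startup-key protector, and a recovery password present so it can be escrowed). It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules and an elevated prompt.

```powershell
# Added example (not from the Cornell/CNF guidance): report which of the stated
# requirements a Windows system does not meet. Assumes the BitLocker and
# TrustedPlatformModule modules (Get-BitLockerVolume, Get-Tpm) and an elevated shell.

$findings = @()

# TPM status: the guidance recommends using the TPM when the computer has one.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings += "No TPM detected: BitLocker will need a USB startup key at boot."
} elseif (-not $tpm.TpmReady) {
    $findings += "TPM present but not ready: enable/activate it in the BIOS/UEFI setup first."
}

# Audit every volume BitLocker knows about.
foreach ($vol in Get-BitLockerVolume) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Any TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) or a USB startup key (ExternalKey).
    $hasTpm = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    $hasUsb = $types -contains 'ExternalKey'

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "${mp}: volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "${mp}: protection is $($vol.ProtectionStatus); the volume key is not protected."
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($hasTpm -or $hasUsb)) {
        $findings += "${mp}: OS volume has neither a TPM nor a USB startup-key protector."
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "${mp}: no recovery password protector, so there is nothing to escrow centrally."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All BitLocker volumes pass the encryption, boot-protector, and recovery-password checks."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script can only confirm that a recovery password exists on the machine; whether it has actually been escrowed centrally must be verified against the escrow service itself.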
To set up BitLocker, see the CIT Set-up BitLocker web page.
Please note the following when setting up BitLocker:
FileVault is the recommended disk encryption method for a Macintosh computer. FileVault is built into the Macintosh operating system.
FileVault works on a per-user basis. FileVault is set up by a first user. At boot time, a list of the users set up in FileVault is presented on a screen similar to the normal Mac login screen. One choice is a Guest user, who cannot access data on the hard drive and has access only to the Safari web browser and the network itself. Additional users of the computer must be added to FileVault.
If the computer has multiple disk partitions for multiple versions of OS X, FileVault should be set up in each version of the OS for that OS's disk partition.
CNF Computing provides a central CNF Casper managed service. When your computer is enrolled in CNF Casper, the following will be set on your computer:
Please see the following web links:
LUKS is the CIT recommended disk encryption method for a Linux computer.
Please see the following web links:
Please note the following:
Cornell-owned computers whose disk is not encrypted must be documented as exceptions. The CNF-maintained exceptions list is stored in Cornell BOX.