Service is not (yet) supported by Cornell. Here are ChemIT's thoughts on encryption (as of April 2015).
Disk-level and file-level encryption is not supported at Cornell (including in ChemIT)
- No documentation.
- No recommendations
- No central key-escrow.
- No support for either technical staff nor end-users.
ChemIT's current capabilities
- Consultation regarding encryption
- Risk management, whether encryption or its alternatives, is as much an issue of ones behaviors and attitudes as it is about technology.
- Note: We personally have very limited experience with encryption.
- Benefits of encryption.
- Use-cases when it's helpful. And when it's not helpful.
- Encryption can represent unnecessary bother and risks in meeting some needs.
- Alternatives to encryption.
- If the data is not on your laptop (for example), there is no need to have encrypted data on the laptop.
- Identifying benefits and risks of various alternatives.
- Risks if using encryption. Currently, must self-escrow keys.
- You may lose your data because of the encryption, through technical failures or losing keys.
- Your backups may not be set up correctly relative to your encryption choices.
- There is no university support for failed situations, including from ChemIT staff.
- Very limited training via some show-and-tell related to encryption or alternatives.
- We cannot provide on-going support for anyone choosing to use encryption.
Future direction
If and when Cornell provides central support for file-level or disk-level encryption, ChemIT can naturally expand its services as appropriate.
- Coming as part of CU's MS Configuration Management service?
Continue to gauge demand within CCB. Requests for the service are almost non-existant so far. We recognize that although CCB use-cases seem low, but perhaps some risks are well hidden. (Faculty do travel. What data do they take with them?)
- Would those same, well-hidden use-cases avail themselves of an encryption service?
Possible, if deemed sufficiently valuable to CCB:
- Advocate for a central encryption service.
- Set up a service.
- R&D, then testing promising solutions. Vetting can take a lot of time to uncover all the undocumented "gotchas". Develop recommendations, along with recommended alternatives.
- Invest in, and bear the risks, associated with provisioning a local key escrow.
- Invest in documentation and maintaining that documentation.
- Provide in-person support for when things are going well. And for when things do not go well, when a higher technical competence is expected, often specialized.