ITS Systems will perform emergency maintenance on the University Wikis Service after 5:00 p.m. TODAY ( Wednesday, January 28, 2015 ). The service will be unavailable briefly starting at this time.
Skip to end of metadata
Go to start of metadata

The Information Secure Office (ISO) has approved several methods of complying with policy for encrypting sensitive data on laptops and desktops.  The preferred method of accomplishing this is using WinMagic SecureDoc, the enterprise whole disk encryption product available through ITS.

The ISO strongly believes that the following features are important in an encryption product:

  1. Industry-standard, well-tested encryption algorithms.
  2. Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
  3. Support for multiple platforms, especially Windows and Mac (both of which currently make up the majority of portable devices on campus).
  4. The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.

SecureDoc best satisfies all of these requirements.  There may, however, be cases where it is not possible to use SecureDoc.  In such instances, end-users, in consultation with their local IT support staff, can choose from another approved product in Table 1.  For products that do not support their own method of escrow/recovery, the ISO recommends the use of Stache and the use of system management consoles (e.g., Absolute Manage, SCCM) so that verification of encryption is possible.

If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.

Table 1: Approved Encryption Methods

Encryption Technology

Escrow Method

Operating System(s) Supported

Whole-Disk Encryption?

Cost

More Information

WinMagic SecureDoc

SecureDoc Enterprise Server

Windows, Linux

Yes

None

http://www.utexas.edu/its/encrypt/

Microsoft Bitlocker 1

Active Directory (in some cases), Stache

Windows 8/7/Vista

Yes

None

Windows 7 BitLocker Executive Overview

BitLocker Encryption Overview

Apple FileVault 2 2

Stache

Mac OS X 10.7+

Partition

None

OS X: About FileVault 2

Apple FileVault 3

Stache

Mac OS X 10.3-10.6

No

None

Mac OS X 10.6: Encrypting your home folder with FileVault

Secure virtual memory must also be enabled.

Linux Unified Key Setup (LUKS) Encryption 4

Stache

Redhat 6+,
Fedora 9+,
Ubuntu 6+ 5,
Ubuntu 12.10+

Partition

None

LUKS Disk Encryption

TrueCrypt v7.1a with pre-boot authentication 6 7

Stache

Windows 8/7/Vista/XP

Windows only

None

No longer approved for new deployments after May 2014. 7

Self-Encrypting Drive (SED) 8 9 10

SecureDoc Enterprise Server, Stache

Windows, Mac OS X, Linux

Yes

Depends on size, storage technology, and vendor.

The SED chosen must be compliant with the OPAL specification.  Check wit

h the vendor to ensure compliance.


1 Bitlocker may be used on devices without a TPM by configuring a USB drive to hold the encryption key. This USB drive would then have to be provided to use the computer, however it is important that the USB drive not be left unattended with the computer. The use of a TPM to store the keys is more secure, therefore on devices that have a TPM, it must be used instead in order to be considered an approved encryption method.

2 FileVault 2 encrypts partitions, not entire drives. It is strongly recommended that that you do not escrow recovery keys with Apple and instead utilize Stache for this purpose.

3 FileVault for OS X 10.3 to 10.6 can only encrypt a user's home directory or selected disk images; it does not encrypt the operating system partition and is therefore not considered whole disk encryption.  Secure virtual memory must also be enabled for FileVault to be considered an acceptable encryption method.  SecureDoc is recommended over FileVault for Macs that are not running 10.7 or higher. 

4 Encrypting partitions of an existing installation with LUKS will most likely require a reinstall of the operating system as this option is only presented to users at install time. You are urged to make certain that you have complete and working backups of all data before beginning this process. 

5 With Ubuntu versions before 12.10, the option to encrypt partitions with LUKS at install time is only presented when using an alternate install CD, such as the text-based install available at http://www.ubuntu.com/download/desktop/alternative-downloads. A standard GUI install CD will only encrypt the user's home directory, not the partition, and thus would not be compliant with policy.

6 TrueCrypt can only perform whole disk encryption (i.e. pre-boot authentication) on Windows systems; the Mac and Linux versions of TrueCrypt do not currently support this feature.

7 As of May 2014, TrueCrypt has been officially abandoned by the developers. Version 7.1a (no longer available from the official site) is the last version capable of encrypting data. Usage of TrueCrypt is approved only for already existing installations, contingent upon the outcome of the ongoing third-party audit of the product. TrueCrypt is not approved for and must not be used with new deployments, starting May 2014.

8 Self-Encrypting Drives provide low-latency, hardware-level encryption and are available from a number of manufacturers.  In order to ensure minimum standards are met, only SEDs that meet the OPAL specification are approved.  Seagate, Hitachi, and Toshiba are a few examples of manufacturers that make OPAL compliant SEDs.  Check with your vendor to ensure compliance.

9 The ISO strongly recommends against relying on ATA password security when implementing SEDs.  The best way to use SEDs is to have SecureDoc or another enterprise product handle authentication.  For more information, see breaking ATA password security.

10 Solid State Drives (SSDs) utilizing software encryption (e.g., SecureDoc, FileVault 2, BitLocker, etc.) are a higher performing option than SEDs and may be preferable over SEDs for cases where high disk performance is critical.


Copyright © 2001-2013 Information Technology Services. All rights reserved.

  • No labels