How to Implement Whole-Disk Encryption

KB0021104


As of May 24, 2022, whole-disk encryption software must be enabled for all computers that access the High Security VPN (HSVPN).

Steps for Whole-Disk Encryption

Step 1 of 4: Back Up Computer

Computer backups should be created and stored in one of the following approved locations.
  • Backup Options:
    • Time Machine or Windows Backup to an external drive can be an easy solution for backups; however, the external drive should also be encrypted and protected.
    • CrashPlan, a cloud-enhanced desktop backup service, is available for purchase through ITS. CrashPlan is not for use with Highly Sensitive Data (HSD) or other restricted data types.
    • For backing up individual files, we recommend using OneDrive.

Please note that individual computers should not have Highly Sensitive Data (HSD), and you should never keep your backups stored locally on your computer.

Information about additional storage options can be found on ITS' Storage Homepage.

Step 2 of 4: Disk Utility Check & Repair

Step 3 of 4: Make a Plan to Securely Store Recovery Key

For Users Without LSPs: Securely Store Recovery Keys

This information applies to users who do not have Local Support Partners (LSPs).

Recovery keys should be securely stored; they are sensitive information and must be protected. The recovery keys should not be stored on the same computer that is encrypted.

  • Options for recovery key storage include:
    • Ask if your department already has a process for recovery keys. If so, use that process.
    • Print out the recovery key and store it in a secure location.
    • Use Secure Notes in LastPass (available at no additional cost to most UVA Academic, UVA Foundation, and UVA alumni users) to store your recovery key.
    • Windows: See Find my BitLocker recovery key for more information.
    • Macs: See Encrypt Mac data with FileVault for more information.

Protect this key. There is no other copy, and no other way to decrypt your drive, if it is lost. Like the keys to your office or the password to your UVA-owned computer, this key should be turned over to your supervisor when you leave the University. See IT Checklist for Leaving UVA and UVA HR's Onboarding and Offboarding Procedures.

For LSPs: Securely Store Recovery Keys

This information applies to Local Support Partners (LSPs) only.

Recovery keys should be securely stored; they are sensitive information and must be protected. The recovery keys should not be stored on the same computer that is encrypted.

  • Options for recovery key storage include:
    • Print out the recovery key and store it in a secure location.
    • KACE
    • Jamf Cloud / On-Prem
    • Active Directory (AD) Storage: If you are already using this method to store recovery keys, please continue to do so; if not, please use a different option.

Protect this key. There is no other copy, and no other way to decrypt your drive, if it is lost. Like the keys to your office or the password to your UVA-owned computer, this key should be turned over to your supervisor when you leave the University. See IT Checklist for Leaving UVA and UVA HR's Onboarding and Offboarding Procedures.

Step 4 of 4: Encrypt Your Computer

FAQs

About Whole-Disk Encryption

Disk encryption converts all the data on the computer into a form that is unreadable without the computer password or the recovery key. It does not protect against ransomware, viruses, or other malware. If the computer is lost or stolen, encryption prevents the computer data from being viewed by others.

How long encryption takes varies widely by the kind of computer and the type and size of the drive(s) being encrypted. This process can continue in the background while you work.

Encryption should not noticeably slow your computer. Once your computer is encrypted, there should be no impact on your computer's speed.

  • Enable a screensaver/auto-lock and require a password/PIN to unlock (as required by UVA policy).
  • Manually lock your screen if you're going to be away from your computer.
  • Power off your computer completely (do not just suspend it) when you transport it between locations.
  • Always maintain physical control of your mobile computer, especially when travelling (even between work and home).

Recovery Keys

The UVA Help Desk cannot recover lost recovery keys. It is very important that you back up your recovery key.

  • You will need your recovery key for:
    • BIOS or hardware updates
    • Certain software changes that BitLocker (Windows) cannot distinguish from a possible attack (see Finding your BitLocker recovery key in Windows for more information)
    • A problem with your hard drive
    • A major OS update (in some cases)

Operating Systems

We recommend using an Enterprise- or Education-edition OS. Whole-disk encryption will not work on Windows Home machines. If using a personally owned computer, talk to your manager about getting an organizational machine.

If your computer is University-owned and can be updated to an Enterprise/Education OS, please do so. If it cannot be updated, talk to your department about providing a new machine that can run Windows Education/Enterprise OS. If you need help, contact the UVA Help Desk.

See Windows on the Service Center for software downloads.

Requirements

All internal drives must be encrypted. It is recommended that external drives being used for backups (e.g., Time Machine) also be encrypted. You should not store your backup with your computer.

Yes: virtual machines (VMs) must also be encrypted using BitLocker, regardless of the encryption state of the host machine.
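The "all internal drives must be encrypted" requirement above, and the recovery-key storage options in Step 3, are both things you can verify rather than assume. The following PowerShell script is an added example, not part of this UVA article and not an ITS-provided tool: it reports the BitLocker state of every fixed internal drive, confirms each has a recovery-password protector, and (only when you ask for it) escrows those protectors in Active Directory. It assumes a Windows Pro/Enterprise/Education machine with the BitLocker PowerShell module and an elevated session; the function name and the output fields are this example's own.

```powershell
# Added example, not part of the UVA article: report BitLocker status for every
# fixed internal drive and confirm each one has a recovery-password protector.
# Assumes Windows Pro/Enterprise/Education (the BitLocker module is not on Home)
# and an elevated PowerShell session. The function name and fields are assumptions.
#Requires -RunAsAdministrator

function Get-WholeDiskEncryptionReport {
    [CmdletBinding()]
    param(
        # Only use this if your department already stores recovery keys in AD (Step 3).
        [switch]$BackupToAD
    )

    # The requirement is "all internal drives": enumerate fixed volumes that have a
    # drive letter and ignore removable media and optical drives.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }

    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl) {
            # BitLocker has no record of this volume: treat it as non-compliant.
            [pscustomobject]@{
                Drive = $mount; Compliant = $false; Status = 'NoBitLockerInfo'
                ProtectionOn = $false; PercentEncrypted = 0; Method = 'None'; RecoveryKeyIds = @()
            }
            continue
        }

        # Recovery-password protectors are the 48-digit keys the article tells you to store.
        # Only the protector ID is reported; the password itself never goes to the console or a log.
        $recovery = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                # Escrow in the computer's AD object (requires the BitLocker AD backup policy).
                Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        # Compliant means: fully encrypted, protection turned on, and a recovery key exists.
        $compliant = ($bl.VolumeStatus -eq 'FullyEncrypted') -and
                     ($bl.ProtectionStatus -eq 'On') -and
                     ($recovery.Count -gt 0)

        [pscustomobject]@{
            Drive            = $mount
            Compliant        = $compliant
            Status           = $bl.VolumeStatus
            ProtectionOn     = ($bl.ProtectionStatus -eq 'On')
            PercentEncrypted = $bl.EncryptionPercentage
            Method           = $bl.EncryptionMethod
            RecoveryKeyIds   = @($recovery | ForEach-Object KeyProtectorId)
        }
    }
}

$report = Get-WholeDiskEncryptionReport
$report | Format-Table Drive, Compliant, Status, ProtectionOn, PercentEncrypted, Method -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more internal drives are not fully encrypted or lack a recovery-password protector.'
}
```

A drive still reports as non-compliant while its status is EncryptionInProgress, which matches the note above that encryption keeps running in the background; re-run the check once it finishes. Because the article requires VMs to be encrypted independently of the host, run the script inside each VM as well as on the host. The RecoveryKeyIds column lets an LSP confirm which protector was escrowed without ever displaying the recovery password itself.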

Highly Sensitive Data (HSD)

No. UVA Policy strictly limits the circumstances under which HSD may be stored on electronic devices and media. See Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media for more information.

Short URL for this page: https://in.virginia.edu/whole-disk-encryption

Last Updated: February 24, 2025