The State of Encryption
Unintentional disclosure of sensitive and personal data on lost, stolen or breached computers can lead to personal damage, financial loss and significant inconvenience for the individuals involved, as well as legal penalties, public embarrassment, financial consequences, and increased regulation for the university. Therefore, JMU IT strongly promotes the use of encryption technology on computer storage media. Encryption is required whenever personal data is being collected or stored outside the university’s central databases.
Our push in this area began in summer 2008, utilizing Microsoft’s Encrypting File System (EFS) software-based encryption technology on laptops in Athletics and University Advancement. EFS has shortcomings: it only encrypts the “user data” portions of the file system on a “per user” basis, leaving cache and paging files potentially exposed. Also, as it is software encryption, EFS does affect system performance. EFS unlocks its encryption using the credentials of the user as they log in to the computer.
In late 2008, Dell began offering a self-encrypting drive (SED) option on their Latitude laptops, and we included this drive as the option in our standard configuration. This is a superior option to EFS as it employs hardware encryption (fast) and provides full disk encryption (everything on the disk is encrypted). The encryption is enabled when the system is initially set up. In the event the computer is lost or stolen, none of the data on the hard drive will be accessible to whoever comes into possession of the device. Self-encrypting hard drives offer increased protection as the system is not bootable without supplying the encryption password. The only aspect of SEDs that can be considered onerous is that the user must enter an additional password at boot-up to unlock the hard drive.
In 2011, Dell began offering an SED on its OptiPlex desktop computers, and we updated our standard bundle configuration to include this option. Although the likelihood of theft/loss of a desktop is much lower than that of a laptop, it does occur, and the price premium for the SED was about $100 per computer (today it is down to $7.50).
Unfortunately, there is no SED option for Macintosh computers. In instances that require encryption, we are using Apple’s FileVault technology to provide software-based encryption. The original FileVault (present in Snow Leopard and earlier versions of OS X) has the same shortcomings as EFS mentioned above: it only encrypts the “user data” portions of the file system on a “per user” basis, leaving cache and paging files potentially exposed, and has some impact on system performance. A newer encryption technology, FileVault 2, is available in Lion and Mountain Lion and provides full disk encryption. It is much like the SED drives, except that you don't get the performance benefit of hardware encryption.
External drives, Thumb drives, iPads, Smartphones, etc.
External drives and thumb drives are encrypted on request. We are using TrueCrypt to create an encrypted container on the device that is basically the size of the device (with a little space left to house the TrueCrypt executable). The users put all the data into that container. The main issue is the complexity involved in having to mount the container manually. Some departments are buying various hardware-encrypted USB drives, but IT is not currently supporting these. Our recommendation is to use the TrueCrypt containers.
iPads and iPhones are much like the SED drives. They are hardware encrypted so they are always encrypting, even before we set them up. To protect the device, you need to have a PIN or password (password recommended) that will prevent anyone from reading the encryption key. Otherwise, even though the data is encrypted, anyone can read the key so the encryption isn’t gaining you anything. This is exactly the way the SED drives work. They're encrypting before we set them up, but anyone can read the drive if there is no password protecting the key.
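Added example, not JMU IT's or any vendor's code: a simplified Python model of the point above, where the data key exists from the factory and a password only controls who can read that key. The record layout and function names are hypothetical, and the PBKDF2-plus-XOR wrap stands in for whatever key wrapping a real drive or phone performs in hardware.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def _stretch(password, salt):
    """Derive a 32-byte wrapping pad and a 32-byte integrity key."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=64)
    return out[:32], out[32:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def factory_record():
    """Device as shipped: data is already encrypted, but the key is unprotected."""
    return {"protected": False, "dek": os.urandom(32)}


def set_password(record, password, old_password=None):
    """Wrap the existing data key under a password; the data key is unchanged."""
    dek = read_key(record, old_password)
    if dek is None:
        raise PermissionError("cannot read current key")
    salt = os.urandom(16)  # fresh salt so the pad is never reused
    pad, mac_key = _stretch(password, salt)
    wrapped = _xor(dek, pad)
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"protected": True, "salt": salt, "wrapped": wrapped, "tag": tag}


def read_key(record, password=None):
    """What someone holding the device can recover: the data key, or None."""
    if not record["protected"]:
        return record["dek"]  # no PIN/password: the key is readable by anyone
    if password is None:
        return None
    pad, mac_key = _stretch(password, record["salt"])
    expected = hmac.new(mac_key, record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong password: the key stays sealed
    return _xor(record["wrapped"], pad)
```

Because only the small key record is rewritten, setting or changing the password does not require re-encrypting the data on the device.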
IT maintains a list of the departmental passwords for all computers we set up. Therefore, if someone forgets their encryption password, the data is recoverable. We are working to share this information with technology coordinators in departments who support faculty and staff with encrypted drives and need access to this information.
We are only sharing departmental passwords. Security Engineering and Desktop Services are the only ones that know the master password and encryption keys, to prevent departments from undoing the encryption and to protect the password that could unlock the entire campus. EFS keys are really not necessary to share because we have so few of those setups left, and when we've had to do recovery, it has been fairly complicated. When a user needs their departmental password, they should contact their technology coordinator or the JMU IT Help Desk, which escalates the issue to Security Engineering and/or Desktop Services.
Any other questions regarding encryption can be directed to the IT Help Desk (email@example.com) to ensure they are logged and addressed by the appropriate staff.