Encrypting Your Computer’s Hard Drive

Some departments and employees at the University of Oklahoma are required to maintain a higher standard of security for their workstations and laptops. Any employee who has access to student information that may be protected under FERPA, HIPAA, or GLBA is required to protect that data by ensuring that no personally identifiable information (PII) is stored on the machine, and that access from that machine to any protected data is secured. This includes setting strong passwords and enforcing logins, and may also require the employee to encrypt the hard drive of that workstation or laptop for further security. Legal actions and fines may result from violations of applicable regulations and standards, including but not limited to HIPAA, FERPA, and PCI. Instructions for encrypting your machine can be found below.

Users can report their compliance with encryption policies by emailing security@ou.edu with their machine type and OS version. Upon receipt of this email, OU Information Technology will provide an encryption enrollment client, which reports back to OU Compliance that the machine remains encrypted. Enrollment also stores a backup of your encryption key, so it can be retrieved if you lose or forget your key and are unable to access your machine.

WARNING: Please follow these steps completely. Losing your encryption key can render your machine unusable and prevent retrieval of any data from the drive.

BitLocker for Windows 10

[Image: BitLocker Drive Encryption folder in the Windows Control Panel]

On the BitLocker Drive Encryption page, click Turn On BitLocker next to the primary disk volume (C:\). NOTE: Administrator rights (an administrator account) are required to complete this step.

[Image: Turn on BitLocker option in Program Options]

  1. If the TPM module is not initialized, you will need to initialize the TPM and restart your computer. If the machine has no compatible TPM, allow BitLocker to use a password instead:
    1. Press WinKey+R to display the Run dialog.
    2. Type gpedit.msc in the Open: box and click OK.
    3. In the Group Policy Editor, navigate to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives.
    4. Right-click the Require additional authentication at startup policy and select Edit.
    5. Click the Enabled option.
    6. In the Options section, place a check mark in the Allow BitLocker without a compatible TPM option.
    7. Click Apply/OK and exit the Group Policy Editor.
  2. On the Choose how to unlock your drive at startup page, you will see the following options:
    1. Insert a USB flash drive.
    2. Enter a password.
  3. Use one or more of these options to preserve the recovery password, then click Next.

[Image: BitLocker login prompt]

  1. You will now be asked "How do you want to back up your recovery key?" Select an option and then click Next.
  2. Now select how much of your drive you wish to encrypt and then click Next.
  3. Next select which encryption mode to use.

[Image: BitLocker encryption type prompt]

Finally, choose whether to run a BitLocker system check, then click Continue to begin encryption.

[Image: BitLocker "Are you ready to encrypt this drive?" prompt]

  1. Drive encryption will take time to complete (several hours to a day or more). You should be able to restart your computer as needed; encryption resumes automatically until complete.
  2. That's it! Make sure you record or remember your passphrase or key. You will need it to boot your machine.
  3. Email security@ou.edu with your machine type and OS version to receive instructions for enrolling your machine and backing up your encryption key.


FileVault for OS X / macOS devices

  1. Open System Preferences.
  2. Click the Security & Privacy icon in the System Preferences window.
  3. Click the FileVault tab.
  4. Click the lock icon and enter an administrator name and password.
  5. Click the "Turn On FileVault" button.

[Image: macOS FileVault start screen]

If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user’s password. User accounts that you add after turning on FileVault are automatically enabled.

[Image: Security & Privacy login prompt]

  1. Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
    1. In OS X Yosemite and later, you can store your key in iCloud. You can use your iCloud account name and password to unlock your startup drive or reset your password.
    2. In OS X Mavericks, you can share your FileVault key with Apple by answering a set of security questions. You can then contact Apple Support if you forget your login password and need to decrypt your startup drive.
    3. If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe, other than on your encrypted startup disk.
  2. Please note that if you lose both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.
  3. Restart your Mac. When FileVault is enabled, you can't log in automatically; a password is always required when you start up your Mac.
  4. Encryption of the hard disk will take time (several hours to over a day). You can continue to use the Mac as normal, and you should be able to restart your computer as needed; encryption resumes automatically until complete.
  5. That's it! Make sure you remember your passphrase or key. You will need it to boot your machine.
  6. Email security@ou.edu with your machine type and OS version to receive instructions for enrolling your machine and backing up your encryption key.
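As an added example (not part of this article and not OU IT's enrollment client), the following PowerShell function reports the state a compliance reviewer would want to confirm after finishing either procedure above: on Windows, the TPM state, the "Allow BitLocker without a compatible TPM" policy, the BitLocker status of the system drive, and whether a numerical recovery password protector exists; on a Mac running PowerShell 7, the FileVault status reported by Apple's fdesetup tool. The function and output property names are my own; run it from an elevated PowerShell on Windows.

```powershell
# Added example: reports post-encryption state for a compliance check.
# Not OU IT's enrollment client. Elevated PowerShell on Windows, or PowerShell 7 on a Mac.
function Get-DiskEncryptionReport {
    if ($IsMacOS) {
        # fdesetup is Apple's FileVault tool; 'status' prints "FileVault is On."
        # (or Off) and, while encrypting, an "Encryption in progress" line.
        $status = (& /usr/bin/fdesetup status) -join ' '
        return [pscustomobject]@{
            Platform   = 'macOS'
            Encrypted  = [bool]($status -match 'FileVault is On')
            InProgress = [bool]($status -match 'Encryption in progress')
            Detail     = $status
        }
    }

    # Windows: these modules ship with the OS on Windows 8 / Server 2012 and later.
    Import-Module BitLocker, TrustedPlatformModule -ErrorAction Stop
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # The group policy edited in the BitLocker steps above is stored under this key;
    # EnableBDEWithNoTPM = 1 is what lets BitLocker use a password instead of a TPM.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # A numerical recovery password is the protector that the "back up your recovery
    # key" step saves; without one, a forgotten PIN or password means lost data.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        Platform          = 'Windows'
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        NoTpmPolicySet    = ($fve.EnableBDEWithNoTPM -eq 1)
        VolumeStatus      = $vol.VolumeStatus          # FullyEncrypted when done
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod  = $vol.EncryptionMethod
        RecoveryProtector = ($recovery.Count -gt 0)
        RecoveryKeyIds    = $recovery.KeyProtectorId   # IDs only; the password itself stays out of logs
    }
}

# Warn if the startup disk is not yet in the state the final steps above expect.
$report = Get-DiskEncryptionReport
$report | Format-List
if (-not ($report.Encrypted -or $report.VolumeStatus -eq 'FullyEncrypted')) {
    Write-Warning 'Startup disk is not fully encrypted yet; re-run after encryption completes.'
}
```

The script only reports protector IDs, never the recovery password itself, so its output can be pasted into a ticket without exposing the key.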


Details

Article ID: 45
Created: Thu 9/3/20 9:12 AM
Modified: Wed 6/23/21 9:31 AM