Windows Bitlocker Encryption

Summary:

To improve the security of potentially sensitive information that may be stored on laptops and tablets, UNW will be implementing full disk encryption on those devices. In the event that a laptop or tablet is stolen, the information stored on that device should remain protected. Microsoft BitLocker drive encryption will be used because it provides the best balance of user experience and security.

Key points to know about hard drive encryption used at UNW:

  • Drives are encrypted using the AES 256-bit with Diffuser method
  • A unique recovery key is generated for each computer and stored with the computer object in Active Directory
  • The encryption key is sealed to the laptop's TPM chip and its BIOS configuration; removing the hard drive from the laptop locks the drive until the recovery key is entered
  • Users are not prompted for a startup password; they are authenticated to their encrypted drive when they log in with their username/password
  • During the encryption process, a password is enabled to control access to and changes of BIOS settings
  • Encryption only prevents data theft when the thief has access to the physical hardware alone; data theft is still possible if the username/password is compromised
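The following PowerShell script is an added example for IT staff and is not part of UNW's documentation or tooling. It checks one laptop's operating system volume against the key points listed above (fully encrypted, AES 256-bit with Diffuser, TPM protector present, no startup PIN, recovery password present) and pushes the recovery password to Active Directory with the built-in BitLocker cmdlets. It assumes it is run from an elevated PowerShell session on a domain-joined Windows laptop; the mount point 'C:' is an assumption for the OS volume.

```powershell
# Added verification script, not UNW's own code.
# Assumes: elevated session, domain-joined laptop, BitLocker PowerShell module
# available, OS volume mounted at C: (assumption).
$mount = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $mount

# Key protector types currently attached to the volume (e.g. Tpm, RecoveryPassword).
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

# Each check mirrors one of the key points in this document.
$checks = [ordered]@{
    'Volume is fully encrypted'    = ($vol.VolumeStatus -eq 'FullyEncrypted')
    'Protection is on'             = ($vol.ProtectionStatus -eq 'On')
    'Method is AES-256 Diffuser'   = ($vol.EncryptionMethod -eq 'Aes256Diffuser')
    'TPM protector present'        = ($types -contains 'Tpm')
    'Recovery password present'    = ($types -contains 'RecoveryPassword')
    # No PIN or USB startup key: users are authenticated at Windows login only.
    'No startup PIN/key required'  = -not ($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey','ExternalKey' })
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-30} {1}' -f $name, $state)
}

# Escrow every recovery password protector to the computer object in AD DS.
# The 48-digit password itself is deliberately never written to the console or a log.
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $_.KeyProtectorId
        Write-Output ("Recovery password {0} backed up to Active Directory" -f $_.KeyProtectorId)
    }
```

Run the script before handing a newly encrypted laptop back to its user; a FAIL on the recovery password or Active Directory backup line means the Service Desk would have no key to read out if that user is later prompted for one. Backup-BitLockerKeyProtector only succeeds when Group Policy permits AD DS backup of recovery information for the domain, so a failure there points at policy rather than at the laptop.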

Encryption Process

  1. The IT Department will work to schedule the most convenient time/date with each Northwestern employee who uses a Windows based laptop or tablet.
  2. At the scheduled time and date the employee will drop off their computer to the Service Desk and get a loaner laptop if needed for the rest of the day.
  3. IT Department will create a back up of all files, folders, and programs of the computer and start the encryption process.
  4. The process should take overnight, and the computer should be ready for pickup on the morning of the following day.


Accessing Recovery Key

  1. If there is a significant hardware change (usually when a hard drive is swapped into a different laptop), the user will be prompted to enter the recovery key before Windows will boot; after the recovery key is entered, Windows will boot normally. Users may also be prompted for this key if they remove the hard drive from the device and try to access it via a USB adapter.

  2. These hardware changes have been tested and do not require a user to enter the recovery key:

    1. Memory changes

    2. Adding or removing removable devices (CD/DVD/USB Drive) before/during/after reboot

    3. Dock/undock before/during/after reboot

  3. If you are locked out of your computer and prompted for a recovery key, please call the Service Desk at 651-631-5699. They will confirm your identity and give you the recovery key for your computer.



Questions?

If you have any further questions or concerns, please contact the IT Department at userservices@unwsp.edu.