Encryption

The version of BitLocker that is being deployed onto NSU machines is not the same version that Microsoft makes available to private individuals. NSU machines use what is called an Enterprise edition of Windows and all the software on our systems is for devices running versions of Windows Enterprise.

BitLocker is a free Microsoft product, but there are many things you should consider (including your Windows version) before trying to use it on your personal system.

Although NSU will not be able to support personal computers, if you wish to learn more about protecting your personal machine, visit Microsoft's article on how to Set Up Your Hard Disk For BitLocker Drive Encryption.

Encryption protects all disk data including accounting records, clinical profiles, student information, University mailing lists, and everything else contained on a protected drive. Encryption protects you, your department, and the University from information harvesters and any other malicious invader, especially if a machine is lost or stolen. This better assures the privacy of NSU projects, faculty, staff, and students as well as decreasing legal liabilities for all concerned.

BitLocker is one part of NSU's protection strategy to prevent unauthorized individuals from gaining access to the data that is stored on your disk.

BitLocker Drive Encryption primarily protects against anyone that might try to bypass normal Windows procedures, making it much harder for thieves or hackers to discover your password or harvest information by removing a drive and trying to access it on a new computer.

For more information on how BitLocker works, visit Microsoft's BitLocker Windows 7 page.

Your new data is automatically protected. BitLocker is a whole disk encryption solution which simply means that it encrypts everything on the drive (as opposed to other systems that encrypt individual files). When you add new files to a BitLocker encrypted drive, BitLocker encrypts them automatically.

You can continue to share files the same way you normally would. Files remain encrypted only while they are stored on your drive. Files copied to another drive or computer are automatically decrypted. If you share files with other users over a network, files stored on your encrypted drive remain protected, but can be accessed normally by authorized users.

It may take several hours to encrypt the drive(s) on your laptop or desktop. During this time you may use your computer normally, but there are some things to keep in mind.

• You will see the BitLocker icon in your taskbar  indicating encryption is not yet complete. Clicking on the icon will show the encryption progress. You will not cause any disruption by checking the status of your machine's progress in this manner.

• During the encryption process, your disk may appear almost full, with only 6g or so of available space. This is normal; your disk usage will drop back down to its previous level once the encryption process is complete.

• Older machines may be sluggish during the encryption process; newer machines should operate with little noticeable difference.

There should be no difference in your machine’s performance once encryption is complete, and you will log into your machine as normal. You will see a lock on your encrypted drive icon:

Please submit a ticket in NSU ServiceNow if you are experiencing issues with bitlocker encryption.

If there is a hiccup in the encryption process you may see a message from BitLocker. Some of the most common are:

• BitLocker encryption cannot be started
• Encryption Paused BitLocker Encryption is paused at X% on target Drive
• An error has occurred (the disk has one more more errors)
• BitLocker Recovery Key prompt.

If you see any of these (or any other unusual BitLocker messages) and they do not resolve/resume within a few minutes, please submit a ticket in NSU ServiceNow.

We are exploring encryption solutions for our Mac users, but at this time Apple machines will not be part of the current encryption deployment.  The Mac operating system does contain a built-in encryption solution called FileVault.  This feature is increasingly enabled by default on more recent Mac devices.  Further information from Apple on FileVault, including how to enable and manage it on a personal Mac device, is available here: https://support.apple.com/en-us/HT204837 

You can! BitLocker also has a BitLocker To Go feature for just this purpose.

Before choosing to encrypt a removable drive, you should know that some drives come already encrypted from the manufacturer. If your drive has been encrypted by another application, trying to encrypt the same drive again with BitLocker will cause the drive to become unusable.

Some common brands that offer preencrypted drives are: Apricorn, CMS, Imationi, Kanguru, Kingston, and SanDisk. If you’re unsure whether or not your USB flash drive or other plugin storage is encrypted, you should wait and be sure before trying to use BitLocker.

• Windows 10 can unlock a flash drive encrypted on Windows 7 and vice versa.
• USB flash drives encrypted with BitLocker CANNOT be opened with macOS.

BitLocker encryption on the USB flash drive will automatically launch once the flashdrive is plugged into the Nova Computer. The screen below will display:

By selecting the first option the next step will prompt for establishing a password.

Enter the password following the complexity requirements outlined above. Click Next button.

Do not remove the USB flash drive until the encryption process is complete.  How long the encryption takes depends on the size of the drive. USB drive encryption take approximately 6 to 10 minutes per gigabyte to complete.

Once the encryption process completes you will be notified by a window.

The encryption process does the following:
1. Adds an Autorun.inf file, the BitLocker To Go reader, and a Read Me.txt file to the USB flash drive.
2. Creates a virtual volume with the full contents of the drive in the remaining drive space.
3. Encrypts the virtual volume to protect it.USB flash drive encryption takes approximately 6 to 10 minutes per gigabyte to complete. The encryption process can be paused and resumed provided that you don’t remove the drive.