ICTO - FAQ » Information Security » BitLocker » Information Security Measures: Microsoft BitLocker Encryption

Information Security Measures: Microsoft BitLocker Encryption

Print
In today’s rapidly developing information technology era, protecting sensitive information and data has become increasingly important. ICTO is committed to improving information security and will further optimize user permissions and protection for removable devices to enhance security defenses and reduce the impact of information security incidents on the University.

Device Encryption – Microsoft BitLocker

Laptops

Laptops are more vulnerable to theft and loss due to their portability, which increases the risk of sensitive data falling into unauthorized users. If the data drive is removed from a laptop, the data can be easily read and accessed. “Full Disk Encryption” prevents unauthorized access, as the data is encrypted and requires a password or recovery key to decrypt the data on ICTO-managed laptops. This significantly reduces the risk of compromised sensitive data in case of loss or theft of a laptop.

Desktops

The administrative staff handles a large amount of sensitive data on a daily basis, including staff and student data, financial reports, and confidential documents. To effectively prevent sensitive data leakage, ICTO will enable “Removable Drive Encryption” to protect removable devices. Administrative Staff should encrypt removable devices to obtain write permissions. Otherwise, you are unable to save any new data to it until it has been encrypted. Administrative staff can consider using UMDrive for data storage and for file sharing.

 

BitLocker User Guide

BitLocker Encryption Q&As

+-Do all laptops and desktops require encryption?

All ICTO-provided laptops will gradually enable “Full Disk Encryption” to reduce the risk of sensitive data being compromised in the event of a lost or stolen laptop.

All the desktops used by administrative staff have “Removable Drive Encryption” enabled to reduce the risk of sensitive data being compromised in the event of a lost or stolen removable device.

+-When will ICTO start to do BitLocker Encryption?

Laptops: “Full Disk Encryption” will be enabled on laptops upon replacement.

Desktops: “Removable Drive Encryption” will be enabled on desktops by phase.

+-How can I use BitLocker to protect a USB drive?

When attaching a USB drive to ICTO-managed Desktops with “Removable Drive Encryption” enabled, you will be automatically prompted to encrypt the drive. When you choose to encrypt, you will be asked to create a password that will be required to access the drive when attached to another computer. Please note that if you choose not to encrypt the USB drive when prompted, you will be able to read data but unable to save any new data to it until it has been encrypted.

+-What if I have already encrypted my removable device before this encryption rollout?

If you have already encrypted your removable device prior to this encryption rollout, you do not need to encrypt it again. Your encrypted removable device will continue to function as before and will not be affected by this encryption rollout. However, please ensure that you have properly stored your password or recovery key, as your BitLocker Recovery Key is not stored on our server. If you want to store it on ICTO’s server, you need to decrypt (Turn off BitLocker) your removable device and then encrypt it again. Please make sure that you are using ICTO managed computer and using UM campus network to do the encryption. This is so we can ensure that the BitLocker Recovery key is saved to ICTO’s server. If you forget the password and lost the recovery key, please go to https://itservice.um.edu.mo to fill out and submit the “Request BitLocker Recovery Key” request form.

+-I have a personal computer. How does this encryption rollout affect my personal computer?

This measure only applies to laptops and desktops provided by ICTO and will not affect your personal computer. We are implementing new security measures to enhance the protection of ICTO-provided laptops by enabling full disk encryption. In addition, we will enable removable device encryption for the administrative desktops provided by ICTO. If you would like to secure data on your personal computer, you can enable BitLocker yourself. However, please note that the BitLocker Recovery Key for your personal computer will not be backed up to ICTO’s server. Please refer to FAQ for instructions on how to back up your BitLocker Recovery Key.

+-What do I do if I lose my BitLocker password?

If you forgot the BitLocker password, you can go to https://itservice.um.edu.mo to fill out and submit the “Request BitLocker Recovery Key” request form.

+-Can I copy files from my encrypted computer to another location (N drive, UMDrive, etc.)?

Yes, you can copy files to another location, but the files won’t be encrypted unless they are stored on a drive that has BitLocker enabled. Your files are only secure if they are stored on the drive with BitLocker enabled.

+-Can I encrypt my USB off Campus?

Yes, you can encrypt your USB off campus. Please make sure that you are using an ICTO-managed computer and connecting to the UM campus network (or using SSL VPN if off-campus) to perform the encryption. This is to ensure that the BitLocker Recovery Key is saved to ICTO’s server.

+-Do I need to do anything, or will BitLocker be enabled automatically?

Full Disk Encryption” is already enabled by default on new laptops, so there is no action required. For existing laptops, you can contact ICTO Help Desk to determine if it is possible to enable “Full Disk Encryption.

Removable Drive Encryption” will be enabled on desktops by phase. Users are responsible for encrypting their own removable drives. Please refer to the FAQ section about “How to use BitLocker on removable drives?