Skip to content Skip to site navigation Skip to service navigation

Stanford Whole Disk Encryption Policy Agreement

  1. The purpose of the Stanford Whole Disk Encryption (SWDE) service is to protect Moderate and High Risk Data that must be stored on faculty and staff computers. See the Risk Classifications page for more information.
  2. The SWDE service provides the University with an audit of the last-known encryption state of the participating computers. This audit is a key benefit for the University to determine what actions, if any, to take if computers with Moderate or High Risk Data are lost or stolen.

    How Whole Disk Encryption Works

  3. Data is encrypted when the computer is turned off; the data is protected if the computer is lost or stolen.
  4. Sleep, hibernation, screen lock, screen saver and all similar computer states require a computer password to return to normal operation. If an encrypted computer is left unattended while the user is logged in, the files are accessible and the data is not protected.

    Required Software and Automatic Check-ins

  5. BigFix must be installed on computers participating in the SWDE service for monitoring, automatic updates, and auditing purposes.
  6. BigFix will perform regular security health checks and enforce configuration settings on computers participating in the SWDE service.
  7. Stanford Anti-Malware must be installed on all computers participating in the SWDE service.
  8. SWDE-participating computers automatically check-in with the SWDE administrative server periodically.
  9. A computer that does not check in with the SWDE administrative server on a regular basis may indicate theft or some other security threat. The SWDE service administrators will contact computer owners if a computer does not show up in the audit log.

    Software License Considerations

  10. SWDE is a security tool that is available to Stanford faculty and staff and is provided free of charge. It should be used in combination with other best security practices as shown on the Information Security website.

    Passphrase Security and Token Recovery

  11. The PIN set with BitLocker should be different from the user's SUNetID password.  Faculty and staff should use best practices for strong passphrases.
  12. Password reset and Recover Key options vary according to the choice of encryption being used.  Please see documentation specific to BitLocker and FileVault 2 for information specific to the option you are using.  
  13. Users can self-recover escrowed recovery keys through the MyDevices portal. Additionally, they can receive assistance with encryption key recovery from University IT. For assistance, call (650) 725-4357 or submit a Help ticket
  14. Removal of whole disk encryption is a service that is available upon request and requires contacting University IT or your local support organization at the desired time for removal. Removal of whole disk encryption is rarely necessary and is not recommended as a general practice.

    Prohibitions and Incompatibility

  15. Participating computers are discouraged from running web servers or providing un-authenticated access or logins.
Last modified April 10, 2017