Stanford Whole Disk Encryption (SWDE)
On this page:
Due to the recent loss of University data, Stanford is in the process of revisiting the level of protection for campus desktops/laptops and associated data.
Across campus there is no single s olution to protect the University's data. IT Services is focused on providing alternatives for campus users to increase the protection of their data while providing alternatives that are secure and not overly burdensome, increasing the likelihood they will be used.
The alternative service provided by this project is Stanford Whole Disk Encryption (SWDE). It is recommended for Faculty and Staff who must store Restricted Data and/or Confidential Data on their workstation. Please check the Information Security Office Data Classification Guidelines to determine if you might have Restricted Data or Confidential Data on your workstation.
Whole Disk Encryption with PGP for Workstations
This project will create another option for the protection of University data. Please see Windows Desktop File Encryption with EFS for an IT Services solution that provides protection at the file or folder level for Windows systems.
The solution described in this web site is the Stanford whole disk encryption (SWDE) service for both Windows and Macintosh desktop and laptop computers. This service will secure data via encryption of the entire hard disk on the workstation. Once installed, each new file is automatically encrypted. The data is protected at rest, and as long as the workstation is password protected.
This solution does support encryption of USB drives.
In the event of a lost or stolen workstation, there will be an audit trail of the encryption status of the workstation. The workstations that use this SWDE solution are set up to check in with a logging and administrative server on a regular basis. The audit trail assists Stanford in determining if a lost or stolen computer is a "reportable" event; possibly requiring notification of persons whose data may have been lost or stolen.
In the event the user may lose or forget their encryption "key," an enterprise service is in place to assist with the recovery of the encrypted data. This Whole Disk Recovery Token (WDRT) service requires the assistance of IT Services Service Desk personnel or CRC representative.
If necessary, the whole disk can be unencrypted (again with the assistance of IT Services to guarantee the integrity of the audit trail).
Early Proof of Concept
At the end of October, 2008, IT Services completed a Proof of Concept with the PGP Windows client, Macintosh client, and Universal Server to deliver an enterprise, whole disk encryption solution for campus. The Proof of Concept confirmed the basic operations described above, as well as confirmed the interoperability of the solution with common workstation software. See the Proof of Concept Completion Checklist [PDF] for more information.
PGP Whole Disk Encryption software is intended for people who store Restricted Data or Sensitive Data on their laptop or desktop computer. Only you are authorized to access the data, which protects the data if your computer is lost or stolen. In the event you lose or forget your password, the IT Services Help Desk will assist you to recover your data.
If you are a faculty member and are interested in participating in the PGP Whole Disk Encryption pilot, please contact Shirley Hodges.