is the process of changing information to make it unreadable to anyone who doesn't
have some special knowledge (referred to as 'the key') to make the encrypted
information readable again.
You can encrypt information held on the hard-disks
of desktops and laptops and stored on USB sticks (and other portable media such
as an external hard drive or memory card).
What is the University Encryption Standard?
The University has chosen Sophos 'SafeGuard' software as its encryption standard. This software will initially be used to encrypt the hard disk(s) of Windows laptop computers. Longer term it will also allow staff to encrypt portable media (such as USB sticks, external hard drives), store encrypted files on the network shared area (e.g. the N: Drive), and store encrypted files in the 'the cloud' . More information about this will be published soon.
Why do I need to have my laptop encrypted?
You're required by the University Information Protection Policy (www.leeds.ac.uk/informationsecurity) to have your laptop encrypted. This makes sure that if your laptop is lost or stolen then information contained on the laptop can't be accessed by anyone who steals it or finds it.
My laptop already has a password set. Does this mean that my information is safe?
Passwords only provide privacy protection and protection against casual access. People who get possession of a lost or stolen laptop which is unencrypted can bypass password protection to access the data if they know how to do this. A stolen encrypted laptop may still be valuable to a thief but they'll have to replace the hard disk in order for it to work leaving the information on the original hard disk inaccessible.
If my laptop is not encrypted, what could happen if it is lost or stolen?
Apart from the monetary loss and the inconvenience, the person who stole it or found it could get access to information stored on the laptop's hard drive. This could be:
- your personal information, which would put you at risk of identity theft.
- information that would allow unauthorized access to your email, bank account or the University's information systems.
- personal or sensitive information about staff and students, putting them at risk.
- valuable research data, analysis and many years of work which you could lose if your data is not backed up elsewhere.
- classified information, for example details of a research contract or intellectual property, which could be disclosed.
What would be the consequences for the University?
Unauthorised disclosure of person-identifying information is a breach of the Data Protection Act, which could have serious repercussions for the University including large fines up to £500,000. The Information Commissioner recently fined an organization £60,000 for the loss of an unencrypted laptop containing person-identifying information. Staff time and effort will be needed to investigate the issue, liaise with the Information Commissioner's Office, the data subjects and others affected by the disclosure.
Disclosure of classified information could result in the loss of a contract or may compromise the exploitation of valuable intellectual property.
The University's reputation could be seriously damaged, particularly as such incidents are widely publicised in the press and on the web.
I don't have any personal or classified information on my laptop; do I need to have it encrypted?
This is unlikely to be the case. Even if you don't store personal or classified information, your laptop is likely to contain information that could allow unauthorized access to systems you use, such as email, banking or University systems. To cover this possibility, the policy is to encrypt all University owned laptops. This is to protect both you and the University.
My laptop was bought from external research funds. Does it need encrypting?
Yes, the policy states that all University-owned laptops, irrespective of funding source, must be encrypted.
How do I get the encryption software?
The encryption programme is being rolled out on a faculty by faculty basis. When the software is being deployed in your faculty you will be contacted by an IT technician. They will backup your laptop and install the encryption software on it. Once it has been encrypted you will be registered as a SafeGuard user. After that you will need to log on with your University username and your encryption key (password) every time you switch on your laptop.
A user guide is available on the website
How long will it take to encrypt my laptop?
It will vary depending on several factors such as model, age and disk size. Laptops will be returned as soon as possible, but the process will take up to 48 hours in some cases.
My laptop is shared by several people. Will we all still be able to use it after it has been encrypted?
Yes, additional accounts can be added.
I have a desktop machine where I store classified data. Should this be encrypted?
Classified data should not be stored on desktop machines. It should be kept on the University's secure network drives in accordance with the University's Information Protection Policy. At the present time the focus is on encrypting laptops, as they are much more likely to be lost or stolen. Requests to encrypt desktops may be considered on a case by case basis at a later stage.
What happens if I forget the key (password) to my encrypted laptop?
If you enter your encryption key (password) incorrectly, you will see an error and there will be a delay before you can try again. The length of delay will increase after each failed attempt, and after five attempts you will be locked out. You can recover your password using the self-help password recovery (if you've set it up before hand), or by contacting the IT Help Desk. For help with both these methods, see the user guide.
Can I refuse to have my laptop encrypted?
It is University policy that all University owned laptops are encrypted. If the date/time given to you for encryption is not convenient, we can arrange a more convenient date and time.
I use an Apple Macintosh laptop, does it have to be encrypted?
Yes, all University-owned laptops have to be encrypted, regardless of the operating system (OS) that they use. The next release of Sophos SafeGuard (version 6.1) which is due later this year (2013) will let us encrypt Apple Macintosh laptops (Mountain Lion or later OS) with similar console functionality and control as that used for Windows laptops. Once this is available these laptops will be included within the encryption programme.
I use a laptop which runs on Linux does it have to be encrypted?
Yes, all University-owned laptops have to be encrypted, regardless of the operating system (OS) that they use. However, Sophos SafeGuard does not work with the Linux operating system (OS). There are various solutions available through which Linux OS laptops can be encrypted. The Linux Special Interests Group (SIG) has been examining the functionality of these and is due to report to their findings to the Encryption Project Steering Group. Following that a University Standard for Linux encryption will be declared and arrangements will be made to encrypt Linux OS laptops to this Standard.