Whole Disk Encryption - FAQs

Disk Encryption - Frequently Asked Questions

Why Encrypt?

Laptops and other portable devices are easily lost or stolen. That could be disastrous to the College if the lost device holds sensitive or personally identifiable data or proprietary information. With whole-disk encryption enabled, you can be confident that if your computer is lost or stolen, your data and the College's data remain unreadable to anyone who tries to get at them.

What is Whole Disk Encryption?

Whole disk encryption, also known as full disk encryption, means that the computer's hard drive, or an external drive such as a USB thumb drive, is encrypted in its entirety. Think of it as a hard, impenetrable layer of wax on your car: whatever happens to the surface, the contents underneath stay protected. With whole disk encryption, every file and folder and the operating system itself are unreadable to anyone who does not have the key (normally your login password) needed to unlock the drive.

Whole disk encryption protects all of the data on a laptop or desktop against loss or theft of the computer. Even if the hard drive is removed and attached to another machine, its contents cannot be read without the key.

What is TPM?

TPM stands for “Trusted Platform Module”. It is a security chip on the computer’s motherboard (on an off-the-shelf PC it is soldered on; on newer machines it may instead be built into the processor or its firmware) that makes tamper-resistant whole disk encryption practical without requiring extremely long passphrases. When BitLocker is used on a computer with a TPM, the key that unlocks the drive is sealed inside the TPM rather than stored on the disk, and the TPM releases it only when the computer starts up exactly as it did when encryption was enabled. An attacker therefore cannot simply remove the drive, attach it to another computer and read its files there.

The chip provides hardware-based authentication and tamper detection: it is bound to the motherboard it shipped on, so an attacker cannot move it to another board or alter the motherboard to bypass the encryption. At startup the TPM also records measurements of the firmware and boot loader, which is how it checks that the operating system being started is the genuine Windows installation rather than a substituted or tampered copy; if those measurements differ from what was recorded, it withholds the key.

What is a T2 Chip?

Most Apple computers introduced since 2018 include a hardware chip Apple calls the T2 chip. The T2 raises the level of security by including a Secure Enclave coprocessor, a small, isolated computer within the chip, that protects Touch ID data and provides the foundation for encrypted storage and secure boot. Like a TPM in a traditional PC, the T2 also verifies that the operating system being booted is genuine and has not been tampered with.

What is BitLocker?

BitLocker is Microsoft's drive encryption software, built into Windows 10, which is used to encrypt the drive(s) in Windows computers. BitLocker protects the hard drive against offline attacks, in which a malicious user removes the drive from your laptop and connects it to another machine to copy your data, and against a malicious user booting the computer from an alternate operating system (for example from a USB stick). In either case the TPM refuses to release the encryption key, and the drive can only be unlocked with its 48-digit recovery key. If that key is not presented, the drive remains unreadable.

BitLocker also reacts to other changes to the way the computer starts up that, even when made deliberately and legitimately, are the same changes an attacker could use to get at the drive. These include some BIOS/firmware updates, BIOS setting changes such as the boot order, and some hardware changes. Because the startup environment no longer matches what the TPM recorded, the computer stops at a BitLocker recovery screen and asks for the 48-digit recovery key. If you see this screen, please contact the Service Desk for assistance.
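The following is an added example, not code from Bowdoin, Microsoft or any TPM vendor. It models, in plain Python, the behaviour described in the TPM answer and the BitLocker answer above: the firmware measures each boot component into a register (a PCR) by hashing, the volume key is sealed so the chip releases it only when the register matches the value recorded at enrollment, and any change to the boot chain (firmware update, boot order, booting from USB) leaves only the 48-digit recovery password as a way in. The boot-chain strings, the HMAC/XOR key wrapping and the byte order of the recovery key are assumptions of this toy model, not how a real TPM or BitLocker work internally; what is real is the shape of the recovery password (eight 6-digit groups, each a 16-bit value times 11, so a mistyped group is caught before any decryption is attempted).

```python
"""Toy model of TPM-sealed disk encryption and the BitLocker recovery path.

Added example, not Bowdoin, Microsoft or TPM vendor code. The HMAC/XOR
wrapping stands in for the chip's internal sealing and is not how a real
TPM implements it; the boot chain strings are constructed.
"""
import hashlib
import hmac
import secrets


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: the register can only be hashed forward."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Measure an ordered boot chain into a PCR that starts at all zeros."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Holds a device-unique secret that never leaves the 'chip'."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)  # fixed at manufacture (model)

    def _wrap_key(self, pcr):
        return hmac.new(self._seed, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, vmk: bytes, pcr: bytes):
        """Return (policy digest, wrapped volume master key)."""
        return hashlib.sha256(pcr).digest(), _xor(vmk, self._wrap_key(pcr))

    def unseal(self, sealed, pcr: bytes):
        """Release the key only if the current PCR satisfies the policy."""
        policy, blob = sealed
        if not hmac.compare_digest(policy, hashlib.sha256(pcr).digest()):
            return None  # boot chain changed: refuse, do not return garbage
        return _xor(blob, self._wrap_key(pcr))


# Recovery password: eight 6-digit groups, each a 16-bit word times 11, so
# every group is divisible by 11 and below 720896. The byte order used to
# split the 128-bit recovery key into words is an assumption of this model.
def recovery_password(rk: bytes) -> str:
    assert len(rk) == 16
    words = [int.from_bytes(rk[i:i + 2], "little") for i in range(0, 16, 2)]
    return "-".join(f"{w * 11:06d}" for w in words)


def parse_recovery_password(pw: str):
    groups = pw.strip().split("-")
    if len(groups) != 8 or not all(g.isdigit() and len(g) == 6 for g in groups):
        return None
    vals = [int(g) for g in groups]
    if any(v % 11 or v >= 720896 for v in vals):
        return None  # typo detected by the divisible-by-11 rule
    return b"".join((v // 11).to_bytes(2, "little") for v in vals)


def recovery_wrap(data: bytes, rk: bytes) -> bytes:
    """Second protector: XOR with a key derived from the recovery key (symmetric)."""
    return _xor(data, hmac.new(rk, b"recovery", hashlib.sha256).digest())


# Constructed boot chain; the strings stand in for the firmware's hashes of
# the real components.
ENROLLED_CHAIN = [b"UEFI firmware 1.0", b"boot order: internal SSD first",
                  b"Windows Boot Manager", b"winload.efi"]


def run_scenario():
    """Enrol, then try a normal boot, a changed boot and recovery."""
    tpm = ToyTPM()
    vmk = secrets.token_bytes(32)          # volume master key
    rk = secrets.token_bytes(16)           # 128-bit recovery key
    sealed = tpm.seal(vmk, measure_boot(ENROLLED_CHAIN))
    recovery_blob = recovery_wrap(vmk, rk)
    password = recovery_password(rk)

    # 1. Normal boot: same chain, the TPM releases the key, no prompt.
    normal = tpm.unseal(sealed, measure_boot(ENROLLED_CHAIN))
    # 2. Boot order changed (or USB boot): PCR differs, key withheld.
    changed = list(ENROLLED_CHAIN)
    changed[1] = b"boot order: USB first"
    withheld = tpm.unseal(sealed, measure_boot(changed))
    # 3. Recovery screen: the typed 48 digits unwrap the second copy.
    typed_rk = parse_recovery_password(password)
    recovered = None if typed_rk is None else recovery_wrap(recovery_blob, typed_rk)
    # A single wrong digit fails the format check before any decryption.
    bad = password[:-1] + ("0" if password[-1] != "0" else "1")
    return {"normal_boot_unlocked": normal == vmk,
            "changed_boot_withheld": withheld is None,
            "recovery_unlocked": recovered == vmk,
            "typo_rejected": parse_recovery_password(bad) is None}


if __name__ == "__main__":
    print(run_scenario())
```

Running the script prints four `True` results: the unchanged boot chain unlocks silently, the altered boot order leaves the key sealed, the recovery password unlocks the drive, and a single mistyped digit is rejected. This is why the FAQ says a firmware update or boot-order change can land you on the recovery screen even though nothing malicious happened.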

What does BitLocker not do?

BitLocker does not protect the computer's contents while Windows is running. Once you have logged in, the drive is unlocked and anything running in your session can read it, so at that point protection against unauthorized access comes from your login password and screen lock together with the firewall and antivirus software installed on Windows 10. Lock the screen whenever you step away, and shut the computer down (rather than leaving it asleep) before it travels; an unlocked, unattended machine is not protected by encryption.

What is FileVault?

FileVault is Apple's encryption software for macOS computers. FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key (two 128-bit AES keys, one for the data and one for the per-block tweak) to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, your Mac always requires you to log in with your account password, and no account is permitted to log in automatically. This means that if the computer is off and the person trying to use it does not know your password and does not have the recovery key, the data on the drive is safe. If the drive is removed from the computer, its contents cannot be read without the password or recovery key, and on Macs with the T2 chip the encryption is tied to that chip, so the drive cannot be read in another machine at all.

What do I need to do?

Information Technology staff will work with each department to locate all computers assigned to an individual, and any shared computers used in a department with access to sensitive information, and to enable encryption on them. This may eventually include student workstations and other shared computers. Encryption is now standard practice on all computers provided to employees, without exception. Enabling drive encryption ensures that Bowdoin data remains secure if a laptop or desktop is lost or stolen.

Do I have to encrypt my drive?

Yes. Drive encryption is the primary method for safeguarding Bowdoin and personal data when a computer is lost or stolen. Encryption is also one part of our Managed Computer / Endpoint Configuration standard for all computers and devices. 

What happens if I forget my password?

If you forget your Windows or macOS password, IT staff can help reset it; once the computer is connected to the Bowdoin network you will be able to log back in. If for some reason you still cannot log in, the data may be recoverable, but the computer will need to be erased and reset.

What happens if my hard drive fails?

If an encrypted drive fails, or if the motherboard fails on either a Windows-based computer or an Apple computer, it is highly likely that the data on the drive will not be recoverable. IT staff will replace the drive, but the replacement will receive a fresh installation of Windows or macOS.

You are responsible for your data. We strongly recommend backing up your data frequently to Microsoft OneDrive. OneDrive lets you recover your data after a hardware or encryption problem and also lets you reach it from anywhere over the web. Each person can store up to 1 TB in OneDrive. Read our OneDrive knowledge base articles for more information. We do not recommend external drives for backup: they are more prone to failure, and because they too are encrypted, a failure causes the same complications as with your internal drive.

Details

Article ID: 70681
Created: Wed 1/23/19 9:56 AM
Modified: Fri 2/8/19 11:16 AM