Enabling Full Disk Encryption

Overview

Full disk encryption should be implemented for all portable devices when:

  • Storing or processing Institutional Information classified at P3 or higher

  • External requirements mandate the use of full disk encryption (such as research Data Use Agreements with third-party data providers)

Full disk encryption protects the data on your device in the event it is lost or stolen. When correctly deployed, full disk encryption prevents unauthorized users from accessing your data, as they would need to have both physical access to your device as well as the password and recovery key to decrypt.

However, if both the password and the recovery key are unknown or lost, the device cannot be decrypted and the data will be unrecoverable. 

Recovery keys must be stored in a secure place. A password manager like LastPass is a secure option that stores encrypted passwords in the cloud. LastPass is free for all of campus; you should set up a LastPass account before enabling full disk encryption on your device. Access to LastPass from a second device will be necessary to read the recovery key.  

All devices will have the option to create a recovery key. 

If you have a campus-managed computer:

If you have a campus-managed computer, contact IT Client Services or your departmental IT support for assistance. You will not need to follow the instructions below. ITCS will set up full disk encryption on your device and give you the recovery key. ITCS will not store your recovery key and you are responsible for saving and protecting it. 

NOTE: There is a potential for data loss when full disk encryption is enabled remotely. Discuss your options with your ITCS representative before enabling full disk encryption remotely.

If you have a campus-owned, personally managed computer:

If you have a campus-owned, personally managed computer, create a recovery key. Recovery keys for campus-owned, personally managed computers cannot be stored in the cloud. ITCS will not store your recovery key and you are responsible for saving it.

If you have a personally-owned computer:

If you have a personally-owned computer, you can manage the recovery key by yourself or store the key in the cloud with your personal account.

See instructions for enabling full disk encryption on Windows and Mac below.

Enable Full Disk Encryption on Microsoft Windows 

BitLocker

Microsoft includes a full disk encryption feature built into Windows called BitLocker. 

Enabling BitLocker will not affect the user experience. Logging in, navigating folders and saving files will all remain the same. Once BitLocker is enabled, all data stored on the drive will be encrypted. 

BitLocker is available on supported devices running Windows 10 Pro, Enterprise, or Education edition. It is not available on Home edition. Faculty, Staff and Students can upgrade their Windows 10 system to the Education edition. Learn more at https://software.berkeley.edu/microsoft-operating-system.

Find out the operating system edition

Settings > System > About > Listed under Windows Specifications 


Enable BitLocker

Enabling BitLocker will require administrator privileges. If you do not have administrator privileges on your device, contact IT Client Services or your departmental IT support for assistance.

The disk encryption will take a significant amount of time and you will need to reboot your computer to complete the process. 

Log in with an administrator account > Start > Windows System > Control Panel > View By Category > System and Security > Manage BitLocker > Turn on BitLocker 

  1. Go to Start > Windows System > Control Panel

  2. Select View By Category

  3. Go to System and Security

  4. Select BitLocker Drive Encryption

  5. Select Turn on BitLocker

If BitLocker reports your device does not meet requirements

If the computer does not meet requirements for BitLocker, an error message will be displayed that says “This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.” 


The Trusted Platform Module (TPM) is a chip installed on the motherboard of some computers. If the chip is not present on your computer, you can use a startup password or a USB flash drive as a substitute, after changing the Group Policy setting described below.

Log in with an administrator account > Start > Windows System > Run > gpedit.msc > navigate to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives > Require additional authentication at startup (right click/edit or double click) > Enable > Check Allow BitLocker without a compatible TPM > Apply 

  1. Go to Start > Windows System > Run

  2. Run gpedit.msc

  3. Navigate to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives > Require additional authentication at startup (right click/edit or double click)

  4. Enable > Check Allow BitLocker without a compatible TPM > Apply

Once these steps are complete, try again to turn on BitLocker by following the earlier steps:  

Log in with an administrator account > Start > Windows System > Control Panel > View By Category > System and Security > Manage BitLocker > Turn on BitLocker

Choose from a) Enter a password or b) Insert a USB flash drive.


If you select the option to enter a password, you will enter the password and confirm it. Make sure you use a long, secure passphrase. This password will be required every time the device boots. 

If you choose the option to insert a removable USB flash drive, it will save the startup key on the USB flash drive. The USB flash drive will need to be inserted into the computer every time the device boots. 

Unlike the recovery key, the startup key is not a text file. It has the file extension .BEK. Back up the startup key file to a secure location, such as a second computer, so that if the USB flash drive is lost you can copy the startup key file to a new one.

ISO recommends creating a LastPass entry for the startup password. Access to LastPass from a second source will be necessary to read the startup password. The startup key .BEK file cannot be attached to a LastPass entry and should be backed up to a second computer. 

NOTE: If you use a password to unlock your BitLocker-protected operating system drive, you won’t be able to remotely access the computer using remote desktop protocol (RDP) if it is rebooted for some reason, e.g. restarted after power outage. 

Your computer now meets requirements. 

If BitLocker reports your device meets requirements 

BitLocker generates recovery keys that are needed to access the data on the computer in several cases:  

  1. Losing the USB startup key (if used) 

  2. Upgrading the operating system

  3. Moving the encrypted drive to a new computer

  4. Installing a new motherboard

  5. Changing boot configuration settings

  6. Updating computer BIOS

It is very important to save the recovery key to a secure location. Every computer owner is responsible for the recovery key to their own device, including owners of campus managed devices. ITCS does not store recovery keys. 

If you do not have your recovery key, you will not be able to log in or access your data. The computer will need to be reset with a recovery option, all local data will need to be erased and your computer will need to be reinstalled with Windows 10. Read more about Windows 10 recovery options.

For planned updates, hardware changes, or configuration changes, there is an option in the BitLocker menu to suspend BitLocker. This will disable BitLocker until the computer is restarted. Turning off BitLocker is not recommended for temporary situations, as it will decrypt the drive and require the entire process to be repeated to be turned back on. 

Once the recovery key is generated, you will be given several options for saving the key.  

Recommended options: 

  1. LastPass 

    1. Save to file > view > create a LastPass entry with the device ID and recovery key 

    2. Access to LastPass from a separate device will be necessary to read the recovery key. 

  2. Print 

    1. Store the printout in a secure location, such as a locked drawer or cabinet. 

  3. USB 

    1. Label the USB and store it in a secure location, such as a locked drawer or cabinet. 

    2. Access to another computer will be necessary to read the USB. 

  4. Microsoft Account (personally-owned devices only)

    1. You will need to be able to log into your Microsoft Account on another computer to retrieve the key. 

You can access your recovery key options at any time through the BitLocker main menu. 

If you ever regenerate the recovery key, make sure you update all of your backups.
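Added example, not from the original page: a PowerShell readiness and status check that walks the same items the steps above cover (Windows edition, TPM, the "Allow BitLocker without a compatible TPM" policy, encryption state, and the recovery password protector you are asked to save in LastPass). It assumes the operating system drive is C: and that it runs in an elevated session on a Windows 10 Pro, Enterprise or Education machine; the registry value name used for the policy check comes from general knowledge of BitLocker policy, not from this page.

```powershell
# Added example (not from the original page). Reports BitLocker readiness and status
# for the OS drive and shows the recovery password so it can be copied into LastPass.
# Assumptions: OS drive is C:; run elevated on Pro/Enterprise/Education (not Home).
$MountPoint = 'C:'

# 1. Edition check: BitLocker is not offered on Home edition.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Edition: $($os.Caption)"
if ($os.Caption -match 'Home') {
    Write-Warning 'Home edition does not include BitLocker; upgrade to Education or Pro first.'
}

# 2. TPM check. A missing or not-ready TPM is what produces the
#    "This device can't use a Trusted Platform Module" message.
$tpm = Get-Tpm
Write-Host "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 3. Policy check: "Allow BitLocker without a compatible TPM" from gpedit.msc is
#    stored under the FVE policy key (EnableBDEWithNoTPM = 1 when checked; assumed name).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($fve -and $fve.EnableBDEWithNoTPM -eq 1)
if (-not $tpm.TpmPresent -and -not $noTpmAllowed) {
    Write-Warning 'No TPM and the no-TPM policy is not set; BitLocker will refuse to turn on.'
}

# 4. Volume status: is the OS drive encrypted and is protection actually on?
#    A volume can be 100% encrypted but show "Off" after Suspend-BitLocker.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("Volume {0}: {1}, {2}% encrypted, protection {3}" -f
    $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)

# 5. Recovery password protector: this 48-digit value is the recovery key the page
#    tells you to save with the device ID in LastPass. Do not keep the only copy
#    on the encrypted drive itself.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector found; add one with:'
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
} else {
    foreach ($r in $recovery) {
        Write-Host "Device: $env:COMPUTERNAME  Protector ID: $($r.KeyProtectorId)"
        Write-Host "Recovery password: $($r.RecoveryPassword)"
    }
}

# 6. For a planned BIOS update or hardware change, suspend (do not turn off) protection;
#    -RebootCount 1 re-enables it automatically after the next restart.
#    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
```

If step 5 prints a recovery password, create the LastPass entry from it and then confirm that a second device can open that entry before relying on it.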

Enable Full Disk Encryption on Apple macOS

FileVault 

FileVault provides data and operating system protection for your Mac in the event the computer is stolen or lost. FileVault is available on all Mac computers. 

Enabling FileVault will not affect the user experience. Logging in, navigating folders and saving files will all remain the same. Once FileVault is enabled, all data stored on the drive will be encrypted.

Enable FileVault

Enabling FileVault will require administrator privileges.  If you do not have administrator privileges on your device, contact IT Client Services or your departmental IT support for assistance. 

Enabling FileVault will require a power source for a significant amount of time while the disk is being encrypted. 

System Preferences > Security & Privacy > FileVault > click the padlock in the lower left corner to unlock with an administrator account > Turn on FileVault 

  1. Go to System Preferences > Security & Privacy

  2. Select FileVault > click the padlock in the lower left corner to unlock with an administrator account > Turn on FileVault

If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user's password. 

FileVault will encrypt the files for all users of the computer; each user will be prompted to enter their password during setup. If a user is not enabled in FileVault, they will not be able to log in or access their data. User accounts that you add after turning on FileVault are automatically enabled. 

It is very important to save the recovery key to a secure location. Every computer owner is responsible for the recovery key to their own device, including owners of campus managed devices. ITCS does not store recovery keys. 

You will be given two options for saving the key.  

Recommended options: 

  1. LastPass

    1. Create a LastPass entry for the recovery key

    2. Access to LastPass from a separate device will be necessary to read the recovery key. 

    3. If you also print the key, store the printout in a secure location, such as a locked drawer or cabinet.

  2. iCloud (personally-owned devices only)

    1. You can choose to use your iCloud account to unlock your disk and reset your password. 

    2. If you store your recovery key in your iCloud account, there's no guarantee that Apple will be able to give you the key if you lose or forget it. Not all languages and regions are serviced by AppleCare or iCloud, and not all AppleCare-serviced regions offer support in every language.

If you lose both your account password and your recovery key, you won't be able to log in or access your data. All local data will need to be erased and the computer will need to be reinstalled with macOS. Read more about reinstalling macOS.

If you want to change the recovery key used to encrypt your startup disk, turn off FileVault in Security & Privacy preferences. You can then turn it on again to generate a new key and disable all older keys. Make sure you update all your recovery key backups.
