Security & Full Disk Encryption

Currently, full disk encryption is only available for Windows-based, RIT-owned computers.

What is full disk encryption? (And why would I need it?)

Wikipedia has the more technical explanation, but in a nutshell, encryption is essentially a 'lock down' of the data storage area of your computer and an encoding of that data. Information cannot be accessed without proper authentication, specifically your login/password sequence; once you authenticate, the data is decoded for use.

Laptop encryption is one of several new network security policies.

To review the end-user document (in PDF), click here.

Frequently Asked Questions

How do I get encryption for my computer?
Currently, laptop encryption is only available for Windows-based, RIT-owned computers. If you are interested in getting laptop encryption software installed on your computer, you can contact the ITS Service Desk at x5-4357 to request a technician to install it. Mac laptops and other desktop machines will be addressed in future phases of the laptop encryption project.

What about laptop encryption for Macs?
Laptop encryption for Mac computers will be addressed in a future phase.

Will this slow down my system?
Many users experience no noticeable effect on system performance; however, results may vary depending upon system speed and available memory.

Can I restart and shut down my laptop as usual during the initial encryption phase?
Yes. The encryption software automatically continues wherever it last left off.

Can I upgrade the operating system from Windows XP to Vista with the encryption software installed?
No. If you have Windows XP and the encryption software installed AND you plan to upgrade to Vista, Pointsec MUST be uninstalled before the upgrade can take place.

Please note that removing Pointsec will decrypt the hard drive. This process will take about as long as encrypting the drive originally took (about 10 Gigabytes per hour), and will require a reboot when it completes.

Is there anything special I need to do to ensure my data is protected when using Pointsec?
Yes. This software is most effective whenever your laptop is actually powered off. Your laptop is powered off whenever it is in the 'shutdown' or 'hibernated' states. Sleep or standby is not enough. If you hibernate instead of shutting down, you will be required to log in at the encryption software login screen.

If your machine hibernates, you may be presented with the pre-boot authentication screen when you resume working. This may require you to log into Windows again as well.

Using the computer’s “sleep” function can leave the computer vulnerable to unauthorized access. A laptop in the sleep state may also require a hard boot before you can log in.
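
Because sleep or standby does not give the protection that shutdown or hibernate does, an administrator can make hibernate the default low-power action on an encrypted laptop. The script below is an added example, not part of the original RIT FAQ or the Pointsec product; it assumes Windows Vista or later `powercfg` syntax, an elevated PowerShell prompt, and constructed timeout values.

```powershell
# Added example: steer an encrypted laptop toward hibernate instead of sleep.
# Assumptions: Windows Vista or later, elevated prompt, timeouts are sample values.

# powercfg button/lid action index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
$Hibernate = '2'

function Invoke-PowerCfg {
    param([string[]]$Arguments)
    & powercfg.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "powercfg $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Hibernate must be enabled before it can be chosen as an action.
Invoke-PowerCfg @('/hibernate', 'on')

# Lid close, power button and sleep button all hibernate, on AC and on battery.
foreach ($setting in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
    Invoke-PowerCfg @('/setacvalueindex', 'SCHEME_CURRENT', 'SUB_BUTTONS', $setting, $Hibernate)
    Invoke-PowerCfg @('/setdcvalueindex', 'SCHEME_CURRENT', 'SUB_BUTTONS', $setting, $Hibernate)
}

# Never enter standby on idle (0 = never); hibernate after an idle period instead.
Invoke-PowerCfg @('/change', 'standby-timeout-ac', '0')
Invoke-PowerCfg @('/change', 'standby-timeout-dc', '0')
Invoke-PowerCfg @('/change', 'hibernate-timeout-ac', '60')   # minutes, sample value
Invoke-PowerCfg @('/change', 'hibernate-timeout-dc', '20')   # minutes, sample value

# Re-apply the current scheme so the new values take effect.
Invoke-PowerCfg @('/setactive', 'SCHEME_CURRENT')

# Print the resulting button and lid settings for review.
Invoke-PowerCfg @('/query', 'SCHEME_CURRENT', 'SUB_BUTTONS')
```

Users can still choose Sleep from the Start menu after this runs; the script only changes the default button, lid and idle behaviour.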

Will my file stay encrypted if I move it off my laptop or send it to someone?
No. The hard disk is encrypted, not the file, so if you move it off the encrypted hard drive it will no longer be protected.

Will anything be different after encryption software has been installed?
The main difference is the pre-boot authentication screen. Other than that, it is transparent.

Do I have to login twice?
You may be required to log in twice during the initial encryption process. Once encrypted, the encryption software features a Single Sign-On (SSO) mechanism that will enable you to log in only once, and be automatically logged into your laptop.

What happens when I change my RIT computer account password?
Whenever your password changes, SSO will temporarily be disrupted. To synchronize the passwords, you will need to follow these steps:

  1. Change your password on the ITS Start page.
  2. Reboot the laptop.
  3. At the Pointsec login screen, type your old password.
  4. When the SSO enabled screen appears, click OK.
  5. At the Windows login, type your new password.
  6. The Pointsec password sync window will appear; type your old password.

When you change your password, Pointsec is affected in the following ways:
  • The password that you use to log into Windows will not change until the first time you log in AND you are connected to the network. If you have not connected to the network since your last password change AND you are not now connected to the network, use your old password to log into Pointsec. It will pass through to Windows via the Single Sign-On capability, and you will be logged into your machine.
  • The next time you connect to the network, you will need to use your old Pointsec password. This will get you past the Pointsec Pre-Boot Environment (PBE) screen, but will fail when it is passed through to Windows. When it fails, log into Windows with your new password, and Single Sign-On will resynchronize the two. Thereafter, you can log into Pointsec with your new password.
  • If you are logged into your laptop when the password change is made, the Pointsec device agent may pick up this change if the next polling interval occurs before you log off. If that happens, you may be prompted to “lock and then unlock” your laptop to change and synchronize the new passwords. Do that. (You may be prompted for your new password one extra time to aid the synchronization process.)

SUMMARY:

Pointsec picks up a password change when the Device Agent tells it a change has occurred, or when the Pointsec password you typed doesn’t match the Windows password that’s currently in effect.

Windows picks up a password change the next time you try to log in and you have a good network connection. This may or may not cause Pointsec to synchronize its password with the new password immediately.

If you can’t log in to Pointsec with your new password next time, try using your old one. If the passwords are out of sync, this action should fix them.

If you fail to change your password often enough and it gets randomized by CLAWS, this could randomize your Pointsec password as well. If a customer gets into that situation, you may have to extricate him/her with a remote help session or remote password change.

If my laptop is encrypted, do I still need to use VPN?
Yes. VPN is still required for access to some systems off campus.

What about personally owned laptops?
RIT's software licensing covers only RIT-owned computers. There are commercially available versions for home use for those of you seeking to add encryption to your computer.

Can you have the laptop encryption software installed on your laptop without being joined to MAIN?
Please contact the RIT Information Security Office at Infosec@rit.edu for information about encrypting laptops that are not part of MAIN.

Known issues:

  • Bluetooth/wireless - You will not be able to use a Bluetooth/wireless keyboard and mouse at the Pointsec login screen. You must use a keyboard that is directly connected to the laptop or dock. Once authenticated, the Bluetooth/wireless devices will work.