Studies show that many people who lose or have their computer stolen often have personal and family data at risk, as well as confidential University data. Encryption converts data to a format that is unreadable by anyone except authorized users.

The recommended method for protecting the information on your computer is to use the encryption software which comes bundled with your computer's operating system. 

The Princeton Disk Encryption Service, available for faculty and staff computers, escrows the encryption recovery keys in University servers.

What type of computer should use disk encryption?

• All computers purchased via the FCP program are required to be encrypted including managed dual boot Windows/Linux computers.
• All University desktop and laptop computers purchased after the below dates using University funds are required to be enrolled in Jamf or intune (which will include native encryption management)
  
  • macOS Computer: January 1, 2020
  • Windows Computer: September 26, 2022
• Certain departments have their own internal requirements for encryption. Check with your departmental SCAD/DCS staff member or contact the OIT Service Desk.
• Encrypted computers should be backed up frequently, preferably using the Princeton CrashPlan Service. 

How can I tell if my computer's disk is already encrypted?

• To check your computer’s encryption status, see Article 1109

How do I enable disk encryption on my computer?

University managed Windows and macOS computers

• Disk encryption is automatically enabled on University managed Windows and macOS computers.
• The encryption recovery key can be retrieved by your SCAD/DCS, the OIT Service Desk or, for Intune managed Windows computers, by end users.

Unmanaged computers

• Users with Administrator privileges on unmanaged computers can enable disk encryption by following instructions for Windows or instructions for macOS.
• You will be responsible for storing the recovery key. It will not be available to your SCAD/DCS member or the OIT SOC.

Linux Computers

• The computer should be set up for encryption during installation of the Linux operating system.
• You will be responsible for storing the recovery key. It will not be available to your SCAD/DCS member or the OIT SOC. 

Traveling abroad with encrypted laptops

Before traveling out of the country with encryption software, University members should follow the Encryption & International Travel guidelines published by the OIT Information Security Office.

What types of computers currently do not support disk encryption?

• Dual-boot/multi-boot computers except managed dual boot Windows/Linux
• MacOS computers using a Boot Camp Windows partition
• Windows computers that have a RAID disk array
• Virtual Machines

External storage devices and encryption

Enabling Bitlocker for Windows or FileVault for macOS will not encrypt external storage devices such as USB drives, thumb drives, etc. These devices can be protected using encryption features built into Windows and macOS:

• Windows: Bitlocker To Go can be used to encrypt removable storage
• macOS: Removable storage can be encrypted in the Finder

Information for technical support representatives

Refer to Suspend BitLocker protection for non-Microsoft software updates - Windows Client | Microsoft Learn

For devices using native Windows Bitlocker disk encryption, BitLocker must be suspended before:

• • Before resizing the windows partition and installing Linux or the Windows will ask for the recovery key the next time you boot into Windows. 
  • Performing a BIOS update or the machine will not properly boot up after the BIOS upgrade is completed.