In April 2022, McAfee products began transitioning to a new Trellix name and branding. Knowledge articles may continue to reflect the older McAfee brand until the transition to Trellix is complete.

The recommended method for protecting the information on your computer is to use the encryption software which comes bundled with your computer's operating system. Encryption converts data to a format that is unreadable by anyone except authorized users. This University-wide disk encryption service is available to all eligible faculty and staff computers. Studies show that many people who lose or have their computer stolen often have personal and family data at risk, as well as confidential University data.

What type of computer should use disk encryption?

• All computers purchased via the FCP program are required to be encrypted including managed dual boot Windows/Linux computers.
• All University desktop and laptop computers purchased after the below dates using University funds are required to be enrolled in Jamf or intune (which will includes native encryption management) unless an exemption is requested and approve by the Princeton Information Security Office.
  
  • macOS Computer: January 1, 2020
  • Windows Computer: September 26, 2022
• Certain departments have their own internal requirements for encryption. Check with your departmental SCAD/DCS staff member or contact the OIT Support and Operations Center.
• Encrypted computers should be backed up frequently, preferably using the Princeton CrashPlan Service. 

How can I tell if my computer's disk is already encrypted?

• To check your computer’s encryption status, see Article 1109

How do I enable disk encryption on my computer?

• Recommended
  Disk encryption is automatically enabled on managed Windows and macOS computers. The stored encryption recovery key can be retrieved by your SCAD/DCS, the OIT SOC or, for Intune managed Windows computers, by end users.
• Users with Administrator privileges on unmanaged computers
  Encryption can be manually enabled by following instructions for Windows or instructions for macOS. The recovery key will not be available to your SCAD/DCS member or the OIT SOC. You will be reponsible for storing the recovery key.
• Linux Users
  The computer should be set up for encryption during the installation of the Linux.

Traveling abroad with encrypted laptops

Before traveling out of the country with encryption software, University members should follow the Encryption & International Travel guidelines published by the OIT Information Security Office.

What types of computers currently do not support disk encryption?

• Dual-boot/multi-boot computers except managed dual boot Windows/Linux
• MacOS computers using a Boot Camp Windows partition
• Windows computers that have a RAID disk array
• Virtual Machines

External storage devices and encryption

Enabling Bitlocker for Windows or FileVault for macOS will not encrypt external storage devices such as USB drives, thumb drives, etc. These devices can be protected using encryption features built into Windows and macOS:

• Windows: Bitlocker To Go can be used to encrypt removable storage
• macOS: Removable storage can be encrypted in the Finder

Information for technical support representatives

• For devices using native Windows Bitlocker disk encryption, Bitlocker must be suspended before:
  
  • Before resizing the windows partition and installing Linux or the Windows will ask for the recovery key the next time you boot into Windows. Refer to Suspend BitLocker protection for non-Microsoft software updates - Windows Client | Microsoft Learn
  • Performing a BIOS update or the machine will not properly boot up after the BIOS upgrade is completed.  Refer to KB0010639 - Temporarily Suspend BitLocker Encryption Managed by McAfee MNE