Data Encryption

Mobile Device Encryption Project

Under the auspices of the General Data Protection Regulations the University requires approved encryption solutions be used to preserve the confidentiality, and control access to University data when it is processed, stored or transmitted - i.e. any mobile or portable device (laptop, tablet, smartphone) you use to access confidential University or personal information has to be encrypted.

The encryption project must be completed by 25th May 2018.  Information Services are responsible for managing the project.  To assist with this the instructions detailed enable you as the end-user to encrypt your own devices.  

If you have a university owned mobile device, or you are using your own device for work purposes, you are responsible for the security of the device and the data processed on it.

Using Encryption

Encryption is simple to implement and easy to use, with little or no inconvenience to the end-user. The instructions below will take you through the general encryption process; you must read the instructions carefully and complete all the steps in order to ensure that data is not put at risk.

Encrypting a computer protects it if it is stolen, and gives peace of mind if it is lost.

Apple Laptops

Encryption Prerequisites

  • Save and close all files and programs.
  • It is advisable to undertake the encryption process when you have finished work for the day, so the process has sufficient time to complete
  • Should you require assistance at any stage open a New Call in SiteHelpDesk.  In the Summary Field enter FileVault, in the Description field enter the Make, Model and Inventory Number of the device you are having difficulties with and include a description of the issue.  Also include your Faculty/Directorate, Division and Department.

Back Up and Transfer Files

It is highly recommended that you have a backup of your files, prior to enabling FileVault.

Backup what files are required to an external hard drive, USB pen drive or Onedrive.

Once encryption has been successful, delete all copied data from the backup.

Encryption Process

Encryption is simple to implement and easy to use, with little or no inconvenience to the end-user. The instructions below will take you through the general encryption process; you must read the instructions carefully and complete all the steps in order to ensure that data is not put at risk.

Encrypting a computer protects it if it is stolen, and gives peace of mind if it is lost.

  • FileVault sets your login password as the encryption pass phrase. Only enabled users are able to start or unlock the encrypted drive. FileVault is enabled via System Preferences -> Security & Privacy -> FileVault -> Lock -> Turn on FileVault
  • It is recommend that computers be powered off rather than left in "sleep" or “hibernation” mode when you don't have it with you.

Notes

  • FileVault will encrypt your hard-disk drive in approximately one to three hours, depending on its size, but may take up to 24 hours.
  • If you so wish you can continue to use your computer during the encryption process.
  • Once encryption has completed create a New Call in SiteHelpDesk.  In the Summary Field enter FileVault, in the Description field enter the Make, Model and Inventory Number of the device you have encrypted.  Also include your Faculty/Directorate, Division and Department.
  • Separately email a copy of the FileVault Recovery Key to b.mckinney@qub.ac.uk quoting the SiteHelpDesk call reference number

Windows Laptops

Encryption Prerequisites

  • Save and close all files and programs.
  • Ensure you have a USB Pen/Flash Drive available before you start the encryption process, as this will be required to store the computers recovery key.
  • It is advisable to undertake the encryption process when you have finished work for the day, so the process has sufficient time to complete.
  • Not all screenshots/images will match exactly what you see on your computer due to the different versions of Windows Operating Systems used in Queen’s, do not be alarmed by this. 
  • Should you require assistance at any stage open a New Call in SiteHelpDesk.  In the Summary Field enter BDE, in the Description field enter the Make, Model and Inventory Number of the device you are having difficulties with and include a description of the issue.  Also include your Faculty/Directorate, Division and Department.
  • Please read this document through in it’s entirely so you understand what is required.

Back Up and Transfer Files

It is highly recommended that you have a backup of your files, prior to enabling BitLocker Drive Encryption (BDE).

Backup what files are required to an external hard drive, USB pen drive or Onedrive.

Once encryption has been successful, delete all copied data from the backup.

Encryption Process

Encryption is simple to implement and easy to use, with little or no inconvenience to the end-user. The Windows Encryption instructions will take you through the general encryption process; you must read the instructions carefully and complete all the steps in order to ensure that data is not put at risk.

Encrypting a computer protects it if it is stolen, and gives peace of mind if it is lost.

Notes

  • BitLocker will encrypt your hard-disk drive in approximately one to three hours, depending on its size, but may take up to 24 hours.
  • If you so wish you can continue to use your computer during the encryption process.
  • Once encryption has completed create a New Call in SiteHelpDesk.  In the Summary Field enter BDE, in the Description field enter the Make, Model and Inventory Number of the device you have encrypted.  Also include your Faculty/Directorate, Division and Department.
  • Separately email a copy of the Recovery Key to b.mckinney@qub.ac.uk quoting the SiteHelpDesk call reference number.

Apple iPhone and iPad

Setting a passcode/phrase or biometric verification will automatically enable FileVault device encryption on iOS devices (iPhone, iPad). 

Android Smartphones and Tablets

Encrypting Android® devices

Android versions 4.0 and above allow encryption of the device through the security option in system settings. Always set a passcode on your device and ensure that any removable memory e.g. Micro SD card is encrypted. Consult your device handbook for further advice.

Is my device encrypted?

To check a Microsoft Windows® Laptop - Hit Start, type Manage BitLocker, then select Manage BitLocker – if Bitlocker is enabled the only option available will be turn BitLocker off -so your laptop is encrypted.

Should your device already be encrypted create a New Call in SiteHelpDesk.  In the Summary Field enter BDE, in the Description field enter the Make, Model and Inventory Number of the device you have encrypted.  Also include your Faculty/Directorate, Division and Department.

To check an Apple® device- On an Apple iOS device (iPhone, iPad), if it has a passcode, it's encrypted. On an Apple MacBook, you either look at System Preferences, Get Info on Finder, or else reboot it – if it asks for a login you are encrypted.

Should your device already be encrypted create a New Call in SiteHelpDesk.  In the Summary Field enter FileVault (MacBook) or IOS (iPhone/iPad), in the Description field enter the MakeModel and Inventory Number of the device you have encrypted.  Also include your Faculty/DirectorateDivision and Department.

For all other devices check manufacturer’s instructions or refer to the Contacts section on this page.

Note: all of the encryption methods listed above require a password or other memorable data. Be sure that you remember this, or document it securely away from the encrypted device. If you forget/lose the password your data may not be recoverable.

Further information/Contacts

Your School IT Officer

IT Service Desk | (028) 9097 3760 | advisory@qub.ac.uk |

Data Security | infosec@qub.ac.uk |

Last Updated: December 2017

Encrypting Email attachments and USB Drives

USB Storage Devices

Microsoft Devices - BitlockerToGo is the recommended USB storage encryption – you do not need to turn on Bitlocker on your computer for this to work.

  1. Insert the USB storage device and right click on the assigned drive letter
  2. Select “turn on Bitlocker”
  3. Enter a password which conforms to the QUB password policy and confirm
  4. Save the recovery key to a safe place on your desktop or laptop
  5. Encrypt the drive

You will need to enter the password each time you mount the drive in a computer. If you forget the password you will need to use the recovery key to restore the data. DO NOT LOSE BOTH.

Apple Devices - Use the Disk Utility application to format the USB storage with AES-256 encryption or for storage already in use simply right click on the drive and select 'encrypt'.

USB Hardware based encrypted storage - In some cases it may be easier to use USB storage which has built-in full disk encryption. Use a device which has 256 bit hardware based AES encryption – these can be purchased from the Internet at relatively low cost e.g. Kingston, Integral, and SanDisk.

Encrypting Email Attachments

Encrypting email attachments Never put sensitive information in the body of an email message.

To encrypt Microsoft Office® and Adobe® attachments e.g. Word, Excel, pdf use the password protect option in the document. Use a minimum of 12 characters in the password to ensure adequate protection. Do not send the password in the email – where possible send the password by another method e.g. SMS Text. Business areas emailing sensitive data on a regular basis should consider using commercial zip/encrypt applications like WinZip®, 7Zip®.