While most cyber crooks commit crimes via keyboard, laptop thieves do it old school -- grab and run. And once the laptops are in their possession, it's easy to bypass the passwords. The thieves simply start the laptops with bootable USB drives (no passwords needed) or pull out the hard drives and put them into other laptops. Either way, with a few minutes of effort, they can see everything on the stolen laptops.
Wouldn't it be nice if "everything" the bad guys saw was gibberish instead of private information? It's not only nice, but possible. That's the idea behind laptop encryption. And that's why ISU information technology staff have encrypted 1,000 university laptops and are at work on the rest.
If you've got an unencrypted university laptop, you'll likely hear from your IT support person sooner or later. In the meantime, here's useful intelligence about laptop encryption at Iowa State, provided by IT Director Mike Lohrbach and information security officer Andy Weisskopf.
Encryption basics
Encryption encodes data into gibberish. Only those with proper logins and passwords can turn that gibberish back into something intelligible. For university-owned laptops, you'll use your Net-ID and password to decode your encrypted data.
Let IT do it
Central and departmental staff will do the encrypting on university laptops. If you've purchased a new laptop in the past few months, it probably was encrypted during the initial setup. IT staff are working their way through the older laptops on campus now.
To encrypt the laptops, IT staff turn on the encryption software already installed on the machines. For Windows laptops, that's BitLocker. Macs are encrypted with FileVault.
At the time of encryption, IT staff also copy and save the recovery keys, a series of numbers and letters assigned during each encryption. If laptop users forget their passwords or can't access their laptop information due to malfunctions, IT staff will need the recovery keys to retrieve data that otherwise would be lost.
Tips for using encrypted laptops
Encrypted laptops should operate just like unencrypted ones, with the same speed and responsiveness.
Departmental laptops shared by several people will work just the way they do now. Users sign in with their own Net-IDs and passwords to gain access and decrypt the data.
A laptop left on and unattended is a sitting duck for snoopers, because its data is already unlocked. Take your laptop with you, or at least turn it off, if it will be out of your sight for a few moments. And set the device to go into screen-saving mode after a few minutes of inactivity. Most screen savers require a password to reactivate the laptop.
Is encryption mandatory?
Mandatory encryption on university laptops with moderate to highly restricted university data is part of a proposed data classification policy currently under consideration by the ISU administration.
What encryption does and doesn't do
Encryption protects your data if your laptop is lost or stolen.
It doesn't:
- Keep your laptop from being stolen or help you recover it
- Prevent viruses and malware
- Protect files that are moved off the laptop itself. If you mail a file from your encrypted laptop or copy it onto a USB drive, that copy of the file is unencrypted.
Should I encrypt my home laptop?
If you're keeping personal information on the laptop, it's a good idea, if -- and this is a big IF -- you have a good way to store your recovery key. If you lose your password and your recovery key, there's no way to get your data back. That's the point of encryption.