The Information Security Office (ISO) has approved several methods of complying with policy for encrypting sensitive data. The preferred method is to use the operating system's native encryption (e.g. FileVault, BitLocker, LUKS) combined with a centralized systems management suite (e.g. Ivanti, SCCM) to monitor and report encryption status.

The ISO strongly believes that the following features are important in an encryption solution: 

  1. Industry-standard, well-tested encryption algorithms.
  2. Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
  3. Timely support for new operating system versions and to address security issues.
  4. The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.

End-users, in consultation with their local IT support staff, should choose from one of the approved methods.  The ISO recommends the use of Stache for key escrow when possible.

If you have questions about these products or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.

Approved Encryption Methods

Microsoft BitLocker [1]
  Escrow method: Active Directory (in some cases), Stache
  Operating system(s) supported: Windows Vista and newer
  Encryption type: Partition
  Cost: None

VeraCrypt [2]
  Escrow method: Stache
  Operating system(s) supported: Windows Vista and newer
  Encryption type: Partition
  Cost: None

Apple FileVault 2
  Escrow method: Stache
  Operating system(s) supported: macOS 10.7+
  Encryption type: Partition
  Cost: None

Linux Unified Key Setup (LUKS) [3]
  Escrow method: Stache
  Operating system(s) supported: Red Hat 6+, Fedora 9+, Ubuntu 12.10+, Debian 7+
  Encryption type: Partition
  Cost: None

Self-Encrypting Drive (SED) [4] [5] [6]
  Escrow method: Stache
  Operating system(s) supported: Windows, macOS, Linux
  Encryption type: Whole-disk
  Cost: Yes; depends on size, storage technology, and vendor.
  More information: The SED chosen must be compliant with the TCG Opal specification. Check with the vendor to ensure compliance.

[1] BitLocker may be used on devices without a TPM. Windows 10 and newer allow the user to set a passphrase for authentication at boot. Older versions of Windows instead store the BitLocker startup key on a USB flash drive, which must be inserted to boot the computer and must never be left unattended with it. Both non-TPM configurations require the Group Policy setting "Require additional authentication at startup" (under "Operating System Drives") with "Allow BitLocker without a compatible TPM" checked. Storing the key in a TPM is more secure, so on devices that have a TPM it must be used for the configuration to count as an approved encryption method.

[2] VeraCrypt supports encryption of system partitions and system drives (i.e. the partition or drive on which the operating system is installed and from which it boots) only on Windows; VeraCrypt calls this system encryption with pre-boot authentication. On macOS and Linux, VeraCrypt encrypts only containers and non-system volumes, which is why it is listed above for Windows only.

[3] Encrypting the partitions of an existing installation with LUKS will most likely require reinstalling the operating system, since the distribution installers offer this option only at install time. In-place encryption with cryptsetup-reencrypt exists on newer distributions, but it rewrites every block of the partition and does not tolerate interruption. Make certain that you have complete and tested backups of all data before beginning either process.

[4] Self-Encrypting Drives provide low-latency, hardware-level encryption and are available from a number of manufacturers. To ensure minimum standards are met, only SEDs that meet the TCG Opal specification are approved. Seagate, Hitachi, and Toshiba are a few examples of manufacturers that make Opal-compliant SEDs. Check with your vendor to ensure compliance, and note that a firmware update may be required before a given drive is compliant.

[5] The ISO strongly recommends against relying on the ATA password (the ATA Security feature set) when implementing SEDs. The best way to use an SED is to have an enterprise management product handle authentication. For more information, see the references on breaking ATA password security.

[6] For solid-state drives, software encryption (e.g. FileVault 2, BitLocker) is preferable to the drive's own hardware encryption. Older Windows 10 releases configured BitLocker to use the SSD vendor's hardware encryption by default whenever the drive advertised it; since the September 2019 cumulative update (KB4516071) newly encrypted volumes default to software encryption, but a drive encrypted earlier keeps whichever method it was encrypted with, so the policy should be set explicitly in either case. To force native OS software encryption (advisable), set the Group Policy setting "Configure use of hardware-based encryption for operating system drives" to Disabled at "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives"; the "Fixed Data Drives" and "Removable Data Drives" folders contain matching settings. A volume already encrypted with hardware encryption must be decrypted and re-encrypted for the change to take effect; `manage-bde -status` shows the encryption method currently in use.
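The following PowerShell script is an added example, not code from the ISO page or any UT product. It audits a single Windows machine against the BitLocker requirements in footnotes 1 and 6 (TPM used as the key protector when one is present, a recovery password available for escrow, software rather than drive hardware encryption, and the hardware-encryption policy disabled) using only the built-in BitLocker and TrustedPlatformModule cmdlets. It assumes the GPO setting "Configure use of hardware-based encryption for operating system drives" is backed by the registry value OSHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE; verify that name against the FVE ADMX in your domain before relying on it.

```powershell
# Added example (not from the ISO page): audit the OS volume of this machine
# against footnotes 1 and 6. Run in an elevated PowerShell session on
# Windows 8 / Server 2012 or newer, where the BitLocker and
# TrustedPlatformModule modules ship with the OS.
#
# Assumption: the GPO "Configure use of hardware-based encryption for
# operating system drives" writes the DWORD OSHardwareEncryption under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (0 = Disabled, 1 = Enabled,
# absent = Not Configured). Confirm against your domain's FVE ADMX.

Import-Module BitLocker
Import-Module TrustedPlatformModule

$findings = [System.Collections.Generic.List[string]]::new()

# Footnote 1: if a TPM is present and ready, it must hold the key.
$tpm = Get-Tpm
$tpmPresent = $tpm.TpmPresent -and $tpm.TpmReady

$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume) { throw "No BitLocker OS volume found on this machine." }

if ($osVolume.VolumeStatus -ne 'FullyEncrypted' -or $osVolume.ProtectionStatus -ne 'On') {
    $findings.Add("OS volume $($osVolume.MountPoint) is $($osVolume.VolumeStatus) with protection $($osVolume.ProtectionStatus)")
}

# Key protector types: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
# Password, ExternalKey (USB startup key), RecoveryPassword, AdAccountOrGroup.
$protectorTypes = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$usesTpm = @($protectorTypes | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

if ($tpmPresent -and -not $usesTpm) {
    $findings.Add("TPM present and ready, but the OS volume uses only: $($protectorTypes -join ', ')")
}
if (-not $tpmPresent -and -not ($protectorTypes -contains 'Password' -or $protectorTypes -contains 'ExternalKey')) {
    $findings.Add("No usable TPM; expected a Password or ExternalKey (USB startup key) protector")
}

# Escrow (Stache or AD) needs a recovery password to escrow.
if (-not ($protectorTypes -contains 'RecoveryPassword')) {
    $findings.Add("No RecoveryPassword protector; nothing can be escrowed for this volume")
}

# Footnote 6: software (XTS-AES) encryption is preferred over the SSD's own engine.
if ($osVolume.EncryptionMethod -eq 'Hardware') {
    $findings.Add("OS volume uses drive hardware encryption; decrypt and re-encrypt with software encryption")
}

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$hwPolicy = (Get-ItemProperty -Path $policyPath -Name OSHardwareEncryption -ErrorAction SilentlyContinue).OSHardwareEncryption
if ($null -eq $hwPolicy) {
    $findings.Add("Hardware-encryption policy for OS drives is Not Configured; set it to Disabled via GPO")
} elseif ($hwPolicy -ne 0) {
    $findings.Add("Hardware-encryption policy for OS drives is Enabled ($hwPolicy); set it to Disabled via GPO")
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $($osVolume.MountPoint) $($osVolume.EncryptionMethod); protectors: $($protectorTypes -join ', ')"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Each finding maps to one sentence of the footnotes above, so the output can be fed to the systems management suite as a per-device compliance record. The policy registry check is deliberately separate from the live EncryptionMethod check: a machine can have the policy set correctly yet still be running on hardware encryption from an earlier encryption pass, and only decrypting and re-encrypting fixes that.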