The Information Security Office (ISO) has approved several methods of complying with policy for encrypting sensitive data. The preferred method is to use the operating system's native encryption (e.g. FileVault, BitLocker, LUKS) combined with a centralized systems management suite (e.g. Ivanti, SCCM) that monitors and records each device's encryption status.
The ISO strongly believes that the following features are important in an encryption solution:
- Industry-standard, well-tested encryption algorithms.
- Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
- Timely support for new operating system versions and timely fixes for security issues in the product itself.
- The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.
End-users, in consultation with their local IT support staff, should choose from one of the approved methods. The ISO recommends the use of Stache for key escrow when possible.
If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.
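The check a practitioner wants behind the preferred method above (native encryption plus a management suite that records status, so that the encryption state of a lost or stolen device can later be shown from inventory): a small POSIX shell library that turns the output of each platform's native tool (manage-bde on Windows, fdesetup on macOS, lsblk on Linux) into one normalized status line per host. This is an added example, not code from the ISO's page or from any management suite; the embedded tool outputs are constructed samples modeled on the real tools' output format, and the classify_* and inventory_line function names are this example's own. One edge case is handled deliberately: a BitLocker volume whose protection has been suspended still reports "Fully Encrypted" but "Protection Off", with a clear key on disk, and is reported as "suspended" rather than "encrypted".

```shell
#!/bin/sh
# Added example (not from the ISO page): normalize native disk-encryption
# status into a small set of states a management suite can inventory.
# The *_SAMPLE strings below are constructed, modeled on the real tools'
# output format; nothing here was captured from a live machine.
#
# Real inputs come from:
#   Windows:  manage-bde -status C:
#   macOS:    fdesetup status
#   Linux:    lsblk -sno TYPE "$(findmnt -no SOURCE /)"
#             (device TYPEs from the root filesystem up to the disk; a
#              "crypt" entry anywhere in that chain means dm-crypt/LUKS,
#              which also covers LVM-on-LUKS layouts)

# Windows: require both "Fully Encrypted" and "Protection On". A suspended
# volume is fully encrypted but its key is stored in the clear, so it must
# not be counted as protected for a loss/theft review.
classify_bitlocker() {
    printf '%s\n' "$1" | awk '
        /Conversion Status:/ { conv = $0; sub(/.*Conversion Status:[ \t]*/, "", conv) }
        /Protection Status:/ { prot = $0; sub(/.*Protection Status:[ \t]*/, "", prot) }
        END {
            if (conv ~ /Fully Encrypted/ && prot ~ /Protection On/) print "encrypted"
            else if (conv ~ /Encryption in Progress/)              print "in-progress"
            else if (conv ~ /Fully Encrypted/)                     print "suspended"
            else                                                   print "not-encrypted"
        }'
}

# macOS: "FileVault is On." is only final once no conversion is running.
classify_filevault() {
    printf '%s\n' "$1" | awk '
        /^FileVault is On/       { on = 1 }
        /Encryption in progress/ { busy = 1 }
        END {
            if (on && !busy) print "encrypted"
            else if (on)     print "in-progress"
            else             print "not-encrypted"
        }'
}

# Linux: any "crypt" layer between the root filesystem and the disk.
classify_linux_root() {
    printf '%s\n' "$1" | awk '
        $1 == "crypt" { found = 1 }
        END { print (found ? "encrypted" : "not-encrypted") }'
}

# One CSV record per host: hostname,os,state (hostname supplied by caller).
inventory_line() {  # $1 = hostname, $2 = windows|macos|linux, $3 = tool output
    case "$2" in
        windows) state=$(classify_bitlocker "$3") ;;
        macos)   state=$(classify_filevault "$3") ;;
        linux)   state=$(classify_linux_root "$3") ;;
        *)       state="unknown-os" ;;
    esac
    printf '%s,%s,%s\n' "$1" "$2" "$state"
}

# ---- constructed sample outputs (assumed format, not captured) ----
BDE_SAMPLE_ON='Volume C: [Windows]
[OS Volume]

    Size:                 237.46 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password'
BDE_SAMPLE_SUSPENDED='Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked'
FV_SAMPLE_ON='FileVault is On.'
FV_SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'
LSBLK_SAMPLE_LUKS='lvm
crypt
part
disk'
LSBLK_SAMPLE_PLAIN='part
disk'

# Demo run over the samples; on a real host replace the sample with e.g.
#   inventory_line "$(hostname)" macos "$(fdesetup status)"
inventory_line win-lab-01 windows "$BDE_SAMPLE_ON"
inventory_line win-lab-02 windows "$BDE_SAMPLE_SUSPENDED"
inventory_line mac-lab-01 macos   "$FV_SAMPLE_BUSY"
inventory_line lnx-lab-01 linux   "$LSBLK_SAMPLE_LUKS"
```

The states are deliberately coarse so the same record format works for every platform the table lists; the management suite only needs to alert on anything other than "encrypted" and to keep the history, since it is the record at the time of loss, not the device, that the department will be asked to produce.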
Encryption Method | Escrow Method | Operating System(s) Supported | Whole-Disk Encryption? | Cost? | More Information |
---|---|---|---|---|---|
Microsoft BitLocker / BitLocker To Go [1] | Active Directory (in some cases), Stache | Windows 7 and newer | Yes | None | https://technet.microsoft.com/en-us/library/ff404223.aspx |
VeraCrypt | Stache | Windows, macOS 10.7+, Linux | Yes on Windows (system encryption); containers and non-system volumes only on macOS and Linux | None | VeraCrypt |
Apple FileVault 2 | Stache | macOS 10.7+ | Yes | None | http://support.apple.com/kb/HT4790 |
Apple Encrypted Disk Images | Stache | macOS | No | None | http://support.apple.com/kb/TA21118?viewlocale=en_US |
FIPS 140-2 Level 3 validated hardware-encrypted USB drives [2] | Stache | Varies | Varies | TBD | Examples of FIPS 140-2 Level 3 validated devices: Imation IronKey S250/D250; Kingston DataTraveler 6000; Apricorn Aegis Secure Key |
[1] BitLocker To Go (BitLocker for removable drives) was introduced with Windows 7 and Windows Server 2008 R2 and is included in later versions. Windows XP SP3 and Windows Vista cannot create BitLocker To Go media, but can open FAT-formatted BitLocker To Go drives in read-only mode with the BitLocker To Go Reader, which Windows places on the protected drive automatically.
[2] FIPS 140-2 validation is easy to over-read. Level 2 requires an approved algorithm, role-based operator authentication and tamper evidence (seals or coatings that show the case was opened); it says little about how keys are derived and stored or how the user is actually authenticated, and validation covers only the declared cryptographic module boundary, so host-side unlock software outside that boundary is never examined. That gap is what bit the Level 2 validated drives from SanDisk and Kingston that were compromised in 2010: the host software checked the password itself and then sent the drive the same fixed unlock value regardless of the password, so the encryption key was never bound to the user's secret. In practice, Level 2 on its own covers very little of what makes a device secure. Level 3 is far more rigorous: it adds identity-based authentication, tamper resistance or response (for example zeroizing keys when the enclosure is breached) and physical or logical separation of the interface used for plaintext key entry. Even so, confirm that the device's CMVP certificate covers the exact hardware and firmware version being purchased, and prefer devices that take the PIN on the device itself rather than through host software.