The Information Security Office (ISO) has approved several methods of complying with policy for encrypting sensitive data.  The preferred method is to use the operating system's native encryption (e.g. Filevault, Bitlocker, LUKS, etc.) combined with a centralized systems management suite (e.g. Ivanti, SCCM) to monitor encryption status.

The ISO strongly believes that the following features are important in an encryption solution: 

  1. Industry-standard, well-tested encryption algorithms.
  2. Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
  3. Timely support for new operating system versions and to address security issues.
  4. The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.

End-users, in consultation with their local IT support staff, should choose from one of the approved methods.  The ISO recommends the use of Stache for key escrow when possible.

If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.

Approved Encryption Methods
Encryption Method
Escrow Method
Operating System(s) Supported
Whole-Disk Encryption?
Cost?
More Information
Microsoft Bitlocker To Go 1
Active Directory (in some cases), Stache
Windows 7 and newer
Yes
None
https://technet.microsoft.com/en-us/library/ff404223.aspx
Veracrypt
Stache
Windows, macOS 10.7+, Linux
Yes
None
Veracrypt
Apple FileVault 2
Stache
macOS 10.7+
Yes
None
http://support.apple.com/kb/HT4790
Apple Encrypted Disk Images
Stache
macOS
No
None
http://support.apple.com/kb/TA21118?viewlocale=en_US
FIPS 140-2 Level 3 certified hardware-encrypted USB drives 2
Stache
Varies
Varies
TBD
Examples of FIPS 140-2 Level 3 certified devices: 
Imation IronKey S250/D250 
Kingston DataTraveler 6000 
Aegis Secure Key
 

1 BitLocker To Go is only available with Windows 7 and Windows 2008 R2, however Windows XP SP3 and above can be used with BitLocker To Go encrypted removable media in read-only mode when the BitLocker To Go Reader application is installed. The BitLocker To Go Reader is packaged on BitLocker To Go protected removable media automatically.


2 FIPS 140-2 Level 2 compliance only requires that devices use a known good encryption algorithm and be resistant to tampering.  It does not address how the encryption is implemented, keys are managed, or users are authenticated.  Ultimately, this means that the standard covers very little of what actually makes a device secure (or not).  FIPS Level 2 compliant devices from SanDisk and Kingston have been compromised in the past due to improper key handling and poor user authentication mechanisms.  FIPS 140-2 Level 3 is far more rigorous and comprehensive.