Encryption is a means of protecting data stored on your computer so that it is inaccessible to unauthorized users. It protects information by converting it to an unreadable format that cannot be easily deciphered by unauthorized users. Full disk encryption (FDE) protects all files and data saved to disk, including the operating system, executable files and documents.
FDE offers the highest level of security and privacy and is therefore highly recommended for all users. In case your computer is stolen or left unguarded, no one will be able to access your encrypted files without entering the password (usually referred to as an encryption key).
The installation of FDE creates a recovery key which is required if an error occurs and the data on the disk needs to be recovered. This key will be stored on a secured server and can be retrieved if it is needed.
All IT Services' managed computers are deployed with BitLocker (Windows) or FileVault (MacOS).
Faculty and Staff with McGill-owned PCs.
The majority of managed computers provided by IT Services are encrypted by default.
Note: At this time, MacOS computers that are shared amongst users cannot be encrypted with FileVault. We hope to offer this option in the near future.
Users may request to have BitLocker (Windows) or FileVault (MacOS) enabled on their McGill-managed computers by contacting the IT Service Desk, or local technical support staff.
There is no associated cost for this service.
This service is available 24 X 7.
No. Full Disk Encryption (FDE) will only be installed on McGill-managed computers. If a computer is owned by a contractor or part-time faculty member, it will not be encrypted as part of this service.
If you have a Windows computer, the change will be deployed in the background without disrupting your work. No reboot is required.
Note: For laptops, if the installation occurs while the computer is in use, a prompt to connect to an external power source may appear. If the computer is powered off during deployment, this prompt may appear once it is restarted.
If you have a MacOS computer, you will need to do the following:
FDE for Windows is made up of 2 key components, BitLocker and the Azure portal. BitLocker, the encrypting engine, is part of the Windows operating system. As such, it should not affect the performance or functionality of your computer.
BitLocker recovery keys are stored, managed, and retrieved using the integrated functionality of the Windows operating system. The installation and configuration of FDE will create a recovery key (a 48-digit numeric code) used to decrypt your data. One example of when this key would be required is for restarting in “Safe Mode”.
When you connect to McGill’s Virtual Private Network (VPN), our centralized management servers should communicate with your computer to begin the encryption process. If that doesn’t happen, the encryption process should begin the next time your computer connects to the McGill network.
USB keys will not be encrypted as part of this deployment. However, it is strongly recommended that you transfer any confidential data stored on a USB drive to SharePoint, OneDrive or a network shared drive, and delete it from the USB drive.
No action is required on your part; the recovery key will be pushed to the central server.
You can recover your encryption key by using a second computer or device. See How to recover an encryption key for a computer with full disk encryption.
See best practices from the Government of Canada's Canadian Centre for Cyber Security: Using Encryption to Keep Your Sensitive Data Secure.
See How to recover an encryption key for a computer with full disk encryption.
You can set up disk encryption on your personal devices as well:
Note: The IT Service Desk is unable to assist with issues related to disk encryption on personal computers.
If you need assistance to recover your encryption key, contact the IT Service Desk.