Encryption is a means of protecting data stored on your computer so that it is inaccessible to unauthorized users. It protects information by converting it to an unreadable format that cannot be easily deciphered by unauthorized users. Full disk encryption (FDE) protects all files and data saved to disk, including the operating system, executable files and documents.
FDE offers the highest level of security and privacy and is therefore highly recommended for all users. In case your computer is stolen or left unguarded, no one will be able to access your encrypted files without entering the password (usually referred to as an encryption key).
The installation of FDE will create a recovery key (a 48-digit, unique numeric code). This key will be necessary in order to access encrypted data on a computer.
All centrally managed computers are deployed with BitLocker by default.
FDE for Windows is made up of 2 key components: BitLocker and the Azure portal. BitLocker, the encrypting engine, is part of the Windows operating system. As such, it should not affect the performance or functionality of affected computers. BitLocker recovery keys are stored, managed, and retrieved using the integrated functionality of the Windows operating system. The installation and configuration of FDE will create a recovery key (a 48-digit numeric code) used to decrypt your data. One example of when this key would be required is for restarting in “Safe Mode”. If you lose the recovery key, you can retrieve it from the Azure portal, or by contacting the IT Service Desk or local technical support staff.
Faculty and Staff with McGill-owned PCs.
All managed computers newly provisioned by IT Services are encrypted by default.
Users may request to have BitLocker enabled on their McGill-managed computers by contacting the IT Service Desk or local technical support staff.
There is no associated cost for this service.
This service is available 24/7.
No. FDE will only be installed on McGill-managed computers. If a computer is owned by a contractor or part-time faculty member, it will not be encrypted as part of this project.
No. The change will be deployed in the background without disrupting users’ work, and no reboot will be required.
Note: For laptops, if the installation occurs while the computer is in use, a prompt to connect to an external power source may appear. If the computer is powered off during deployment, this prompt may appear once it is restarted.
When you connect to McGill’s Virtual Private Network (VPN), our centralized management servers should communicate with your computer to begin the encryption process. If that doesn’t happen, the encryption process should begin the next time your computer connects to the McGill network.
USB keys will not be encrypted as part of this deployment. However, it is strongly recommended that you delete any confidential data stored on a USB drive and transfer it to either OneDrive or a network shared drive.
No action is required on your part; the recovery key will be pushed to the central server.
You can recover your encryption key using a second computer or device. See How to recover an encryption key for a computer with full disk encryption.
See best practices from the Government of Canada's Canadian Centre for Cyber Security: Using Encryption to Keep Your Sensitive Data Secure.
See How to recover an encryption key for a computer with full disk encryption.
If you need assistance to recover your encryption key, contact the IT Service Desk.