* About: Full disk encryption (FDE)


Service overview | Who can use it | How to request & access | Cost | Availability | FAQs | Best practices & policies | Training & documentation | Support

Service overview

Encryption is a means of protecting data stored on your computer so that it is inaccessible to unauthorized users. It protects information by converting it to an unreadable format that cannot be easily deciphered by unauthorized users. Full disk encryption (FDE) protects all files and data saved to disk, including the operating system, executable files and documents.

FDE offers the highest level of security and privacy and is therefore highly recommended for all users. In case your computer is stolen or left unguarded, no one will be able to access your encrypted files without entering the password (usually referred to as an encryption key).

The installation of FDE creates a recovery key which is required if an error occurs and the data on the disk needs to be recovered. This key will be stored on a secured server and can be retrieved if it is needed.

All IT Sevices' managed computers are deployed with BitLocker (Windows) or FileVault (MacOS).

Who can use it

Faculty and Staff with McGill-owned PCs.

How to request access to the service

The majority of managed computers provided by IT Services are encrypted by default.

Note: at this time, MacOS computers, shared amongst users, cannot be encrypted with FileVault. We hope to offer this option in the near future.

Users may request to have BitLocker (Windows) or FileVault (MacOS) enabled on their McGill-managed computers by contacting the IT Service Desk, or local technical support staff.

Cost

There is no associated cost for this service.

Availability

This service is available 24 X 7.

Frequently asked questions

I am a contractor using my own computer. Will I get Full Disk Encryption (FDE)?

No. Full Disk Encryption (FDE) will only be installed on McGill-managed computers. If a computer is owned by a contractor or part-time faculty member, it will not be encrypted as part of this service.

Do I need to do anything when FDE is deployed?

If you have a Windows computer, the change will be deployed in the background without disrupting your work. No reboot is required.

Note: For laptops, if the installation occurs while the computer is in use, a prompt to connect to an external power source may appear. If the computer is powered off during deployment, this prompt may appear once it is restarted.

If you have a MacOS computer, you will need to do the following: 

  1. Sign out, then sign back in.  
  2. The following message will appear onscreen: “Your administrator requires that you enable FileVault”; click Enable Now to finish the deployment. 

Will encryption slow down my computer? 

FDE for Windows is made up of 2 key components, BitLocker and the Azure portal. BitLocker, the encrypting engine, is part of the Windows operating system. As such, it should not affect the performance or functionality of your computer.  

How does FDE work on a Windows computer? 

BitLocker recovery keys are stored, managed, and retrieved using the integrated functionality of the Windows operating system. The installation and configuration of FDE will create a recovery key (a 48-digit numeric code) used to decrypt your data. One example of when this key would be required is for restarting in “Safe Mode”.  

What if I am off campus?

When you connect to McGill’s Virtual Private Network (VPN), our centralized management servers should communicate with your computer to begin the encryption process. If that doesn’t happen, the encryption process should begin the next time your computer connects to the McGill network.

Are USB keys affected?

USB keys will not be encrypted as part of this deployment. However, it is strongly recommended that you delete any confidential data stored on a USB drive and transfer it to SharePoint, OneDrive or a network shared drive.

What if I’ve already encrypted using Bitlocker?

No action is required on your part; the recovery key will be pushed to the central server.

How do I recover my encrypted files if I get "locked out" of my computer?

You can recover your encryption key by using a second computer or device. See How to recover an encryption key for a computer with full disk encryption.

Best practices & policies

See best practices from the Government of Canada's Canadian Centre for Cyber Security: Using Encryption to Keep Your Sensitive Data Secure.

Training & documentation

See How to recover an encryption key for a computer with full disk encryption.

You can set up disk encryption on your personal devices as well:

Note: The IT Service Desk is unable to assist with issues related to disk encryption on personal computers.

Support

If you need assistance to recover your encryption key, contact the IT Service Desk.