Whole Disk Encryption for the University Project

PLEASE NOTE THAT THIS SITE REFERS TO AN OLD PROJECT. If you are looking for details on the current Whole Disk Encryption Service, please see the WDE Service web pages.

The project was established in 2011 with the aim of addressing the issue of securely protecting data in storage, specifically data on portable systems such as laptops.

Project Overview

New: In July 2012 an Information Security Policy was approved by Council, and this will be implemented across the University. For further information about this IS Policy, and resources such as the IS Toolkit to help you implement it in your unit, please see the Information Security pages from the InfoSec project in the IT Services department.

As a result of the findings of the ISBP project, pressure from outside the University, and noticeably growing demand within the University, this project proposes to set up a Whole Disk Encryption Service, housed at OUCS.

Whole Disk Encryption (WDE) is a popular tool for preventing unauthorized access to, or disclosure of, sensitive information. Much is often made in the press of breaches of "data security" that result from unencrypted laptops, USB devices, and other peripherals such as CDs being lost or stolen, and these concerns also apply to University-held data. The initial survey conducted around information security (which led to the ISBP project) highlighted this as a major concern. Although the ISBP is providing policies and best practice guidelines, it is clear that the University also needs a central service that facilitates WDE in a managed way.

A WDE implementation usually lets the user encrypt every bit of data on a storage device (e.g. a hard drive or USB stick). Encryption and decryption are made possible by cryptographic keys (usually the same key is used for both, which is known as symmetric encryption). The problem can then lie with accidental loss of the key or passphrase, which makes the information irretrievable. For this reason many people advocate a centralised key management service, so that a trusted source holds keys that can be used to retrieve data in the case of accidental loss.

The PGP Whole Disk Encryption service offers:

  • centralised management and policy enforcement, with a single web-based management console for clients
  • easy passphrase and machine recovery
  • FIPS 140-2 validated, CAPS-approved, DIPCOG-approved

For the purposes of the trial:

  • OUCS will be running PGP Universal Server allowing central management of keys, policies and software.
  • Volunteer departments have been identified, and training will be offered to the relevant IT support staff.
  • Those departments will be provided with several licences for PGP Desktop, which will run on Windows, Mac or Linux.
  • The volunteer departments will then identify users to trial the software and report back on any findings.

Contact

Email: pgp-trial@oucs.ox.ac.uk