On January 5, 2012, the UofA announced new information security policies for the campus in order to comply with Alberta Government requirements that all organizations adopt standard information security controls. As noted on the UofA’s Colloquy Blog, staff are legally required to secure sensitive information. (Yes, I have “sensitive information:” spreadsheets with students’ ID numbers and marks. Potentially, emails are also sensitive information.)
Importantly, this policy is not limited to University-owned laptops (from the memo sent out by the Vice-Provost, Information Technology):
Personally owned and other external laptops storing University personal and/or sensitive information must also undergo disk encryption according to the standard.
That’s right--by UofA policy, I must not only secure, but encrypt my own laptop. This fact has
royally pissed off a lot of faculty.
The “disk encryption standard,” according to the
Laptop Security and Encryption Standard and Guidelines on the VPIT’s website says:
a) Laptops and other mobile computing devices must run a current, fully patched, and modern operating system at all times.
b) Users must store documents on laptops in a single specific area only (such as a home folder or directory).
c) The contents of the disk storage area specified in b) must be securely encrypted.
d) Laptops and other mobile computing devices must be configured to ask for a password after any period of inactivity, including after resuming from suspend/standby/sleep/hibernate status and on operating system start-up.
Let’s see, a) check, b) check, c) um, no, d) check. Sigh, I guess I have to encrypt my laptop.
The
University Encryption Standards and Instructions on the VPIT’s website states:
The University advises that BitLocker must be configured to use the “TPM + PIN” authentication method.
Unfortunately, BitLocker is only available in Windows 7 Enterprise and Ultimate--and I’m only running Professional. Because it’s a personal laptop, I can’t buy Win7 Enterprise, so I had to upgrade to Ultimate. Naturally, the Bookstore was out of copies of the Win7 Ultimate upgrade disks when the policy came out. Once again, the left hand doesn’t know what the right hand is doing. Eventually, they got copies in, so I was good to go.
Encrypting my 500 GB drive took a while; I let the process run while I marked exams. It finally finished, so I rebooted and...error messages everywhere, apps crashing, WTF? My system runs the OS off an SSD and all my data is on a separate, larger hard drive. BitLocker was supposed to pop up a password request during the boot process, but it didn’t because my system--a high-end Dell XPS, only about a year old--doesn’t have a TPM chip. For that, you have to buy Dell’s business-oriented (and very expensive) Latitude line.
It was possible to “unlock” my data drive, but only after bootup was complete, which is too late to get all my apps running properly--they already started up and crashed. Nothing in Microsoft’s documentation makes this clear. Grr!!
I removed BitLocker’s encryption. Unfortunately, there is no easy way to downgrade to Win7Pro, so I’m stuck with Win7Ultimate. I wasted hours of time and a hundred bucks and still don’t have anything encrypted. I'm still going to encrypt my computer, but with some other
disk encryption software. Thanks for nothing, Microsoft. Nice job, UofA policy.
Why aren’t you studying?