Encryption basics are covered on the main Using Encryption page.
How do different types of encryption work?
Individual encryption programs can vary greatly; what follows is a general description of how most programs work. Please be sure you've read all help files for any specific program or device. If encryption is used improperly, you risk permanently damaging important files!
- Individual file and folder encryption - this encrypts only the data or locations that you specify, whether on a computer or removable media such as a USB key, CD, external hard drive, SD card, etc.
  - Most programs providing this type of encryption allow you to select a password specific to the individual file. This lets you give the intended receiver a password that you don't already use to encrypt other files (or to log in to your computer).
  - Some programs require that when you save the file, you specify that it should be encrypted and select a password. The encryption program will include the ability to decrypt with the proper password, so that the receiver does not need to have your same encryption software installed on their computer.
  - IMPORTANT: for security, CUMC email will block individually encrypted or password protected attachments. Secure Email (#encrypt at the beginning of the subject line) must be used instead.
- Full disk encryption - installed on a computer, external hard drive, or USB key, full disk encryption automatically encrypts all data stored on the drive or "disk".
  - On computers, authorization to access encrypted data is often tied to the user/computer login; an additional password won't have to be typed in.
  - On an external hard drive or USB key, the encryption software will typically prompt for the authorized password when it is "mounted", or connected to a computer, though the prompt may not appear until you attempt to open a file that is stored on it.
  - IMPORTANT - In general, files are NOT encrypted when opened, sent through email, or moved to an unencrypted location off of the computer. This is because decryption has already occurred once authorization was provided (successful computer login).
- Pre-boot authentication - pre-boot authentication (PBA) provides a higher level of security than full disk encryption, which does not encrypt a computer's operating system files. See Encryption Requirements for information on equipment that must support PBA.
Can I use a BIOS password for pre-boot authentication?
No. Since a BIOS password does not authenticate encryption (or even offer encryption), it does not meet CUMC Encryption Requirements even when used in conjunction with full disk encryption.
Will encryption protect my computer or data from viruses and hacker attacks?
Encryption does not provide the same methods of protection as antivirus and antispyware programs, or software and operating system updates; you must be sure that your computer is still receiving appropriate updates and scanning for viruses, etc.
Remember that encryption serves to add an additional layer of security in the event that data is released, whether accidentally or maliciously and on purpose. It employs strong encryption algorithms, or methods of scrambling data, so that the data is not made readable again until the correct credentials are supplied. If someone is able to obtain your credentials for the program, they will be able to decrypt the data, which is why it is important to use a strong password that is not shared with others.
How do I know if my smartphone or tablet is encrypted?
Any smartphone or tablet configured for CUMC Email is automatically required to use a passcode and encryption. If your device isn't, please see the specific instructions on the Smartphone and Tablet Encryption and Security page to set up a password and encryption. Most devices released in the past year are encrypted if a password is required after start up and after a short period of inactivity; however, it is your responsibility to make sure that the device meets CUMC requirements.
What happens if I forget my encryption password?
Almost all encryption programs will make encrypted data irretrievable if the password or other credentials are lost; after all, the point of encryption is to prevent unauthorized people from being able to read or understand the data. There may be a backup or safety net method that can be used to retrieve encrypted data, but it will vary based on the specific program being used. Please refer to the documentation or help files provided with the encryption program.
When is Secure Email (#encrypt) required?
Whenever you are sending EPHI to a recipient that is not on an Approved OHCA Email System (Section III D of the full policy text), you must use Secure Email. Note that due to the move of @columbia.edu email account space to LionMail, these accounts are not an Approved OHCA Email System. To ensure that EPHI is protected, Secure Email must be used when sending to an @columbia.edu address, as well as other external institutions and companies including Gmail, Yahoo, etc.
Secure Email should not be used within Approved OHCA Email Systems, which include email addresses ending in @cumc.columbia.edu, @nyp.org, and @med.cornell.edu.
Why won't my Kingston encrypted USB key open on my Mac?
Some Kingston hardware-encrypted USB keys won't automatically work with Macs running OS 10.10, also called Yosemite. Kingston has a download that can be run to allow the key to work with Yosemite. Please contact their technical support with information on your USB key model so they can provide you with the correct download and instructions: http://www.kingston.com/us/company/contacts#tech
Note that you may need to run the download on a Windows computer before being able to use the drive on your Mac.
Symantec Endpoint Encryption (SEE) and GuardianEdge (GE) FAQs
How can I tell if my computer has SEE or GE installed?
IMPORTANT: Symantec Endpoint Encryption (SEE) is no longer available for download and should no longer be installed. Please contact your Certified IT Group to have SEE removed and BitLocker set up instead.
Information below is provided as a courtesy for computers still using SEE and will be removed in the near future.
Either program will appear in your computer's All Programs list:
- Click the Start icon in the lower left corner of your computer screen and select All Programs.
- Look for a folder called Symantec Endpoint Encryption Client or GuardianEdge. If either is installed, it will appear alphabetically in the list. You may need to use the scroll bar to the right of the program list to find it. IMPORTANT: Symantec Endpoint Protection (SEP) is not the same as Symantec Endpoint Encryption. SEP is an antivirus program used by many Columbia faculty, staff and students, but it does not provide encryption.
How can I verify that pre-boot authentication is running on a computer with SEE or GE installed?
One of the login prompts pictured below will appear when the computer first starts up, before Windows loads.
Why am I prompted to log in to both Symantec Endpoint Encryption and Windows after changing my MC password?
The passwords for your MC domain account and SEE with pre-boot authentication do not synchronize automatically. Please see the Synchronize Your SEE and MC Account Passwords page for details and instructions to manually synchronize the passwords.