
Encryption FAQs

Encryption basics are covered on the main Using Encryption page.

How do different types of encryption work?
Individual encryption programs can vary greatly; however, we've provided a general description of how most programs work. Please be sure you've read all help files for any specific program or device. If encryption is used improperly, you risk permanently damaging important files!
  • Individual file and folder encryption - this encrypts only the data or locations that you specify, whether on a computer or removable media such as a USB key, CD, external hard drive, SD card, etc.
    • Most programs providing this type of encryption allow you to select a password specific to the individual file. This allows you to give a password that you don't already use to encrypt other files (or use to login to your computer) to an intended receiver.
    • Some programs require that when you save the file, you specify that it should be encrypted and select a password. The encryption program will include the ability to decrypt with the proper password so that the receiver does not have to have your same encryption software installed on their computer.
    • IMPORTANT: for security, CUMC email will block individually encrypted or password protected attachments. Secure Email (#encrypt at the beginning of the subject line) must be used instead.
  • Full disk encryption - installed on a computer, external hard drive, or USB key, full disk encryption automatically encrypts all data stored on the drive or "disk".
    • On computers the authorization to access encrypted data is often tied to the user/computer login; an additional password won't have to be typed in.
    • On an external hard drive or USB key the encryption software will typically prompt for the authorized password when it is "mounted", or connected to a computer - though it may not appear until you attempt to open a file that is stored on it.
    • IMPORTANT - In general, files are NOT encrypted when opened, sent through email, or moved to an unencrypted location off of the computer. This is due to decryption having already occurred when authorization was provided (successful computer login).
  • Pre-boot authentication - pre-boot authentication (PBA) provides a higher level of security than full disk encryption, which does not encrypt a computer's operating system files. See Encryption Requirements for information on equipment that must support PBA.

Can I use a BIOS password for pre-boot authentication?
No. Because a BIOS password does not authenticate encryption (or even offer encryption), it does not meet CUMC Encryption Requirements even when used in conjunction with full disk encryption.

Will encryption protect my computer or data from viruses and hacker attacks?
Encryption does not provide the same methods of protection as antivirus and antispyware programs, or software and operating system updates; you must be sure that your computer is still receiving appropriate updates and scanning for viruses, etc.

Remember that encryption serves to add an additional layer of security in the event that data is released, whether accidentally or maliciously and purposely. It employs strong encryption algorithms, or methods of scrambling data, so that the data is not made readable again until the correct credentials are supplied. If someone is able to obtain your credentials for the program, they will be able to decrypt the data, which is why it is important to use a strong password that is not shared with others.

How do I know if my smartphone or tablet is encrypted?
Any smartphone or tablet configured for CUMC Email is automatically required to use a passcode and encryption. If your device isn't, please see specific instructions on the Smartphone and Tablet Encryption and Security page to set up a password and encryption. Most devices released in the past year are encrypted if a password is used after start up and a short period of inactivity; however, it is your responsibility to make sure that the device meets CUMC requirements.

What happens if I forget my encryption password?
Almost all encryption programs will make encrypted data irretrievable if the password or other credentials are lost; after all, the point of encryption is to prevent unauthorized people from being able to read or understand the data. There may be a backup or safety net method that can be used to retrieve encrypted data; however, it will vary based on the specific program being used. Please refer to the documentation or help files provided with the encryption program.

When is Secure Email (#encrypt) required?
Whenever you are sending EPHI to a recipient that is not on an Approved OHCA Email System (Section III D of the full policy text), you must use Secure Email. Note that due to the move of email account space to LionMail, these accounts are not an Approved OHCA Email System. To ensure that EPHI is protected, Secure Email must be used when sending to an address, as well as other external institutions and companies including Gmail, Yahoo, etc.

Secure Email should not be used within Approved OHCA Email Systems, which include email addresses ending in,, and

Why won't my Kingston encrypted USB key open on my Mac, or why am I seeing an "Unable to start the DTLocker..." error when I try to open it?
Some Kingston hardware-encrypted USB keys won't automatically open on Macintosh. Kingston has a download that can be run to allow the key to work. Please contact their technical support with information on your USB key model so they can provide you with the correct download and instructions:


Last updated 7/19/2018