it.ucsf.edu

Removable Storage Encryption

Marc Lowe's picture

Dell Data Protection Encryption - External Media Shield (EMS)

UCSF's current standard encryption program, Dell Data Protection Encryption (DDPE), has the capability to encrypt data on removable storage devices through a feature called External Media Shield (EMS).

When you enable EMS on a removable storage device like a USB hard drive or flash drive, DDPE encrypts files that are copied from a UCSF computer to the drive. You can read and write encrypted data on the drive from any computer, even if it does not have DDPE installed. DDPE EMS is file-based encryption and is compatible with both Windows and Mac OS X, so you can read and write encrypted data from both platforms on the same external drive. EMS allows you to use common, inexpensive removable drives to securely store UCSF data.

UCSF IT Security & Policy will be rolling out EMS to UCSF Medical Center users, UCSF Campus users, BYOD Mac users, and finally BYOD PC users.

 

You will receive an email from IT Service Desk (ITServiceDesk@ucsf.edu) when EMS is enabled for your UCSF user account.

 

Remember: always have a backup of your data before encrypting or decrypting it. ITS-managed computers can use CrashPlan to back up their files.

 

 

Using DDPE Removable Storage Encryption

DDPE Removable Storage Encryption is currently enabled for Medical Center accounts. It will be enabled on Campus & SOM user accounts in a staged rollout.

 

Go Live Date      # of Accounts Added
May 2, 2017       250 Campus & SOM user accounts
May 9, 2017       500 Campus & SOM user accounts
May 16, 2017      1500 Campus & SOM user accounts
May 23, 2017      3000 Campus & SOM user accounts
May 31, 2017      4000 Campus & SOM user accounts
June 6, 2017      4000 Campus & SOM user accounts
June 13, 2017     4000 Campus & SOM user accounts
June 20, 2017     ~4000 Campus & SOM user accounts

 

 

To turn on EMS on a removable drive:

 

  1. You will receive an email when EMS is activated for your UCSF user account.
  2. Log in as yourself to a Mac encrypted with DDPE or a UCSF PC encrypted with DDPE.
  3. Plug in your removable storage device.
  4. DDPE will prompt you to enable encryption on the drive.
  5. Create a password for the drive.
     Passwords should meet the same complexity rules as the UCSF Password Standard: 7+ characters, with an upper-case letter, a lower-case letter, and a number or symbol.

EMS does not encrypt data that is already stored on a removable drive. You will need to move files off the drive and then back on to encrypt them.

 

 

To access data on a drive with EMS:

 

To access data on a drive with EMS, you need either of the following:

  • A Mac encrypted with DDPE or a UCSF PC encrypted with DDPE

    or
  • The password you created when you activated EMS on the drive

If you are logged in to a UCSF PC or Mac with DDPE, DDPE will automatically unlock the drive based on your login. If you are sharing a drive with another person, they will need your drive password to access encrypted data on your EMS-encrypted drive.

 

If you are on a computer that is offline, does not have DDPE, or is logged in as somebody else, you will need to provide the drive password to access encrypted files.

DDPE includes a copy of EMS Explorer on each EMS-encrypted drive, which you can use to read and write encrypted data. You can access this by launching the "AccessEncryptedFiles" program on the drive.

 

 

EMS Explorer gives you read+write access to encrypted data through the application, which works as a standalone file browser. You will need to access encrypted files through EMS Explorer, rather than through your computer's normal file browser (Windows Explorer / Mac OS X Finder).

 

The EMS Service is recommended for non-UCSF computers that you frequently use, although computers frequently used for UCSF work should be encrypted. It installs and runs in the background, and transparently provides read+write access to encrypted data if the correct password is entered. It requires administrator rights and a reboot to install before use.

 

Both are available for Mac and Windows, and the programs are automatically copied onto a drive when EMS is activated on it.

 

Resetting an EMS password

If you forget your EMS password:

 

  1. Log in to a UCSF PC that has DDPE
  2. Open the DDPE application
  3. Click on "Removable Storage"
  4. Click on "Change Password"

 

 

If you forget your EMS password and do not have access to a UCSF PC with DDPE:

 

  1. Click the "I Forgot" button on the EMS password prompt
  2. Call the IT Service Desk at 415-514-4100
  3. Provide the IT Service Desk with the:

    Shield ID
    Device Code
    (Recovery Key ID is not necessary)


    To avoid confusion, letters are colored blue and numbers are colored red.
  4. The IT Service Desk will generate a corresponding Access Code, which will allow you to create a new password for your EMS-encrypted drive.

 

 

Removable Storage Encryption Policies

 

If you are using a UCSF PC and have a Medical Center (UCSFMC) user account

You will be prompted to enable encryption or have read-only access to any removable storage device you plug in to a UCSF PC. You will not be able to copy data from a UCSF PC to a non-encrypted removable drive.

 

If you are using a UCSF PC and have a Campus or SOM user account

You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to a UCSF PC. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive. Some Campus departments may require you to enable encryption on removable drives; please ask your manager or your department's IT liaison for more information.

 

If you are using a UCSF Mac with DDPE, or a personally-owned Mac with DDPE

You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to your Mac. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive.

 

If you are using a personally-owned PC with DDPE

You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to your PC. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive.

 

 

Frequently Asked Questions

See https://it.ucsf.edu/pages/ddpe-ems-frequenty-asked-questions-faq