Removable Storage Encryption
Dell Data Protection Encryption - External Media Shield (EMS)
UCSF's current standard encryption program, Dell Data Protection Encryption (DDPE), has the capability to encrypt data on removable storage devices through a feature called External Media Shield (EMS).
When you enable EMS on a removable storage device like a USB hard drive or flash drive, DDPE encrypts files that are copied from a UCSF computer to the drive. You can read and write encrypted data on the drive from any computer, even if it does not have DDPE installed. DDPE EMS is file-based encryption and is compatible with both Windows and Mac OS X, so you can read and write encrypted data from both platforms on the same external drive. EMS allows you to use common, inexpensive removable drives to securely store UCSF data.
UCSF IT Security & Policy will be rolling out EMS to UCSF Medical Center users, UCSF Campus users, BYOD Mac users, and finally BYOD PC users.
You will receive an email from IT Service Desk (ITServiceDesk@ucsf.edu) when EMS is enabled for your UCSF user account.
Remember: always have a backup of your data before encrypting or decrypting it. ITS-managed computers can use CrashPlan to back up their files.
Using DDPE Removable Storage Encryption
DDPE Removable Storage Encryption is currently being enabled on Medical Center user accounts in a staged rollout.
| Go Live Date | # of Accounts Added |
|---|---|
| 11/21/2016 | 250 MedCenter user accounts |
| 11/28/2016 | 500 MedCenter user accounts |
| 12/05/2016 | 1500 MedCenter user accounts |
| 12/12/2016 | 3000 MedCenter user accounts |
| 12/19/2016 | 4000 MedCenter user accounts |
| 01/09/2017 | 4000 MedCenter user accounts |
| 01/16/2017 | 4000 MedCenter user accounts |
| 01/23/2017 | ~4000 MedCenter user accounts |
Campus and SOM users will have Removable Storage Encryption made available to them beginning in Spring 2017.
If you are interested in joining the pilot group, please fill out the form at: http://tiny.ucsf.edu/emspilotsignup
To turn on EMS on a removable drive:
- You will receive an email when EMS is activated for your UCSF user account
- Log in as yourself to a Mac encrypted with DDPE or a UCSF PC encrypted with DDPE.
- Plug in your removable storage device.
- DDPE will prompt you to enable encryption on the drive.
- Create a password for the drive.
Passwords should meet the same complexity rules as the UCSF Password Standard: 7+ characters, with an Upper Case, lower case, and number or symbol.
EMS does not encrypt data that is already stored on a removable drive. You will need to move files off the drive and then back on to encrypt them.
To access data on a drive with EMS:
To access data on a drive with EMS, you need either of the following:
- A Mac encrypted with DDPE or a UCSF PC encrypted with DDPE
- The password you created when you activated EMS on the drive
If you are logged in to a UCSF PC or Mac with DDPE, DDPE will automatically unlock the drive based on your login. If you are sharing a drive with another person, they will need your drive password to access encrypted data on your EMS-encrypted drive.
If you are on a computer that is offline, does not have DDPE, or is logged in as somebody else, you will need to provide the drive password to access encrypted files.
DDPE includes a copy of EMS Explorer on each EMS-encrypted drive, which you can use to read and write encrypted data. You can access this by launching the "AccessEncryptedFiles" program on the drive.
EMS Explorer will allow you read+write access to encrypted data through the application, which works as a standalone file browser. You will need to access encrypted files through EMS Explorer, rather than through your computer's normal file browser (Windows Explorer / Mac OS X Finder).
The EMS Service is recommended for non-UCSF computers that you frequently use, although computers frequently used for UCSF work should be encrypted. It will install and run in the background, and transparently provides read+write access to encrypted data if the correct password is entered. It requires administrator rights and a reboot to install before use.
Both are available for Mac and Windows, and the programs are automatically copied onto a drive when EMS is activated on it.
Resetting an EMS password
If you forget your EMS password:
- Log in to a UCSF PC that has DDPE
- Open the DDPE application
- Click on "Removable Storage"
- Click on "Change Password"
If you forget your EMS password and do not have access to a UCSF PC with DDPE:
- Click the "I Forgot" button on the EMS password prompt
- Call the IT Service Desk at 415-514-4100
- Provide the IT Service Desk with the:
(Recovery Key ID is not necessary)
To avoid confusion, letters are colored blue and numbers are colored red.
- The IT Service Desk will generate a corresponding Access Code, which will allow you to create a new password for your EMS-encrypted drive.
Removable Storage Encryption Policies
If you are using a UCSF PC and have a Medical Center (UCSFMC) user account
You will be prompted to enable encryption or have read-only access to any removable storage device you plug in to a UCSF PC. You will not be able to copy data from a UCSF PC to a non-encrypted removable drive.
If you are using a UCSF PC and have a Campus or SOM user account
You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to a UCSF PC. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive. Some Campus departments may require you to enable encryption on removable drives; please ask your manager or department's IT liaison for more information.
If you are using a UCSF Mac with DDPE, or a personally-owned Mac with DDPE
You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to your Mac. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive.
If you are using a personally-owned PC with DDPE
You will be prompted to enable encryption or proceed with read and write access to any removable storage device you plug in to your PC. If you do not enable encryption on a removable drive, you will be asked the next time you plug in the drive.
Frequently Asked Questions