it.ucsf.edu

How to Encrypt Your Computer

Marc Lowe's picture

Introduction

These instructions are for encrypting devices used for UCSF work that are not supported by ITFS.

If you are an ITFS customer and need help with encryption, please contact the IT Service Desk at 415-514-4100.

Encrypting a computer can sometimes cause serious problems, so please follow these instructions precisely, including all steps, and in the correct order. You must also backup your machine before proceeding.

This process will also register your computer with BigFix, which is a security requirement for all devices used for UCSF business.

At any point, if you aren't comfortable proceeding, call the UCSF IT Service Desk (415-514-4100) for help.

If you would like hands-on help with encryption, please stop by and visit any of our UCSF IT Health Desk.

Parnassus:   Mondays - Fridays, 9am - 4pm
500 Parnassus Ave.
Millberry Union – 1st floor
**Note - the Moffitt Café Dining Area – 2nd Floor Health Desk has been relocated to the Health Desk at Millberry Union.

Laurel Heights Campus:  Tuesdays - Thursdays, 9am - 3pm
3333 California St.
The View Café – 2nd Floor

Mission Bay Campus:  Mondays - Fridays, 8am - 4:30pm
550 16th St.
Mission Hall Lobby

Mount Zion: Tuesdays-Thursdays, 9am-3pm
1600 Divisadero St.
Cafeteria

Zuckerberg San Francisco General: Opening soon!

A tech will walk you through the instructions step-by-step. You must backup your machine before encryption can be done.

If you would like to request an Encryption Exception: Encryption Exception.

Additional security software

UCSF provides additional software to keep your computer and the UCSF network safe, free of charge:

Unencrypting

Should you later need to unencrypt or uninstall, call the UCSF IT Service Desk at 415-514-4100 for help. The Service Desk will assist you – even after you leave UCSF.

Instructions

Jump below to instructions for:

Mac

Is my computer encrypted already?

  1. Proceed carefully: Encrypting a computer that has already been encrypted will render your computer inoperable.
  2. Check your applications folder for programs called TrueCrypt, VeraCrypt, or CipherShed. If any of these are found and if you are using whole disk encryption, you'll need to decrypt, uninstall it, then continue below to install DDPE.
  3. Check your computer for the following encryption applications:

    Icon

    Program name

    Location

    PGP or Symantec Encryption Desktop

    Applications folder

    DDPE or Dell Data Protection

    System Preferences

    or

    PointSec or Check Point

    Applications folder

    If any of these are present, your computer is probably already encrypted. You will still need to install BigFix if it is not already installed.

    If you have already enabled Apple FileVault2, you still need to install DDPE. Continue below to install DDPE.

Do I already have BigFix installed?

On a Mac, look in the upper-right of the menu bar near the clock for: a blue circle with a white letter "b" or a purple circle with a green arrow.

If you do not see the BigFix icon, download the installer for your computer here:

BigFix Installation for Windows and Mac OS

This is UCSF’s computer management program. It helps ensure that the network remains secure and allows UCSF to confirm the encryption status of lost or stolen devices.

What you need

Minimum requirements:

  • Mac OS X 10.10.5 or 10.11.6 or 10.12.x
  • 4GB RAM
  • 20% free Hard Drive space
  • Your MyAccess credentials (For help visit MyAccess FAQs.)
  • ~30 - 60 minutes of installation followed by 1-8 hours unattended while the computer encrypts
  • A way to backup your data (e.g., external hard drive or online backup service)
  • For laptops, the power adapter and access to power for ~ 4 hours
  • An internet connection

Before encrypting

  1. If your computer is more than four years old, call the UCSF IT Service Desk and a support engineer will help you determine if you should proceed.
  2. At UCSF, DDPE is not supported with a Boot Camp configuration. Call the UCSF IT Service Desk for next steps in the transition to VMWare Fusion.
  3. You must back up your data and application installers!
    Encrypting a computer can sometimes cause serious problems, including drive failure. The UCSF community is eligible to use CrashPlan, an online backup service, at a significant discount. We also recommend Apple Time Machine or Time Capsule.
  4. Install any pending Apple software updates.
    1. Click on the Apple menu in the top left corner.
    2. Select “App store…”
    3. Click on “Updates”
    4. The first section should be labeled “Software Updates” Click the “Update All” button if it appears.
    5. Your computer may ask for a reboot.
    6. Click on the Apple menu in the top left corner.
    7. Select “About this Mac” to determine your OS X version.
    8. If you have OS X 10.6.8 – 10.9.5
      Click on the Apple menu in the top left corner.
      Select “App store…”
      Click on “Updates”
      Click the “Free Upgrade” button to install OS X 10.12 "Sierra"
      Your computer will reboot
    9. If you have OS X 10.10.x – 10.12:
      You do not need to upgrade to OS X 10.11 "El Capitan" or OS X 10.12 "Sierra"
      School of Dentistry and Pharmacy students may need to delay upgrading to OS X 10.12 "Sierra" due to incompatibilities with ExamSoft SofTest. Please check with your school's technology coordinator(s) before upgrading to OS X 10.12.
  5. Perform disk maintenance. This step identifies or resolves problems with your hard drive that might cause encryption problems.
    1. From the top menu select “Go” and click on “Utilities”
    2. Launch “Disk Utility”
    3. In Disk Utility, in the left pane, select the top-most icon.
    4. Click “Verify disk” on the right side
    5. This process might take between 30 minutes – 2 hours.

If there are no problems, you will see a message like this:

  • The volume Macintosh HD appears to be okay.

If Disk Utility finds any problems with your disk, you may see a message like these:

  • Error: This disk needs to be repaired...
  • The volume Macintosh HD could not be repaired.
  • Error: Disk Utility can't repair this disk...

If needed, call the UCSF IT Service Desk at 415-514-4100 for help.

If no problems were reported, you are ready to encrypt.

Encrypting

If during encryption your computer loses power or is jostled, it could render your computer inoperable. Take steps to eliminate these risks before you begin.

  1. Adjust your computer’s power settings so that the computer never sleeps.

    1. Click Apple menu (in top left corner)
    2. Click System Preferences
    3. Click “Energy Saver” (Or press Command + Spacebar, type “energy saver” and press enter)
    4. Click “Power adapter” button at top if present
    5. Slide “computer sleep” to “Never”
    6. Uncheck “Put hard disks to sleep when possible”
  2. Log in to software.ucsf.edu using your MyAccess credentials.
  3. Click DDPE (Dell Data Protection Encryption). DDPE encrypts your data so that if your computer is lost or stolen unauthorized persons cannot retrieve it.

  4. Download and open the installer for Mac OS X.

  5. Follow the instructions that appear to progress through the installer, then log in to MyAccess. (For help logging in, visit MyAccess FAQs.) After you successfully log in to MyAccess, a computer registration page will appear.

  6. Registration – At the UCSF Computer Registration page, answer the question about who owns the computer, then select Submit.

    A thank you page will appear.You can close the browser window now.

  7. Follow the instructions to restart your computer and then log in to your computer.

Activate DDPE

  1. A dialog called Dell Data Protection Activation should appear. If it does not appear, ensure that you are connected to the internet.

    In this dialog, fill in:

    Name



     

    use your UCSF email username
    • not your email address or full name
    • typically first initial + last name
    • Students: use your SF###### number

    Password

    use your UCSF email password

    Log on to


     

    • SOM = School of Medicine
    • UCSFMC = Medical Center
    • CAMPUS = students and all others
  2. Installation will continue, and a Shield dialog box will appear.

    Click “Restart” to restart your computer.
  3. After the computer restarts, a dialog box requesting your account password should appear:

    Enter the password you use to log in to your computer.

    Follow the instructions to restart your computer again
     
  4. The encryption process will begin and usually takes between ~2-4 hours to complete. While it encrypts you may use your computer, put it to sleep, or turn it off.
     

If you had enabled Apple FileVault2 before installing DDPE, a dialog box called Dell Data Protection should appear:

If it appears, enter the following:

Key or credentials?

select Bootable Account Credentials

Username

use the login ID for your computer

Password

use the password for your computer

Your computer is already encrypted and DDPE will periodically confirm its encryption status with UCSF.

Confirming

To confirm your Mac has DDPE installed and is currently in the process of encrypting:

  1. Click on the Apple menu in the top left corner.
  2. Select “System Preference”
  3. Click the “Dell Data Protection” icon on the bottom row
  4. While your Mac is encrypting, it will look like this:

     
  5. Once your Mac is finished encrypting is completed you will see a complete green bar:


    If you don’t see the Dell Data Protection icon in System Preferences, or if disk status says something like “Repair needed” or “Unable to encrypt”, call the IT Service Desk for help.
    DDPE will save a copy of your FileVault2 recovery key on a UCSF server. The recovery key will not be displayed to you and is not saved on your Mac. If you ever need your Mac's FileVault2 recovery key, you can contact the IT Service desk 24/7 to obtain it.

Windows

Windows 10 Version 1803 "April 2018 Update"

DDPE works with Windows 10 Version 1803 (all editions). For more information, please visit https://www.dell.com/support/article/us/en/19/sln307922/dell-data-security---dell-data-protection-windows-10-feature-update-compatibility?lang=en

It is discovered that there is an issue between Microsoft Windows 10 Version 1803 (all editions) and DDPE where encryption will not activate unless an automatic sign-in option is turned off. Below are instructions on how to do so:

  1. Go to Settings > Accounts > Sign-in options
  2. Scroll down and find the feature under ‘Privacy’ that is labeled “Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart”
  3. Click on the switch to turn that feature off. It should look like this:
  4. Restart your computer and log back in. DDPE should complete encryption activation automatically within a few minutes while connected to the Internet.

Installing Windows 10 Updates

Some Windows 10 "feature updates" or "version updates" cannot be installed while DDPE is installed - Windows Update will stop the update process and tell the user to uninstall DDPE or contact Dell for more information

This applies to "feature updates" or "version updates" only. Regular Windows 10 Security Updates and Quality Updates can always be installed.."Feature updates" only contain new features, and do not contain any security fixes.

  • Quality updates are the "required" updates that protect your computer against security threats. You should always be able to install quality updates, UCSF provided programs like Dell Data Protection Encryption (DDPE) and Symantec Endpoint Protection (SEP) will not prevent the installation of quality updates.
  • Feature updates are optional and do not impact your computer’s vulnerability to security risks like viruses or ransomware. They only add new features, like digital pen support or the ability to watch 360° video. Since feature updates contain major upgrades to core parts of Windows, some software is not immediately compatible with new feature updates. UCSF provided security software such as Dell Data Protection Encryption (DDPE) and Symantec Endpoint Protection (SEP) may prevent the installation of feature updates.

You may be unable to install Windows 10 Feature Updates until a newer version of a UCSF provided program is available, but this does not put your computer at any greater risk to security threats like viruses or ransomware. We recommend checking https://software.ucsf.edu to download the latest version of UCSF security software programs as necessary.

Is my computer encrypted already?

  1. Proceed carefully: Encrypting a computer that has already been encrypted will render your computer inoperable.
  2. Check your Start menu for programs called TrueCrypt, VeraCrypt, or CipherShed. If any of these are found and if you are using whole disk encryption, you'll need to decrypt, uninstall it, then continue below to install DDPE.
  3. Check your computer for the following encryption applications.

    Icon

    Program name

    Location

    Windows BitLocker

    Control Panel – All items

    DDPE

    System tray (lower right corner)

    PGP or Symantec Encryption Desktop

    Start menu

    PointSec or Check Point

    Start menu

    If any of these are present, your computer is probably already encrypted. You will still need to install BigFix if it is not already installed.

Do I already have BigFix installed?

On Windows computers check the system tray (aka "task bar") and verify that you see the icon with purple circle and a green arrow.

 

If you do not see the BigFix icon, download the installer for your computer here:

BigFix Installation for Windows and Mac OS

This is UCSF’s computer management program. It helps ensure that the UCSF network remains secure and allows UCSF to confirm the encryption status of lost or stolen devices.

What you need

Minimum Hardware and Software Requirements:

  • Windows 7, 8.1, or 10.
  • Intel Core i3, i5, or i7 processor; or AMD Ryzen, A series, FX, Opteron, or Phenom II processor
  • 4GB RAM (For Windows 10, we recommend 8GB RAM)
  • 20% free Hard Drive space
  • Your MyAccess credentials (For help visit MyAccess FAQs.)
  • ~ 30 - 60 minutes of installation followed by 1-8 hours unattended while the computer encrypts
  • A way to backup your data (e.g., external hard drive or online backup service)
  • For laptops, the power adapter and access to power for ~4 hours
  • An Internet connection

Before encrypting

  1. If your computer is more than four years old, call the Service Desk and a support engineer will help you determine if you should proceed.
  2. You must back up your data and application installers!
    Encrypting a computer can sometimes cause serious problems, including drive failure. The UCSF community is eligible to use CrashPlan, an online backup service, at a significant discount. Windows 7 users: see Backup and Restore. Windows 8 users: see Set up a drive for File History. Windows 10 users: see Back up and restore your files
  3. Install any pending software updates.
    1. Press the Windows key
    2. Start typing “Windows Update”
    3. Select “Windows Update” from the search results
    4. Click “Check for Updates” or “View details”
    5. Install any available “Important” or “Optional” or “Recommended” updates
    6. Your computer may ask for a reboot.
  4. Confirm that your internet connection is working. If you are on campus, please connect to UCSFwpa; see the Tutorials section at UCSFwpa - Secure Wireless.
  5. Perform disk maintenance. This step identifies or resolves problems with your hard drive that might cause encryption problems.
    1. Click on the start menu
    2. Open “Computer”
    3. Right click on “Local Disk (C:)”
    4. Select “properties”
    5. Click the “Tools” tab
    6. In the “Error-checking” section, click “Check now”
    7. Make sure both checkboxes are unchecked and click Start
    8. When the disk check is done, the results will show up in a new dialog box like this one:

If there are no problems, you will see a message like this:

  • Windows has checked the file system and found no problems.
  • No problems were found on the device or disk. It is ready to use.
  • Windows has made corrections to the file system.
  • No problems were found on the device or disk.

If the disk check finds problems with your disk, you may see a message like this:

  • Windows found problems with the file system.

If needed, call the UCSF IT Service Desk at 415-514-4100 for help.

If no problems were reported, you are ready to encrypt.

Encrypting

If during encryption your computer loses power or is jostled, it could render your computer inoperable. Take steps to eliminate these risks before you begin.

  1. Adjust your computer’s power settings so that the computer never sleeps.

    1. Click on the Start button
    2. Start typing “sleep”
    3. Click on “Change when the computer sleeps” or just press enter, it should be the first result
    4. Change the “Put computer to sleep” setting under “Plugged in” to “never”
  2. Log in to software.ucsf.edu using your MyAccess credentials. (For help logging in, visit MyAccess FAQs.)
  3. Click DDPE (Dell Data Protection Encryption). DDPE encrypts your data so that if your computer is lost or stolen unauthorized persons cannot retrieve it.

  4. Download and open the installer for Windows.

  5. Right click on the downloaded file and select “Run as administrator”.

  6. Follow the instructions that appear to progress through the installer, then log in to MyAccess. (For help logging in, visit MyAccess FAQs.) After you successfully log in to MyAccess, a computer registration page will appear.

  7. Registration – At the UCSF Computer Registration page, answer the question about who owns the computer, then select Submit.

    A thank you page will appear. You can close the browser window now.

  8. Follow the instructions to restart your computer and then log in to your computer.

If you have Windows 8, 8.1, or 10: 

You will need to temporarily disconnect your computer login account from the Microsoft Live service

  1. Hit the Start button to bring up the Start menu
  2. Start typing “your account”
  3. Select “Your account settings”
  4. Click “Disconnect” under your account name if it appears. If it does not show up, skip to “Confirming
  5. Windows will ask for your current password and then ask you to set a new password- you can reuse your current password.
  6. Reboot the computer.
  7. After reboot DDPE should begin an encryption sweep. (see “Confirming” below for more details)

Once DDPE begins an encryption sweep or shows “In compliance”, you can reconnect your account to your Microsoft account

  1. Hit the Start button to bring up the Start menu
  2. Start typing “your account”
  3. Select “Your account settings”
  4. Click “Connect to a Microsoft Account”
    • Enter the computer password
    • Enter your Microsoft Account login and password
    • Reboot the computer if prompted

The encryption process will begin and usually takes ~2-4 hours to complete. While it encrypts you may use your computer, put it to sleep, or turn it off.

​Confirming

To confirm your computer is fully encrypted:

  1. Double-click the Dell Data Protection Encryption icon bottom right of your taskbar

     
  2. “OSDisk” should show following text: “In Compliance”. The dot over “System Storage drive” should be green as well.