Frequently asked questions

What is DDPE EMS?

• Dell Data Protection Encryption (DDPE) is UCSF's enterprise-wide desktop and laptop encryption application. External Media Shield (EMS) is DDPE's feature that enables saving encrypted files on removable storage devices such as flash drives or external hard drives.

When will DDPE and DDPE EMS become available for macOS Big Sur?

• DDPE is not available for macOS Big Sur as Dell discontinued further development of this software. Please click here for more information on encrypting and using your removable storage devices on macOS Big Sur at UCSF.

How do I encrypt files on my USB drive?

• First, you need to activate EMS on your drive. You can do this by plugging it in to a UCSF computer that has DDPE and clicking Yes on the encryption prompt. This links the drive with your UCSF login and requires you to set up a drive password.
• After you've activated EMS on a drive, files copied from a DDPE-enabled computer to the drive will be encrypted. Note: Files that are already on the drive you're using are not automatically encrypted. To encrypt them, copy the files off the drive and then back on.

How do I read encrypted files on a computer without DDPE?

• After you activate EMS on a drive, depending on your operating system, a Windows or Mac application named AccessEncryptedData is copied to the drive. The EMS Explorer application will allow you to read and save encrypted files on the drive, using the drive password you created when you activated EMS on the drive.

What if I forget my drive password?

• You can plug your drive into any UCSF PC that has DDPE and reset the password using the DDPE application.
• If you do not have access to a UCSF PC, call the IT Service Desk at 415-514-4100 and ask them to reset the password. You will need to verify your identity, similar to an email password reset.

How do I prevent a device from being encrypted by DDPE Removable Storage Encryption?

• Certain devices can be approved to bypass Removable Storage Encryption. We've already added common hardware-encrypted USB drives. Contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu. A request must include a valid business justification for allowing a device to bypass DDPE Removable Storage Encryption (e.g., the device is hardware encrypted).

How do I decrypt a drive that has been encrypted with DDPE Removable Storage Encryption?

• You can (1) copy files off the drive onto a computer that has DDPE or (2) use the on-drive DDPE applications and format the drive. Campus users can choose to not activate EMS on the drive again and copy files back on to the drive.
• Contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu if you have a drive that cannot be formatted but needs to have DDPE EMS encryption removed from it.

I don't have DDPE on my computer; how can I encrypt my external drives?

• You can use hardware-encrypted drives, such as the ones recommended here. 
• If you have access to any UCSF computer that has DDPE, you can activate EMS on it by logging in with your UCSF account and plugging your drive into the computer.
• You can also contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu if you would like to install DDPE on your computer.
• Note: Always back up your data before encrypting or decrypting a device. You may need to decrypt and remove older encryption applications.

I have a hardware-encrypted external drive; will DDPE Removable Storage Encryption ask to encrypt it?

• UCSF has already approved some common hardware-encrypted external drives to bypass Removable Storage Encryption. If you have one that is not in the following list, contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu to request approval for the hardware-encrypted drive to bypass DDPE Removable Storage Encryption.

Manufacturer	Model	Device Photo
Apricorn	Padlock 2
Apricorn	Aegis Padlock 3.0
Apricorn	Aegis Padlock DT
Apricorn	Aegis Padlock SSD
Apricorn	Aegis Secure Key 2.0
Apricorn	Aegis Secure Key 3.0
Corsair	Padlock v2
EDGE	DiskGO Secure Pro 3.0
IronKey	Secure Drive
Kingston	DataTraveler Locker+ G3

Are there ways to encrypt data on removable drives that do not use DDPE?

• Yes. You can also use hardware-encrypted drives or software-based encryption.

Hardware-encrypted drives

• You can purchase and use a hardware-encrypted removable drive. Hardware-encrypted drives are costlier, but they require no additional software to install and can be formatted in any way. The drive encrypts information using a built-in mechanism. These drives require a user-created code for access; they do not require any additional software.
• See /how_do/recommended-security-products for a list of recommended hardware-encrypted removable drives. These drives should not be prompted to enable EMS, as they are already encrypted. (See the list above.)

Symantec Encryption Desktop and PGP

• Symantec Encryption Desktop and PGP can encrypt external drives. Note: UCSF is no longer deploying PGP; contact the IT Service Desk for assistance in determining if you should encrypt a removable storage device with PGP or with DDPE EMS.
• A removable drive encrypted with PGP can only be accessed by a computer that has PGP installed. If you have PGP on your computer, you can read more about using PGP to encrypt an external drive here.

FileVault 2 (external)

• FileVault 2 is Apple's native encryption service that is included with OS X, and it can be used to encrypt removable drives as well. FileVault 2 will only work on Mac-formatted drives; you cannot read a FileVault 2–encrypted drive on a PC. Read more about using FileVault 2 on an external drive here. 
• If you use FileVault 2 without DDPE to secure UCSF data, you will need to fill out a Proof of Encryption form, found here. 

BitLocker To Go

• BitLocker To Go is a removable storage encryption service that is built into Pro, Ultimate and Enterprise editions of Microsoft Windows 7, 8 and 10. BitLocker will only work on PC-formatted drives; you cannot read a BitLocker-encrypted drive on a Mac. You can read more about BitLocker here.
• If you use BitLocker to secure UCSF data, you will need to fill out a Proof of Encryption form, found here.