DDPE EMS Frequenty Asked Questions (FAQ)
What is DDPE EMS?
Dell Data Protection Encryption (DDPE) is UCSF's enterprise-wide desktop and laptop encryption application. External Media Shield (EMS) is DDPE's feature that enables saving encrypted files on removable storage devices like flash drives or external hard drives.
How do I encrypt files on my USB drive?
First you need to activate EMS on your drive. You can do this by plugging it in to a UCSF computer with DDPE and clicking "Yes" on the encryption prompt.
This links the drive with your UCSF login and requires you to set up a drive password.
After activating EMS on a drive, files copied from a computer with DDPE to the drive will be encrypted.
Files that are already on the drive are not automatically encrypted. To encrypt them, copy the files off the drive and then back on.
How do I read encrypted files on a computer without DDPE?
After activating EMS on a drive, Windows and Mac applications named "AccessEncryptedData" are copied on to the drive. The EMS Explorer application will allow you to read and save encrypted files on the drive using the drive password you created when you activated EMS on the drive.
What if I forget my drive password?
You can plug your drive in to any UCSF PC with DDPE and reset the password using the DDPE application.
If you do not have access to a UCSF PC, call the IT Service Desk at 415-514-4100 and ask them to reset the password. You will need to verify your identity similar to a email password reset.
How do I prevent a device from being encrypted by DDPE EMS?
DDPE has the ability to exclude certain devices from being used with EMS. We've already added common hardware-encrypted USB drives. Contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu. A whitelist request must include a business justification include a business justification for whitelisting a device (for example, the device is hardware encrypted).
How do I decrypt a drive that has been encrypted with DDPE EMS?
You can copy files off the drive on a computer with DDPE or using the on-drive DDPE applications and format the drive. Campus users can choose to not activate EMS on the drive again and copy files back on to the drive.
Contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu if you have a drive that cannot be formatted but needs to have DDPE EMS encryption removed from it.
I don't have DDPE on my computer, how can I encrypt my external drives?
You can use hardware encrypted drives, such as the ones recommended on http://it.ucsf.edu/how_do/recommended-security-products
If you have access to any UCSF computer with DDPE, you can activate EMS on it by logging in with your UCSF account and plugging your drive in to the computer.
You can also contact the IT Service Desk at 415-514-4100 or submit a ticket at https://help.ucsf.edu if you would like to install DDPE on your computer. You should always back up your data before encrypting or decrypting a device. You may need to decrypt and remove older encryption applications.
I have a hardware-encrypted external drive, will DDPE EMS ask to encrypt it?
UCSF has excluded some common hardware-encrypted external drives. If you have one that is not in this list, contact the IT Service Desk at 415-514-410 or submit a ticket at https://help.ucsf.edu to request the creation of an exclusion for the hardware-encrypted drive.
Aegis Padlock 3.0
Aegis Padlock DT
Aegis Padlock SSD
Aegis Secure Key 2.0
Aegis Secure Key 3.0
DiskGo Secure Pro 3.0
DataTraveler Locker+ G3
Are there other ways to encrypt data on removable drives that do not use DDPE?
Yes, you can also use hardware-encrypted drives or software-based encryption.
You can purchase and use a hardware-encrypted removable drive. Hardware-encrypted drives are costlier, but require no additional software to install and can be formatted in any way. The drive encrypts information using a built-in mechanism. These require a user-created code for access and do not require any additional software. See /how_do/recommended-security-products for a list of recommended hardware-encrypted removable drives. These drives should not be prompted to enable EMS as they are already encrypted (See above list).
PGP/Symantec Encryption Desktop
Symantec Encryption Desktop or PGP can encrypt external drives. UCSF is no longer deploying PGP - contact the IT Service Desk for assistance in determining if you should encrypt a removable storage device with PGP or with DDPE EMS. A removable drive encrypted with PGP can only be accessed by a computer that has PGP installed. If you have PGP on your computer, you can read more about using PGP to encrypt an external drive here: https://support.symantec.com/en_US/article.TECH182856.html
FileVault2 is Apple's native encryption service that is included with OS X, and it can be used to encrypt removable drives as well. FileVault2 will only work on Mac-formatted drives, you cannot read a FileVault2-encrypted drive on a PC. You can read more about using FileVault2 on an external drive here: https://support.apple.com/kb/PH21791
If you use FileVault2 without DDPE to secure UCSF data, you will need to fill out a Proof of Encryption form: http://it.ucsf.edu/services/proof-encryption
BitLocker To Go
BitLocker To Go is an removable storage encryption service that is built-in to Pro, Ultimate, and Enterprise editions of Microsoft Windows 7, 8, and 10. BitLocker will only work on PC-formatted drives, you cannot read a BitLocker-encrypted drive on a Mac. You can read more about BitLocker here:
If you use BitLocker to secure UCSF data, you will need to fill out a Proof of Encryption form: http://it.ucsf.edu/services/proof-encryption