Manual Encryption Without Key Escrow

Below are descriptions of how to enable encryption on your own, without using any ITS services, for Windows BitLocker, macOS FileVault, and Linux. This option is not recommended by ITS -- we will not be able to assist you in regaining access to your data in the event of a forgotten password.

If you would like a walkthrough to look at other options, please fill in a service request and a technician will contact you shortly - Request Campus Computer Encryption

Follow the instructions below for "Manual Encryption Without Key Escrow"

Operating Systems:

How to enable BitLocker in Windows:

Please note: The system must be running Windows 10 or later. Supported editions are Pro, Enterprise and Education.

Set up TPM:

To enable BitLocker, the Trusted Platform Module (TPM) version 1.2 or higher must be installed. It must also be enabled and activated (turned on).

See these instructions for checking the TPM status.


Additional requirements:

You must be logged in as an administrator.
You must have access to a printer to print the recovery key.

Steps to enable BitLocker:

  1. Click Start and type "bitlocker"
    • Alternate: Click Start and type "control panel", then change the view to "small icons"
  2. Select "Manage BitLocker" or "BitLocker Drive Encryption"
  3. Select "Turn on BitLocker"
  4. You may be asked to enable TPM. Follow the prompts and complete any steps required.

How to enable FileVault in macOS:

Please follow this link - https://support.apple.com/en-us/ht204837

Encryption on Linux:

Below are some methods for encrypting hard disks on a Linux system.

The Short and Sweet version: Choose a good passphrase and enable disk encryption when you install Linux. If you're already running Linux, back up your data, reinstall Linux (enabling disk encryption when you do so), and then restore your data from the backups.

Choose a Good Passphrase

Effective disk encryption requires a good passphrase. Please see the UCSC Password Strength and Security Standards section of our overview page for appropriate recommendations.

Disk Encryption During System Installation

Linux has built-in disk encryption known as LUKS (Linux Unified Key Setup). Unfortunately, there aren't really any good ways to add encryption to an existing system without reinstalling everything. We recommend making a copy of your /home directory (and possibly /etc, if you've altered your system configuration significantly) onto an external disk or another computer, reinstalling Linux, enabling encryption during the installation, copying your data back onto the system, and wiping the external disk (unless it was also encrypted).

The methods for enabling encryption vary with each Linux distribution. We do not have the resources to support all of them, but we have some guidance on several of the more popular distributions at the time of this document's writing.

Ubuntu 16.04 LTS

In the "Installation type" screen, make sure you have checked "Encrypt the new Ubuntu installation for security".

On the next screen, enter your disk passphrase and check "Overwrite empty disk space".

When you create an account, you do not need to check "Encrypt my home folder".

Debian 9 (stretch)

In the "Partition disks" screen, select "Guided - use entire disk and set up encrypted LVM". If you prefer to use manual partitioning, create your boot and main partitions, use the main partition as an encryption partition, use the new encrypted device as an LVM physical volume, and proceed from there as usual.

Fedora 27, RHEL 7, CentOS 7

(As of January 2018, the latest Fedora, RHEL, and CentOS releases all work the same with respect to disk encryption.)

Go into the "Installation Destination" section of the installer. Under "Other Storage Options", check the box next to "Encrypt my data".

OpenSUSE Tumbleweed

On the "Suggested Partitioning" screen, click the "Edit Proposal Settings" button. Check both "Create LVM-based Proposal" and "Encrypt Volume Group".

Disk Encryption After Installation

Linux doesn't have great support for encrypting an existing filesystem. There are a few possibilities for that, but we don't have the resources to provide support for them.

The following information is provided for reference, but our recommendation is to perform a complete reinstallation and enable full-disk encryption during the installation process.

Ubuntu

If you're running Ubuntu, you might be able to encrypt your home directory on the fly by installing ecryptfs and then running ecryptfs-migrate-home -u account-name. Note that the migration command must be run as root without the affected account being logged in (so you'll have to log out, switch to a text console, log in as root, and then run it).

This is not as good as full disk encryption. Although your home directory will be protected, information can still leak to unencrypted places such as system log files and swap space. You should perform a reinstall and enable full disk encryption during the installation process.
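Whichever route you took, it is worth confirming what actually ended up encrypted. The installer options above put the root filesystem and swap on a dm-crypt (LUKS) device, whereas ecryptfs-migrate-home leaves both in the clear, which is exactly the leak described in the previous paragraph. The script below is an added example, not part of this page or of any distribution's tooling: it reads the block-device tree from lsblk, walks from the device behind "/" and "[SWAP]" up through its parents, and reports whether a crypt layer sits underneath. The two tables embedded in it are constructed samples (an encrypted-LVM layout and a plain layout) so the check can be tried without a real disk.

```shell
#!/bin/sh
# Post-install check: is the root filesystem (and swap) stacked on a dm-crypt layer?
# Added example; the two LAYOUT_* tables are constructed samples of
# `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` output, not captured from a real machine.

# Constructed sample: Debian-style "encrypted LVM" install. /boot is plain,
# sda2 holds the LUKS container, root and swap are logical volumes inside it.
LAYOUT_ENCRYPTED='KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"'

# Constructed sample: a machine that only ran ecryptfs-migrate-home. ecryptfs is a
# stacked filesystem, so no crypt block device exists; / and swap are plain partitions.
LAYOUT_PLAIN='KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sda"'

# field LINE KEY -> value of KEY="..." in one lsblk -P line.
# The leading space keeps KNAME from matching inside PKNAME.
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# mounted_on TABLE MOUNTPOINT -> kernel name of the device holding MOUNTPOINT (empty if none).
mounted_on() {
    line=$(printf '%s\n' "$1" | grep -F "MOUNTPOINT=\"$2\"" | head -n 1)
    field "$line" KNAME
}

# is_encrypted TABLE MOUNTPOINT -> exit 0 if a TYPE="crypt" device sits anywhere
# beneath the mount point (walks KNAME -> PKNAME until the chain ends).
is_encrypted() {
    dev=$(mounted_on "$1" "$2")
    while [ -n "$dev" ]; do
        line=$(printf '%s\n' "$1" | grep "^KNAME=\"$dev\"" | head -n 1)
        [ "$(field "$line" TYPE)" = "crypt" ] && return 0
        dev=$(field "$line" PKNAME)
    done
    return 1
}

# report TABLE -> one line per mount point; exit 1 if any present mount point is plain.
report() {
    status=0
    for mp in / '[SWAP]'; do
        if [ -z "$(mounted_on "$1" "$mp")" ]; then
            echo "$mp: not present"
        elif is_encrypted "$1" "$mp"; then
            echo "$mp: on dm-crypt"
        else
            echo "$mp: NOT encrypted"
            status=1
        fi
    done
    return $status
}

# Use the live block-device tree when lsblk works here; otherwise demo on the sample.
if lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME >/dev/null 2>&1; then
    TABLE=$(lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME)
else
    TABLE=$LAYOUT_ENCRYPTED
fi
if report "$TABLE"; then
    echo "OK: root and swap are on dm-crypt"
else
    echo "WARNING: data on this system lives on unencrypted storage"
fi
```

The check follows the block-device stack only, so an ecryptfs home directory is (correctly) invisible to it: the script will still flag "/" and swap as unencrypted on such a machine. It also deliberately ignores /boot, which the installers above leave unencrypted.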

luksipc

There is a program named luksipc (LUKS in-place conversion) that was created to convert existing partitions to encrypted partitions. It is a very low-level program that comes with the strong possibility of erasing all of your data. We do not support its use; it's mentioned here for completeness.

luksipc can delete all of your data if you're not extremely careful (and possibly even if you are). We recommend re-installing Linux and enabling full disk encryption during the installation process.

How to get help

If these directions are unclear or don't seem to apply to your computer, please fill out a service request for a full consultation or contact help@ucsc.edu.