Mobile Device Encryption Chris Edwards IT Services

Mobile Device Encryption Policy “All confidential data must be encrypted where stored on a mobile device”

What do we mean by “encrypted” ??

Password Protected Encrypted Trivially bypassed Protects data if lost / stolen

Can we avoid encrypting ? Could maybe: avoid storing confidential data on the laptop work completely “across the network” But often convenient to store locally anyway Also: data cached on device temporary folders In practice, virtually all laptops contain confidential data.

What type of encryption tool ? Folder encryption – save confidential data in a special encrypted folder need to remember to do this one day will forget and this still doesn’t encrypt: data cached on device temporary folders Full disk encryption (FDE) encrypts everything hence much safer!

Full Disk Encryption Encrypts everything Fast Transparent Native on common OS platforms Can be enabled without reinstall

Full Disk Encryption Windows BitLocker macOS FileVault Linux LUKS

Standard Staff Desktop (SSD) BitLocker default-on in SSD (enabled at build time)

Other Laptops Needs to be organised in your : College School Research Institute University Service

Other Laptops Users should be asked to bring University-owned laptops to their Local IT Support so that Full Fisk Encryption can be configured

Recovery Keys Data stored on laptops should exist elsewhere Hard drive could suffer physical failure ! Might forget the encryption password Prudent to keep a recovery key - somewhere safe BitLocker also requires key for certain hardware changes For SSD, ITS holds recovery keys in campus AD For non-SSD, local IT teams will want to organise their own repository Keep recovery keys as part of School IT asset register AD Create a school “recovery agent” certificate

How to… Detailed guides with pictures at: www.gla.ac.uk/confidentialdata Click on: “Laptops” “Memory sticks”

How to… Guides accessible enough for most reasonably tech savy users. However, where possible we recommend IT support staff should do the encrypting. Precise arrangements need to be determined in your School or College. IT Services happy to advise.

Consumer Grade Laptops May not have TPM chip Workaround to enable BitLocker boot time password memory stick (unsafe??) May come with a “Home” edition of Windows no BitLocker! may be unsuitable for storing confidential data

Personal Laptops University cannot mandate FDE for personally-owned laptops However, requirement to encrypt confidential data stored on a mobile device still applies!! Must encrypt it be some means FDE might be the easiest (MS “Device Encryption”?) Excellent Plan - use a terminal server (or equivalent) to completely avoid storing the data on the laptop in the first place: SSDremote Remote Desktop Session (e.g RDP)

Smartphones / Tablets Essential to set a PIN, or equivalent protection Fingerprint check Swipe pattern Many devices come with encryption in some cases this is default-on and the PIN is used to unlock the encryption

Memory Sticks Must be encrypted if confidential data is stored guides with pictures at: www.gla.ac.uk/confidentialdata In many cases easier to not store confidential data on sticks use the network instead