Encrypt My Devices

If you have a Microsoft-based system and you are running one of the following operating systems, then you can use Microsoft's BitLocker encryption tool:

• Windows 8/8.1: Pro and Enterprise Editions
• Windows 10: Pro, Education, and Enterprise Editions

How to encrypt a Windows computer with BitLocker

If you are running Windows 10 Home, you may be able to use Microsoft device encryption. Not all devices that run Windows 10 Home can use Microsoft device encryption. To see if your device meets the requirements, please see the Device encryption in Windows 10 article on the Microsoft website.

How do I know which Windows Operating System I have?

To find out which version of Windows your PC is running, press Windows logo key + R on your keyboard, type winver then press Enter.

What if I don't have one of these versions of Windows?

We recommend that you upgrade to a version of Windows that will support BitLocker. If this isn't an option, and the version of Windows on your personally owned computer does not support native BitLocker encryption (e.g. Windows 10 Home), then the best route to encrypt your computer is to use VeraCrypt. VeraCrypt is a technical tool and it is very important to follow all of the following steps carefully:

How to encrypt a Windows computer with VeraCrypt

If you have an Apple machine running macOS then you can use Apple's FileVault encryption.

How to encrypt a Mac OS X/macOS computer with FileVault

If you are using your own personal (non-UBC-supported) device to access UBC Electronic Information and Systems, then it is your responsibility to ensure that it is encrypted.

Both VeraCrypt and dm-crypt/LUKS are common encryption options, allowing a user to encrypt either a full disk during installation or a new volume.

Full Disk Encryption

All modern desktop Linux instances have a full disk encryption option at installation that simply involves checking a box and setting a security key. See the example for Ubuntu in Figure 1 below.

You must remember your password which unwraps the security key. It is isolated on your device, and UBC IT will not have access. You will be required to enter this password at every boot, and you will no longer be able to remotely reboot your system.

It is recommended that you save a copy of your security key (not password) to your personal network storage drive (UBC Home Drive - Vancouver; F: Drive - Okanagan), so that University IT Support Staff can assist you in the event of an incident.

There is no easy way to encrypt a system that is already built. To set-up full disk encryption on devices that already have Linux installed, the only way is to backup all your data, reinstall Linux (with encryption enabled), reinstall all your applications and then restore your data.

Due to operability or performance constraints, this is not always viable. Please see the guidance from Information Security Standard U5, Encryption Requirements

Encrypting a partition or new volume

Native tools are available in common Linux desktops are available to encrypt a new volume or partition.

Online Guides

• Cryptsetup and LUKS - open-source disk encryption
• VeraCrypt (downloadable software packages and installation instructions)
• Securing Red Hat Enterprise Linux 8 (PDF, see Chapter on Encrypting Block Devices using LUKS)
• How to Encrypt a Drive on Ubuntu 18.04

Getting Help

If you have any questions or concerns, please contact privacy.matters@ubc.ca.

Reminder: Even an encrypted device is vulnerable if it does not have proper password protection. Your password should be unique, comply with the UBC password policy, and if used as an encryption password comply with the key escrow requirements.

iPhone and iPads

How do I know if my device is encrypted?
iPhones and iPads are not encrypted by default. However, if you password protect the device or use a thumb/fingerprint to access the device, it is encrypted.

How do I encrypt?
Turn on a passcode (which can be found under setting, usually in the “Touch ID & Passcode” submenu.)

All other phones and tablets

How do I know if my device is encrypted?
Android, Windows and BlackBerry phones and tablets are not encrypted by default, so if you are not sure, your device is probably not encrypted.

Having to enter a password to access the device does not guarantee it is encrypted.

Different versions of Android, Windows and Blackberry devices place their encryption settings behind different menus.

You can often see if your device is encrypted under menus such as “System”, “Security” and “Passcode”, and “Encryption”. You can often find device specific instructions by doing an internet search for your device and the word encryption.

If in doubt, contact your departmental IT support.

How do I encrypt?
In most cases, if you were able to find the menu that told you that your device is encrypted the option to encrypt is in the same location.

Check with your local IT Support or device provider if you have questions about encrypting.

For BlackBerry 10: Go to Settings > Encryption. Set Device Encryption to ON & set the device password

How do I know if my device is encrypted?
When storage devices are encrypted, the encryption software used will normally ask for a password when you plug it into your USB port.

You can encrypt specific files and folders on USB sticks using freely available encryption tools such as 7zip. UBC has also provided instructions on how to encrypt an external USB drive using BitLocker (Windows), VeraCrypt (Windows) and FileVault (Mac).