View Source

Workstation hard drive encryption policies require all connected storage to be encrypted so that data cannot be accessed from a computer without the proper keys or user authentication. Encryption policies apply to both Windows and Mac computers and are managed by ITS.

Due to the nature of our work at Cal Poly, university-owned computers may have access to sensitive data dependent on a user’s role.
It is the responsibility of Cal Poly to safeguard any data that is accessed and stored locally on all computers and protect that data from misuse.

What is encryption?

Encryption is the process of converting or scrambling data and information into an unreadable, encoded version that can only be read with authorized access. Encryption is a widely used security tool that can prevent the interception of sensitive data, either while stored in files or while in transit across networks.

How is encryption enforced?

Encryption on Cal Poly devices is performed using native tools for each major operating system: FileVault for MacOS and BitLocker for Windows. Each technology is managed by different external tools and controlled by ITS. For MacOS, JAMF Pro is the main centralized Mac management software and Windows devices are co-managed by both System Center Configuration Manager and Intune.

How is encryption managed locally?

Once a device is encrypted, it requires either an authenticated login or a recovery key. When a device is initially encrypted, a recovery key is created and saved to the management server.

What if I cannot unlock my computer?

Please contact the Cal Poly service desk or create a ticket to have an administrator contact you for assistance

What about external disks such as USB drives?

External disks are different for each platform. MacOS does not encrypt external disks by default and will only enforce internal disk protection. Windows requires all disks to be encrypted to have data written to them. For instance, if you insert a USB drive into a Cal Poly Windows device it will require you to encrypt the device prior to writing any data to it. You can opt to not encrypt the device, but it will remain read-only.

Once an external device is encrypted, it is recommended to save your secure passphrase to LastPass for future retrieval.

To encrypt external devices on a Mac you will need to utilize Disk Utility.

Some devices may be allowed as an exception for external disks. To acquire an exception, please create a ticket and each case will be reviewed by the Information Security Office.

The official recommendation for file sharing on campus is via Microsoft OneDrive

Resources

How does FileVault encryption work on a Mac?

Encrypt Mac data with FileVault

Encrypt and protect a storage device with a password in Disk Utility on Mac

BitLocker overview

BitLocker Overview and Requirements FAQ

Microsoft 365 - OneDrive