Columbia University Medical Center Information Technology
For support: call extension 5-Help (212-305-4357) or email us
 
 
Encryption
 

Encryption FAQs

Encryption basics are covered on the main Using Encryption page; see these FAQs for information specific to the CUMC Endpoint Security Campaign.

How do different types of encryption work?
Individual encryption programs can vary greatly; however, we've provided a general description of how most programs work. Please be sure you've read all help files for any specific program or device; if encryption is used improperly, you risk permanently damaging important files!

  • Individual file and folder encryption - this encrypts only the data or locations that you specify, whether on a computer or removable media such as a USB key, CD, external hard drive, SD card, etc. Some of these programs can also be used to send encrypted email attachments.
    • Most programs providing this type of encryption allow you to select a password specific to the individual file. This allows you to give an intended receiver a password that you don't already use to encrypt other files (or to log in to your computer).
    • Some programs require that when you save the file or attach it to an email, you specify that it should be encrypted and select a password. The encryption program will include the ability to decrypt with the proper password so that the receiver does not have to have your same encryption software installed on their computer. NOTE: CUMC IT Exchange email accounts can send encrypted information to outside addresses; click here for instructions.
  • Full disk encryption - installed on a computer, external hard drive, or USB key, full disk encryption automatically encrypts all data stored on the drive or "disk".
    • On computers the authorization to access encrypted data is often tied to the user/computer login; an additional password won't have to be typed in.
    • On an external hard drive or USB key the encryption software will typically prompt for the authorized password when it is "mounted", or connected to a computer - though it may not appear until you attempt to open a file that is stored on it.
    • IMPORTANT - In general, files are NOT encrypted when opened, sent through email, or moved to an unencrypted location off of the computer. This is due to decryption having already occurred when authorization was provided (successful computer login).
  • Pre-boot authentication - pre-boot authentication (PBA) provides a higher level of security than full disk encryption, which does not encrypt a computer's operating system files. See Encryption Requirements for information on equipment that must support PBA.

Can I use a BIOS password for pre-boot authentication?
No, since a BIOS password does not authenticate encryption (or even offer encryption), it does not meet CUMC Encryption Requirements even when used in conjunction with full disk encryption.

Will encryption protect my computer or data from viruses and hacker attacks?
Encryption does not provide the same methods of protection as antivirus and antispyware programs, or software and operating system updates; you must be sure that your computer is still receiving appropriate updates and scanning for viruses, etc.

Remember that encryption serves to add an additional layer of security in the event that data is accidentally or maliciously and purposely released. It employs strong encryption algorithms or methods of scrambling data that are not made readable again until the correct credentials are supplied. If someone is able to obtain your credentials for the program they will be able to decrypt the data, which is why it is important to use a strong password that is not shared with others.

How do I know if my smartphone or tablet is encrypted?
Any smartphone or tablet configured for CUMC IT Exchange Email is automatically required to use a passcode and encryption. If your device isn't, please see specific instructions on the Smartphone and Tablet Encryption and Security page to set up a password and encryption. Most devices released in the past year are encrypted if a password is used after start up and a short period of inactivity; however, it is your responsibility to make sure that the device meets CUMC policies.

What happens if I forget my encryption password?
Almost all encryption programs will make encrypted data irretrievable if the password or other credentials are lost; after all, the point of encryption is to prevent unauthorized people from being able to read or understand the data. There may be a backup or safety net method that can be used to retrieve encrypted data; however, it will vary based on the specific program being used. Please refer to the documentation or help files provided with the encryption program.

Symantec Endpoint Encryption (SEE) and GuardianEdge (GE) FAQs
NOTE: SEE is no longer available for download. Currently this does not affect existing installations; please see the main SEE page for updates.

How can I tell if my computer has SEE or GE installed?
Either program will appear in your computer's All Programs list:
  1. Click the Start icon in the lower left corner of your computer screen and select All Programs

  2. Look for a folder called Symantec Endpoint Encryption Client or GuardianEdge; if either is installed, it will appear alphabetically in the list. You may need to use the scroll bar to the right of the program list to find it. IMPORTANT: Symantec Endpoint Protection (SEP) is not the same as Symantec Endpoint Encryption. SEP is an antivirus program used by many Columbia faculty, staff and students, but it does not provide encryption.

    [Images: GuardianEdge and Symantec Endpoint Encryption folders in the Windows program list]
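The same check can be scripted for support staff who need to confirm it on several machines. This is an added example, not CUMC's own tooling: the function name is hypothetical, and it assumes the program folders sit under the standard all-users or per-user Windows Start Menu locations.

```powershell
# Added example (not from CUMC IT). Folder names are the ones this FAQ says to look for.
# Assumption: the client's program folder lives under a standard Start Menu path.
function Find-EncryptionClientFolder {
    param(
        [string[]]$StartMenuRoots = @(
            (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
            (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs')
        )
    )

    # Exact names from the FAQ. Exact matching keeps "Symantec Endpoint
    # Protection" (antivirus, no encryption) from being counted as encryption.
    $encryptionNames = @('Symantec Endpoint Encryption Client', 'GuardianEdge')
    $lookalike       = 'Symantec Endpoint Protection'

    foreach ($root in $StartMenuRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            Where-Object { ($encryptionNames -contains $_.Name) -or ($_.Name -eq $lookalike) } |
            ForEach-Object {
                # Report the lookalike too, flagged as not providing encryption.
                New-Object PSObject -Property @{
                    Folder     = $_.Name
                    Path       = $_.FullName
                    Encryption = ($encryptionNames -contains $_.Name)
                }
            }
    }
}

$found = @(Find-EncryptionClientFolder)
$found | Format-Table Folder, Encryption, Path -AutoSize
if (-not ($found | Where-Object { $_.Encryption })) {
    Write-Warning 'No SEE or GuardianEdge program folder found in the Start Menu.'
}
```

A match shows only that the client's program folder is present; whether pre-boot authentication is running is still confirmed by the login prompt at startup.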

How can I verify that pre-boot authentication is running on a computer with SEE or GE installed?
One of the login prompts pictured below will appear when the computer first starts up, before Windows loads.

[Images: SEE PBA splash screens]

Why am I prompted to log in to both Symantec Endpoint Encryption and Windows after changing my MC password?
The passwords for your MC domain account and SEE with pre-boot authentication do not synchronize automatically. Please see the Synchronize Your SEE and MC Account Passwords page for details and instructions to manually synchronize the passwords.

Why am I getting prompted for two different passwords on my hardware encrypted USB drive?
If your computer was running GuardianEdge and had not recently been on campus or done a GE server check-in to get updated settings, it will have automatically encrypted an attached USB drive. Please see instructions under Preventing or Resolving Double-Encryption on a Drive to resolve this issue.

Last updated 2/25/2105