CUMC Home | Columbia University | Jobs at CUMC | Contact CUMC | Find People
     
Columbia University Medical Center logo,  Columbia University Medical Center Information Technology
For support: call extension 5-Help (212-305-4357) or email us
 
 
 Encryption
 

Encryption FAQs

Encryption basics are covered on the main Using Encryption page, and see these FAQs for information specific to the CUMC Endpoint Security Campaign.

How do different types of encryption work?
Individual encryption programs can vary greatly, however we've provided a general description of how most programs work. Please be sure you've read all help files for any specific program or device, if encryption is used improperly you risk permanently damaging important files!

  • Individual file and folder encryption - this encrypts only the data or locations that you specify, whether on a computer or removable media such as a USB key, CD, external hard drive, SD card, etc. Some of these programs can also be used to send encrypted email attachments.
    • Most programs providing this type of encryption allow you to select a password specific to the individual file. This allows you to give a password that you don't already use to encrypt other files (or use to login to your computer) to an intended receiver.
    • Some programs require that when you save the file to or attach it to an email, you specify that it should be encrypted and select a password. The encryption program will include the ability to decrypt with the proper password so that the receiver does not have to have your same encryption software installed on their computer. NOTE: CUMC IT Exchange email accounts can send encrypted information to outside addresses, click here for instructions.
  • Full disk encryption - installed on a computer, external hard drive, or USB key, full disk automatically encrypts all data stored on the drive or "disk".
    • On computers the authorization to access to encrypted data is often tied to the user/computer login; an additional password won't have to be typed in.
    • On an external hard drive or USB key the encryption software will typically prompt for the authorized password when it is "mounted", or connected to a computer - though it may not appear until you attempt to open a file that is stored on it.
    • IMPORTANT - In general, files are NOT encrypted when opened, sent through email, or moved to an unencrypted location off of the computer. This is due to decryption having already occurred when authorization was provided (successful computer login).
  • Pre-boot authentication - pre-boot authentication (PBA) provides a higher level of security than full disk encryption, which does not encrypt a computer's operating system files. See Encryption Requirements for information on equipment (including personally owned) that must use PBA.
    With pre-boot authentication a password prompt will appear when the computer first starts up, before the Windows or Macintosh operating system/splash screen loads.

Can I use a BIOS password for pre-boot authentication?
No, since a BIOS password does not authenticate encryption (or even offer encryption), it does not meet CUMC Encryption Requirements even when used in conjunction with full disk encryption.

Will encryption protect my computer or data from viruses and hacker attacks?
Encryption does not provide the same methods of protection as antivirus and antispyware programs, or software and operating system updates; you must be sure that your computer is still receiving appropriate updates and scanning for viruses, etc.

Remember that encryption serves to add an additional layer of security in the event that data is accidentally or maliciously and purposely released. It employs strong encryption algorithms or methods of scrambling data that are not made readable again until the correct credentials are supplied. If someone is able to obtain your credentials for the program they will be able to decrypt the data, which is why it is important to use a strong password that is not shared with others.

How do I know if my smartphone or tablet is encrypted?
Any smartphone or tablet configured for CUMC IT Exchange Email is automatically enforced to use a passcode and encryption. If your device isn't, please see specific instructions on the Smartphone and Tablet Encryption and Security page to set up a password and encryption. Most devices released in the past year are encrypted if a password is used after start up and a short period of inactivity, however it is your responsibility to make sure that the device meets CUMC policies.

What happens if I forget my encryption password?
Almost all encryption programs will make encrypted data irretrievable if the password or other credentials are lost; after all, the point of encryption is to prevent unauthorized people from being able to read or understand the data. There may be a back up or safety net method that can be used to retrieve encrypted data, however it will vary based on the specific program being used. Please refer to the documentation or help files provided with the encryption program.

Symantec Endpoint Encryption (SEE) and GuardianEdge (GE) FAQs

How can I tell if my computer has SEE or GE installed?
Either program will appear in your computer's All Programs list:
  1. Click the Start icon in the lower left corner of your computer screen and select All Programs

    Windows All Programs Link

  2. Look a folder called Symantec Endpoint Encryption Client or GuardianEdge, if either is installed it will appear alphabetically in the list. You may need to use a scroll bar to the right of the program list to find it. IMPORTANT: Symantec Endpoint Protection (SEP) is not the same as Symantec Endpoint Encryption. SEP is an antivirus program used by many Columbia faculty, staff and students but it does not provide encryption.

    GuardianEdge in Windows Program List Symantec Endpoint Encryption
    GuardianEdge Symantec Endpoint Encryption

How can I use or verify that pre-boot authentication is running on a computer with SEE or GE installed?
Please see information under the Verifying or Requesting Pre-boot Authentication with Symantec Endpoint Encryption heading near the top of the SEE PBA web page. Both versions have a similar pre-boot authentication screen but will either display "Symantec" or "GuardianEdge" in the initial splash screen with a black background.

Can I use SEE Pre-boot Authentication on a shared computer?
Yes, but you must set up your own SEE login. Once a computer has an SEE Pre-boot Authentication account created on it, you will not see the Windows login screen or be able to create your own account without having the existing SEE PBA account holder log in first. See the NOTE under step 1 of the Registering SEE Pre-Boot Authentication on Your Computer instructions for step by step assistance.

Why am I prompted to log in to both Symantec Endpoint Encryption and Windows after changing my MC password?
The passwords for your MC domain account and SEE with pre-boot authentication do not synchronize automatically. Please see the Synchronize Your SEE and MC Account Passwords page for details and instructions to manually synchronize the passwords.

Should or can I upgrade to Symantec Endpoint Encryption if I have GE installed?
At this point it is fine to continue using GE as your encryption program on a computer if it is already installed, however you can contact us at 5-Help, option 5, to request that GE is removed and SEE is installed.

  • It is not possible to do a straight upgrade (installing SEE over GE), instead the computer must first be fully decrypted and GE must be properly removed before SEE can be installed.
  • CUMC IT must be involved in any removal of the site licensed GuardianEdge program due to the use of a GE administrative password that can not be given to non-CUMC IT staff.
  • If you are running GE, you may not be able to open files that have been encrypted by SEE. Computers using SEE can open GE encrypted files.

Why am I getting prompted for two different passwords on my hardware encrypted USB drive?
If your computer was running GuardianEdge and had not recently been on campus or done a GE server check in to get updated settings, it will have automatically encrypted an attached USB drive. Please see instructions under Preventing or Resolving Double-Encryption on a Drive to resolve this issue.

| TOP |

Last updated 12/12/2013

 
 
bullet Home                bullet Faculty and Staff                bullet Students                bullet Policies                bullet About CUMC IT
CUMC Home | At Columbia University | Affiliated with New York-Presbyterian Hospital | Comments | Text-Only Version