Whole disk encryption

Laptops carrying sensitive data (as defined by the Duke University data classification standard) must be encrypted according to the Duke University ITSO technical standards (NetID required). It is also our strong recommendation that all laptops be encrypted. Computers in Duke Health are subject to different policies regarding encryption; see the "Duke Medicine PGP User How-To" Duke KnowledgeBase article for details.

Windows computers should use Windows BitLocker Drive Encryption.
Apple OS X computers should use Apple's FileVault 2.

For computers managed by end users

Users that are not supported by Duke IT staff should follow the instructions linked below:

These instructions are also recommended for individuals to use on their personally-owned computers.

For computers managed by Duke IT staff

Duke IT staff should follow the same processes linked above, but additional steps must be taken beforehand in order to ensure that the recovery key is recorded in a central location (i.e. "key escrow").

Note: Duke IT staff who are currently deploying Symantec Endpoint Encryption/PGP may continue to do so if they choose, but new encryption implementations are strongly encouraged to use BitLocker or FileVault 2.