Encrypting Personal (non-Tufts) Laptops

When you’re working with sensitive Tufts data on your personal laptop, such as HIPAA data or student research, it’s important to encrypt your computer. Encryption protects you if your computer is lost, stolen, or "borrowed".

If you’re working with Tufts’ information on your personal laptop, follow the instructions to encrypt your specific operating system below.

Despite being a big concept, the steps to set encryption up aren’t long. Contact it@tufts.edu if you run into problems or have questions.

Encrypting your laptop is like locking all the files on your computer in a language that only you know. You can log in and use the laptop normally and not see a difference, but whenever you’re not logged, the files are completely unreadable to anyone

Why isn’t a login password enough?

If someone gains access to your computer, setting a log in password on your laptop is a great first step! This will stop many people from gaining access to your machine when they turn the laptop on and are stymied by the “Please enter your password to log in” prompt. However, a password only stops someone from logging in to your laptop. For the more technically savvy, a password won’t stop the person from copying all your files and information onto their own computer. Analogy: Imagine that your personal laptop is like a filing cabinet. Setting a login password is the same as locking the filing cabinet with a key, but a locked filing cabinet isn’t going to stop someone determined from simply sawing the cabinet open to bypass the lock.

This is where encryption comes in. It’s a step above and beyond simply password protecting your laptop – it’s making all the information inside the computer completely unreadable. To go back to the filing cabinet, imagine that all the files are in an imaginary language unless you have unlocked the cabinet with the key. If someone saws the cabinet open, the files will still be unreadable.

Encryption also protects information if your laptop breaks – even if no one can log in, the information is still there. Even though you cannot delete all its sensitive files, at least they are safely encrypted.

When you’re working with Tufts’ information on your personal laptop, your laptop should be encrypted. This way, if you lose the laptop or it’s stolen, the information on the laptop can’t be read by anyone else.

Microsoft windows comes in various versions and editions. Versions of Windows are Windows 7, Windows 8, Windows 10, and Windows 11 (as of July 2020); editions of Windows are “Home”, “Education”, “Pro”, and “Enterprise”. For example, you might have “Windows 10 Home” or “Windows 10 Pro”. Windows versions 10, 11, or higher Pro, Enterprise, and Education editions support whole disk encryption using a program called BitLocker, which is our goal.

In this section, we will check that you have Windows 10+ Pro, Enterprise or Education. If you don’t, we’ll upgrade your version of Windows to Windows 10 Education.

  1. Click the Start button start icon on the task bar (usually in the bottom left corner of your screen). The Start menu will be displayed.
  2. On the Start menu, click the Settings gear icon (usually on the left side column) to bring up the Settings dialog box.
  3. Click System (usually the top left choice).
  4. On the left-hand side of the System dialog box, scroll to the end (bottom) of the System menu and click About.
  5. On the right-hand side, you will see information about Device specifications and Windows specifications. Scroll to the Windows Specifications section and check which edition of Windows you have. This will be to the right of the heading “Edition.”
  6. If you see you have Windows 10 or Windows 11, either Pro, Enterprise, or Education, you’re set! Close this section and follow the instructions in the section Windows Laptops, pt 2: Setting Up Encryption.
  7. If you have Windows 10+ Home, Windows 7, or Windows 8, you will have to upgrade to Windows 10 Education, which you can do free of charge through Tufts. Continue with these instructions.
    • If you need to upgrade an additional device, you will probably need to pay for it.
    • If you have Windows 7 or Windows 8 and the below upgrade instructions don’t work because your laptop does not permit the upgrade, we strongly recommend you purchase a new laptop with a newer version of Windows.  Microsoft (and many accompanying software and applications) no longer support Windows 7 or 8.
  8. If you currently have Windows 7, 8, or 10 Home – continue these instructions and let’s upgrade you to Windows 10 Education– it’s free! This is going to restart your computer, so save and close any open files.
  9. Go to https://tufts.onthehub.com and log in using your Tufts Credentials.
  10. Select Windows 10 Education.
    • If you don’t see the purple Windows 10 Education icon on the first screen, please type Microsoft Windows Education in the Product Search bar.
      Windows Education icon
  11. Click Add to Cart, and then go to Check Out.
  12. Enter your UTLN and name (type it in exactly as listed in the example box on the screen). Select Accept.
  13. Select the Agree button and make sure to copy the product key information from the screen (usually right-click + copy). Don’t close this window in case you don’t successfully copy the key.
  14. You have to enter the product key into Windows. Click on the Search icon on the bottom task bar.
    task bar corner
  15. In the search bar, type in the words Control Panel; when it appears, click it to open it. 
  16. Click on the System and Security option, then click on System (usually the third item on the list).
  17. Select Change Product Key (usually in the bottom right).
    Change product key is on the right of the third section
  18. Paste in the new Product Key that you copied from On the Hub website.
  19. The upgrade will take about 10 minutes; then, there will be a restart.
  20. You have completed the upgrade and are now running Windows 10 Education.

Now that you have upgraded your laptop to a version of Windows that supports encryption, let’s encrypt it – continue to the next section, Windows Laptops, pt 2: Setting Up Encryption

You should currently be running Windows 10+ Pro, Enterprise, or Education. If you aren’t sure what Windows version and edition you have, close this section and go through the steps in the above section, Windows Laptops, pt 1: Checking Your Windows Version.

  1. Head to Windows’ Control Panel > System and Security > BitLocker Drive Encryption (possibly, it might be called Manage BitLocker).
  2. If you aren’t sure where the Control Panel is, search for it using the Search icon on the bottom task bar.
    search icon is in left of task bar
  3. The BitLocker Drive Encryption application displays the status of the drives attached to the system. Your operating system drive is OS (C:), which is what you need to encrypt.
    turn on bitlocker is to the left of the C drive
  4. If encryption for the C: drive is on, you’re done! You can close these If you instead see “Turn on BitLocker”, continue with these instructions.
  5. Select the C: drive and click the Turn On BitLocker button, following the prompts to create a password that will function as your encryption key. This key is a backup unlock method provided to you in case the unlock-enabled user password is forgotten. Write this down & keep somewhere private and safe – perhaps in tufts.box.com or a locked desk drawer – so you can find and use it if you forget your daily password.
    • Warning: If you turn on BitLocker and then forget both your login password and your recovery key, you will not be able to log into your account. Your files and settings will be lost forever as we cannot recover encrypted drives – so save that key.

You're done!

This section applies to Apple computers - Macbooks, iMacs, Mac Pros, etc.

  • If you instead have an iPad, it actually comes encrypted! Please make sure your passcode is set and Find My iPad is turned on - then, if you only have an iPad, you're done!

On Apple computers, Mac OSX comes with an encryption feature called FileVault, so you don’t need to download any extra software. It’s already there – you just have to turn it on.

  1. Open the Apple menu.
    apple menu is in top left of screen
  2. Select System Preferences.
    system preferences is about halfway down the apple menu
  3. Select Security & Privacy.
    security & privacy is in the top right
  4. Click FileVault.
    Firevault is the second tab
  5. There is a large button on the right-hand side.
    • If that button is grayed out and says, Turn Off FileVault, then your Mac is already encrypted. You’re done!
      turn off firevault is near the top of the screen
    • If instead the button reads “Turn on FileVault”, continue with these instructions.
      turn on firevault is on right of panel

  6. The Security preferences pane is locked by default, so click the lock icon in the bottom left. lock says click here to make changes
  7. You’ll be prompted for an administrator name and password – since you’re on your personal laptop, this is likely your regular username and password you always use to log into the computer.
  8. Select Turn On FileVault.
    • If your Mac has multiple user accounts, you will be asked to identify the user accounts that will be allowed to unlock the encrypted drive (to start the computer or recover from sleep or hibernation). If you’re not sure, select all users.
    • Explanation: Users not enabled for FileVault unlock will only be able to log in to that Mac after an unlock-enabled user has started or unlocked the drive. Once unlocked, the drive remains unlocked and available to all users, until the computer is shut down.
  9. After enabling users for disk unlock, you will be shown your recovery key. It likely look like a series of numbers and capital letters, in groups of four, separated by hyphens. This key is a backup unlock method provided to you in case the unlock-enabled user password is forgotten. Write this down & keep somewhere private and safe – perhaps in tufts.box.com or a locked desk drawer – so you can find and use it if you forget your daily password.
    • Warning: If you turn on FileVault and then forget both your login password and your recovery key, you will not be able to log into your account. Your files and settings will be lost forever as we cannot recover encrypted drives – so write down that key!
  10. FileVault will take between 10-80 minutes to turn on. When you've completed the process of turning on FileVault, you may be prompted to restart your Mac.

You’re done!

To encrypt a linux laptop, you’ll likely want to use the gpg command – GNU Privacy Guard. gpg is an open-source encryption software installed by default on most Linux flavors. Because there are several different flavors of Linux and ways to use gpg, head to the official GNU Privacy Guard site and follow the instructions that work best for your machine.