USB External Drives and Encryption

WHY: Stanford University security policies require the transport of storage of sensitive data must be on encrypted physical media. If you must transfer or store sensitive data on a physical medium and cannot use other secure data transport methods, that media must be encrypted. The loss or theft of this type of USB device could have serious consequences to the University as well as to you personally. While it has long been policy to use only encrypted media, the School of Medicine has only recently begun to apply technical controls to prevent it.

WHAT: If in your role at Stanford School of Medicine, you may access or receive High Risk data, security software Endpoint Protector by CoSoSys is deployed to ensure that you can only copy from your computer to encrypted USB media. You will still be allowed to copy from any drive to your computer.

TDS can provide one encrypted Apricorn SecureKey to School of Medicine personnel to work with sensitive data. If you don't already have one, you can request one using the button below or stop by the nearest TDS Tech Bar to pick one up.

You can manually encrypt your external USB drive using your operating system's native encryption software.

For Macs: https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac

For Windows: https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

(Note: Some methods require erasing the drive, so be sure to back up necessary information beforehand. Also, it's possible there may be problems with compatibility using the encrypted drive on an older computer.)

If your drive is already encrypted with BitLocker or Filevault, CoSoSys Endpoint Protector can recognize native encryption automatically. You will still get a pop-up but just click OK so you can write to it.

The recommended hardware encrypted flash drive is the Apricorn Secure Key. For larger capacity external drives, the Apricorn Aegis external drives. These devices have a keypad that require the code to unlock and will work on both Mac and Windows computers

Other non-Apricorn, hardware-encrypted drives can be added to the policy list of they meet the standards for compliance. To add your existing hardware-encrypted drive, please go to the link below to Submit a USB Drive Help Request and select the second radio button.

The School of Medicine can provide an Apricorn flash/thumb drive to SoM personnel. If you don't already have one, you can stop by any of the four Tech Bars in the School to obtain one.

Note, you will need to sign an acknowledgement with your SUNet ID and the serial number of the drive that is being issued to you. If the device is lost, this assists us to confirm that you were issued a specific drive. Also, drives have been accidentally lost and then found by the physical security department so were able to be returned to the user.

You can purchase additional or larger capacity Apricorn drives at ofweb.stanford.edu - select SU Internet Procurement and in the Amazon Business search field, type Apricorn store.
Portable drives: Apricorn Aegis Fortress L3 USB 3.0, FIPS level 3
Desktop drives: Apricorn Padlock DT FIPS USB 3.0
The drives range in capacity from 500GB to 22TB and some are also Solid State Drives (SSD).
Drives can also be purchased directly from the vendor at apricorn.com.

What do I need to do to install Endpoint Protector?

Nothing. Endpoint Protector will be deployed to your computer via the University system management software (BigFix or Jamf) just like other critical patches or security software.

The team has done extensive testing and no performance issues have been identified. You should not notice the agent unless you attempt to write to a non-approved drive.

Will the IT staff be able to see the contents of data on or being transferred from my computer?

What if my drive is already encrypted?

Apricorn drive: you can continue to transfer data to it
Any other drive encrypted with Filevault or BitLocker: the native encryption is automatically detected by CoSoSys Endpoint Protector. You will still get a popup, but just click OK and you can write to it. It shows up due to the timing of mounting the drive but will let you use it after clicking OK.
Hardware-encrypted non-Apricorn drive: submit a request to have your drive type to be recognized by Endpoint Protector. Go to somdrives.stanford.edu and select the second radio button

Will this affect using my USB mouse, phone or other accessories?

What should I do if I need help?

Please contact the TDS Service Desk for assistance at (650) 725-8000 or submit a ticket using the link below.

Is there an exception process?

If you have unusual circumstances that will impact your work, please submit a ticket and provide a full description of why this should exclude you. You will also need to obtain your Make and Model IDs as well as the serial number of your drive.

Submit a USB Drive Help Request

Find a doctor

Clinics & Services

Research Resources

Professional Training

Education Resources

USB External Drives and Encryption

Is there an exception process?