Encryption Tools

Stanford Whole Disk Encryption (SWDE)

As part of its Whole Disk Encryption service, Stanford encourages the use of native encryption tools: the software built into your operating system. Stanford Whole Disk Encryption (SWDE) provides an installer, which checks your computer for certain requirements before proceeding with encryption using those native encryption tools. Individuals working with High Risk information must use SWDE to encrypt.

  • OSX Lion (10.7) and later come with FileVault 2, which provides whole-disk encryption. We recommend upgrading Macs to 10.8, which includes an option to automate the storage of recovery information.)
  • OS 10.5 or 10.6 can only run McAfee Endpoint Encryption, which is no longer one of the recommended encryption methods. If your computer will run 10.8, we recommend upgrading your software; if not, we recommend upgrading your hardware, to meet minimum campus security standards.
  • Make sure you've backed up first, then:

    Download the Macintosh encryption installer and see whole-disk encryption instructions for FileVault.



If you do not ever encounter High Risk data in your Stanford work, you may, if you wish, encrypt your computer with the VLRE whole-disk encryption installer, instead. It is a more "lightweight" installer; it includes the attestation questionnaire and makes use of the computer's native encryption software, but it doesn't require the use of BigFix. While it can report your correct encryption status to the AMIE database, the absence of BigFix means that making updates such as adding security patches is entirely your responsibility.



Stanford University IT Services used to support and encourage the use of PGP, a public-key signing and encryption software. Now Stanford supports native encryption technologies (as opposed to third-party software), and therefore strongly encourages anyone who is still running PGP to transition to SWDE instead.

Mobile Devices

Many smartphones and tablets—but not all—also come with their own native encryption, and Stanford has software to help centrally manage your device: MDM (Mobile Device Management). If your phone, iPad, or other device is used to access Stanford information (even if it belongs to you personally), it must be registered with MDM or a comparable Stanford service. Not all phones are approved to handle Stanford information; see our page for criteria, and instructions for enrolling.

External Drives

If you are working with High Risk or Moderate Risk information, it must always remain encrypted: while in transit (through email), and at rest (on your computer or another disk drive). There are ways to send such information securely that avoids using external drives altogether (Stanford secure email or MedSecureSend)—but if you must store or send such information on an external drive, such as a USB stick or other hard drive, it needs to be encrypted as well. You can either obtain a specifically encrypted drive, or use your native encryption software to encrypt a drive of your own.

How to encrypt external drives (on the "Sending Securely" page)

For help encrypting your computer, phone, or tablet, submit a HelpSU request to IT Service.

Additional Links