Encrypted USB FAQ’s

If I won't place any Restricted data on a flash drive, and typing a password will interfere with my use by making it less convenient, can I just use an un-encrypted USB drive?
The intent of the UF policy and standard is that all storage devices will be encrypted. There are two very narrow and limited exceptions. See What are the exceptions for encrypting portable storage devices for more information.
What is Restricted data?
"Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts." - UF Policies on Restricted Data Examples include, medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, some research protocols and export controlled technical data.
Why am I required to encrypt all data, even when I don't plan on storing any Restricted data?
Computer equipment is lost and stolen every day, and data breaches happen far too often. It is UF's duty to protect the information entrusted to it. Failure to do so could result in significant financial penalties, loss of grants and contracts, damage to our reputation, and harm to people whose data was disclosed. Internal audits have found Restricted data stored in many places it was not intended to be (and where the owners insisted it wouldn't be). To to be sure, we must protect the most vulnerable places data can be stored.
What about external hard drives?
Portable, external hard drives must also be encrypted. There are not many models available that include hardware-based encryption, which is the best option. Ironkey now has several models that include hardware encryption.
External drives without built-in encryption can be used if encrypted using whole-disk encryption software. Options include:
  • PGP: The best software option is Symantec Encryption Desktop/PGP, because it has the same provability and manageability available to laptop drives. The only downside is that Symantec Encryption Desktop/PGP must be installed on all computers that will use the drive. 
  • Bitlocker / Filevault: Bitlocker on Windows and Filevault2 on Mac OS X can be used to encrypt external drives. This offers greater compatibility, because no extra software is required (if used on the same operating system) but does not provide management or provability.
Can I use a different model of encrypted USB drive?
Other models are acceptable, but it must be verified that the drives are truly hardware encrypted. Many drives advertised as 'secure' just implement a password in software, but the data is not actually encrypted and thus is easily accessible even without the password. We have tested and verified the security of the following models:
  • Kingston Data Traveler Vault Privacy
  • Kingston Data Traveler Locker+ G2
  • Ironkey
Which mobile devices are required to be inventoried?
Mobile computing devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts, must be recorded in the unit’s information assets inventory. Mobile storage devices, including USB flash drives and CD or DVD media, do not need to be inventoried.
What are the exceptions for encrypting portable storage devices?
There are two exceptions included in the Mobile Computing and Storage Devices Standard that have a very limited scope:
Specific uses where no Restricted Data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Restricted Data.
This exception is intended only for situations such as SD cards used in digital cameras or bootable USB drives used to install operating systems. This does not include situations in which encryption is inconvenient or adds undesired complexity.
Specific uses in which devices are used for marketing and public relations, no Restricted Data will be stored, and the intended recipient is not a member of the UF Community. Devices used in this way must be clearly marked as not for use with Restricted Data.
This exception is limited to marketing activities such as if prospective students are provided publicly available materials in an electronic form, or when team rosters are submitted to organizers of athletic events.
Back to Top