Symantec Endpoint Encryption FAQ


Brown offers free full disk encryption using Symantec Endpoint Encryption software (SEE), which provides advanced data and file encryption for desktops, laptops, and removable storage devices.

The following FAQ covers the basic points of installation and use. Should you have other questions to add to the list, please contact us at ISG@brown.edu.

» Who should be using SEE?
» How can I obtain a copy?
» Are there any precautions or risks I should be aware of?
» What are the steps involved once SEE is installed?
» Where can I find written documentation?
» What should I know about decryption?
» What restrictions are there when traveling out of the country with an encrypted laptop?
» Resources


Q. Who should be using SEE?
A. ISG recommends that faculty and staff install SEE if they use laptops containing Brown Restricted Information (especially frequent travelers). Use Identity Finder to determine the presence of BRI. If detected, either remove it, or if necessary, encrypt it.

Q. How can I obtain a copy?
A. SEE should be installed by a qualified support person. Contact your Departmental Computing Coordinator (DCC) or IT Support Consultant (ITSC) to make arrangements. If you do not have one, contact the Help Desk (help@brown.edu, 863-4357) to assist you in locating a support person.

Q. Are there any precautions or risks I should be aware of?
A. Though unlikely, you could experience a disk crash during the installation process, resulting in the loss of your data. As a precaution, it is recommended that you back up your laptop before the installation. As above, only a qualified support person should install SEE due to possible risks. In addition, once your laptop is encrypted, data recovery after a crash will no longer be possible. You should therefore make it part of your routine to back up your laptop regularly.

Q. What are the steps involved once SEE is installed?
A. After SEE is installed you should take the following precautions:

  • Make sure that an ALERT tag has been affixed to your laptop (this should have been done as part of the installation process).
  • Do NOT attempt to run any disk tools by booting from another boot drive or USB stick. Doing so may result in the loss of data.
  • Updating the BIOS may cause Windows to freeze at next boot.
  • Macintosh owners cannot and should not encrypt any externally attached drives.
  • Note that the encryption process can take 8 hours or more to complete, depending on the volume of data stored on your hard drive. However, this process can run in the background and be stopped and started as needed.
  • If your encrypted computer requires servicing, turnaround time may be extended due to the time it will take us to decrypt and re-encrypt data.
  • If you plan to travel out of the country, please review the security considerations listed below.

Q. Where can I find written documentation?
A. User guides from Symantec can be found at: Windows and Mac OS X. Should you need additional assistance, your first point of contact for support should be your DCC or IT Support Consultant (ITSC). If unavailable, contact the Help Desk during regular business hours.

Q. What should I know about decryption?
A. In the event that you feel your computer needs to be decrypted, contact your local DCC, or if none, the Help Desk. Note that the decryption process will take about the same length of time as encryption did.

Q. What restrictions are there when traveling out of the country with an encrypted laptop?
A. U.S. federal regulations control the export of "encryption commodities, software and technology" (see Code of Federal Regulations, Title 15, Section 740.17). There are, however, license exceptions that allow travelers to take encrypted laptops with them, provided that they return within the year and "retain effective control and ownership." This coverage is global except for the handful of embargoed countries that the U.S. government has designated as supporting terrorism. Travel to any of these countries requires that you remove any encryption technology from your laptop before entering the country.

In addition, as some countries ban or severely regulate the use of encryption, you should check country-specific information before traveling with an encrypted laptop. Following is a partial list of those countries. Check the U.S. State Department website before traveling to verify that the information is still current. In addition, any faculty, post-docs, graduate students and PIs should check in with OVPR, Insurance and Risk, and the CISO before traveling overseas.

  • Burma (you must apply for a license)
  • Belarus (import and export of cryptography is restricted; you must apply for a license from the Ministry of Foreign Affairs or the State Centre for Information Security or the State Security Agency before entry)
  • China (you must apply for a permit from the Beijing Office of State Encryption Administrative Bureau)
  • Hungary (import controls)
  • Iran (strict domestic controls)
  • Israel (personal-use exemption – must present the password when requested to prove the encrypted data is personal)
  • Morocco (stringent import, export and domestic controls enacted)
  • Russia (you must apply for a license)
  • Saudi Arabia (encryption is generally banned)
  • Tunisia (import of cryptography is restricted)
  • Ukraine (stringent import, export and domestic controls)

Resources

Internal links about traveling:

External links about traveling: