Device & Data Encryption



In the course of University business, Arizona State University personnel routinely handle sensitive information including Personally Identifiable Information (PII), student records, health records, financial records, and research data. Federal laws, state statutes, and industry standards apply civil penalties for failure to protect sensitive information adequately. Encryption plays a key role in keeping information safe by ensuring that it can't be obtained through theft or eavesdropping.

As part of its overall program to ensure appropriate measures to protect PII and other sensitive data in a robust and least-intrusive manner, Arizona State University provides requirements for encrypting data in transit and storage.

Implementing encryption of data in storage is one of ASU's 2014 Top Five Critical Security Initiatives. As per a document cited by the CFO and Provost in a faculty/staff newsletter dated October 9, 2014, "Faculty and staff need to implement encryption and other standard security requirements on all devices accessing the ASU network. This can include desktops, laptops, mobile devices, printers, HVACs, RFID readers, cameras, display boards, etc."


Endpoint Encryption

Endpoint Encryption ensures that if your computer is stolen, any sensitive information on its disk will be unavailable to the thief. Encrypt your computer's hard disk using your operating system's built-in disk encryption software or other encryption software suggested by UTO.

All ASU maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. The minimum standard for encryption algorithms should be 128-bit AES, or the highest level allowed by export controls in the case of international applications.

Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., minimum system requirements for compliant operating system, chipset including compliant TPM chip), the device should be upgraded or replaced with a compliant device.

Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
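The requirements above (full-disk encryption everywhere possible, at least 128-bit AES, a compliant TPM, and key escrow to Active Directory) can be audited on a Windows endpoint with the built-in BitLocker and TPM cmdlets. The script below is an added example written for this page, not an ASU or UTO tool; it assumes a domain-joined Windows machine with the BitLocker feature, a domain schema that accepts BitLocker recovery information, and an elevated PowerShell session.

```powershell
# Added example: audit a Windows endpoint against the FDE requirements above.
# Assumptions: Windows with BitLocker, run as administrator, domain-joined, and
# Active Directory prepared to store BitLocker recovery passwords (the page's
# preferred key-escrow location). Not ASU/UTO code.

#Requires -RunAsAdministrator

# BitLocker encryption methods that satisfy the "minimum 128-bit AES" standard.
$AcceptableMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256',
                       'Aes128Diffuser', 'Aes256Diffuser')

function Test-TpmRequirement {
    # $true when a TPM is present and initialized: the hardware prerequisite
    # the page names for sanctioned FDE solutions.
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-FdeComplianceReport {
    # One row per BitLocker-capable volume: fully encrypted, acceptable
    # algorithm, and a recovery-password protector that can be escrowed.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            Encrypted        = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
            Method           = $vol.EncryptionMethod
            MethodAcceptable = ($AcceptableMethods -contains [string]$vol.EncryptionMethod)
            HasRecoveryKey   = ($recovery.Count -gt 0)
        }
    }
}

function Backup-RecoveryKeysToAd {
    # Escrow every recovery-password protector to Active Directory so an
    # authorized third party can recover the data when legally or
    # operationally required. Throws if the domain lacks the BitLocker schema.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

# Usage: report hardware readiness, list volumes, then escrow keys only on a
# device that already meets the encryption requirements.
if (-not (Test-TpmRequirement)) {
    Write-Warning 'No ready TPM found: upgrade or replace the device before deploying sanctioned FDE.'
}
$report = Get-FdeComplianceReport
$report | Format-Table -AutoSize
$nonCompliant = @($report | Where-Object { -not ($_.Encrypted -and $_.MethodAcceptable -and $_.HasRecoveryKey) })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Non-compliant volumes: " + ($nonCompliant.MountPoint -join ', '))
} else {
    Backup-RecoveryKeysToAd
}
```

On a device that cannot store recovery passwords in Active Directory, the unit's documented key-escrow process replaces the final step; the report itself is still useful as evidence that the device meets the encryption and algorithm requirements.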

The following documents provide more information on how to encrypt your computer. Consult your departmental technical support personnel for assistance.


Encryption in transit

Encryption in transit reduces the chance that data you access and send will be available to someone who is eavesdropping on the network. Here are some general practices to follow. Consult your departmental technical support personnel for assistance.

  • Use ASU ENCRYPTED wireless. Upgrade at
  • Use the SSLVPN when accessing ASU systems from any network off campus; download and installation instructions are available at
  • Use encrypted protocols (e.g., https, ssh) when accessing any networked system.
  • Note that electronic mail is not secure; even if you get and send your email using an encrypted connection, the person on the other side might not!

Please refer to the ASU Data Handling Standard for more information about use, transmission and storage of sensitive data.



Enterprise & Systems Encryption

The ISO can assist with implementation and review of Enterprise & Systems encryption technologies. For more information, please contact the ISO.



Android Stagefright

There is a potentially severe and unpatched flaw to be announced in a talk at BlackHat & DefCon in a few days. It is expected that almost all unpatched Android devices can be compromised by merely receiving a malicious text message.
Google has acknowledged (and has actually fixed in their Android distributions) the bug in the Stagefright media library which allows a single crafted malicious MMS 'text' to remotely execute code (all the attacker needs is your cell phone's telephone number to send you an MMS text).

Critical Microsoft Update - MS15-078

Microsoft Security has released a patch for all supported Windows systems that fixes a critical security vulnerability.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.