URL: https://it.desy.de/services/operating_systems/windows/windows_10/encryption_of_hard_drives_bitlocker_desy/index_eng.html
Breadcrumb Navigation
Encryption of Hard Drives (Bitlocker DESY)
for end users
Since January 2022, an encryption of the Windows laptops is carried out at DESY, this is currently done groupwise. From 01.05.2022, the encryption of the devices for all DESY Windows laptops will be carried out automatically in the background without users normally noticing this.
However, until the general release on 01.05.2022, users must currently take action in order to trigger the encryption of the devices. The necessary steps and other important questions and answers in connection with encryption of Windows laptops are explained below.
Why should Hard Disks be encrypted?
The encryption of data on mobile devices such as notebooks aims to prevent third parties from gaining access to your business or personal data, for example, if the device is lost or stolen.
Procedure
|
|
If the device is switched off during encryption, the encryption will be resumed at that point the encryption stopped, as soon as the device is started again. Please also note the section "How can I check whether the encryption was completed / successful?".
My Device asks for a "Recovery Key" - what do I have to do?
If the stored key for decrypting the hard drive is lost, your device will ask for a "recovery key" at startup. This is required to access the hard drive again. If this happens, please follow the steps below.
First you need a second device that is connected to the internal DESY data network. If you do not have a second device available, please contact one of your group admins or the central IT helpdesk (e-mail: uco@desy.de; Tel: 5005).
-
Open the following link to enter the self-service portal:
https://ad19mbam.win.desy.de/SelfService/Recovery/Index - Start your encrypted laptop, which asks for a Recovery Key.
-
You will now see a "Recovery Key ID" displayed (see Figure 1).
- From the Recovery Key ID, now enter at least the first eight characters in the first text field "Wiederherstellungsschlüssel-ID" and select a reason why the recovery is required. See figure 2.
-
Confirm with a click on the button "Schlüssel abrufen"
-
You should now be provided with a Recovery Key. See Figure 3
-
Now enter the recovery key in the field provided on the encrypted device and confirm with the Enter key. See figure 4. Afterwards your device should be accessible again.
Frequently Asked Questions
How can I check whether the ecryption was successful?
To see if the encryption is complete, press WIN + R. A "Run" input field should now open, in which you enter "Control Panel" and confirm with ENTER.
In the window that then opens, enter "Bitlocker encryption options" in the search field at the top right and click on the suggested search result.
In the following window you can see if your hard drive is encrypted. If it is, it says "Encryption On", as you can see in the picture.
How long does the encryption process take?
The duration of the encryption depends first of all on the size of the hard disk. For a 250GB hard disk, you can expect about 10 minutes.
Afterwards, it is still necessary to leave the device switched on and connected to the internal DESY data network for at least two hours. This is necessary to ensure that the encryption is recognized by the central administration system (Active Directory / MBAM) and to make sure that the security key is transferred to it. This way the key can be queried at a later time if required.
Who do I contact when problems arise?
In case you are already waiting longer than expected for the encryption to complete and in the Control Panel the encryption is not marked with "Encryption On".
- Make sure your device has a stable power supply, as the device often takes longer when in power-saving mode.
- Contact your Windows Group Admins. If your device does not meet the technical requirements for encryption, your Windows Group Admins can determine this.
-
Please feel free to contact the central IT-Helpdesk (Email: uco@desy.de, Tel: 5005)
What happens with my data?
The hard drive on which your data is stored is encrypted. If you have the corresponding key, you can access it at any time.
The key is stored on the PC. So you don't have to remember it, carry it around, or enter it every time you start the device.
Is a data backup necessary?
In principle, a backup of locally stored data is always recommended. This can be done by saving your files to a central storage system like the Windows net drives (H:/N:/S:), DESY Sync & Share or similar.
If you need help with this, please contact your Windows Group Admins or contact the IT-Helpdesk (Email: uco@desy.de, Tel: 5005).
Can I still access my data?
After encryption, you can continue to access your data as usual.
The encryption only restricts access if the stored key is lost. This is noticeable as you will be prompted to enter the recovery key after starting your device.
Are there any performance losses to be expected as a result of encryption?
No, encryption does not affect the performance of your device.
Is the encryption user-based or device-based?
The encryption applies to the device; more precisely, to the hard drive on which Windows is installed. If the key is lost, the entire device is no longer accessible to any of the users until the recovery key is entered.
Travelling (especially other time zones)
In special cases, it may be advisable to carry the recovery key with you in paper form. This is especially true when traveling abroad, especially to other time zones. Since the UCO is not available at night, a person who needs the recovery key might not have the possibility to reach someone at DESY at local daytime.
In this case, your namespace administrator can query the recovery key locally and provide it to you.
If you have any further questions, please do not hesitate to contact your Windows group administrators or the central IT helpdesk (e-mail: uco@desy.de; Tel: 5005).