USB Encryption

USB Drive Data Protection

In accordance with the University's Information Security Policy, portable storage media that contain sensitive and confidential information should be protected by reasonable and effective measures to safeguard the confidentiality of the data. Effective from Jan 2026, the University will implement a new USB drive encryption initiative for all centrally managed computing devices, ensuring that data stored on USB drives is securely encrypted. The selected approach offers extensive coverage across our existing systems.

Key Highlights:

  • Covers all staff Windows devices (macOS will be included in a later phase)
  • Integrates seamlessly with current infrastructure
  • Supports our commitment to responsible data handling and compliance

Note:
Encrypting a USB drive takes some time, and the duration varies with the drive's size and speed. For instance, it takes approximately 20 minutes to encrypt a 4GB USB 2.0 drive and 90 minutes to encrypt a 128GB USB 3.2 drive. You can continue to use your PC during encryption, but removing your USB drive before completion can lead to data corruption and damage to the drive. DO NOT interrupt the encryption process. Please plan ahead and encrypt your USB drives in advance to avoid any last-minute issues.

 

Whenever possible, colleagues are advised to work with files directly on network or cloud storage protected by passwords and access controls (without downloading them), especially on clients that are not used solely by them, and to limit the use of USB drives to essential situations only. When the use of USB drives is deemed necessary, follow the encryption steps below.

How does USB drive data encryption work?

  1. The University adopts BitLocker Drive Encryption. Users will be prompted to encrypt the USB drive when it is connected to a centrally managed PC for the first time. Click Encrypt this drive using BitLocker Drive Encryption. If you choose not to encrypt the drive, you can still open and view files on it, but you will not be able to save files to it.

     
  2. Check the box Use a password to unlock the drive. Type in your own password, which should be at least 8 characters/digits.

     
  3. Either save or print the recovery key and click Next. (NOTE: It is a Microsoft limitation that the recovery key saved in this step cannot be used to recover the USB drive, yet this step is mandatory in the process. The real-time recovery key is kept centrally by OCIO. Colleagues who need to recover the USB drive should contact IT Help Desk for assistance.)



    You can now press the Next button to proceed.


     
  4. When prompted to choose how much of your drive to encrypt, choose Encrypt entire drive.

     
  5. Click Start encrypting.

     
  6. Wait patiently. Encryption may take some time depending on the size and speed of the drive.

     
  7. After encryption completes, you can save files on the encrypted USB drive.

     
  8. To access the encrypted USB drive, enter the password and click Unlock.
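
A way to confirm from PowerShell that encryption has finished before the drive is removed, using the built-in Get-Volume and Get-BitLockerVolume cmdlets. This is an added example, not part of OCIO's instructions; the function name Get-UsbEncryptionStatus and its output fields are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not OCIO's tooling). Get-BitLockerVolume needs an elevated session.

function Get-UsbEncryptionStatus {
    # Removable volumes that currently have a drive letter assigned.
    $usbVolumes = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $usbVolumes) {
        $mount = "$($vol.DriveLetter):"
        $blv   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        if (-not $blv) {
            $advice = 'BitLocker status could not be read for this drive'
        }
        elseif ($blv.LockStatus -eq 'Locked') {
            $advice = 'Locked: unlock with the password to read encryption progress'
        }
        elseif ($blv.VolumeStatus -eq 'EncryptionInProgress') {
            $advice = 'Encryption still running: do NOT remove the drive'
        }
        elseif ($blv.VolumeStatus -eq 'FullyEncrypted') {
            $advice = 'Encryption complete: files can be saved to the drive'
        }
        else {
            $advice = 'Not fully encrypted (status: {0})' -f $blv.VolumeStatus
        }

        # True when a password protector exists (set in step 2 of the procedure).
        $hasPassword = [bool]($blv.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'Password' })

        [pscustomobject]@{
            Drive             = $mount
            VolumeStatus      = $blv.VolumeStatus
            EncryptedPercent  = $blv.EncryptionPercentage
            PasswordProtector = $hasPassword
            Advice            = $advice
        }
    }
}

Get-UsbEncryptionStatus | Format-List
```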



     

Colleagues need to install the Microsoft Configuration Manager (MCM) client in order to enable the USB encryption policy on non-centrally managed departmental notebooks/PCs. To check if the MCM client is installed, go to Control Panel and look for Configuration Manager.

If you cannot find Configuration Manager on the notebook/PC, follow the steps below to install it manually. Should you need any assistance in the process, please do not hesitate to reach out to IT Help Desk.

Installation of the MCM client on non-centrally managed departmental notebooks

 

  1. Go to Online Software Installation for Staff PC from the Software tab on the OCIO webpage. Then click on the Microsoft Configuration Manager (MCM) client to download it.

     
  2. Locate the downloaded file in the Downloads folder, right-click it and select Run as administrator.

     
  3. Wait around 15 minutes for the installation to complete. You will be prompted to submit the device name (formerly called the computer name) via a Qualtrics form. Click OK to proceed and then log in with your EdUHK account. You will see that your device name has been copied onto the form. Just click Submit.



    Note: The device name can also be found under the System section in Control Panel.
     
  4. It normally takes around one working day for us to activate the MCM client on the notebook. Look for Configuration Manager in Control Panel to check if the MCM client is installed. Then, try inserting a USB drive into the notebook and see if you are prompted by BitLocker as below. Otherwise, contact IT Help Desk at 2948 6601 for assistance.

 

For enquiries, please contact Help Desk at 2948 6601 or helpdesk@ocio.eduhk.hk