Encryption Requirements

Information Security Standard U5

1. Introduction

  • 1.1 Encryption is the process of making information unreadable to protect it from unauthorized access. After information has been encrypted, a secret key or password is needed to unencrypt it and make it readable again. This document defines standards that Users must comply with for encrypting Devices and files used to access or store UBC Electronic Information so that the information is protected from unauthorized access. This standard may also be used to protect the User’s own personal data, e.g., personal banking information.
  • 1.2 This standard incorporates the legal requirement to encrypt Personal Information stored on Devices, which has been affirmed by the British Columbia Information and Privacy Commissioner in their interpretation of the BC Freedom of Information and Protection of Privacy Act (FIPPA).
  • 1.3 The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

2. Password Protection and Zipping

  • 2.1 Password protecting a Device or file merely creates a barrier that can be easily bypassed by a technically knowledgeable individual. By contrast, encrypting a Device or file protects information by “scrambling” it to make it unreadable. It is virtually impossible to bypass Encryption that complies with UBC standards.
  • 2.2 Zipping files does not automatically encrypt them; a zip file is simply a way to compress data into an easy-to-transport package. Most zip programs contain the ability to protect the compressed file with strong Encryption, but this feature is not turned on by default.
  • 2.3 For instructions on encrypting Word, Excel, and other general files, refer to the How to Encrypt Files Using Common Applications guideline.
  • 2.4 For requirements on emailing UBC Electronic Information, refer to the Transmission and Sharing of UBC Electronic Information standard.
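As an added check for the point in 2.2 (example code, not part of the standard): a Python script that reads each zip entry's header flags to report whether the entry was actually encrypted, and whether with AES rather than the legacy zip cipher. Because Python's zipfile module cannot write encrypted archives, the script hand-builds two constructed sample archives, one plain and one whose headers are marked as AES-encrypted.

```python
"""Check whether the entries of a zip archive are actually encrypted (added example,
not part of the UBC standard). Each entry's general purpose bit flag records whether
it is encrypted; WinZip-style AES entries also carry a 0x9901 extra field."""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general purpose bit flag
AES_EXTRA_ID = 0x9901    # WinZip AES extra field id (strong AES rather than legacy ZipCrypto)
AES_METHOD = 99          # compression method value reserved for AES-encrypted entries

def _has_aes_extra(extra: bytes) -> bool:
    """Walk the (id, size, data) records of an extra field looking for the AES record."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID:
            return True
        pos += 4 + size
    return False

def entry_report(archive: bytes) -> list[tuple[str, bool, bool]]:
    """Return (name, encrypted, aes) per entry, read from the central directory, no password needed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            aes = info.compress_type == AES_METHOD and _has_aes_extra(info.extra)
            report.append((info.filename, encrypted, aes))
    return report

def unencrypted_entries(archive: bytes) -> list[str]:
    """Names of entries that anyone can read without a password."""
    return [name for name, encrypted, _ in entry_report(archive) if not encrypted]

def build_archive(name: str, payload: bytes, flags: int = 0, method: int = 0, extra: bytes = b"") -> bytes:
    """Hand-build a one-entry stored zip so the header flags can be controlled (constructed test data)."""
    fname = name.encode()
    sizes = (zlib.crc32(payload), len(payload), len(payload), len(fname), len(extra))
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, 0, 0, *sizes) + fname + extra + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, 0, 0, *sizes, 0, 0, 0, 0, 0) + fname + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

# Constructed samples: a plain archive (what most tools produce by default) and one whose entry
# is flagged as AES-256 encrypted; its payload is dummy bytes, not real ciphertext.
PLAIN_ZIP = build_archive("budget.xlsx", b"not really a spreadsheet")
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, AES-256, deflate inside
ENCRYPTED_ZIP = build_archive("budget.xlsx", b"\x00" * 32, flags=ENCRYPTED_FLAG, method=AES_METHOD, extra=AES_EXTRA)
```

Run `unencrypted_entries()` over an archive before sending it: a non-empty list means the "password protection" was never applied to those files.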

3. Storage Encryption Risk and Classification Model

  • 3.1 For details on the types of risks associated with the storage of information, and which Encryption tiers mitigate which risks, refer to the Storage Encryption Risk and Classification Model section of the Cryptographic Controls standard.

4. Device Encryption Requirements

  • 4.1 Encryption requirements apply to Devices, whether UBC-supplied or personally-owned, that are used to access UBC Electronic Information and Systems, or store UBC Electronic Information. At a minimum, Encryption must be implemented as follows:

    4.1.1 Laptop and desktop computers (Workstations)
      Encryption Requirements: Must be encrypted with Tier 1 Encryption. For Users working remotely on personally-owned laptop or desktop computers, refer to the Working Remotely standard for supplemental guidance.
      Recommended Toolset: Use native Encryption for Windows (BitLocker), macOS (FileVault) or Linux (see section 6).
    4.1.2 Smartphones, tablets and PDAs
      Encryption Requirements: Must be encrypted with Tier 1 Encryption.
      Recommended Toolset: Use native Encryption for Apple or Android Mobile Devices. Apple and Android Mobile Devices with a vendor-supported OS that is still receiving updates may already be encrypted by default.
    4.1.3 Mobile storage devices/media
      Encryption Requirements: Must be encrypted with Tier 1 Encryption.
      Recommended Toolset: Refer to the How to Encrypt USB Sticks and Other Removable Media guideline.
  • 4.2 If Users are travelling abroad with a laptop that has an encrypted drive or that contains encrypted information, authorities of that country may require them to unencrypt the information or hand over the Encryption keys (see Security Considerations for International Travel with Mobile Devices guideline).
  • 4.3 The requirements in the How to Report Incidents section of the Reporting Cybersecurity Incidents standard must be followed in the event of a lost or stolen Device.

5. IT Infrastructure Encryption Requirements

  • 5.1 Encryption requirements apply to all UBC Electronic Information and Systems, including those stored and accessed in cloud-based technologies. In all cases, the best practice is to encrypt with Tier 3 Encryption or Tier 3+ Encryption. An analysis of appropriate Encryption requirements is best performed during a Privacy Impact Assessment (PIA) or a Security Threat Risk Assessment (STRA).
  • 5.2 Encryption must be implemented as follows (multiple may apply):

    5.2.1 Databases that store High or Very High Risk Information
      Encryption Requirements: Must be encrypted with Tier 3 Encryption where technically possible.
    5.2.2 IT Infrastructure storing files containing High or Very High Risk Information
      Encryption Requirements: Files must be encrypted with Tier 3 Encryption where technically possible.
    5.2.3 Virtual servers and any IT Infrastructure that stores volumes as files in a host environment, such as Containers and virtual disk or volume images
      Encryption Requirements: Volume files must be encrypted with Tier 2 Encryption where technically possible.
    5.2.4 Servers and storage infrastructure located in data centres that:
      - comply with the Physical Security of UBC Data Centres standard; or
      - have an equivalent level of security, specifically: data centres at other higher education institutions and health authorities in Canada; EduCloud; Digital Research Alliance of Canada; or other third-party data centres approved by the CISO.
      Storage infrastructure consists of non-mobile devices, such as Storage Area Networks (SANs), Network Attached Storage (NAS) devices, and Direct Attached Storage (DAS). This excludes mobile devices/media, which are covered under section 4.
      Encryption Requirements: No Tier 1 Encryption required, but files and databases are to be encrypted as per the rows above.
    5.2.5 Other IT Infrastructure than listed above
      Encryption Requirements: Must be encrypted with Tier 1 or Tier 2 Encryption.
  • 5.3 Regardless of the Encryption requirements in section 5.2, a higher tier of Encryption may be required to meet additional obligations such as contractual requirements.
  • 5.4 To limit vendor access to UBC Electronic Information, Encryption keys must be stored with UBC (and not the vendor) unless not technically possible.

6. Encryption of Workstations using Operating Systems other than Microsoft Windows and Apple macOS (e.g., Linux)

  • 6.1 Due to operability or performance constraints, Tier 1 Encryption is not always feasible. In those cases, any of the following alternative options are considered acceptable, in recommended order:
    • 6.1.1 Tier 2 Encryption on all volumes used to store UBC Electronic Information; or
    • 6.1.2 Tier 2 Encryption or equivalent encrypted Virtual Machine (VM); or
    • 6.1.3 a local home directory encrypted with Tier 2 or Tier 3 Encryption; or
    • 6.1.4 a securely mounted directory in a UBC Data Centre, e.g., TeamShare or Home Drive.
  • 6.2 University IT Support Staff must advise Users who implement any of the above options that:
    • 6.2.1 any user-accessible volumes that are unencrypted are not secure;
    • 6.2.2 the User must store all Medium, High or Very High Risk Information, including local replicated copies from cloud storage services (e.g., OneDrive), in one of the options listed in section 6.1; and
    • 6.2.3 the User should put Tier 1 Encryption in place as soon as it is feasible.

7. Encryption Exemptions

  • 7.1 The following types of UBC Systems are exempt from Encryption requirements if they are fully compliant with the Encryption Exemption Criteria and they have been documented in a completed and submitted Encryption Exemption Attestation Form:
    • 7.1.1 Direct Attached Storage (DAS);
    • 7.1.2 Containers;
    • 7.1.3 kiosks;
    • 7.1.4 public workstations;
    • 7.1.5 instructional lab workstations;
    • 7.1.6 instrument controllers; and
    • 7.1.7 lectern/podium workstations.
  • 7.2 If the UBC System cannot be encrypted and is not compliant with the Encryption Exemption Criteria, then a variance must be requested from the CIO, as per the Requesting Variances standard.

8. Password Requirements

  • 8.1 Strong passphrases or passwords must be used for Encryption in compliance with the Passphrase and Password Protection standard.
  • 8.2 If the password (also called a “key”) is forgotten or lost, the data may be unrecoverable. Therefore, it is essential to have a key recovery strategy. Where possible, faculty and staff should use a password safe (refer to the Password Safe guideline), or simply write down the password and store it in a secure location such as a safe. Further information about key recovery can be found in the Cryptographic Controls standard.

9. Technical Requirements

  • 9.1 UBC’s minimum Encryption standard is AES-128 bit Encryption or equivalent; AES-256 bit Encryption or better is recommended. Further technical requirements can be found in the Cryptographic Controls standard. University IT Support Staff, including staff in the IT Service Centre, are available to assist Users to implement these requirements where necessary.

Related Documents and Resources

BC Freedom of Information and Protection of Privacy Act (FIPPA)

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

How to Encrypt Files Using Common Applications guideline

Transmission and Sharing of UBC Electronic Information standard

Cryptographic Controls standard

Working Remotely standard

How to Encrypt USB Sticks and Other Removable Media guideline

Security Considerations for International Travel with Mobile Devices guideline

Reporting Cybersecurity Incidents standard

Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA)

Physical Security of UBC Data Centres standard

Encryption Exemption Criteria

Encryption Exemption Attestation Form (with CWL credentials)

Systems for Encryption Exemption

Requesting Variances standard

Passphrase and Password Protection standard

Password Safe guideline

Case Studies in Encryption Requirements

Standard Last Revised: 2025-03

Page last updated on January 20, 2026
