Full Disk Encryption

Last updated
Save as PDF

Overview

EgoSecure Full Disk Encryption is a product developed separately from EgoSecure Data Protection Server. EgoSecure Full Disk Encryption can be installed locally or via the EgoSecure Data Protection Console (remotely). Remote installation and management is performed if the EgoSecure Agent is installed on a computer.

The encryption settings and encryption keys under Product settings | Encryption are NOT connected to Full Disk Encryption.

Detailed information about FDE you can find in:

Applying changes made locally. Changes made locally (except statuses about initialization/deinitialization and disk encryption) are not transferred to the EgoSecure Server and, therefore, not displayed in the EgoSecure Data Protection Console.

Installation

The installation of the Full Disk Encryption consists of three stages:

FDE installation
FDE initialization
PBA installation and initialization

FDE installation and update

Preparing the installation

Go to Product settings | FDE | Installation settings.
If the installation files will be located on the EgoSecure Server:
- Select the EgoSecure Server radio button.
- In the FDE 32-bit installation file and FDE 64-bit installation file areas, click … to upload the EgoSecure Full Disk Encryption by Matrix42 [version].msi and EgoSecure Full Disk Encryption by Matrix42 [version] x64.msi files respectively.
If the installation files are located in the network directory:
- Select the Network directory radio button.
- In the Network folder field, define a network folder where the Full Disk Encryption installation file is stored. Make sure the installation archive has been unzipped.
- In the User and Password fields, specify a login, with which the EgoSecure Server can access the share.
- Enter the file names of MSI files.
In the Component selection field, define which components to install on the clients. The FDE component is enabled automatically and cannot be disabled, because without it no other component can be installed.
- PBA: PBA components
- Control Panel: EgoSecure Full Disk Encryption Control Center Plugin for the Windows control panel
- Policy Builder: Policy Builder components
- Report API: Support for status information retrieval via third-party applications
- Recovery Tools: Windows PE Emergency Recovery Disk (ERD), Secure Erase and Secure Wipe
Click Save.

Creating a configuration profile

Go to Product settings | FDE | Configuration profiles.
Click Add.
A new profile appears in the list.
Double-click the profile and enter a name.
In the lower area, specify the settings.
Click Save.
You can now use the profile for the FDE installation.

Installing FDE

Go to Computer management | FDE.
Select the domain and folder in the Directory service structure work area.
In the Computer management - FDE work area, right-click an online computer and click Activate. To select multiple computers, hold down the Ctrl key and click.
The Full Disk Encryption license is activated for the selected computer.
To apply a user-defined profile or to specify settings manually, right-click on the client and select:
- Configuration profiles | [profile name]: install with a user-specific configuration profile. For details, see: Creating a configuration profile
- Configuration profiles | <None>: install without a profile.
If this step is skipped, the Default profile is used.
Right-click the client and select Install Full Disk Encryption from the context menu.
The installation starts. In the FDE status column, the Installation in progress entry appears.

Updating FDE

Prepare the latest EgoSecure Full Disk Encryption installation files in the network directory or reupload them to the EgoSecure Server. For details, see Preparing the installation.
Go to Computer management | FDE.
Select a computer. To multiselect, hold down Ctrl and click.
Right-click a computer and select Update Full Disk Encryption from the context menu.

Troubleshoot Installation Issues

In Product settings | FDE | Installation settings, check whether the FDE installation package exists in the specified network share, check the credentials for accessing the network share.
Check the access to the network share from the client computer using the same credentials specified in the Console.
Check whether the EgoSecure Agent is installed on target computers.
Check the communication and connectivity between the EgoSecure Server and the EgoSecure Agent:
- telnet computername 6006 – to check connectivity from the Server to the Agent
- telnet servername 6005 – to check connectivity from the Agent to the Server
Windows Firewall or other 3rd party firewalls can block communication and exception rule is required for the communication ports used.

If nothing helps and installation fails, technical support and the Matrix42 engineering team needs the following information:

Error message screenshot or behavior description.
The time when the error occurred to locate the information in the log files (full screenshot with the time in the system tray is preferable).
Server log file collected with maximum detail (Log level = Debug or Extreme debug).

FDE initialization

Please note that during the initialization, the computer on which the initialization is performed must be restarted.

Under Computer management | FDE, right-click a computer. To select multiple ones, hold down Ctrl and click.
Select Initialize FDE from the context menu.
Click OK to confirm the message.
The initialization starts. In the FDE status column the Executing script entry appears.
Once the FDE initialization is finished, the not initialized status in the FDE column changes to initialized.

PBA installation and initialization

PBA is installed together with FDE if the PBA check box is selected under Product settings | FDE | Installation settings. If PBA check box was not enabled before installation, right-click a computer and select Install PBA from the context menu.

PBA can be initialized only after the FDE initialization.

Under Computer management | FDE, right-click a computer.
Select Install PBA from the context menu if PBA has not been installed along with FDE.
Select Initialize PBA from the context menu.
PBA is installed and initialized, the script to transmit the changes is created.

Protecting installation with the administrator password

The administrator password is defined to forbid a user to make changes in Full Disk Encryption locally without a password.

Changing administrator password

Under Computer management | FDE, right-click a computer.
Select Change administrator password from the context menu.

Enter a new password and confirm it.
Click OK.

The administration password from the Administrator tab is used for computer authentication, but doesn’t change a password.

Entering password for authentication

This password is used only to authenticate the client with FDE installed. This password must be the same as the administration password.

Select a computer under Computer management | FDE.
In the Administrator tab, Administration password area, click Change.
The Enter password dialog appears.
Enter the password and confirm it.
Click OK.
The dialog closes.

Configuring PBA

Configuring authentication via a smart card

Pre-boot authentication is performed via user credentials (domain, user and password) or via a smart card. To perform authentication via the smart card, a special certificate must be copied to it and the smart card must meet the requirements.

Requirements for smart cards

Smart card model is supported by EgoSecure.
Smart card supports buffer encryption (contains special key usage attributes).

Before using smart cards in the production environment, check in the test environment whether the configured smart card works correctly.

Preparing a smart card

The steps below describe on how to get a certificate signed by Microsoft in the Active Directory Certificate Services. Smart cards with self-signed certificates may also work with PBA, but we cannot guarantee. That is why, better use the solution below.

Create a certificate signing request in the utility of your smart card or in the Microsoft Management Console.
Deploy the PKI. For details, see the Microsoft Article which describes how to configure the internal certificate authority.
In Internet Explorer, open an enterprise Certification Authority page (generally, it looks like https://IP-adress_of_CA/certsrv or https://domain_name_of_certificate _authority/certsrv). When authorization is required, enter the credentials of the user, whom the certificate must be given to.
Click the Request a certificate link.

Click the advanced certificate request link.

Click the link Submit a certificate request by using a base 64-encoded CMC…

Open the certificate request file in any text editor (for example, Notepad), and copy its content to the clipboard.
Paste information from clipboard to the Saved Request field. In the Certificate Template section, select Smartcard User from the drop-down list, and press the Submit button

Select the Base 64 encoded radio button, and then click the Download certificate link to save the certificate in the Base 64 format.

Save the certificate to the smart card.
Unplug and re-attach the smart card.

Preparing YubiKey smart cards

Download and install the following utilities:
- YubiKey Manager
  - YubiKey PIV Manager
Start the YubiKey Manager utility.
Click Configure.

The Configure USB Interfaces dialog appears.
Enable the CCID check box, and click Save.

Unplug and re-attach YubiKey Neo device, and close the YubiKey Manager utility.
Open the YubiKey PIV Manager utility, and click the Certificates button.

In the Authentication tab, click Generate new key.
Select the RSA (2048 bits) encryption algorithm. In the Output panel, select the Certificate Signing Request (CSR) radio button.

Only certificates signed by a domain with a Certificate Authority are supported.

Specify the path for the subject of the user in the Active Directory.
For example, for the user who is in the Organizational unit of the cit.local domain, the path looks like this:
- /CN=user/OU=OrganizationUnit/DC=cit/DC=local
Click OK.
The Save Certificate Signing Request as dialog appears.
Enter a file name to save a certificate request, and select the folder where to store the file.
Enter PIN for device access.
The private key is generated and saved to the device. Perform steps 2-9 described in Preparing a smart card.
Open the YubiKey PIV Manager utility application, and then click the Certificates button.

In the Authentication tab, press the Import from file… button to load the certificate created from file.
Unplug and re-attach the device to use the YubiKey Neo device with a new certificate.

Adding a smart card for PBA

Using the EgoSecure Data Protection Console, smart card can be added manually or automatically. It is better to use an automatic way of capturing credentials instead of a manual one till the moment the smart card is checked in a test environment. Once the logon with the smart card is performed successfully in the test environment, enable user capturing for all computers (automatically) or add smart card credentials for all computers manually.

Adding a smart card automatically

Open the EgoSecure Data Protection Console. Under Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, select the smart card logon method.
Check Enable user capturing.
Click Save.
Right-click the computer and select Apply PBA settings.
During next boot on the selected computer, smart card credentials are captured automatically and a user is added to the list. During all other boots performed after it, pre-boot authentication with the smart card occurs.

Adding a smart card manually

Open the EgoSecure Data Protection Console. Under Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, select the smart card logon method.

Click Add.
The PBA Smartcard dialog appears.

Double-click a smartcard certificate and select Properties from the context menu.
The Certificate dialog appears.
In the Certificate dialog, navigate to the Details tab.
Copy the data from the Value column of the Subject entry to the Distinguished name field of the PBA smartcard dialog. E.g.: local, vc, de, plana, Users, Administrator, administrator@....

Special characters and order. In most cases, the values of the Subject field are pasted in the reverse order. Test if it works, if not - import a certificate locally (as described in the EgoSecure FDE – Installation and troubleshooting guide, “Importing a certificate”) to see which order is the right one. The order depends on the smart card specification. Special characters are not supported. Check if there are any special characters in the required fields.

Copy the data of the Public key entry to the Key value field of the PBA smartcard dialog.

Click OK in the PBA Smartcard dialog.
Right-click the computer and select Apply PBA settings.

Defining smart card reader and PKCS#11 provider

By default, the smart card reader and PKCS#11 provider are detected automatically, but it increases the amount of computer start time.

Under Computer management | FDE, select a computer where PBA is initialized.
In the Smart card tab, in the smart card reader drop-down, select the card reader you want to use for PBA. Selecting Automatically detect card reader means that all the CCID-compliant readers contained in the generic CCID bundle delivered with Linux will be used – this will increase the startup time.
In the PKCS#11 provider drop-down, select the PKCS#11 provider mechanism on the smart card. Selecting Automatically detect provider means that all the providers will be checked upon startup - this setting does not work with several smart cards.

Defining criteria for selecting the certificate used for encryption (optional)

Define the criteria for selecting the certificate used for encryption. Certificates can be distinguished by labels or key usage. The certificate label and key label entries are case sensitive! Bear this in mind when defining the certificate labels or the key labels. If the labels are configured incorrectly, it will prevent the successful authentication of the user and, therefore, the system will not start. If the Key Usage is set to the wrong values, i.e. no certificate on the smart card matches the usage set in the list, then authentication is also not possible and the system will not start.

Label

The term ‘Label’ refers to the filename of the certificate file on the smart card, for example User_Certificate. Follow these steps to add a certificate based on a Label:

Under Computer management | FDE, select a computer where PBA is initialized.
In the Certificates tab, select the Label radio button.
Enter the label into the Label field and click Add. If the smart card contains more than one certificate (multi-user access) then you should add the labels for those as well.
If you have mistakenly entered a false label, select it from the list and click the Remove button to remove it from the list.
To sort label preference, select a label in the list and click either Up or Down - the certificate that will be used for authentication is the first one in the list that matches the label criteria.

Key Usage

Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, select Digital signature and/or Non-repudiation extensions from the drop-down menu. Alternatively, if a key is used only for key management, select Key encipherment. For further details about the key usages supported by EgoSecure Full Disk Encryption smart card authentication, see the EgoSecure FDE - Administration and Usage Guide, chapter 6.2.

Follow these steps to add a certificate based on Key Usage:

Under Computer management | FDE, select a computer where PBA is initialized.
In the Certificates tab, select the Key Usage radio button.
Choose a standardized form of key usage from the Key Usage drop-down menu, for example, Data Encipherment.
Click Add.
To give preference to a specific key usage, select it from the list and click either Up or Down. Key usages at the top of the list have preference (the certificate that will be used for authentication is the first one whose key usage matches the criteria in the list).
Select one of the following matching policies:
- Any. The first certificate that contains any key usage from the list will be used.
- All. The certificate must fulfill all the key usages in the list.
- None. No certificate may contain any of the key usages from the list.
If you have mistakenly entered a false certificate label, select it from the list and click Remove.

Configuring authentication via user credentials

Using the EgoSecure Data Protection Console, user credentials be added manually or automatically. It is better to use an automatic way of capturing credentials instead of a manual one till the moment the smart card is checked in a test environment. Once the logon with the smart card is performed successfully in the test environment, enable user capturing for all computers (automatically) or add smart card credentials for all computers manually.

The maximum password length for Pre-Boot Authentication is 32 symbols.

Adding user credentials automatically

Open the EgoSecure Data Protection Console. Under Computer management | FDE, select a computer where PBA is initialized.
In the PBA authentication tab, select the user credentials logon method.
Check Enable user capturing.
Click Save.
Right-click the computer and select Apply PBA settings.
During next boot on the selected computer, user credentials are captured automatically and a user is added to the list. During all other boots performed after it, pre-boot authentication with user credentials occurs.

Adding user credentials manually

Open the EgoSecure Data Protection Console. In Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, select the User/Password logon method.

Click Add.
The PBA User dialog appears.
In the Domain field, enter a domain, to which a user belongs.
Enter a user name and password. The password must me no longer that 32 symbols.
Click OK.
The dialog closes and a new entry appears.

Click Save.
Right-click the computer and select Apply PBA settings.

Permitting single sign-on (SSO) for a user

When SSO is enabled, a user only needs to enter smart card or user credentials in the EgoSecure PBA dialog once, because standard Windows logon dialog will be performed automatically. When SSO is disabled, a user needs to enter smart card or user credentials twice: in the EgoSecure PBA dialog and then in standard Windows logon dialog.

Under Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, enable Activate single sign-on.

Enable the No automatic confirmation option so that user credentials will be pre-entered into the Windows logon dialog but user confirms them manually. If the option is not enabled, the Windows logon dialog doesn’t appear for a user at all.
Enable the Show last username option to always display the user name of the last known logged-on user in the PBA logon dialog.
Click Save.
Right-click the computer and select Apply PBA settings.

Enabling Helpdesk for a computer

Helpdesk assists users to boot their computers in case of emergency, for example, when a user has forgotten the password or lost the smart card. The Challenge-Response mechanism is used to securely unlock PBA.

Under Computer management | FDE, select a computer.
Go to the Helpdesk tab.
Select the mode (comfort or strong).
Click Add.
Click Save.

Right-click the computer in the Computer management - FDE work area.
Select Apply PBA settings from the context menu.
Once the script is executed, the Helpdesk activated message appears.

Using Helpdesk

Goal: to deactivate PBA for a user for 1 boot.

User:

Restarts a computer to boot Windows once PBA is installed and initialized.
Restarts a computer once again and cannot remember the password.
Clicks the Helpdesk button.

Selects the Deactivate pre-boot authentication option. Clicks Next.

Contacts an administrator and clicks Next.
Sends the displayed Request ID to the administrator. Clicks Next.

Sends the displayed Challenge code to the administrator. Clicks Next.

Administrator:

Enters the request ID code into the Request

Enters the challenge code into the Challenge field.

Sets the number of boot actions permitted without PBA authentication.

Clicks Generate.
The response code is automatically generated in the Response field.

Sends the code to the user.

User:

Enters the code.

Clicks Finish.

Using Friendly network

Overview

Friendly network simplifies the process of booting if the network is known. If connection to the Server can be established during PBA, the authentication is skipped and boot into Windows occurs. If computer is outside the known network, the PBA asks for authentication.

Functionality

PBA authentication phase is skipped with the help of Helpdesk. When PBA is booted, helpdesk request is generated and sent to the Server. An attempt to sign in to the system on the basis of a server response is made. If the attempt is successful, the computer is restarted followed by Windows boot. If the attempt is unsuccessful (incorrect network configuration, no connection to the Server etc.), PBA authentication is needed as usually.

Requirements

Helpdesk is activated for the computer. For details, see helpdesk.
Computer has at least one Ethernet adapter connected to the network that has access to the EgoSecure Server.
The connected adapter is supported by EgoSecure. See the list of Supported Ethernet manufacturers for Friendly Network.
The network supports DHCP protocol.
The network uses IPv4.

Restrictions

The ACPI boot mode is not supported.
Not compatible with BIOS Simple PBA (text-based mode).
Not compatible with Linux-based PBA if SSL is enabled.

Recommended on BIOS. Disable Quick Boot (Fast Boot) in BIOS settings as it skips the network drivers necessary for Friendly Network.

Enabling Friendly network

Under Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, enable the Activate Friendly Network option.
Click Save.
Right-click the computer and select Apply PBA settings.

Local changes do not display in Console. Friendly network is activated not only via the EgoSecure Data Protection Console, but also via the EgoSecure Full Disk Encryption Control Center. If the option state changes locally in the EgoSecure Full Disk Encryption Control Center, the option state in the EgoSecure Data Protection Console doesn’t change.

Temporary disabling PBA

Sometimes computer reboot without PBA is needed. To deactivate PBA and activate it automatically after reboot, the following steps are performed:

Go to Computer management | FDE.
Right-click a computer and select Deactivate PBA from the context menu.

Enable the checkbox and define the number of reboots.
Click OK.
The dialog closes.
Once a defined number of reboots is performed, PBA is activated back automatically.
Computer reboot can be initiated only when status in the PBA column is changed to deactivated and script is executed successfully.

Defining the number of failed PBA login attempts

The locking option enables the process of system locking when the user enters incorrect login data. Leaving the Locking option disabled allows users to enter their password incorrectly a limitless number of times without penalty.

Under Computer management | FDE, select a computer where PBA is initialized.
In the PBA settings tab, check the Enable locking option.
In the Failed logins after which login is delayed field, enter the number of times a user may enter an incorrect password before being penalized with a time penalty the next time they logon. This number should be less than that for Maximum number of failed attempts.
In the Maximum number of failed logins field, enter the number of times a user may attempt to enter the correct password. This number should be more than that for Failed attempts after which login is delayed. Entering the value 0 means that locking is deactivated!
Click Save.
Right-click the computer and select Apply PBA settings.

Configuring PBA login dialog

Selecting the background image and keyboard layout for PBA logon dialog

Under Computer management | FDE, select a computer where PBA is initialized.
In the PBA settings tab, under Other settings, select one of the Background image option for the PBA logon dialog:
- Default to use a default PBA image.
- Sync desktop wallpaper to use an individual desktop wallpaper of each computer where PBA is launched.
- Sync lock screen wallpaper to use an individual lock screen wallpaper of each computer where PBA is launched.
- Custom to select an optional background image. The image is automatically resized to the correct resolution and color depth for the PBA screen: 800x600 pixels, 24-bit.
If you selected Custom in the previous step, click in the Custom image path field to define a path for a background image.
In the Keyboard layout drop-down, select which keyboard layout is used for PBA.
Click Save.
Right-click the computer and select Apply PBA settings.

Showing the name of the last logged in user in the PBA logon dialog

Under Computer management | FDE, select a computer where PBA is initialized.
In the Pre-Boot Authentication tab, enable the Show last username option.
Click Save.
Right-click the computer and select Apply PBA settings.

If PBA loading with current motherboard failed

If PBA loading with current motherboard failed or your motherboard is considered as an old one, reinitialize FDE with the enabled Use alternate loader option.

Under Computer management | FDE, select a computer where FDE has been uninitialized.
In the Full Disk Encryption tab, enable the Use alternate loader option in the Alternate loader area.
Click Save.
Initialize FDE again.

Using FDE

Requirements for encryption

Hard disk encryption applies to IDE, SATA, and SCSI hard disks formatted using the NTFS file system under Windows. Hard disks formatted using the FAT file system are not supported. EgoSecure Full Disk Encryption supports the integrated power management mechanisms of Windows ‘Suspend to RAM’ and ‘Suspend to Disk’ with enabled, as well as disabled, PBA. If your hard disk is already encrypted using a third-party product, please, decrypt it BEFORE re-encryption with EgoSecure Full Disk Encryption.

You cannot apply hard disk encryption to the following:

Disks formatted with FAT
A remote (network) hard disk
A drive that uses software BIOS, for example: EZ-Drive, Drive-Pro or Disk Manager.

Possible data loss. To avoid data loss, follow the points below:

Do not encrypt drives that are already encrypted. If your hard drive is already encrypted with a third-party product, decrypt it BEFORE encryption with EgoSecure Full Disk Encryption.
Do not encrypt system logical drives where the operating system is installed.
Make sure that you close, or stop, applications that perform hard disk intensive operations before you start the initial encryption.
Do not turn off the computer or work on the computer while the initial encryption is in progress. Doing so would result in data corruption

Emergency recovery

Below is described why emergency recovery is needed and how to get the emergency recovery file. For details about performing emergency recovery, see the EgoSecure FDE – Administration and usage guide, chapter 1.13.

Why ERI file is needed?

ERI file is used to decrypt an encrypted disk if, for example, administrator password is forgotten.

How to create ERI file?

ERI file is created automatically during a disk encryption. Click Change to specify a password for the ERI file before the disk encryption. If the password is not specified the disk encryption fails.

How to export ERI file?

If Automatically save ERI file option was checked before the disk encryption, the ERI file is copied to the EgoSecure database automatically and, therefore, can be saved as a file via the Export button.
If Automatically save ERI file option was NOT checked before encryption, ERI file is not copied to the EgoSecure database automatically and, therefore, can NOT be saved as a file via the Export button. In this case, copy ERI file to the EgoSecure database manually by clicking Copy and then click Export.

Storing data for emergency recovery in cache. To store data for emergency recovery in cache of the computer where FDE is installed, enable Cache emergency recovery information on disk. This data is stored on the FDE partition in an encrypted form. That allows for administrator to load emergency recovery information directly from computer cache when it is needed.

Encrypting a disk

Define settings to decrypt a disk in case of emergency.
Read the requirements for encryption.
Under Computer management | FDE, in the Full Disk Encryption tab, select one of the encryption options:
- Encrypt the whole drive. Encrypting all sectors of the drive provides more security because even such things as already deleted data will be encrypted. Select this option to encrypt all the sectors of the partition.
- Encrypt just used parts of the drive. When a drive is initially encrypted, either all the sectors (regardless of whether they contain data or not) or only those sectors that contain data, can be encrypted. Encrypting only those portions of the drive that are used is much faster in most of the cases. Select this option to encrypt only the currently used sectors during the initial encryption.
Select an encryption algorithm:

Algorithm	Description
Blowfish	A strong, fast, and compact algorithm that supports key lengths of up to 448 bits.
DESX	A widely used cryptosystem and uses a key length of up to 128 bits.
DES	A widely used cryptosystem and uses a key length of up to 56 bits.
AES	Provides the most effective protection using a 256-bit key. The AES (Advanced Encryption Standard) provides the highest security coupled with fast encryption speed. This algorithm is the optimal choice for most users.

Define a key length if the selected algorithm supports several key lengths. Use the slider to define the preferred key length for the selected algorithm. The key that will be generated out of the password will be of this length.
Generate a random key automatically or define a key password:
- With generating random key option, you do not have to enter an encryption password. The encryption key will be generated randomly when encryption takes place.
- With defining a key password, the encryption key will be generated from (but is not a copy of) the password you enter (and confirm) here. The encryption password should be different to the EgoSecure Full Disk Encryption administration password.
Click Save.
Right-click a computer where FDE is initialized.
Select Encrypt | [disk letter] from the context menu.
The dialog where you agree with a possible reboot of computer where encryption is performed appears.
Click OK to confirm.
The encryption starts: the entry in the FDE status column changes to Executing script and the icon appears on a user side. When the user clicks this icon, the EgoSecure FDE dialog appears, where the encryption progress is shown. Once the disk is encrypted, the Script executed successfully status is displayed in Console.
Export and save the emergency recovery file to external storage or a network folder. For details, see How to export ERI?.

Improving encryption security

Enable an additional layer of security to the disk encryption key (DEK). The HKEK option utilizes unique hardware-based information from the client to generate an additional hardware-based key encryption key (HKEK). The TKEK option uses uses unique TPM information from the client for generating a TPM-based key encryption key (TKEK). Check TPM system requirements before enabling the option. The options protect against moving the encrypted drive into another computer within the same network, where the same KEK is used. You can use both options at a time for the protection.

Before updating BIOS or replacing hardware. When updating BIOS or replacing hardware, the information used for key generation changes and disk recovery will no longer be possible. That is why, please, follow the steps below to avoid it:

Decrypt the disk.
Update BIOS or replace hardware.
Encrypt the disk.

Improving security by enabling hardware-based key generation (compatible only with FDE 14.1 and higher)

Navigate to Computer management | FDE.
Select a computer.
In the lower work area, under Full Disk Encryption tab, enable the Generate hardware-based key encryption key (HKEK) option.

Click Save.
In the FDE info column, the Settings not applied entry appears.
Right-click a computer and select Apply FDE settings.

Improving security by enabling TPM key generation (compatible only with FDE 22.0.0 and higher)

Navigate to Computer management | FDE.
Select a computer.
In the lower work area, under Full Disk Encryption tab, enable the Generate TPM-based key encryption key (TKEK) option.

Click Save.
In the FDE info column, the Settings not applied entry appears.
Right-click a computer and select Apply FDE settings.