Matrix42 Self-Service Help Center

Creating an initialization policy

This section details how to create an initialization policy for the FDE component only.

You need to know the target computer before deployment. Details such as the number of partitions, drive letters, whether they are already encrypted, and so on are necessary for a successful deployment of Matrix42 Full Disk Encryption. Once the policy is created, deploy it; for details, see Deploying FDE policies.

Follow the steps below to create an FDE initialization policy:

  • Open the Control Center (as described in section 1.5).
  • Double-click the Policy Builder icon.
  • Select Full Disk Encryption policy builder.

  • The FDE Policy Builder Welcome dialog appears.

  • Click Next.
  • The Policy selection dialog appears.

  • Select Create a new policy.
  • The Policy type dialog appears.

  • Select Create an initialization policy and click Next to continue.
  • The Administration Password dialog appears:

  • Enter the administration password defined during installation/initialization. Check Switch to expert mode to configure every aspect of initialization instead of leaving the defaults active. If you do not check Switch to expert mode, you need only refer to steps 9, 12, 13 and 18.
  • Once you have made your selection, click Next.
    • If you did NOT check Switch to expert mode in the previous step, the Drive encryption dialog appears (skip the following step if you did check Switch to expert mode).
  • Check Encrypt all local NTFS drives. This encrypts all local hard disk partitions using the AES algorithm with a 256-bit key. Click Next to continue.

  • The Configuration options dialog appears.

This dialog allows you to configure the following:

| Option | Details | Steps |
|---|---|---|
| Configure encryption of hard disk partitions | Check this option to configure how each partition is encrypted. | 11 |
| Create an Emergency Recovery Information file | Check this option to create new ERI for the target computer. | 12, 13 |
| Configure ERI password restrictions | Check this option to configure how the ERI password is handled. | 11 (part 2) |
| Configure Logging | Check this option to configure the FDE log file location, filename, and maximum size. | 14 |
| Configure TPM | Check this option to enable the TPM for Matrix42 Full Disk Encryption. NOTE: This feature is for the FDE component only! You cannot install the PBA if this is enabled. | 15 |
| Configure FDE tray settings | Check this option to define whether to hide or to show the encryption tray icon. | 16 |
| Configure additional encryption key protection | Check this option to configure the additional key for the disk encryption key. | 17 |

  • Once you have made your selection, press Next to continue.

The options you check in this dialog determine which dialogs appear next. The following steps assume that you have checked every option. If you have not checked every option and you reach a step here that does not match the dialog on your screen, skip ahead until you reach the matching dialog.

PBA Partition options

  • The PBA partition options dialog appears:

The following options are available:

| Option | Details |
|---|---|
| Select drive to be resized | The drive to be resized to accommodate the PBA partition. |
| Reboot automatically after installation | Reboot the target computer automatically to initialize PBA directly. If you do not check this option, Matrix42 Full Disk Encryption will be initialized upon the next reboot. |

  • Once you have made your selection, click Next to continue.

Hard Disk Encryption Options

  • The Hard Disk Encryption Options dialog appears.

The following options are available:

| Option | Details |
|---|---|
| Encrypt all local drives using the same settings for each | Enables encryption for every partition/hard disk on the target computer with the same settings. If you uncheck this option, all available drives are displayed in the list. To display every drive letter, click Show all. |
| Show all | Display every drive letter in the drive list. |
| Set encryption options | Set the encryption options for every partition or for the selected drive in the list. A further dialog appears; its options are listed below. |
| Clear | Clear any incorrect settings made to a drive. |

The Set encryption options dialog has the following options:

  • Algorithm: Select which algorithm will be used for the encryption of the selected drive.
  • Key length: Some encryption algorithms support different key lengths. Click the up/down arrows to define the preferred key length for the selected algorithm. The key generated from the Password will be of this length.
  • Encryption Key (Password), Confirm key (Confirmation Password): The encryption key will be generated from the password you enter (and confirm) here.
  • Random key: With this option you do not have to enter an encryption password. The encryption key will be generated randomly when encryption takes place.
  • Password required for decryption: This option is only active if the Random key option is unchecked.
  • Encrypt only the used sectors of the drive: When a drive is initially encrypted, either all sectors (regardless of whether they contain data) or only those sectors that contain data can be encrypted. Encrypting only the used portions of the drive is much faster in most cases. Select this option if you want to encrypt only the used sectors of the drive.

Emergency Recovery Information Password

  • The Emergency Recovery Information Password dialog appears.

The following options are available:

| Option | Details |
|---|---|
| Allow blank password while saving emergency recovery password | Check this option if you do not want to protect the ERI file with a password (not recommended!). |
| Minimum required password length | Set a minimum password length for the ERI file (recommended!). |
| Private emergency recovery information | This option should be used if you do NOT intend to define a single ERI file for company-wide use. This disables the recovery of all notebooks through one ERI file. |

Allowing ERI files to be stored without a password poses a security risk! It is recommended to ALWAYS use a password to protect ERI files.

  • Once you have made your selection, press Next to continue.

Emergency Recovery Information Options

  • The first Emergency Recovery Information options dialog appears.

The options available are in the table below:

| Option | Details |
|---|---|
| Create emergency recovery information | Check this option to create ERI (highly recommended!). |
| Emergency recovery password | The password used to access the ERI file in an emergency. Only the English keyboard layout is supported in the recovery application, so enter a password that contains no characters from other keyboard layouts. |
| Confirm password | Confirm the password for the ERI file. |
| Path for ERI file | The location to which the ERI file is saved. Either enter the path for the ERI file manually or click “…” to browse for a location. Remember that this location must be accessible from the target computer! |

For details about ERI copies, see Creating an ERI file.

  • Make your selection and click Next.
  • The second Emergency Recovery Information options dialog appears.

The following options are available:

| Option | Details |
|---|---|
| Cache Emergency Recovery Information on hard disk | Check this to store the ERI on the hard disk. |
| Define the user account that will store the Emergency Recovery Information | Check this if you want a specific user to be able to store ERI to a network drive that requires specific access. |
| Username | The Windows credentials username required for network access. |
| Domain | The Windows credentials domain required for network access. |
| Password | The Windows credentials password required for network access. |

  • Once you have made your selection, click Next to continue.

Logging Options

  • The Logging dialog appears. 

The following options are available:

| Option | Details |
|---|---|
| Path | Enter a full path for the FDE log file either directly into the Path field or click “…” to open a file explorer. Remember to enter the log file name and the *.log extension. |
| Size | Set the maximum log file size. |

  • Once you have made your selection, press Next to continue.

TPM

  • The TPM dialog appears.

The following options are available:

| Option | Details |
|---|---|
| Activate TPM protection | Check this option to enable the TPM feature for Matrix42 Full Disk Encryption on your computer. |
| Open key files for additional systems | Check this option to import TPM keys from another Matrix42 Full Disk Encryption installation. |

  • Make your selection and click Next.

Hide Encryption Tray Icon

  • The step for hiding an encryption tray icon appears.
  • By default, the encryption tray appears on the Windows taskbar once a disk is encrypted and shows information about the state of all disks on a computer.

  • To hide the icon, check the Hide encryption tray icon box and click Next.

Additional Encryption Key Protection

  • The step for configuring additional encryption key protection appears.

  • Enable an additional layer of security for the disk encryption key (DEK).
  • The HKEK option uses unique hardware-based information from the client to generate an additional hardware-based key encryption key (HKEK).
  • The TKEK option uses unique TPM information from the client to generate a TPM-based key encryption key (TKEK). Check the TPM system requirements before enabling this option.
  • Both options protect against an encrypted drive being moved into another computer within the same network, where the same KEK is used.
  • You can use both options at the same time.

System requirements for computers with TKEK

  • UEFI systems starting with Windows 10 and later
  • Only TPM devices with specification version 2.0 are supported
  • The TPM must implement the following set of commands:
    • TPM2_CreatePrimary
    • TPM2_Create
    • TPM2_Load
    • TPM2_EvictControl
    • TPM2_FlushContext
    • TPM2_GetRandom
    • TPM2_RSA_Encrypt
    • TPM2_RSA_Decrypt
    • TPM2_ObjectChangeAuth
  • The TPM must support the following set of algorithms:
    • TPM_ALG_SHA256
    • TPM_ALG_RSA
    • TPM_ALG_OAEP
    • TPM_ALG_AES
    • TPM_ALG_CFB
  • The TPM device must be in the Ready state.
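The requirements above can be checked on the target computer before TKEK is enabled. The script below is an added example and not part of the Matrix42 documentation or product: it runs in an elevated Windows PowerShell session and reads the firmware type, the Windows version, the TPM Ready state (Get-Tpm from the built-in TrustedPlatformModule module) and the TPM specification version (the Win32_Tpm WMI class). The required TPM2_* commands and TPM_ALG_* algorithms are not exposed through these interfaces, so that part of the list still has to be confirmed against the TPM vendor's datasheet.

```powershell
# Added example, not part of the Matrix42 documentation: pre-flight check of the
# TKEK prerequisites listed above. Run in an elevated Windows PowerShell session
# on the target computer before deploying the policy.

function Test-TkekPrerequisites {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # 1. UEFI firmware: Windows sets the firmware_type variable to 'UEFI' or 'Legacy'.
    $checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

    # 2. Windows 10 or later (major version 10 also covers Windows 11).
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $checks['Windows 10 or later'] = ($osVersion.Major -ge 10)

    # 3. TPM present and in the Ready state.
    try {
        $tpm = Get-Tpm
        $checks['TPM present'] = [bool]$tpm.TpmPresent
        $checks['TPM ready']   = [bool]$tpm.TpmReady
    } catch {
        # Get-Tpm fails when no TPM driver is loaded: both checks fail.
        $checks['TPM present'] = $false
        $checks['TPM ready']   = $false
    }

    # 4. Specification version 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38".
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specMajor = if ($wmiTpm) { ([string]$wmiTpm.SpecVersion -split ',')[0].Trim() } else { '' }
    $checks['TPM specification 2.0'] = ($specMajor -eq '2.0')

    # One line per prerequisite.
    foreach ($entry in $checks.GetEnumerator()) {
        $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $status, $entry.Key)
    }

    # $true only when every prerequisite that can be checked here passed.
    return -not ($checks.Values -contains $false)
}

if (Test-TkekPrerequisites) {
    Write-Host 'TKEK prerequisites satisfied; confirm TPM command and algorithm support with the vendor.'
} else {
    Write-Host 'Do not enable TKEK on this computer until every FAIL item is resolved.'
}
```

Run the script on each target computer (or through your deployment tool) and keep the output with the deployment record; a FAIL on the Ready state usually means the TPM still has to be provisioned or cleared in firmware before the policy is deployed.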

When the BIOS is updated or hardware is replaced, the information used for key generation changes and disk recovery is no longer possible. To avoid this, follow the steps below:

  1. Decrypt the disk.
  2. Update BIOS or replace hardware.
  3. Encrypt the disk.
  • Check the Generate hardware-based key encryption key (HKEK) box and/or Generate TPM-based key encryption key (TKEK), and then click Next.
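The reason the decrypt, update, encrypt sequence is mandatory is that the DEK itself is stored wrapped under a KEK that is derived from the machine information; once that information changes, the wrapped DEK can no longer be opened. The script below is an added illustrative model, not Matrix42's implementation: the "hardware fingerprint" strings, the use of SHA-256 as a stand-in key derivation function and the AES-CBC plus HMAC-SHA256 wrapping are all assumptions made for the example, and the real HKEK/TKEK inputs and on-disk format are not documented on this page.

```powershell
# Added illustrative model, not Matrix42's implementation: a DEK wrapped under a
# KEK derived from machine information becomes unrecoverable once that
# information changes, which is why the page says to decrypt first.

function Get-DerivedKey {
    param([string]$HardwareInfo, [string]$Purpose)
    # Derive a 32-byte key from the fingerprint (SHA-256 stands in for a real KDF);
    # separate labels give separate keys for encryption and for the integrity tag.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("$Purpose|$HardwareInfo")) }
    finally { $sha.Dispose() }
}

function Protect-Dek {
    param([byte[]]$Dek, [string]$HardwareInfo)
    # Wrap the DEK with AES-256-CBC under the derived KEK and add an HMAC-SHA256 tag,
    # so that unwrapping under the wrong KEK is refused instead of returning garbage.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-DerivedKey $HardwareInfo 'enc')
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Dek, 0, $Dek.Length)
    $macKey = [byte[]](Get-DerivedKey $HardwareInfo 'mac')
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$macKey)
    $tag = $hmac.ComputeHash([byte[]]($aes.IV + $cipher))
    return [pscustomobject]@{ IV = $aes.IV; Cipher = $cipher; Tag = $tag }
}

function Unprotect-Dek {
    param($Wrapped, [string]$HardwareInfo)
    # Recompute the tag under the current fingerprint and compare in constant time.
    $macKey = [byte[]](Get-DerivedKey $HardwareInfo 'mac')
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$macKey)
    $expected = $hmac.ComputeHash([byte[]]($Wrapped.IV + $Wrapped.Cipher))
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Wrapped.Tag[$i]) }
    if ($diff -ne 0) { throw 'KEK mismatch: the machine information the KEK was derived from has changed.' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-DerivedKey $HardwareInfo 'enc')
    $aes.IV  = $Wrapped.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Wrapped.Cipher, 0, $Wrapped.Cipher.Length)
}

# Constructed sample values: a random 32-byte DEK and fake fingerprints before and
# after a BIOS update.
$dek = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dek)
$oldHw = 'BIOS=1.00;BOARD=SN-EXAMPLE'
$newHw = 'BIOS=1.10;BOARD=SN-EXAMPLE'

$wrapped = Protect-Dek -Dek $dek -HardwareInfo $oldHw
$null = Unprotect-Dek $wrapped $oldHw
Write-Host 'Unchanged fingerprint: DEK unwrapped.'

# BIOS updated without decrypting first: the derived KEK no longer matches.
try   { $null = Unprotect-Dek $wrapped $newHw }
catch { Write-Host "After BIOS update: $($_.Exception.Message)" }

# The documented procedure (decrypt, update, encrypt) amounts to unwrapping under
# the old KEK while it still works and re-wrapping under the new one.
$rewrapped = Protect-Dek -Dek (Unprotect-Dek $wrapped $oldHw) -HardwareInfo $newHw
$null = Unprotect-Dek $rewrapped $newHw
Write-Host 'Re-wrapped under the new fingerprint: DEK unwrapped.'
```

The integrity tag is the important design point: a wrapped key without one would "unwrap" to random bytes after a hardware change and the failure would only surface as unreadable data, whereas the tag makes the mismatch explicit. It also shows why the ERI file from the Emergency Recovery Information steps matters: it is the one recovery path that does not depend on the machine-derived KEK.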

Boot Messages Options

  • The Boot messages options dialog appears. The messages below are shown only on computers running Windows versions earlier than Windows 10.

This dialog allows you to define the following installation messages:

| Option | Details |
|---|---|
| Show status dialogs | Determines whether status dialogs are displayed on the target computer during policy deployment. |
| Show warning messages | Determines whether warning messages are displayed on the target computer during policy deployment. If you do not select this option, warning messages are suppressed. |
| Show error messages | Determines whether error messages are displayed on the target computer during policy deployment. If you do not select this option, error messages are suppressed. |
| Show success messages | Determines whether success messages relating to individual policy tasks are displayed on the target computer during deployment. |
| Show other messages | Determines whether information messages are displayed on the target computer during and after policy deployment. If you do not select this option, information messages are suppressed. |

  • Make your selection and press Next to continue.

Administration Password

  • The Administration password (target computer) dialog appears.
  • Enter and confirm the Matrix42 Full Disk Encryption administration password already set on the target computer.

  • Click Next to continue.

Policy Location

  • The Policy location dialog appears.

The following options are available:

| Option | Details |
|---|---|
| Policy file path | Enter the path for the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |
| Create an unencrypted copy of the policy | Check this option to create an unencrypted copy of the policy (recommended for reconfiguration). If you want to reconfigure a computer that has already been configured using a policy, check this option: the Policy Builder can only open an unencrypted policy to edit the settings. |
| Plain copy of policy | Enter the path for the plain copy of the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |

  • Enter the paths for your policy and click Finish to complete the procedure.
  • It is recommended to always store plain copies in a safe place. Use the plain copies to create new policies for future changes in configuration.
  • For security reasons encrypted policies cannot be edited with the FDE Policy Builder.