Creating an initialization policy
This section details how to create an initialization policy for the FDE component only.
You need to have knowledge about the target computer for deployment. Details such as number of partitions, drive letters, whether encrypted, and so on are necessary for the successful deployment of Matrix42 Full Disk Encryption. Once the policy is created, deploy it, for details see Deploying FDE policies.
Follow the steps below to create a FDE initialization policy:
- Open the Control Center (as described in section 1.5).
- Double-click the Policy Builder icon.
- Select Full Disk Encryption policy builder.
- The FDE Policy Builder Welcome dialog appears.
- Click Next.
- The Policy selection dialog appears.
- Select Create a new policy.
- The Policy type dialog appears.
- Select Create an initialization policy and click Next to continue.
- The Administration Password dialog appears:
- Enter the administration password defined during installation/initialization. Set the Switch to expert mode checkbox to configure every aspect of initialization instead of leaving the defaults active. If you do not check Switch to expert mode then you need only refer to steps 9, 12, 13 and 18.
- Once you have made your selection click Next.
- If you DID NOT check Switch to expert mode in the previous step, the Drive encryption dialog appears (skip the following step if you did check Switch to expert mode).
- Check Encrypt all local NTFS drives. This will encrypt all the local hard disk partitions using the AES encryption algorithm (256 bits). Click Next to continue.
- The Configuration options dialog appears.
This dialog allows you to configure the following:
Option | Details |
---|---|
Configure encryption of hard disk partitions | Check this option to configure how each partition is encrypted. |
Create an Emergency Recovery Information file | Check this option to create new ERI for the target computer. |
Configure ERI password restrictions | Check this option to configure how the ERI password is handled. |
Configure Logging | Check this option to configure the FDE log file location, filename, and maximum size. |
Configure TPM | Check this option to enable the TPM for Matrix42 Full Disk Encryption. |
Configure FDE tray settings | Check this option to define whether to hide or to show the encryption tray icon. |
Configure additional encryption key protection | Check this option to configure the additional key for the disk encryption key. |
- Once you have made your selection, press Next to continue.
Checking the options in this dialog will affect the dialogs that appear hereafter. The following steps assume that you have checked every option to configure every detail. If you have not checked every option and have reached one of the steps here that does not match that on your monitor, then skip the step(s) until you reach the correct dialog.
PBA Partition options
- The PBA partition options dialog appears.
The following options are available:
Option | Details |
---|---|
Select drive to be resized | The drive to be resized to accommodate the PBA partition. |
Reboot automatically after installation | Reboot the target computer automatically to initialize PBA directly. If you do not check this option, Matrix42 Full Disk Encryption will be initialized upon the next reboot. |
- Once you have made your selection, click Next to continue.
Hard Disk Encryption Options
- The Hard Disk Encryption Options dialog appears.
The following options are available:
Option | Details |
---|---|
Encrypt all local drives using the same settings for each | This option enables encryption for every partition/hard disk on the target computer with the same settings. If you uncheck this option, all the available drives in the hard disk are displayed in the list. To display every drive letter, click Show all. |
Show all | Display every drive letter in the drive list. |
Set encryption options | Set the encryption options for every partition or for the selected drive in the list. A further dialog opens in which the encryption options are set. |
Clear | Clear any incorrect settings made to a drive. |
Emergency Recovery Information Password
- The Emergency Recovery Information Password dialog appears.
The following options are available:
Option | Details |
---|---|
Allow blank password while saving emergency recovery password | Check this option if you do not want to protect the ERI file with a password (not recommended!). |
Minimum required password length | Set a minimum password length for the ERI file (recommended!). |
Private emergency recovery information | Use this option if you do NOT intend to define a single ERI file for company-wide use. It disables the recovery of all notebooks through one ERI file. |
Allowing the storage of ERI files without a password imposes a security risk! It is recommended to ALWAYS use a password to protect ERI files.
- Once you have made your selection, press Next to continue.
Emergency Recovery Information Options
- The first Emergency Recovery Information options dialog appears.
The options available are in the table below:
Option | Details |
---|---|
Create emergency recovery information | Check this option to create ERI (highly recommended!). |
Emergency recovery password | The password used to access the ERI file in an emergency. |
Confirm password | Confirm the password for the ERI file. |
Path for ERI file | The location to which the ERI file is saved. Either enter the path for the ERI file manually or click “…” to browse for a location. Remember that this location must be accessible from the target computer! For details about ERI copies, see Creating an ERI file. |
- Make your selection and click Next.
- The second Emergency Recovery Information options dialog appears.
The following options are available:
Option | Details |
---|---|
Cache Emergency Recovery Information on hard disk | Check this to store the ERI on the hard disk. |
Define the user account that will store the Emergency Recovery Information | Check this if you want a specific user to be able to store ERI to a network drive that requires specific access. |
Username | The Windows credentials username required for network access. |
Domain | The Windows credentials domain required for network access. |
Password | The Windows credentials password required for network access. |
- Once you have made your selection, click Next to continue.
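The ERI path must be reachable and writable with the account entered in this dialog, otherwise the client cannot store the recovery information at deployment time. The following PowerShell script is an added example and not part of the Matrix42 documentation: run it on a machine in the same network position as the target (ideally the target itself) to test the share with the configured credentials before the policy is deployed. The UNC path, domain and username are constructed placeholders; substitute the values from your policy.

```powershell
# Added example, not part of the Matrix42 documentation: verify that the ERI network
# location configured in the policy is reachable and writable with the account the
# policy will use. Share path, domain and username below are constructed placeholders.

param(
    [string]$EriPath  = '\\fileserver\eri$\laptops',   # placeholder UNC path from the policy
    [string]$Domain   = 'CORP',                        # placeholder domain
    [string]$Username = 'svc-fde-eri'                  # placeholder storage account
)

function Test-EriPathAccess {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [pscredential]$Credential
    )

    $driveName = 'EriCheck'
    try {
        # Map the share with the policy's credentials, as the FDE client will do.
        New-PSDrive -Name $driveName -PSProvider FileSystem -Root $Path `
            -Credential $Credential -ErrorAction Stop | Out-Null

        # Create and remove a probe file: a read-only share would break ERI storage
        # without being detected by a plain reachability test.
        $probe = Join-Path "${driveName}:" ("eri-probe-{0}.tmp" -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop

        return [pscustomobject]@{ Path = $Path; Reachable = $true; Writable = $true; Error = $null }
    }
    catch {
        return [pscustomobject]@{ Path = $Path; Reachable = $false; Writable = $false; Error = $_.Exception.Message }
    }
    finally {
        if (Get-PSDrive -Name $driveName -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $driveName -Force
        }
    }
}

# Prompt for the storage account password rather than embedding it in the script.
$cred = Get-Credential -UserName "$Domain\$Username" -Message 'Password of the ERI storage account'
Test-EriPathAccess -Path $EriPath -Credential $cred | Format-List
```

A result with Writable set to false means the account can see the share but cannot create files there; fix the share or NTFS permissions for that account before deploying, since the ERI file is the only way to recover a disk whose PBA has failed.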
Logging Options
- The Logging dialog appears.
The following options are available:
Option | Details |
---|---|
Path | Enter a full path for the FDE log file either directly into the field Path or click “…” to open a file explorer. Remember to enter the log file name and *.log extension. |
Size | Set the maximum log file size. |
- Once you have made your selection, press Next to continue.
TPM
- The TPM dialog appears.
The following options are available:
Option | Details |
---|---|
Activate TPM protection | Check this option to enable the TPM feature for Matrix42 Full Disk Encryption on your computer. |
Open key files for additional systems | Check this option to import TPM keys from another Matrix42 Full Disk Encryption installation. |
- Make your selection and click Next.
Hide Encryption Tray Icon
- The step for hiding an encryption tray icon appears.
- By default, the encryption tray appears on the Windows taskbar once a disk is encrypted and shows information about the state of all disks on a computer.
- To hide the icon, check the Hide encryption tray icon box and click Next.
Additional Encryption Key Protection
- The step for configuring additional encryption key protection appears.
- Enable an additional layer of security to the disk encryption key (DEK).
- The HKEK option utilizes unique hardware-based information from the client to generate an additional hardware-based key encryption key (HKEK).
- The TKEK option uses unique TPM information from the client to generate a TPM-based key encryption key (TKEK). Check the TPM system requirements before enabling this option.
- The options protect against moving the encrypted drive into another computer within the same network, where the same KEK is used.
- You can use both options at the same time for the protection.
System requirements for computers with TKEK
- UEFI systems starting with Windows 10 and later
- TPM devices with specification version 2.0 are supported only
- TPM must implement the following set of commands:
- TPM2_CreatePrimary
- TPM2_Create
- TPM2_Load
- TPM2_EvictControl
- TPM2_FlushContext
- TPM2_GetRandom
- TPM2_RSA_Encrypt
- TPM2_RSA_Decrypt
- TPM2_ObjectChangeAuth
- TPM must support the following set of algorithms:
- TPM_ALG_SHA256
- TPM_ALG_RSA
- TPM_ALG_OAEP
- TPM_ALG_AES
- TPM_ALG_CFB
- TPM device must be in the Ready state.
When the BIOS is updated or hardware is replaced, the information used for key generation changes and disk recovery is no longer possible. To avoid this, follow the steps below:
- Decrypt the disk.
- Update BIOS or replace hardware.
- Encrypt the disk.
- Check the Generate hardware-based key encryption key (HKEK) box and/or Generate TPM-based key encryption key (TKEK), and then click Next.
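Because a TKEK that was generated on hardware that does not meet the requirements above leaves the disk unrecoverable, it is worth checking the prerequisites on the target before the option is enabled in a policy. The following PowerShell script is an added example and not part of the Matrix42 documentation: it checks the UEFI, Windows version, TPM 2.0 and TPM Ready requirements using only the built-in TrustedPlatformModule module and the Win32_Tpm WMI class. The TPM2_* command and TPM_ALG_* algorithm lists cannot be confirmed from Windows this way and must be verified against the TPM vendor's documentation.

```powershell
# Added example, not part of the Matrix42 documentation: check the TKEK prerequisites
# listed in this section (UEFI boot, Windows 10 or later, TPM 2.0, TPM in Ready state).
# Run from an elevated PowerShell prompt on the target computer; Get-Tpm requires it.

function Test-TkekPrerequisites {
    $results = [ordered]@{}

    # 1. UEFI firmware: $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later.
    $results['UEFI boot'] = ($env:firmware_type -eq 'UEFI')

    # 2. Windows 10 or later. Win32_OperatingSystem.Version is e.g. "10.0.19045";
    #    major version 10 covers both Windows 10 and Windows 11.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $results['Windows 10 or later'] = ($osVersion.Major -ge 10)

    # 3. TPM present and in the Ready state, as reported by the TrustedPlatformModule module.
    $tpm = Get-Tpm -ErrorAction Stop
    $results['TPM present'] = [bool]$tpm.TpmPresent
    $results['TPM ready']   = [bool]$tpm.TpmReady

    # 4. TPM specification version 2.0. Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38";
    #    the first comma-separated field is the specification version.
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction Stop
    $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    $results['TPM 2.0'] = ($specVersion -eq '2.0')

    return $results
}

$checks = Test-TkekPrerequisites
$checks.GetEnumerator() | ForEach-Object {
    '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

if ($checks.Values -contains $false) {
    Write-Warning 'At least one TKEK prerequisite is missing; do not enable TKEK in the policy for this computer.'
}
```

Keep the output of this check with the deployment record: if a later BIOS update or hardware replacement is planned, the decrypt/update/encrypt sequence above must be followed, and knowing which computers were initialized with TKEK or HKEK makes that planning possible.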
Boot Messages Options
- The Boot messages options dialog appears. The messages below are shown only on computers with Windows versions below Windows 10.
This dialog allows you to define the following installation messages:
Option | This option determines if... |
---|---|
Show status dialogs | … status dialogs should be displayed on the target computer during policy deployment. |
Show warning messages | … warning messages should be displayed on the target computer during policy deployment. If you do not select this option, warning messages are suppressed. |
Show error messages | … error messages should be displayed on the target computer during policy deployment. If you do not select this option, error messages are suppressed. |
Show success messages | … success messages relating to individual policy tasks should be displayed on the target computer during deployment. |
Show other messages | … information messages should be displayed on the target computer during and after policy deployment. If you do not select this option, information messages are suppressed. |
- Make your selection and press Next to continue.
Administration Password
- The Administration password (target computer) dialog appears.
- Enter and confirm the Matrix42 Full Disk Encryption administration password already set on the target computer.
- Click Next to continue.
Policy Location
- The Policy location dialog appears.
The following options are available:
Option | Details |
---|---|
Policy file path | Enter the path for the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |
Create an unencrypted copy of the policy | Check this option to create an unencrypted copy of the policy (recommended for reconfiguration). If you want to reconfigure a computer that has already been configured using a policy, check this option: the Policy Builder can only open an unencrypted policy to edit the settings. |
Plain copy of policy | Enter the path for the plain copy of the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |
- Enter the paths for your policy and click Finish to complete the procedure.
- It is recommended to always store plain copies in a safe place. Use the plain copies to create new policies for future changes in configuration.
- For security reasons, encrypted policies cannot be edited with the FDE Policy Builder.