Hard drive encryption with Kaspersky Endpoint Security 10 for Windows
This article concerns Kaspersky Endpoint Security 10 for Windows:
- Service Pack 2 Maintenance Release 4 (version 10.3.3.304)
- Service Pack 2 Maintenance Release 3 (version 10.3.3.275)
- Service Pack 2 Maintenance Release 2 (version 10.3.0.6294)
- Service Pack 2 Maintenance Release 1 (version 10.3.0.6294)
- Service Pack 2 (version 10.3.0.6294)
- Service Pack 1 Maintenance Release 4 (version 10.2.6.3733)
Preparation for hard drive encryption
The main features of hard drive encryption
- The application encrypts hard drives sector-by-sector. The encryption is initiated when the Kaspersky Security Center policy is applied.
- The application encrypts all logical partitions of hard drives.
- When signing in to the operating system after hard drive encryption has been completed, you will need to authenticate in the Authentication Agent in order to access the hard drives and start the OS. To do so, enter the account username and password set by the network administrator using the Authentication Agent account management tasks. These accounts are based on the Microsoft Windows user accounts used for logging in to the operating system.
- You can manage the Authentication Agent user accounts and use Single Sign-On (SSO) technology to let users sign in to the operating system automatically with the Authentication Agent account username and password.
- The encrypted hard drives can be accessed only from computers with Kaspersky Endpoint Security installed and hard drive encryption available (see the table below). This minimizes the risk that information stored on the encrypted hard drive can be leaked when it is used outside the corporate LAN.
Requirements
Prior to configuring the encryption settings in the policy, make sure that the managed computer and the Administration Server meet the following conditions:
| Managed computer | Server |
|---|---|
| 1. The Encryption of hard drives component is installed as part of Kaspersky Endpoint Security 10 for Windows. | 1. Administration Server version 10 is installed. |
| 2. Network Agent version 10 is installed. | 2. Data encryption and protection settings are displayed in the policy. |
| 3. A license enabling the Advanced protection mode has been added. | |
Encryption technology
The following technologies are available in Kaspersky Endpoint Security 10 for Windows:
- Kaspersky Disk Encryption
- BitLocker Drive Encryption
Kaspersky Disk Encryption
To encrypt hard drives using Kaspersky Disk Encryption, do the following:
- Open Kaspersky Security Center 10.
- Go to the Policies node. Open the properties for the Kaspersky Endpoint Security 10 policy.
- Go to Encryption of hard drives.
- In the Encryption technology field, select Kaspersky Disk Encryption.
- In the Encryption mode field, select Encrypt all hard drives.
- Click Yes in the Apply hard drive encryption settings window.
- Go to Common encryption settings and configure the Authentication Agent password settings.
- Click OK and wait while the policy is applied on the work station.
Depending on the version of Kaspersky Endpoint Security 10 for Windows you are using, you can:
- For version SP1 MR4 (10.2.6.3733) and earlier:
  - Enter the username and password for the Authentication Agent account.
  - Create a new password to access the encrypted hard drive during the current user session.
  - Create a temporary password to access the encrypted hard drive.
- For version SP2 (10.3.0.6294) and later:
  - Enter the username and password for the Authentication Agent account.
  - Create a temporary password to access the encrypted hard drive.
BitLocker Drive Encryption
To encrypt hard drives using BitLocker Drive Encryption:
- Open Kaspersky Security Center 10.
- Go to Managed devices and open Policies.
- Open the Properties for the Kaspersky Endpoint Security 10 policy and go to Encryption of hard drives.
- In the Encryption technology field, select BitLocker Drive Encryption.
- In the Encryption mode field, select Encrypt all hard drives.
- Configure the encryption settings.
- Click OK and wait while the policy is applied on the work station.
After the policy has been applied on the work station with Kaspersky Endpoint Security 10, the following requests will be made:
- If the encryption policy is applied to a system hard drive, then a window will appear requesting a PIN code.
- If FIPS compliance is enabled on the operating system, then a window will appear requesting you to connect a USB device for saving recovery key files. This request will happen on Windows 8 and later.
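The two prompts above depend on the state of the workstation at the moment the policy lands. The following PowerShell script is an added example, not part of the Kaspersky article or product: it reads the Windows FIPS policy flag (so an administrator knows in advance whether the USB recovery-key prompt will appear), reports whether a TPM is present, and after the policy has been applied summarizes the BitLocker state of every volume. It uses only built-in Windows cmdlets and registry locations and is meant to be run in an elevated PowerShell session on Windows 8 / Server 2012 or later; the function names are my own.

```powershell
# Added example (not from the Kaspersky article): pre-flight and post-apply checks
# for the BitLocker Drive Encryption path on a managed workstation.
# Run elevated on Windows 8 / Server 2012 or later (BitLocker and TPM modules required).

function Get-FipsPolicyState {
    # The "System cryptography: Use FIPS compliant algorithms" policy is stored here.
    # When Enabled = 1, the article states that KES will ask for a USB device
    # to store the recovery key files on Windows 8 and later.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.Enabled -eq 1)
}

function Get-TpmState {
    # Get-Tpm requires the TrustedPlatformModule module; absent on very old builds.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        return [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
    } catch {
        return [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-DriveEncryptionReport {
    # One row per volume: protection status, progress and the key protectors in use.
    # After the policy has been applied you expect the OS volume to be "On" with a
    # TPM/PIN (or password) protector and a RecoveryPassword protector listed.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType
            ProtectionStatus     = $_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            KeyProtectors        = (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
        }
    }
}

function Invoke-PreflightCheck {
    $fips = Get-FipsPolicyState
    $tpm  = Get-TpmState

    Write-Host "FIPS policy enabled : $fips"
    if ($fips) {
        Write-Host '  -> Expect a prompt to connect a USB device for recovery key files (Windows 8+).'
    }
    Write-Host "TPM present / ready : $($tpm.Present) / $($tpm.Ready)"
    if (-not $tpm.Present) {
        Write-Host '  -> No TPM: the system volume will rely on a PIN/password protector.'
    }

    Write-Host ''
    Write-Host 'Current BitLocker state per volume:'
    Get-DriveEncryptionReport | Format-Table -AutoSize
}

# Usage: run before applying the policy (pre-flight) and again afterwards (verification).
Invoke-PreflightCheck
```

Run the script once before the policy is assigned to confirm the FIPS and TPM state, and again after the workstation has rebooted through the Authentication Agent: the report should show `ProtectionStatus` of `On` and `EncryptionPercentage` of 100 for every volume covered by the Encrypt all hard drives mode.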
Authentication in the Agent
When you start the computer again after completing hard drive encryption, you will have to go through the authentication process in the Authentication Agent in order to load the operating system.
User identification in the Authentication Agent is completed by:
- Entering the Authentication Agent account username and password that was created by the LAN administrator in Kaspersky Security Center 10.
- Entering the password for the token or smart-card connected to the computer.
If you shut down or reboot the computer during hard drive encryption, the Authentication Agent will load before the operating system starts up again. Kaspersky Endpoint Security will resume hard drive encryption after you complete authentication in the agent and the operating system has started up.
If the operating system switches to hibernation mode during hard drive encryption, the Authentication Agent will load once it switches out of hibernation. Kaspersky Endpoint Security will resume hard drive encryption after you complete authentication in the agent and the operating system has started up.
If the operating system enters sleep mode during hard drive encryption, Kaspersky Endpoint Security will resume encryption once it comes out of sleep mode without loading the Authentication Agent.
Before loading the operating system, enter a domain and the Authentication Agent account username and password. Click Continue.
Authentication in the Agent: request a password to access the encrypted hard drive
If the Prompt active user for password option is enabled in the policy, the Request password for access to encrypted system hard drive window will appear on the computer after the policy is applied and the hard drive encryption task has been launched.
To request a password to access the encrypted hard drive during the current user session:
1. Set a password to access the encrypted hard drive. Click OK.
   If the Use Single Sign-On (SSO) technology option is enabled in the policy, during the first reboot you will need to enter the password you set in Step 1. You should then enter your Windows user account password in the Windows welcome screen. After that, the password for the Agent and the Windows password are synchronized. From then on, the Authentication Agent will only request the Windows user account password to sign into the system automatically.
   If the Use Single Sign-On (SSO) technology option is not enabled in the policy, you will need to enter the Authentication Agent password, and then your Windows user account password, when you start your computer.
2. If the password does not match the Windows account password, click Yes.
3. Wait until your password is saved.
4. Make sure the process has been completed successfully. Click OK.
5. Restart the computer.
6. Complete authentication in the agent.
Authentication in the Agent: create a temporary password to access the encrypted hard drive
Kaspersky Endpoint Security 10 for Windows will generate a temporary password for each user in accordance with the password policy for the Authentication Agent. The password is then relayed to the Administration Server.
To get a temporary password:
- Request the password from the administrator to gain access to the encrypted hard drive.
- Open Kaspersky Security Center 10.
- Go to Managed devices.
- Open the computer Properties and go to Tasks.
- Select Encryption (account management) and open its Properties.
- Go to Properties.
- Open the required user account.
- Enable the Show original password option.
A temporary password for the Authentication Agent will be displayed in the field below. The administrator then informs the user of their temporary password.
- Complete authentication in the Agent the next time the system restarts or exits hibernation mode. Change the temporary password if necessary.
If the user did not log in to the operating system under their user account (for example, Kav4isa\user2) before the hard drive encryption, an Authentication Agent password for their account will not be created. In this case, add the user account to the Encryption (account management) task and set a password for it.