Full disk encryption using BitLocker Drive Encryption technology

Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.

The use of BitLocker Drive Encryption technology on computers with a server operating system may require installation of the BitLocker Drive Encryption component using the Add roles and components wizard.

To use BitLocker Full Disk Encryption, do the following:

1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Policies tab.
4. Select the necessary policy and double-click to open the policy properties.
5. In the policy window, select Data Encryption → Full Disk Encryption.
6. In the Encryption technology drop-down list, select BitLocker Drive Encryption.
7. In the Encryption mode drop-down list, select Encrypt all hard drives.

   If the computer has several operating systems installed, after encryption you will be able to load only the operating system in which the encryption was performed.

8. If you want to enable BitLocker authentication in the preboot environment on tablet computers, select the Enable use of BitLocker authentication requiring preboot keyboard input on slates check box.

   The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example.

9. If you want to use hardware encryption, select the Use hardware encryption check box. This lets you increase the speed of encryption and use less computer resources.
10. Select one of the following encryption methods:
    • If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only check box.
    • If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only check box.

      This function is applicable only to unencrypted hard drives. If a hard drive was previously encrypted using the Encrypt used disk space only function, after applying a policy in Encrypt all hard drives mode, sectors that are not occupied by files will still not be encrypted.

11. Select a method for accessing hard drives that were encrypted with BitLocker.
    • If you want to use a Trusted Platform Module (TPM) to store encryption keys, select the Use Trusted Platform Module (TPM) option.

      A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus.

    • If you are not using a TPM for full disk encryption, select the Use password option and specify the minimum number of characters that a password must contain in the Minimum password length field.

    For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported.

12. If you selected the Use Trusted Platform Module (TPM) option during the previous step:
    • If you want to set a PIN code that will be requested when the user attempts to access an encryption key, select the Use PIN check box and in the Minimum PIN length field, specify the minimum number of digits that a PIN code must contain.
    • If you would like access to encrypted hard drives without a trusted platform module on the computer using a password, select the Use password if Trusted Platform Module (TPM) is unavailable check box, and in the Minimum password length field indicate the minimum number of characters the password should contain.

      In this event, access to encryption keys will occur using the given password just like if the Use password check box is selected.

      If the Use password if Trusted Platform Module (TPM) is unavailable check box is cleared and the trusted platform module is not available, full disk encryption will not start.

13. Save your changes.

After applying the policy on the client computer with Kaspersky Endpoint Security installed, the following queries will be made:

• If encryption of the system hard drive is configured in the Kaspersky Security Center policy:
  • If a TPM module is available, a PIN code prompt window appears.
  • If a TPM module is not available, you will see a password prompt window for preboot authentication.
• If the Federal Information Processing standard compatibility mode is enabled for computer operating system → in Windows 8 and earlier versions of operating system, a request for connecting a storage device is displayed to save the recovery key file. You can save multiple recovery key files on a single storage device.

If there is no access to encryption keys, the user may request the local network administrator to provide a recovery key (if the recovery key was not saved earlier on the storage device or was lost).

Page top