You can select an encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also referred to as simply "BitLocker").
Kaspersky Disk Encryption
After the system hard drives have been encrypted, at the next computer startup the user must complete authentication using the Authentication Agent before the hard drives can be accessed and the operating system is loaded. This requires entering the password of the token or smart card connected to the computer, or the user name and password of the Authentication Agent account created by the local area network administrator using Authentication Agent account management task. These accounts are based on Microsoft Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO) technology, which lets you automatically log in to the operating system using the user name and password of the Authentication Agent account.
User authentication in the Authentication Agent can be performed in two ways:
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.
BitLocker Drive Encryption
BitLocker is a technology that is part of the Windows operating system. If a computer is equipped with a Trusted Platform Module (TPM), BitLocker uses it to store recovery keys that provide access to an encrypted hard drive. When the computer starts, BitLocker requests the hard drive recovery keys from the Trusted Platform Module and unlocks the drive. You can configure the use of a password and/or PIN code for accessing recovery keys.
Kaspersky Disk Encryption component settings
Parameter |
Description |
|---|---|
Encryption mode |
Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied. If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed. Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default. |
Automatically create Authentication Agent accounts for users |
This check box enables / disables automatic creation of Authentication Agent accounts when applying a policy. Kaspersky Endpoint Security creates a list of Authentication Agent accounts based on Windows accounts. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days. |
Authentication Agent account creation settings |
All accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all computer accounts that have ever been active. All domain accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all computer accounts belonging to a certain domain that have ever been active. All local accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all local computer accounts that have ever been active. Local administrator. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates a local administrator account. Computer manager. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates an Authentication Agent account for the account whose properties in Active Directory show that it is a management account. Active account. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security automatically creates an Authentication Agent account for the computer account that is active during the task. |
Save user name entered in Authentication Agent |
If the check box is selected, the application saves the name of the Authentication Agent account. You will not be required to enter the account name the next time you attempt to complete authorization in the Authentication Agent under the same account. |
Encrypt used disk space only |
This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time. After encryption started, enabling / disabling the Encrypt used disk space only function will not change this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption. If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files. This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable. This check box is cleared by default. |
Use Legacy USB Support |
This check box enables/disables the Legacy USB Support function. Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started. If the check box is selected, support for USB devices during initial startup of the computer will be enabled. When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred. |
Password settings |
Authentication Agent account password strength settings. You can also enable the use of Single Sign-On (SSO) technology. SSO technology makes it possible to use the same account credentials to access encrypted hard drives and to sign in to the operating system. If the check box is selected, you must enter the account credentials for accessing encrypted hard drives and then automatically logging in to the operating system. If the check box is cleared, to access encrypted hard drives and subsequently log into the operating system you must separately enter the credentials for accessing encrypted hard drives and the operating system user account credentials. |
Help texts |
Authentication. Help text that appears in the Authentication Agent window when entering account credentials. Change password. Help text that appears in the Authentication Agent window when changing the password for the Authentication Agent account. Recover password. Help text that appears in the Authentication Agent window when recovering the password for the Authentication Agent account. |
BitLocker Drive Encryption component settings
Parameter |
Description |
|---|---|
Encryption mode |
Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied. If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed. Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default. |
Enable use of BitLocker authentication requiring preboot keyboard input on slates |
This check box enables / disables the use of authentication requiring data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, with touchscreen keyboards on tablets). If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to touchscreen keyboards. |
Use hardware encryption |
If the check box is selected, the application applies hardware encryption. This lets you increase the speed of encryption and use less computer resources. |
Encrypt used disk space only |
This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time. After encryption started, enabling / disabling the Encrypt used disk space only function will not change this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption. If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files. This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable. This check box is cleared by default. |
Authentication settings |
Use Trusted Platform Module (TPM). If this option is selected, BitLocker uses a Trusted Platform Module (TPM). A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys. This action is selected by default. You can configure the settings for accessing the encryption key:
|