Full disk encryption using Kaspersky Disk Encryption technology

Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.

To perform full disk encryption using Kaspersky Disk Encryption technology:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
  3. In the workspace, select the Policies tab.
  4. Select the necessary policy and double-click to open the policy properties.
  5. In the policy window, select Data EncryptionFull Disk Encryption.
  6. In the Encryption technology drop-down list, select Kaspersky Disk Encryption.

    Kaspersky Disk Encryption technology cannot be used if the computer has hard drives that were encrypted by BitLocker.

  7. In the Encryption mode drop-down list, select Encrypt all hard drives.

    If the computer has several operating systems installed, after encrypting all hard drives you will be able to load only the operating system that has the application installed.

    If you need to exclude some of the hard drives from encryption, create a list of such hard drives.

  8. Configure rules for adding Authentication Agent accounts during disk encryption. The Agent allows a user to complete authentication for access to encrypted drives and to load the operating system. To automatically add Authentication Agent accounts, configure the following settings:
    • Automatically create Authentication Agent accounts for users during encryption. If this check box is selected, the application creates Authentication Agent accounts based on the list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days.
    • Automatically create Authentication Agent accounts for all users of this computer upon sign-in. If this check box is selected, the application checks information about Windows user accounts on the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account that has no Authentication Agent account, the application will create a new account for accessing encrypted drives. The new Authentication Agent account will have the following default settings: password-protected sign-on only, and password change on first authentication. Therefore, you do not need to manually add Authentication Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.

    If you disabled automatic creation of Authentication Agent accounts, you can manually add Authentication Agent accounts by using the Manage accounts task. You can also use this task to change the settings of Authentication Agent accounts that were created automatically.

  9. For user convenience, you can save the user name to Authentication Agent memory so that the user only has to enter a password the next time they sign in to the system. To do so, select the Save user name entered in Authentication Agent check box.
  10. Select one of the following encryption methods:
    • If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only (reduces encryption time) check box.

      If you are applying encryption on a drive that is already in use, it is recommended to encrypt the entire drive. This ensures that all data is protected – even deleted data that might still contain retrievable information. The Encrypt used disk space only function is recommended for new drives that have not been previously used.

    • If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only (reduces encryption time) check box.

      If a device was previously encrypted using the Encrypt used disk space only (reduces encryption time) option, after applying a policy in Encrypt all hard drives mode, sectors that are not occupied by files remain unencrypted.

  11. If a hardware incompatibility problem occurs during computer encryption, you can select the Use Legacy USB Support (not recommended) check box.

    Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started.

    When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred.

  12. Save your changes.

You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's computer. You can run the Encryption Monitor tool from the main application window.

If system hard drives are encrypted, the Authentication Agent loads before startup of the operating system. Use the Authentication Agent to complete authentication for obtaining access to encrypted system hard drives and load the operating system. After successful completion of the authentication procedure, the operating system loads. The authentication process is repeated every time the operating system restarts.

Page top