Full disk encryption using BitLocker Drive Encryption technology
Prior to starting full disk encryption on a computer, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.
The use of BitLocker Drive Encryption technology on computers with a server operating system may require installation of the BitLocker Drive Encryption component using the Add roles and components wizard.
To perform full disk encryption using BitLocker Drive Encryption technology:
- Open the Kaspersky Security Center Administration Console.
- In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group for which you want to configure full disk encryption.
- In the workspace, select the Policies tab.
- Select the necessary policy.
- Open the Properties: <Policy name> window by using one of the following methods:
  - In the context menu of the policy, select Properties.
  - Click the Configure policy link located in the right part of the Administration Console workspace.
- In the Data encryption section, select Full Disk Encryption.
- In the Encryption technology drop-down list, select the BitLocker Drive Encryption option.
- In the Encryption mode drop-down list, select the Encrypt all hard drives option.
  If the computer has several operating systems installed, after encryption you will be able to load only the operating system in which the encryption was performed.
- If you want to use a touchscreen keyboard to enter information in the preboot environment, select the Allow use of authentication requiring preboot keyboard input on tablets check box.
  It is recommended to use this setting only for devices that have an alternative data input tool, such as a USB keyboard, in the preboot environment.
- Select one of the following types of encryption:
  - If you want to use hardware encryption, select the Use hardware encryption check box.
  - If you want to use software encryption, clear the Use hardware encryption check box.
- Select one of the following encryption methods:
  - If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only check box.
  - If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only check box.
  This function is applicable only to unencrypted devices. If a device was previously encrypted using the Encrypt used disk space only function, sectors that are not occupied by files remain unencrypted even after a policy in Encrypt all hard drives mode is applied.
- Select a method for accessing hard drives that were encrypted with BitLocker:
  - If you want to use a Trusted Platform Module (TPM) to store encryption keys, select the Use Trusted Platform Module (TPM) option.
  - If you are not using a Trusted Platform Module (TPM) for full disk encryption, select the Use password option and, in the Minimum password length field, specify the minimum number of characters that a password must contain.
  A Trusted Platform Module (TPM) is mandatory for the Windows 7 and Windows 2008 R2 operating systems, as well as for earlier versions.
- If you selected the Use Trusted Platform Module (TPM) option in the previous step:
  - If you want a PIN code to be requested when the user attempts to access an encryption key, select the Use PIN check box and, in the Minimum PIN length field, specify the minimum number of digits that a PIN code must contain.
  - If you want access to encrypted hard drives to be possible by password on a computer that has no trusted platform module, select the Use password if Trusted Platform Module (TPM) is unavailable check box and, in the Minimum password length field, specify the minimum number of characters that the password must contain.
  In this case, access to encryption keys is granted using the specified password, just as if the Use password option had been selected.
  If the Use password if Trusted Platform Module (TPM) is unavailable check box is cleared and the computer has no trusted platform module, full disk encryption will not start.
- Click OK to save changes.
- Apply the policy.
For details on applying a Kaspersky Security Center policy, please refer to the Kaspersky Security Center Help Guide.
After the policy is applied on a client computer with Kaspersky Endpoint Security installed, the following prompts are displayed:
- If the Kaspersky Security Center policy is configured to encrypt the system hard drive, the PIN code prompt window appears if a Trusted Platform Module is in use; otherwise, the password request window for preboot authentication appears.
- If Federal Information Processing Standard (FIPS) compatibility mode is turned on in the computer's operating system, then on Windows 8 and earlier the operating system displays a window requesting that a USB device be connected to save the recovery key file.
If the user has no access to the encryption keys, the user may request a recovery key from the local network administrator (if the recovery key was not saved earlier on the USB device, or has been lost).
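As an added example, not taken from Kaspersky's documentation or product, the following PowerShell script audits a managed endpoint after the policy steps above have been applied. It checks that the operating-system volume carries the key protector implied by the chosen access method (TPM, TPM with PIN, or password, including the "Use password if TPM is unavailable" fallback), whether hardware encryption is in effect, whether each protected volume has a recovery password protector that an administrator could hand out in the recovery situation described above, and whether FIPS compatibility mode is on. The parameter defaults, the function names and the mapping from policy choices to protector types are this example's assumptions; the cmdlets Get-BitLockerVolume, Get-Tpm and Get-ItemProperty and the FipsAlgorithmPolicy registry value are standard Windows (BitLocker module, Windows 8 / Windows Server 2012 and later, elevated session).

```powershell
# Added audit script (example, not Kaspersky's code). Run from an elevated PowerShell session.
# Parameter defaults are assumed placeholders: set them to the choices made in the policy.
param(
    [ValidateSet('Tpm', 'Password')]
    [string]$AccessMethod = 'Tpm',    # Use Trusted Platform Module (TPM) / Use password
    [bool]$RequirePin = $true,        # Use PIN check box
    [bool]$PasswordIfNoTpm = $false   # Use password if Trusted Platform Module (TPM) is unavailable
)

function Test-FipsMode {
    # FIPS compatibility mode is the Enabled DWORD under Lsa\FipsAlgorithmPolicy (1 = on).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Test-TpmUsable {
    # Get-Tpm throws on machines without a TPM; treat that as "not usable".
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { return $false }
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-ExpectedProtectorType {
    # Map the policy choices to the key-protector type BitLocker should report for the OS volume.
    # Returns $null when, per the note above, encryption would not start at all.
    param([string]$Method, [bool]$Pin, [bool]$TpmUsable, [bool]$FallbackToPassword)
    if ($Method -eq 'Password') { return 'Password' }
    if (-not $TpmUsable) {
        if ($FallbackToPassword) { return 'Password' } else { return $null }
    }
    if ($Pin) { return 'TpmPin' } else { return 'Tpm' }
}

$tpmUsable = Test-TpmUsable
$expected  = Get-ExpectedProtectorType -Method $AccessMethod -Pin $RequirePin `
                                       -TpmUsable $tpmUsable -FallbackToPassword $PasswordIfNoTpm
if ($null -eq $expected) {
    Write-Warning 'Policy requires a TPM, none is usable, and password fallback is off: encryption will not start.'
}

$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $policyMatch = $null
    if ($vol.VolumeType -eq 'OperatingSystem' -and $null -ne $expected) {
        $policyMatch = $types -contains $expected
    }
    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        VolumeType     = $vol.VolumeType
        Protection     = $vol.ProtectionStatus      # On only once the protectors are active
        Status         = $vol.VolumeStatus          # e.g. FullyEncrypted, EncryptionInProgress
        Percent        = $vol.EncryptionPercentage
        Method         = $vol.EncryptionMethod      # 'Hardware' means hardware encryption is in use
        Protectors     = ($types -join ',')
        HasRecoveryPwd = ($types -contains 'RecoveryPassword')
        MatchesPolicy  = $policyMatch
    }
}
$report | Format-Table -AutoSize

# A protected volume without a RecoveryPassword protector leaves the administrator nothing
# to hand out if the user loses the PIN or password.
$report | Where-Object { $_.Protection -eq 'On' -and -not $_.HasRecoveryPwd } |
    ForEach-Object { Write-Warning "$($_.MountPoint): protected, but no RecoveryPassword protector" }

if (Test-FipsMode) {
    Write-Host 'FIPS compatibility mode is on: on Windows 8 and earlier, expect the USB prompt to save the recovery key file.'
}
```

The MatchesPolicy column is only meaningful for the operating-system volume, because the preboot protector choices in the policy apply to the system drive; data volumes are listed so that the recovery-protector check covers them too.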