Full Disk Encryption

You can select an encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also referred to as simply "BitLocker").

Kaspersky Disk Encryption

After the system hard drives have been encrypted, at the next computer startup the user must complete authentication using the Authentication Agent before the hard drives can be accessed and the operating system is loaded. This requires entering the password of the token or smart card connected to the computer, or the user name and password of the Authentication Agent account created by the local area network administrator using the Manage Authentication Agent accounts task. These accounts are based on Microsoft Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO) technology, which lets you automatically log in to the operating system using the user name and password of the Authentication Agent account.

User authentication in the Authentication Agent can be performed in two ways:

BitLocker Drive Encryption

BitLocker is an encryption technology built into Windows operating systems. Kaspersky Endpoint Security allows you to control and manage BitLocker using Kaspersky Security Center. BitLocker encrypts logical volumes. BitLocker cannot be used for encryption of removable drives. For more details on BitLocker, refer to the Microsoft documentation.

BitLocker provides secure storage of access keys using a trusted platform module. A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. Using TPM is the safest way to store BitLocker access keys, since TPM provides pre-startup system integrity verification. You can still encrypt drives on a computer without a TPM. In this case, the access key will be encrypted with a password. BitLocker uses the following authentication methods:

After encrypting a drive, BitLocker creates a master key. Kaspersky Endpoint Security sends the master key to Kaspersky Security Center so that you can restore access to the disk, for example, if a user has forgotten the password.

If a user encrypts a disk using BitLocker, Kaspersky Endpoint Security will send information about disk encryption to Kaspersky Security Center. However, Kaspersky Endpoint Security will not send the master key to Kaspersky Security Center, so it will be impossible to restore access to the disk using Kaspersky Security Center. For BitLocker to work correctly with Kaspersky Security Center, decrypt the drive and re-encrypt the drive using a policy. You can decrypt a drive locally or using a policy.

After encrypting the system hard drive, the user needs to go through BitLocker authentication to boot the operating system. After the authentication procedure, BitLocker allows users to log in. BitLocker does not support single sign-on technology (SSO).

If you are using Windows group policies, turn off BitLocker management in the policy settings. Windows policy settings may conflict with Kaspersky Endpoint Security policy settings. When encrypting a drive, errors may occur.

Kaspersky Disk Encryption component settings

Parameter

Description

Encryption mode

Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied.

If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed.

Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied.

Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.

During encryption, automatically create Authentication Agent accounts for Windows users

If this check box is selected, the application creates Authentication Agent accounts based on the list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days.

Authentication Agent account creation settings

All accounts on the computer. All accounts on the computer that have been active at any time.

All domain accounts on the computer. All accounts on the computer that belong to some domain and that have been active at any time.

All local accounts on the computer. All local accounts on the computer that have been active at any time.

Service account with a one-time password. The service account is necessary to gain access to the computer, for example, when the user forgets the password. You can also use the service account as a reserve account. You must enter the name of the account (by default, ServiceAccount). Kaspersky Endpoint Security creates a password automatically. You can find the password in the Kaspersky Security Center console.

Local administrator. Kaspersky Endpoint Security creates an Authentication Agent user account for the local administrator of the computer.

Computer manager. Kaspersky Endpoint Security creates an Authentication Agent user account for the account of the computer manager. You can see which account has the computer manager role in computer properties in Active Directory. By default, the computer manager role is not defined, that is, it does not correspond to any account.

Active account. Kaspersky Endpoint Security automatically creates an Authentication Agent account for the account that is active at the time of disk encryption.

Automatically create Authentication Agent accounts for all users of this computer upon sign-in

If this check box is selected, the application checks information about Windows user accounts on the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account that has no Authentication Agent account, the application will create a new account for accessing encrypted drives. The new Authentication Agent account will have the following default settings: password-protected sign-on only, and password change on first authentication. Therefore, you do not need to manually add Authentication Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.

Save user name entered in Authentication Agent

If the check box is selected, the application saves the name of the Authentication Agent account. You will not be required to enter the account name the next time you attempt to complete authorization in the Authentication Agent under the same account.

Encrypt used disk space only (reduces encryption time)

This check box enables/disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time.

Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption.

If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added.

If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files.

This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable.

This check box is cleared by default.

Use Legacy USB Support (not recommended)

This check box enables/disables the Legacy USB Support function. Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started.

If the check box is selected, support for USB devices during initial startup of the computer will be enabled.

When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred.

Password settings

Authentication Agent account password strength settings. When using Single Sign-on technology, the Authentication Agent ignores the password strength requirements specified in Kaspersky Security Center. You can set the password strength requirements in the operating system settings.

Use Single Sign-On (SSO) technology

SSO technology makes it possible to use the same account credentials to access encrypted hard drives and to sign in to the operating system.

If the check box is selected, you enter the credentials for accessing encrypted hard drives once and are then logged in to the operating system automatically.

If the check box is cleared, to access encrypted hard drives and subsequently log into the operating system you must separately enter the credentials for accessing encrypted hard drives and the operating system user account credentials.

Wrap third-party credential providers

Kaspersky Endpoint Security supports the third-party credential provider ADSelfService Plus.

When working with third-party credential providers, Authentication Agent intercepts the password before the operating system is loaded. This means that a user needs to enter a password only once when signing in to Windows. After signing in to Windows, the user can utilize the capabilities of a third-party credential provider for authentication in corporate services, for example. Third-party credential providers also allow users to independently reset their own password. In this case, Kaspersky Endpoint Security will automatically update the password for Authentication Agent.

If you are using a third-party credential provider that is not supported by the application, you may encounter some limitations in Single Sign-On technology operation.

Help

Authentication. Help text that appears in the Authentication Agent window when entering account credentials.

Change password. Help text that appears in the Authentication Agent window when changing the password for the Authentication Agent account.

Recover password. Help text that appears in the Authentication Agent window when recovering the password for the Authentication Agent account.

BitLocker Drive Encryption component settings

Parameter

Description

Encryption mode

Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied.

If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed.

Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied.

Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.

Enable use of BitLocker authentication requiring pre-boot keyboard input on tablets

This check box enables/disables the use of authentication requiring data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, with touchscreen keyboards on tablets).

The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect an external input device, for example a USB keyboard.

If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to touchscreen keyboards.

If the check box is cleared, BitLocker Drive Encryption is not possible on tablets.

Use hardware encryption (Windows 8 and later versions)

If the check box is selected, the application applies hardware encryption. This lets you increase the speed of encryption and use fewer computer resources.

Encrypt used disk space only (Windows 8 and later versions)

This check box enables/disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time.

Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption.

If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added.

If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files.

This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable.

This check box is cleared by default.

Authentication method

Only password (Windows 8 and later versions)

If this option is selected, Kaspersky Endpoint Security prompts the user for a password when the user attempts to access an encrypted drive.

This option can be selected when a Trusted Platform Module (TPM) is not being used.

Trusted platform module (TPM)

If this option is selected, BitLocker uses a Trusted Platform Module (TPM).

A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus.

For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported.

A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys.

This option is selected by default.

You can set an additional layer of protection for access to the encryption key, and encrypt the key with a password or a PIN:

  • Use PIN for TPM. If this check box is selected, a user can use a PIN code to obtain access to an encryption key that is stored in a Trusted Platform Module (TPM).

    If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a user must enter the password.

  • Trusted platform module (TPM), or password if TPM is unavailable. If the check box is selected, the user can use a password to obtain access to encryption keys when a Trusted Platform Module (TPM) is not available.

    If the check box is cleared and the TPM is not available, full disk encryption will not start.

The selected authentication method must be configured by specifying password or PIN requirements:

  • Minimum PIN length (characters).
  • Minimum password length (characters).
  • Limit password / PIN validity period for TPM (days).
  • Use enhanced PIN (letters and numbers). Enhanced PIN allows using other characters in addition to numerical characters: uppercase and lowercase Latin letters, special characters, and spaces.

Automatically recreate recovery key (days)

Automatically update the password to restore access to a drive protected by BitLocker. If the check box is selected, specify the validity period of the recovery key password. This helps prevent recovery key password reuse.
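The following audit script is an added example and is not Kaspersky's or Microsoft's code. It reports the state that the BitLocker settings above control (TPM readiness, the key protectors present on each volume, and whether a Windows group policy for BitLocker exists that could conflict with the Kaspersky Endpoint Security policy). It assumes Windows 8 / Windows Server 2012 or later with the BitLocker and TrustedPlatformModule PowerShell modules, an elevated session, and the standard FVE policy registry values named in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a computer's BitLocker state against the policy options described above.

function Get-BitLockerPolicyAudit {
    # TPM state: the "Trusted platform module (TPM)" authentication method needs a ready TPM;
    # without one, only the password method (or the "password if TPM is unavailable" option) applies.
    $tpm = Get-Tpm

    # Windows group policy for BitLocker is stored under this key. Any values here may conflict
    # with the Kaspersky Endpoint Security policy, which is why the page recommends turning
    # Windows-side BitLocker management off. Value names are Microsoft's documented FVE
    # policy values (assumed layout; adjust if your policy uses others).
    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $fvePolicy = $null
    if (Test-Path $fveKey) {
        $fvePolicy = Get-ItemProperty -Path $fveKey |
            Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMPIN, MinimumPIN, UseEnhancedPin
    }

    # Per-volume state. The "Authentication method" options map to the Tpm / TpmPin / Password
    # key protector types; a RecoveryPassword protector is what a console-driven recovery relies on.
    $volumes = foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            VolumeType          = $v.VolumeType
            VolumeStatus        = $v.VolumeStatus
            ProtectionStatus    = $v.ProtectionStatus
            EncryptionMethod    = $v.EncryptionMethod
            Protectors          = ($types -join ', ')
            # An encrypted volume with no recovery password protector cannot be restored
            # from a management console if the user forgets the PIN or password.
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }

    [pscustomobject]@{
        TpmPresent               = $tpm.TpmPresent
        TpmReady                 = $tpm.TpmReady
        WindowsBitLockerPolicy   = $fvePolicy   # $null means no Windows-side BitLocker policy is set
        Volumes                  = $volumes
        VolumesWithoutRecoveryPw = @($volumes | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword })
    }
}

$audit = Get-BitLockerPolicyAudit
$audit | Select-Object TpmPresent, TpmReady, WindowsBitLockerPolicy | Format-List
$audit.Volumes | Format-Table -AutoSize
```

Review VolumesWithoutRecoveryPw before deploying the policy: such volumes were typically encrypted outside the policy, which is the case the page says must be decrypted and re-encrypted for console-based recovery to work.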

See also:

  • About managing the application via the Kaspersky Security Center Administration Console
  • Starting Kaspersky Disk Encryption
  • Starting BitLocker Drive Encryption
  • Creating a list of hard drives excluded from encryption
  • Hard drive decryption
  • Updating the operating system
  • Eliminating errors of encryption functionality update