Kaspersky Endpoint Security 12.1 for Windows

Kaspersky Disk Encryption

Kaspersky Disk Encryption is available only for computers running a Windows operating system for workstations. For computers running a Windows operating system for servers, use BitLocker Drive Encryption technology.

Kaspersky Endpoint Security supports full disk encryption in FAT32, NTFS and exFAT file systems.

Before starting full disk encryption, the application runs a series of checks to determine if the device can be encrypted, which includes checking the system hard drive for compatibility with Authentication Agent or with BitLocker encryption components. To check for compatibility, the computer must be restarted. After the computer has been rebooted, the application performs all the necessary checks automatically. If the compatibility check is successful, full disk encryption starts after the operating system has loaded and the application has started. If the system hard drive is found to be incompatible with Authentication Agent or with BitLocker encryption components, the computer must be restarted by pressing the Reset hardware button. Kaspersky Endpoint Security logs information about the incompatibility. Based on this information, the application does not start full disk encryption at operating system startup. Information about this event is logged in Kaspersky Security Center reports.

If the hardware configuration of the computer has changed, delete the incompatibility information that the application logged during the previous check so that the system hard drive is checked again for compatibility with Authentication Agent and BitLocker encryption components. To do so, type avp pbatestreset in the command line before starting full disk encryption. If the operating system fails to load after the system hard drive has been checked for compatibility with Authentication Agent, use the Restore Utility to remove the objects and data remaining after test operation of Authentication Agent, then start Kaspersky Endpoint Security and execute the avp pbatestreset command again.

After full disk encryption has started, Kaspersky Endpoint Security encrypts all data that is written to hard drives.

If the user shuts down or restarts the computer during full disk encryption, Authentication Agent is loaded before the next startup of the operating system. Kaspersky Endpoint Security resumes full disk encryption after successful authentication in Authentication Agent and operating system startup.

If the operating system switches to hibernation mode during full disk encryption, Authentication Agent is loaded when the operating system switches back from hibernation mode. Kaspersky Endpoint Security resumes full disk encryption after successful authentication in Authentication Agent and operating system startup.

If the operating system goes into sleep mode during full disk encryption, Kaspersky Endpoint Security resumes full disk encryption when the operating system comes out of sleep mode without loading Authentication Agent.

User authentication in the Authentication Agent can be performed in two ways:

  • Enter the name and password of the Authentication Agent account created by the LAN administrator using Kaspersky Security Center tools.
  • Enter the password of a token or smart card connected to the computer.

    Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.

Authentication Agent supports keyboard layouts for the following languages:

  • English (UK)
  • English (USA)
  • Arabic (Algeria, Morocco, Tunis; AZERTY layout)
  • Spanish (Latin America)
  • Italian
  • German (Germany and Austria)
  • German (Switzerland)
  • Portuguese (Brazil, ABNT2 layout)
  • Russian (for 105-key IBM / Windows keyboards with the QWERTY layout)
  • Turkish (QWERTY layout)
  • French (France)
  • French (Switzerland)
  • French (Belgium, AZERTY layout)
  • Japanese (for 106-key keyboards with the QWERTY layout)

A keyboard layout becomes available in the Authentication Agent if this layout has been added in the language and regional standards settings of the operating system and has become available on the welcome screen of Microsoft Windows.

If the Authentication Agent account name contains symbols that cannot be entered using keyboard layouts available in the Authentication Agent, encrypted hard drives can be accessed only after they are restored using the Restore Utility or after the Authentication Agent account name and password are restored.

In this section

  • Special features of SSD drive encryption
  • Starting Kaspersky Disk Encryption
  • Creating a list of hard drives excluded from encryption
  • Exporting and importing a list of hard drives excluded from encryption
  • Enabling Single Sign-On (SSO) technology
  • Managing Authentication Agent accounts
  • Using a token and smart card with Authentication Agent
  • Hard drive decryption
  • Restoring access to a drive protected by Kaspersky Disk Encryption technology
  • Signing in with the Authentication Agent service account
  • Updating the operating system
  • Eliminating errors of encryption functionality update
  • Selecting the Authentication Agent tracing level
  • Editing Authentication Agent help texts
  • Removing leftover objects and data after testing the operation of Authentication Agent