CLOUD SOLUTIONS

Configuration

To manage endpoint encryption in Control Center, select the Encryption Management check box. As long as this setting is enabled, the endpoint users cannot manage encryption locally and all their actions will be canceled or reverted.

Note

Disabling this setting will leave the endpoint volumes in their current state (encrypted or unencrypted) and the users will be able to manage encryption on their machines.

Note

This topic covers the Full Disk Encryption settings from the GravityZone console perspective. For details on encryption and decryption flows on endpoints, best practices and use cases, refer to GravityZone Full Disk Encryption FAQ. See also the requirements section for Full Disk Encryption.

[Screenshot: Full Disk Encryption policy settings]

To manage the encryption and decryption processes, two options are available:

  • Decrypt – decrypts volumes and keeps them unencrypted when the policy is active on the endpoints.

  • Encrypt – encrypts volumes and keeps them encrypted when the policy is active on the endpoints.

    Under the Encrypt option, you can select the check box If Trusted Platform Module (TPM) is active, do not ask for password to encrypt. This setting provides encryption on Windows endpoints with TPM, without requiring an encryption password from users.

GravityZone supports the Advanced Encryption Standard (AES) with 128-bit and 256-bit keys on Windows and macOS. The encryption algorithm actually used depends on the configuration of each operating system.

Note

GravityZone detects and manages volumes that were manually encrypted with BitLocker, FileVault or diskutil. To start managing these volumes, the security agent prompts the endpoint users to change their recovery keys. Volumes encrypted with other encryption solutions must be decrypted before a GravityZone policy is applied.

Encrypting volumes

To encrypt volumes:

  1. Select the Encryption Management check box.

  2. Choose the Encrypt option.

The encryption process begins after the policy becomes active on the endpoints, with some particularities on Windows and Mac.

  • On Windows

    By default, the security agent will prompt the users to configure a password to start encryption. If the machine has a functional TPM, the security agent will prompt the users to configure a personal identification number (PIN) to start encryption.

    The users have to enter the password or PIN configured at this stage every time the endpoint starts, in a pre-boot authentication screen.

    Note

    The security agent allows you to configure the PIN complexity requirements and the users’ privileges to change their PIN through BitLocker Group Policy (GPO) settings.

    To start encryption without requiring a password from the endpoint users, enable the check box If Trusted Platform Module (TPM) is active, do not ask for pre-boot password. This setting is compatible with Windows endpoints having TPM and UEFI.

    When the check box If Trusted Platform Module (TPM) is active, do not ask for pre-boot password is enabled:

    • On an unencrypted endpoint:

      • The encryption proceeds without requiring a password.

      • The pre-boot authentication screen does not appear when starting the machine.

    • On an endpoint encrypted with a password:

      • The password is removed.

      • The volumes remain encrypted.

    • On an encrypted or unencrypted endpoint without TPM, or with a TPM that is not detected or not functioning:

      • The user is prompted to enter a password for encryption.

      • The pre-boot authentication screen appears when starting the machine.

    When the check box If Trusted Platform Module (TPM) is active, do not ask for pre-boot password is disabled:

    • The user must enter a password for encryption.

    • The volumes remain encrypted.

  • On Mac

    To start encryption on boot volumes, the security agent will prompt the users to enter their system credentials.

    To start encryption on non-boot volumes, the security agent will prompt the users to configure an encryption password. This password will be required to unlock the non-boot volume every time the computer starts. If the computer has more than one non-boot volume, the users must configure an encryption password for each one of them.
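The Windows flow above is decided by facts the console cannot see from the policy alone: whether the endpoint has a functional TPM, whether it boots UEFI (required for the no-pre-boot-password option), what BitLocker state the volumes are already in, and which BitLocker GPO PIN settings apply. The PowerShell script below is an added example, not part of this documentation or of the GravityZone agent; it gathers those facts with the standard `Get-Tpm`, `Confirm-SecureBootUEFI` and `Get-BitLockerVolume` cmdlets, reads the standard BitLocker policy registry values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (these are Microsoft's BitLocker GPO values, not GravityZone settings), and maps the result onto the three outcomes described above. The function names `Get-FdeReadiness` and `Get-ExpectedEncryptionFlow` and the `-NoPrebootPasswordOption` parameter are my own; run it in an elevated session.

```powershell
# Added example (not GravityZone code): report the endpoint facts that decide
# which encryption flow the policy will take once it becomes active, and the
# BitLocker GPO PIN settings that shape the PIN the user will be asked for.
# Requires an elevated session: Get-Tpm and Get-BitLockerVolume need admin rights.

function Get-FdeReadiness {
    $report = [ordered]@{}

    # TPM: TpmPresent/TpmReady come from Get-Tpm (TrustedPlatformModule module).
    # A missing or non-functional TPM lands in the catch branch.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # Firmware: Confirm-SecureBootUEFI throws on legacy BIOS systems
    # (and when the session is not elevated), so treat any failure as "not UEFI".
    try {
        $null = Confirm-SecureBootUEFI -ErrorAction Stop
        $report.Uefi = $true
    } catch {
        $report.Uefi = $false
    }

    # Current BitLocker state per volume, including which key protectors exist
    # (Tpm, TpmPin, Password, RecoveryPassword, ...).
    $report.Volumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    })

    # BitLocker GPO settings are written under this policy key when applied:
    #   MinimumPIN                   - minimum startup PIN length (4..20)
    #   UseEnhancedPin               - 1 allows letters/symbols in the PIN
    #   DisallowStandardUserPINReset - 1 blocks standard users from changing the PIN
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $report.MinimumPin                   = $pol.MinimumPIN
    $report.EnhancedPinAllowed           = $pol.UseEnhancedPin
    $report.StandardUserPinChangeBlocked = $pol.DisallowStandardUserPINReset

    [pscustomobject]$report
}

# Maps the gathered facts onto the outcomes described in the policy text:
#   no functional TPM            -> password flow, pre-boot screen shown
#   TPM + UEFI + option enabled  -> no password, no pre-boot screen
#   TPM, option disabled         -> PIN flow, pre-boot screen shown
function Get-ExpectedEncryptionFlow {
    param([bool]$TpmReady, [bool]$Uefi, [bool]$NoPrebootPasswordOption)
    if (-not $TpmReady) {
        return 'Password flow: user is prompted for an encryption password; pre-boot screen appears'
    }
    if ($NoPrebootPasswordOption -and $Uefi) {
        return 'TPM-only flow: no password prompt; no pre-boot screen'
    }
    return 'TPM+PIN flow: user is prompted for a PIN; pre-boot screen appears'
}

# Usage: inspect the endpoint, then predict the flow for a policy that has the
# "do not ask for pre-boot password" check box enabled.
$readiness = Get-FdeReadiness
$readiness | Format-List
Get-ExpectedEncryptionFlow -TpmReady $readiness.TpmReady -Uefi $readiness.Uefi -NoPrebootPasswordOption $true
```

Running this on a pilot group before activating the policy shows which machines will silently encrypt, which will prompt for a PIN, and which will fall back to a password because the TPM is absent or not ready; a non-empty `KeyProtectors` column on an already-encrypted volume is the case where the agent will ask the user to change the recovery key rather than start encryption.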

Decrypting volumes

To decrypt volumes on the endpoints:

  1. Select the Encryption Management check box.

  2. Choose the Decrypt option.

The decryption process begins after the policy becomes active on the endpoints, with some particularities on Windows and Mac.

  • On Windows

    The volumes are decrypted with no interaction from users.

  • On Mac

    For boot volumes, the users must enter their system credentials. For non-boot volumes, the users must enter the password configured during the encryption process.

If endpoint users forget their encryption passwords, they need recovery keys to unlock their machines. For details about retrieving the recovery keys, refer to Using Recovery manager for encrypted volumes.

Excluding partitions

You can create a list of exclusions from encryption by adding specific drive letters, partition labels and names, and partition GUIDs. You cannot exclude from encryption the partition where the operating system is installed.

To create a rule to exclude partitions from encryption:

  1. Select the Exclusions check box.

  2. Click Type and choose a drive type from the drop-down menu.

  3. Enter a drive value in the Excluded items field and consider the following conditions:

    • For a Drive Letter, enter the drive letter followed by a colon, for example D:.

    • For a Label/Name, you can enter any label, such as Work.

    • For a GUID partition, enter a value in the following form: \\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\.

  4. Click Add to add the exclusion to the list.

    To delete an exclusion, select an item and click Delete.
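Because an exclusion list is evaluated on each endpoint against whatever volumes that machine actually has, it is worth dry-running the rules before saving the policy. The PowerShell script below is an added example, not GravityZone code: it takes the three rule types from this section (drive letter with colon, label/name, `\\?\Volume{GUID}\` path), validates each entry's format, matches it case-insensitively against a constructed volume inventory, and flags a rule that would hit the operating system partition, which the policy cannot exclude. The volume inventory and rules are constructed sample data; the function names `Test-ExclusionValue` and `Resolve-Exclusion` and the `DriveLetter`/`LabelName`/`Guid` type labels are my own.

```powershell
# Added example (not GravityZone code): dry-run a Full Disk Encryption
# exclusion list against a volume inventory and report, per rule, whether it is
# well-formed, which volumes it matches, and whether it would wrongly target the
# OS partition. Replace $Volumes with real data (e.g. from Get-Volume) to use it.

# Constructed sample inventory: one OS volume and two data volumes.
$Volumes = @(
    [pscustomobject]@{ Letter = 'C:'; Label = 'Windows'; Guid = '\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\'; IsSystem = $true  }
    [pscustomobject]@{ Letter = 'D:'; Label = 'Work';    Guid = '\\?\Volume{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\'; IsSystem = $false }
    [pscustomobject]@{ Letter = 'E:'; Label = 'Scratch'; Guid = '\\?\Volume{11111111-2222-3333-4444-555555555555}\'; IsSystem = $false }
)

# Constructed sample rules, as they would be typed into Type / Excluded items.
$Rules = @(
    [pscustomobject]@{ Type = 'DriveLetter'; Value = 'd:' }
    [pscustomobject]@{ Type = 'LabelName';   Value = 'scratch' }
    [pscustomobject]@{ Type = 'Guid';        Value = '\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\' }
    [pscustomobject]@{ Type = 'DriveLetter'; Value = 'F' }   # malformed: colon missing
)

# Format check for each rule type: "X:", a non-empty label, or a full volume GUID path.
function Test-ExclusionValue {
    param([string]$Type, [string]$Value)
    switch ($Type) {
        'DriveLetter' { return $Value -match '^[A-Za-z]:$' }
        'LabelName'   { return -not [string]::IsNullOrWhiteSpace($Value) }
        'Guid'        { return $Value -match '^\\\\\?\\Volume\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}\\$' }
        default       { return $false }
    }
}

# Resolve one rule against the inventory. String -eq in PowerShell is
# case-insensitive, so 'd:' matches 'D:' and 'scratch' matches 'Scratch'.
function Resolve-Exclusion {
    param($Rule, $Volumes)
    if (-not (Test-ExclusionValue -Type $Rule.Type -Value $Rule.Value)) {
        return [pscustomobject]@{ Rule = $Rule; Status = 'MALFORMED'; Matches = @() }
    }
    $hits = switch ($Rule.Type) {
        'DriveLetter' { $Volumes | Where-Object { $_.Letter -eq $Rule.Value } }
        'LabelName'   { $Volumes | Where-Object { $_.Label  -eq $Rule.Value } }
        'Guid'        { $Volumes | Where-Object { $_.Guid   -eq $Rule.Value } }
    }
    $hits = @($hits)
    $status = if ($hits.Count -eq 0) { 'NO_MATCH' }
              elseif ($hits | Where-Object IsSystem) { 'REJECTED_OS_PARTITION' }
              else { 'OK' }
    [pscustomobject]@{ Rule = $Rule; Status = $status; Matches = $hits }
}

# Report: type, value, verdict, and the drive letters the rule would exclude.
foreach ($r in $Rules) {
    $res = Resolve-Exclusion -Rule $r -Volumes $Volumes
    $targets = ($res.Matches | ForEach-Object { $_.Letter }) -join ','
    '{0,-12} {1,-52} {2,-22} {3}' -f $r.Type, $r.Value, $res.Status, $targets
}
```

With the sample data, the drive-letter and label rules resolve to D: and E:, the GUID rule is reported as REJECTED_OS_PARTITION because it names the C: volume, and the entry without a colon is reported as MALFORMED before any matching is attempted. A label rule that matches more than one volume is also visible in the last column, which is the usual surprise when labels such as Work are reused across machines.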