
Using encryption

The Encryption module provides full disk encryption on your Mac through policies applied by your security administrator. The security agent operates FileVault to encrypt the Mac’s boot drive and the diskutil command-line utility to encrypt any non-boot drive. Removable drives are not encrypted.

Encrypting volumes

When an encryption policy is applied on your Mac:

  • For boot drives:

    1. A dialog window prompts you to enter your system username and password.

    2. Click the OK button. The encryption process starts immediately.

      If you click the Not now option, the encryption process is postponed, but the dialog window will appear again after a time. The dialog window will continue to appear as long as the encryption policy is active on your Mac.

    3. This is what happens after the Encrypt with FileVault window closes:

      • If you have a Mac running an operating system version older than macOS Catalina (10.15), the encryption process starts immediately.

      • If you have a Mac running macOS Catalina (10.15), Endpoint Security for Mac ("fdesetup") will require, in an additional window, your approval for enabling FileVault. Click the OK button to start encryption. If you click Don't Allow, Endpoint Security for Mac will not start encryption and it will ask you for approval every couple of minutes.

      Note

      In case of dual-boot systems, the other boot volume will not be encrypted.

  • For non-boot drives:

    1. A dialog window prompts you to configure a dedicated password to encrypt each drive. This password is only necessary to unlock a specific non-boot drive.

    2. Click the Save button. The encryption process starts immediately.

      If you click the Dismiss option, the encryption process is postponed. The dialog window will appear again after a time and it will continue to appear as long as the encryption policy is active on your Mac.


If the Mac has more than one drive, the dialog windows for encryption for all drives will appear at the same time.
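
To confirm from Terminal that the boot drive really ended up encrypted after you accepted the dialog, you can read the state reported by fdesetup, the FileVault utility named above. The script below is an added example, not part of Endpoint Security for Mac; the function names are hypothetical and the sample status text is constructed to show an encryption that is still running.

```shell
#!/bin/sh
# Classify the text printed by `fdesetup status` (the macOS FileVault CLI).
# Prints one of: encrypted, encrypting, decrypting, off, unknown.
# Progress lines are tested first, because a volume that is still being
# converted is not yet fully protected even if FileVault reports "On".
classify_fv_status() {
    status_text=$1
    case $status_text in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Succeeds (exit status 0) only when the boot drive is fully encrypted.
policy_satisfied() {
    [ "$(classify_fv_status "$1")" = encrypted ]
}

# Constructed sample: what an unfinished encryption is assumed to look like.
SAMPLE_IN_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42'

# On a Mac, read the live state; elsewhere fall back to the sample above.
if command -v fdesetup >/dev/null 2>&1; then
    live=$(fdesetup status 2>/dev/null || true)
else
    live=$SAMPLE_IN_PROGRESS
fi

echo "boot drive: $(classify_fv_status "$live")"
if policy_satisfied "$live"; then
    echo "encryption policy satisfied for the boot drive"
else
    echo "boot drive is not (yet) fully encrypted"
fi
```

An "unknown" result means the status text was empty or not recognised and should be treated as not encrypted until checked by hand.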

Decrypting volumes

When a decryption policy is applied on your Mac:

  • For boot drives:

    1. A dialog window prompts you to enter your system username and password.

    2. Click the OK button. The decryption process starts immediately.

  • For non-boot drives:

    1. A dialog window prompts you to enter the encryption password.

    2. Click the Save button. The decryption process starts immediately.

      If you click the Dismiss option, the decryption process is postponed. The dialog window will appear again after a time and it will continue to appear as long as the encryption policy is active on your Mac.

If the Mac has more than one drive, the dialog windows for decryption for all drives will appear at the same time.

Changing the recovery key

After the encryption process starts, Endpoint Security for Mac sends a recovery key to the security administrator's management console. The recovery key is useful for your security administrator in case you forget your login credentials or the encryption passwords and you are unable to unlock the drives, or in case the Mac has another user who cannot access one of the drives.

You can change the recovery key for the boot drive without needing to change your login credentials.

To change the encryption recovery key for the boot drive:

  1. Click the encrypted boot drive in the main window of Endpoint Security for Mac.

  2. Click the Change recovery key option.

  3. Enter your system username and password.

  4. Click the Save button.


The option to change the recovery key is only available if an encryption policy is applied to your Mac.

In case you change the system password, the encrypted boot drive remains as it is, with no action from you required.

Changing the encryption password

You can change the encryption password for non-boot drives from the Endpoint Security for Mac user interface. After changing the password, Endpoint Security for Mac will send a new recovery key to the security administrator’s management console.

How to change the encryption password for a non-boot drive:

  1. Click the encrypted disk name in the main window of Endpoint Security for Mac.

  2. Click the Change password option.

  3. In the Change encryption password window, configure the new password.

  4. Click the Save option.


The option to change the encryption password is only available if an encryption policy is applied to your Mac.