GravityZone Full Disk Encryption Frequently Asked Questions (FAQ)
GravityZone Full Disk Encryption is a solution delivered by Bitdefender that helps companies comply with data regulations and prevent the loss of sensitive information in case devices get stolen.
GravityZone Full Disk Encryption gives you simple remote management of encryption keys. The new solution provides centralized management for both Windows BitLocker and Mac FileVault, taking advantage of the native device encryption and ensuring optimal compatibility and performance.
This article addresses some of the most frequent questions about the functionality and features of GravityZone Full Disk Encryption.
- How do I know that a computer supports GravityZone Full Disk Encryption?
- Does this feature work only with machines that have BitLocker capability/TPM chip?
- What kind of disks does GravityZone encrypt?
- How do I set the encryption password?
- Does GravityZone support pre-boot authentication?
- Is GravityZone Full Disk Encryption FIPS compliant?
- Does GravityZone provide reporting of full disk encryption already performed by BitLocker?
- Does GravityZone give end users the ability to recover their password automatically?
- What must customers do if they have already encrypted data using other solutions?
- What is the average time to perform full disk encryption? Can end users work during that time?
- Does GravityZone Full Disk Encryption require prerequisites like installing and enabling BitLocker manually?
- Is it single sign-on to Windows or do you need two passwords: one for Full Disk Encryption and another for Windows?
- Is Full Disk Encryption light-weight and fast enough to be imperceptible to the user and not hard on the computer's resources?
- How many different users can access an encrypted computer?
- Does Full Disk Encryption come as an add-on to the existing GravityZone license?
- How do I get a trial?
- Can you change the boot password for encryption from GravityZone Control Center?
- Can you disable Full Disk Encryption from Control Center?
- Do you have to enter the boot encryption password when the computer comes out of hibernation or sleep?
- Can I encrypt without being asked for a password when the computer starts/reboots?
How do I know that a computer supports GravityZone Full Disk Encryption?
GravityZone Full Disk Encryption is available for most Windows machines and Macs that can run BitLocker and FileVault, respectively. For Windows, this means the feature is not available on "Home" editions of the OS.
Supported Windows operating systems (BitLocker is used for encryption):
- Windows 7 Enterprise (with TPM)
- Windows 7 Ultimate (with TPM)
- Windows 8 Pro
- Windows 8 Enterprise
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
- Windows Server 2008 R2 (with TPM)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Supported macOS editions (FileVault is used for encryption):
- OS X Mavericks (10.9)
- OS X Yosemite (10.10)
- OS X El Capitan (10.11)
- macOS Sierra (10.12)
- macOS High Sierra (10.13)
Does this feature work only with machines that have BitLocker capability/TPM chip?
Full Disk Encryption works on systems with or without a TPM (Trusted Platform Module, a dedicated chip on the motherboard that supports full disk encryption). On most systems the TPM is optional; it is required only on Windows 7 and Windows Server 2008 R2. The TPM must be version 1.2 or higher.
What kind of disks does GravityZone encrypt?
GravityZone encrypts boot and non-boot volumes on fixed disks in desktop computers and laptops. Removable drives are not encrypted.
How do I set the encryption password?
When a security policy with the Encrypt option is applied to the endpoint, the user must configure a password, which starts the encryption process.
Because GravityZone manages encryption through BitLocker and FileVault, the workflow and the limitations of password configuration are determined by these tools.
The following paragraphs explain what you should know about configuring the encryption password on Windows machines, following the BitLocker specifications.
The encryption password format for machines with TPM differs from the format for machines without TPM:
- On machines with TPM (such as newer laptops), the user must enter a personal identification number (PIN) as the encryption password. The PIN must contain:
  - At least 6 characters.
  - Only alphanumeric characters.
  - Less than 21 characters.
  The user does not need to enter a password when the GravityZone policy has the option "If Trusted Platform Module (TPM) is active, do not ask for pre-boot password" enabled. For details, refer to the last question in this article.
- On machines without TPM (such as virtual machines), the encryption password must contain:
  - At least 8 characters.
  - Capital and small letters.
  - One or more digits.
  The password with this format is also required when the TPM is not functional or not detected by GravityZone.
The encryption password is used to boot the operating system. In this context, the BIOS or Unified Extensible Firmware Interface (UEFI) may support only an EN-US keyboard layout, and BIOS-based systems are limited to 7-bit ASCII input. Password entry may therefore fail when using non-English characters or keys whose position differs from the EN-US layout, as on QWERTZ or AZERTY keyboards.
Users are advised to switch their keyboard layout to EN-US while configuring the password, to avoid problems in the pre-boot environment.
The following characters are not supported by system firmware:
- Latin letters whose position differs on keyboards with a non-EN-US layout, such as "Z" and "Y" on German keyboards and "Q" and "A" on French keyboards.
- Characters that are not available in 7-bit ASCII, such as characters with umlauts ("Ä"), grave accents ("È") and tildes ("Ñ").
- Symbols that are not available in 7-bit ASCII, such as the square superscript, fractions, the copyright sign (©) and international currency symbols ($, £, €, etc.).
For more information on setting the encryption password on Windows, refer to this KB article provided by Microsoft.
On Mac, the user is required to enter a password that must contain:
- Between 8 and 30 characters.
- Capital and small letters.
- One or more digits.
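The three password formats described above (TPM PIN, non-TPM Windows password, Mac password) and the 7-bit ASCII and keyboard-layout caveats, as an added Python check. This is example code, not part of the original article or of the GravityZone product; it assumes the rule set is exactly the one stated in this FAQ, and the function names and warning texts are my own.

```python
# Z/Y (QWERTZ) and Q/A (AZERTY) sit elsewhere than on the EN-US layout the firmware assumes.
LAYOUT_SENSITIVE = set("zyqaZYQA")

def check_tpm_pin(pin):
    """BitLocker PIN on a TPM machine: 6 to 20 alphanumeric characters."""
    problems = []
    if len(pin) < 6:
        problems.append("PIN has fewer than 6 characters")
    if len(pin) > 20:
        problems.append("PIN must be less than 21 characters")
    if not (pin.isascii() and pin.isalnum()):
        problems.append("PIN may contain only alphanumeric characters")
    return problems

def check_password(pw, max_len=None):
    """Non-TPM Windows (no upper bound) or Mac (30): 8+ chars, both cases, a digit."""
    problems = []
    if len(pw) < 8:
        problems.append("password has fewer than 8 characters")
    if max_len is not None and len(pw) > max_len:
        problems.append(f"password exceeds {max_len} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("password needs both capital and small letters")
    if not any(c.isdigit() for c in pw):
        problems.append("password needs at least one digit")
    return problems

def firmware_warnings(secret):
    """BIOS/UEFI may accept only 7-bit ASCII on an EN-US layout; flag the rest."""
    warnings = []
    non_ascii = "".join(sorted({c for c in secret if ord(c) > 127}))
    if non_ascii:
        warnings.append(f"not 7-bit ASCII: {non_ascii}")
    if LAYOUT_SENSITIVE & set(secret):
        warnings.append("contains Z/Y or Q/A; type it with the EN-US layout")
    return warnings

def evaluate(secret, platform, has_tpm=False):
    """Apply the rule set for the endpoint type; 'ok' means the format is accepted."""
    if platform == "windows" and has_tpm:
        problems = check_tpm_pin(secret)
    elif platform == "windows":
        problems = check_password(secret)
    elif platform == "mac":
        problems = check_password(secret, max_len=30)
    else:
        raise ValueError(f"unknown platform: {platform}")
    # The keyboard and firmware caveats concern the Windows pre-boot prompt only.
    warnings = firmware_warnings(secret) if platform == "windows" else []
    return {"ok": not problems, "problems": problems, "warnings": warnings}
```

A format that passes but carries warnings (for example a non-ASCII letter) is exactly the case the FAQ says may fail at the pre-boot prompt, so treat warnings as blocking when rolling out a policy to non-EN-US keyboards.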
When a security policy with the Decrypt option is applied to the endpoint:
- On Windows, the decryption process starts automatically. The user is not required to enter any password.
- On Mac, the decryption process requires a password for each volume to be decrypted.
Does GravityZone support pre-boot authentication?
GravityZone Full Disk Encryption supports pre-boot authentication. When configuring the encryption password, make sure you meet the conditions described in the previous answer, to avoid password entry failures in the pre-boot environment if you use a non-EN-US keyboard layout.
Is GravityZone Full Disk Encryption FIPS compliant?
No, GravityZone Full Disk Encryption is not compliant with the Federal Information Processing Standard (FIPS).
Does GravityZone provide reporting of full disk encryption already performed by BitLocker?
If a volume has already been encrypted with BitLocker, then when encryption is enabled on the endpoint through GravityZone, the security agent generates a new recovery key for that volume and sends it to Control Center.
In all other cases, the volumes must be decrypted before applying a GravityZone encryption policy.
Does GravityZone give end users the ability to recover their password automatically?
No, but Bitdefender has plans to support it in the future.
What must customers do if they have already encrypted data using other solutions?
They must first decrypt their data using the current solution; after that they can safely use GravityZone Full Disk Encryption.
What is the average time to perform full disk encryption? Can end users work during that time?
The average time for encryption depends on multiple factors: the disk type and size, the CPU speed, and the number of processes and applications running at that time. However, this does not impact end users, because encryption occurs in the background while they continue to work as usual on their computers.
Does GravityZone Full Disk Encryption require prerequisites like installing and enabling BitLocker manually?
Full Disk Encryption requires BitLocker to be installed on the computer and, in most cases, it is. Only Windows Server systems don’t have BitLocker by default, so the administrator must add it.
Is it single sign-on to Windows or do you need two passwords: one for Full Disk Encryption and another one for Windows?
On Windows, users first need to enter the encryption password in the pre-boot environment, then their user account password to log in to the OS.
Is Full Disk Encryption light-weight and fast enough to be imperceptible to the user and not hard on the computer's resources?
Encryption occurs in the background and users can continue their work as usual. They may not even notice that the process is running, because GravityZone only manages native BitLocker and FileVault and adds no supplementary load on the system. However, when encrypting very large drives it is better to schedule the process for a time when they are not in use.
How many different users can access an encrypted computer?
Access to an encrypted computer is not limited by the number of users. On multi-user computers, the user who is logged in when the encryption policy is applied is the one who sets the encryption password.
Does Full Disk Encryption come as an add-on to the existing GravityZone license?
Yes. Full Disk Encryption is available as an add-on for all GravityZone cloud and on-premises editions, and out of the box for MSP. Refer to the GravityZone editions comparison for the availability of Full Disk Encryption across the editions.
How do I get a trial?
To get a free trial, create an account here: https://www.bitdefender.com/business/free-trials/2760/. If you already have a GravityZone Cloud account, use another email address to set up a trial account.
Can you change the boot password for encryption from GravityZone Control Center?
The encryption password can be changed by the user only from the Bitdefender agent GUI.
Can you disable Full Disk Encryption from Control Center?
Yes, encryption management can be disabled from Control Center to allow local control of BitLocker or FileVault. You can also decrypt data by applying a GravityZone policy.
Do you have to enter the boot encryption password when the computer comes out of hibernation or sleep?
Yes, that is the standard behavior on Windows machines: you enter the encryption password first, then the user account password. On macOS, you only have to enter your user account password, because that is the password used for encryption.
Can I encrypt without being asked for a password when the computer starts/reboots?
Yes, but only on Windows systems with a Trusted Platform Module (TPM) chip. In GravityZone Control Center, go to Policies > Encryption and select the check box "If Trusted Platform Module (TPM) is active, do not ask for pre-boot password".
This way, endpoints are encrypted without a pre-boot password, and users no longer have to enter one every time the computer starts, before their account password.
This option is supported only on machines with TPM and Unified Extensible Firmware Interface (UEFI).
A user will still have to provide a password, whether the check box is selected or not, when:
- The machine does not have TPM.
- The TPM is not functional or not detected by GravityZone.
- The machine is not UEFI-based.
- The machine is a Mac.
For more details, refer to GravityZone Administrator’s Guide > Security Policies > Encryption.