Encrypting hard drives using BitLocker Drive Encryption technology
Before encrypting hard drives on a computer, we recommend making sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Encrypting the hard drive of a computer that is infected by a rootkit may lead to its inoperability.
The use of BitLocker Drive Encryption technology on computers with a server operating system may require installation of the BitLocker Drive Encryption component using the Add roles and components wizard.
To encrypt hard drives using BitLocker Drive Encryption technology:
- Open the Administration Console of Kaspersky Security Center.
- In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group for which you want to configure encryption of hard drives.
- In the workspace, select the Policies tab.
- Select the necessary policy.
- Open the Properties: <Policy name> window by using one of the following methods:
- In the context menu of the policy, select Properties.
- Click the Configure policy link located in the right part of the Administration Console workspace.
- In the Data Encryption section, select the Encryption of hard drives subsection.
- In the Encryption technology drop-down list, select the BitLocker Drive Encryption option.
- In the Encryption mode drop-down list, select the Encrypt all hard drives option.
- If you want to use a touchscreen keyboard to enter information in a preboot environment, select the Allow use of authentication requiring preboot keyboard input on tablets check box.
It is recommended to use this setting only for devices that have alternative data input tools such as a USB keyboard in a preboot environment.
- Select one of the following types of encryption:
- If you want to use hardware encryption, select the Use hardware encryption check box.
- If you want to use software encryption, clear the Use hardware encryption check box.
- Select one of the following encryption methods:
- If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only check box.
- If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only check box.
This function is applicable only to unencrypted devices. If a device was previously encrypted using the Encrypt used disk space only function, after applying a policy in Encrypt all hard drives mode, sectors that are not occupied by files will still not be encrypted.
- Select a method for accessing hard drives that were encrypted with BitLocker.
- If you want to use a Trusted Platform Module (TPM) to store encryption keys, select the Use Trusted Platform Module (TPM) option.
- If you are not using a Trusted Platform Module (TPM) for encryption of hard drives, select the Use password option, and specify the minimum number of characters that a password must contain in the Minimum password length field.
The availability of a Trusted Platform Module (TPM) is mandatory for the Windows 7 and Windows 2008 R2 operating systems, as well as for earlier versions.
- If you selected the Use Trusted Platform Module (TPM) option during the previous step:
- If you want to set a PIN code that will be requested when the user attempts to access an encryption key, select the Use PIN check box and in the Minimum PIN length field, specify the minimum number of digits that a PIN code must contain.
- If you would like access to encrypted hard drives without a trusted platform module on the computer using a password, select the Use password if Trusted Platform Module (TPM) is unavailable check box, and in the Minimum password length field indicate the minimum number of characters the password should contain.
In this event, access to encryption keys will occur using the given password just like if the Use password check box is selected.
If the Use password if Trusted Platform Module (TPM) is unavailable check box is not selected and the trusted platform module is not available, then hard drive encryption will not start.
- Click OK to save changes.
- Apply the policy.
View the Kaspersky Security Center Administrator's Guide for details on applying the Kaspersky Security Center policy.
After applying the policy on the client computer with Kaspersky Endpoint Security installed, the following queries will be made:
- If the encryption policy is applied to a system hard drive, then the PIN code window will appear if the trusted platform module is in use, or otherwise the password request window will appear for preload authorization.
- If the computer's operating system has Federal Information Processing standard compatibility mode turned on, then in Windows 8 and higher the operating system will display a USB device connection request window to save the recovery key file.
If there is no access to encryption keys, the user may request that the local network administrator provide a recovery key (should the recovery key not have been saved earlier on the USB device or have been lost).