1.2 Self-Encrypting Hard Disks

Self-encrypting hard disks are disks that perform their own encryption via a hardware encryption chip.

ZENworks Full Disk Encryption supports self-encrypting hard disks that are compliant with the Trusted Computing Group OPAL 2.0 specification. The two modes of support are:

  • Pre-boot authentication with software-based encryption: This is supported on ALL OPAL 2.0 compliant drives.

    Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. Using ZENworks pre-boot authentication (ZENworks PBA) in conjunction with Windows login greatly enhances drive security. Software-based encryption adds a second layer of encryption to the drive’s native hardware encryption.

    For more information about ZENworks pre-boot authentication, see Section 2.0, Pre-Boot Authentication.

  • Pre-boot authentication with drive locking: ZENworks supports drive locking on SOME OPAL 2.0 compliant drives. The support is limited because of variations in the way drive manufacturers implement the OPAL 2.0 specification related to drive locking.

    When using this mode, drive locking is initiated during ZENworks PBA initialization. After user authentication occurs through the ZENworks PBA, the drive is unlocked until it is powered off. Only the native hardware encryption is used; ZENworks does not apply software-based encryption in this mode.

    For a list of known drive-locking compatible and incompatible drives, see ZENworks 11 SP4 Full Disk Encryption Self-Encrypting Drive Support. For information about how to test a drive for drive-locking compatibility, see ZENworks 11 SP4 Full Disk Encryption Self-Encrypting Drive Compatibility Testing.

NOTE: When upgrading a device with an OPAL drive from ZENworks 11.3.x to 11.4.x or a later version, any existing Full Disk Encryption policies on the device and the Full Disk Encryption Agent must be temporarily removed prior to the upgrade. See Full Disk Encryption policy fails on Opal devices during version upgrade for more information.