A.1 Disk Encryption

ZENworks Full Disk Encryption supports encryption of hard disks that have the IDE, SATA, or PATA disk interface. Encryption of SCSI and RAID hard disks is not supported.

The Disk Encryption page in the policy Details shows the fixed disk volumes that are encrypted and the algorithm to use for the encryption. In addition, you can choose whether or not to allow users to create Emergency Recovery Information (ERI) files that can be used to regain access to encrypted volumes if a problem occurs with the device.

A.1.1 Local Fixed Volumes

Displays the fixed disk volumes that are encrypted when the policy is applied to a device. You cannot change these settings for an existing policy.

Any of a device’s local fixed disk volumes can be encrypted. Removable disks, such as thumb drives, cannot be encrypted. Neither can non-local disks, such as network drives.

  • Encrypt all local fixed volumes: Select this option to encrypt all volumes.

  • Encrypt specific local fixed volumes: Select this option to limit encryption to specific volumes. To specify a volume, click Add, then select the drive letter assigned to the volume. If a volume that you specify does not exist on a device to which the policy is assigned, or the specified volume is not a local fixed volume, no encryption of the specified volume takes place.

After the policy is applied, encryption of the target volumes is performed sequentially, one volume at a time. A maximum of 10 volumes are encrypted for disks using MBR, even if the device has more than 10. Disks equipped and enabled for GPT can encrypt up to 128 volumes per disk.

A.1.2 Encryption Settings

Displays the encryption settings to be applied to the device. The only setting you can change is the Block 1394 (FireWire) port setting.

Encryption is the process of converting plain-text data into cipher text that can then be decrypted back into its original plain text. An encryption algorithm, also known as a cipher, is a set of steps that determines how an encryption key is applied to the plain-text data to encrypt and decrypt the text.

The following settings determine the algorithm that is used to encrypt the selected fixed volumes, and the length of the encryption key that is used in the encryption process.

IMPORTANT: In ZENworks Full Disk Encryption, UEFI-enabled devices only use AES 256. If you apply a Disk Encryption policy to a UEFI-enabled device using a different algorithm/key length, the policy settings will automatically be reconfigured to AES 256 when the policy is enforced.

  • Algorithm: Select one of the following encryption algorithms:

    • AES: The AES (Advanced Encryption Standard) algorithm is a symmetric-key encryption standard adopted by the U.S. government. AES has a 128-bit block size with key lengths of 128, 192, and 256 bits.

      AES provides the highest security coupled with fast encryption speed. This algorithm is the optimal choice for most users.

    • Blowfish: The Blowfish algorithm is a symmetric-key block cipher. It has a 64-bit block size with key lengths of 32 to 448 bits. It is a strong, fast, and compact algorithm.

    • DES: The DES (Data Encryption Standard) algorithm is a symmetric-key encryption standard that uses a 56-bit key.

      Because of its 56-bit key size, DES is not as secure as AES or Blowfish. DES keys have been broken in less than 24 hours.

    • DESX: The DESX algorithm is a variant of the DES algorithm. It uses a 128-bit key.

  • Key Length: Select a key length. Key lengths vary depending on the encryption algorithm you select. We recommend that you choose the maximum key length for the algorithm. Doing so provides the highest security with no significant performance loss.

  • Encrypt only the used sectors of the drive: During initial encryption of a fixed disk volume, all of the sectors are encrypted unless you select this option. If you select this option, only the sectors that contain data are encrypted. Additional sectors are encrypted as they are used.

    Encrypting all sectors (used and unused) greatly increases the initial encryption time. You should only encrypt unused sectors if you are concerned about unauthorized users possibly recovering previously deleted files from the unused (and unencrypted) sectors.

  • Block 1394 (FireWire) port: The 1394 interface provides direct memory access, or DMA. Direct access to system memory can compromise security by providing read and write access to stored sensitive data, including encryption and authentication data used by ZENworks Full Disk Encryption. Select this option to prevent direct access to memory through the 1394 port.

  • Enable software encryption of Opal compliant self-encrypting drives: Effective in ZENworks 2017 Update 1, this setting is preconfigured and cannot be disabled. It causes software encryption to be applied to self-encrypting drives, adding a second layer of encryption to the drives' hardware encryption.
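The trade-off behind the Encrypt only the used sectors of the drive option is easiest to see on a small model. The following is an added example, not ZENworks code: it models a fixed volume as 512-byte sectors with an allocation bitmap, "deletes" a file the way most file systems do (clearing the allocation bits and leaving the sector contents in place), and then compares what an initial encryption pass leaves readable on the raw disk when it covers only allocated sectors versus every sector. The per-sector SHA-256 counter keystream is a stand-in chosen so the example runs with the standard library; it is not the product's cipher and is not a recommendation. All volume contents and the key are constructed sample values.

```python
import hashlib
from typing import List

SECTOR_SIZE = 512


class ToyVolume:
    """Constructed model of a local fixed volume: a list of sectors plus an
    allocation bitmap. Encryption is a per-sector XOR with a SHA-256 counter
    keystream, standing in for the real sector cipher (assumption, not ZENworks)."""

    def __init__(self, sectors: int, key: bytes) -> None:
        self.sectors: List[bytes] = [bytes(SECTOR_SIZE) for _ in range(sectors)]
        self.allocated: List[bool] = [False] * sectors
        self.key = key

    def write_file(self, start: int, data: bytes) -> int:
        """Write data from sector `start` onward; returns the sector count used."""
        count = 0
        for offset in range(0, len(data), SECTOR_SIZE):
            idx = start + offset // SECTOR_SIZE
            chunk = data[offset:offset + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\0")
            self.sectors[idx] = chunk
            self.allocated[idx] = True
            count += 1
        return count

    def delete_file(self, start: int, count: int) -> None:
        """Typical delete: only the allocation bits are cleared, sector bytes remain."""
        for idx in range(start, start + count):
            self.allocated[idx] = False

    def _keystream(self, idx: int) -> bytes:
        """Keystream bound to the key and the sector index (demo construction)."""
        out = b""
        counter = 0
        while len(out) < SECTOR_SIZE:
            block = self.key + idx.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:SECTOR_SIZE]

    def encrypt(self, used_sectors_only: bool) -> int:
        """Initial encryption pass; returns how many sectors were transformed."""
        done = 0
        for idx, sector in enumerate(self.sectors):
            if used_sectors_only and not self.allocated[idx]:
                continue  # unallocated sector is skipped, contents untouched
            ks = self._keystream(idx)
            self.sectors[idx] = bytes(a ^ b for a, b in zip(sector, ks))
            done += 1
        return done

    def raw_contains(self, needle: bytes) -> bool:
        """Scan the raw sectors, as someone with physical access to the disk would."""
        return any(needle in sector for sector in self.sectors)


def residue_after_encryption(used_sectors_only: bool, deleted_first: bool = True) -> bool:
    """Return True if the old file's plaintext is still readable on the raw disk
    after the initial encryption pass."""
    vol = ToyVolume(sectors=16, key=b"constructed-demo-key")
    secret = b"CONFIDENTIAL: constructed sample document"
    used = vol.write_file(start=4, data=secret)
    if deleted_first:
        vol.delete_file(start=4, count=used)   # sector 4 is now "unused" but not wiped
    vol.encrypt(used_sectors_only=used_sectors_only)
    return vol.raw_contains(secret)


if __name__ == "__main__":
    print("used-only, file deleted before encryption :", residue_after_encryption(True, True))
    print("used-only, file still allocated           :", residue_after_encryption(True, False))
    print("all sectors, file deleted before encryption:", residue_after_encryption(False, True))
```

With used-sectors-only encryption the deleted document is still found by a raw scan, because its sector was unallocated when the pass ran; the same file is protected if it was still allocated, and a full-sector pass protects it either way. That is the exact case the option text warns about, and the reason the full pass costs more time is visible in the sector count `encrypt` returns.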

A.1.3 Emergency Recovery Information (ERI) Settings

An Emergency Recovery Information (ERI) file is required to regain access to encrypted volumes if a problem occurs with the device. When the policy is applied to a device, or the policy changes, an ERI file is automatically created and uploaded to the ZENworks Server. You can also enable users to manually create ERI files and store them locally.

  • Allow user to create ERI files: Select this option to enable users to create ERI files. This is done through the ZENworks Full Disk Encryption Agent’s About box.

  • Require user to provide a strong password when creating an ERI file: The ERI file is password-protected to ensure that no unauthorized users can use it to gain access to the encrypted device. The user enters the password when creating the file. Select this option to force the user to provide a password for the file that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • at least one special character ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: qZG@3b!

  • Use common password for system-generated ERI files: When this option is selected, all system-generated ERI files will use the password that is specified in this setting.
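The strong-password rule for user-created ERI files is short enough to state precisely. The following checker is an added example written for this page, not ZENworks code, and it implements only what the requirements above list: a minimum length of seven, at least one uppercase letter, one lowercase letter, one digit, and one character from the special-character set given above. The function returns the list of unmet requirements rather than a bare yes/no, which is the form an administrator would want for giving users feedback; the sample passwords are constructed.

```python
import string
from typing import List

# The special characters listed in the ERI password requirements.
ERI_SPECIALS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')

# Each rule: (description of the failure, predicate over the password)
ERI_RULES = [
    ("fewer than seven characters", lambda pw: len(pw) >= 7),
    ("no uppercase letter A-Z", lambda pw: any(c in string.ascii_uppercase for c in pw)),
    ("no lowercase letter a-z", lambda pw: any(c in string.ascii_lowercase for c in pw)),
    ("no digit 0-9", lambda pw: any(c in string.digits for c in pw)),
    ("no special character from the allowed set", lambda pw: any(c in ERI_SPECIALS for c in pw)),
]


def eri_password_problems(pw: str) -> List[str]:
    """Return the requirements the password fails; an empty list means it qualifies."""
    return [reason for reason, ok in ERI_RULES if not ok(pw)]


def is_strong_eri_password(pw: str) -> bool:
    """True when the password meets every requirement of the ERI strong-password rule."""
    return not eri_password_problems(pw)


if __name__ == "__main__":
    for candidate in ["qZG@3b!", "qzg@3b!", "Short1!", "abc", "NoDigits!!"]:
        problems = eri_password_problems(candidate)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
```

The documentation's own example, qZG@3b!, passes: it is exactly seven characters and contains one of each required class. Note that the rule fixes a minimum, not a maximum, and says nothing about characters outside the listed sets, so the checker does not reject them.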