2.3 Decrypting Drives

You can use the Full Disk Encryption Agent to decrypt any of the device’s encrypted drives. The drive remains decrypted unless a new Disk Encryption policy is applied that causes the drive to be encrypted again.

  1. Make sure you know the FDE Admin password for the policy that is assigned to the device.

    To decrypt a drive, you must know the FDE Admin password for the policy assigned to the device, or you must know the ZENworks Agent override password or key. For more information about passwords, see Section B.0, Administrator Passwords.

  2. Open the Full Disk Encryption agent on the managed device. See Accessing the Full Disk Encryption Agent.

  3. Click the Commands button.

  4. Supply the password, then click OK to display the Commands dialog box.

  5. Click the Decrypt Drive button.

  6. Select the drive to decrypt, then click OK.

  7. In the confirmation dialog box that is displayed, click Yes to proceed.

WARNING:When decrypting a drive, ensure that the decryption process is not interrupted prematurely with a power change on the device; otherwise, all data on the disk can be lost due to disk corruption. You can check the decryption status on the device by accessing Full Disk Encryption > About in the ZENworks Agent.

Disk corruption due to power change has only been noted on secondary drives, but it may also be applicable to primary drives. For this reason, the following precautions are strongly recommended before decrypting a device drive:

  • Pre-configure device drives that will be decrypted so that power options are set to never automatically shut off, hibernate, or sleep.

  • Inform all device users of the need to keep the device(s) running during the decryption process, to include avoiding Sleep and Hibernation options.

    This precaution is for user actions that are not a part of the reboot process that is required for decryption.