13.0 Full Disk Encryption

ZENworks 11 Full Disk Encryption protects a device’s data from unauthorized access when the device is powered off or in hibernation mode. To do this, it uses a combination of disk encryption and pre-boot authentication.

Full Disk Encryption provides sector-based encryption for standard IDE, SATA, and PATA hard disks. All disk volumes (or selected disk volumes) are encrypted, including any temporary files, swap files, and operating system files on the volumes. The data cannot be accessed until a valid user successfully logs in, and the data can never be accessed by booting the device from media such as a CD/DVD, floppy disk, or USB drive. For an authenticated user, accessing data on the encrypted disk is no different than accessing data on an unencrypted disk.

Full Disk Encryption provides optional pre-boot authentication for both standard hard disks and self-encrypting hard disks, such as the Seagate Momentus FDE.x series, that use a built-in chip for encryption. The ZENworks Pre-Boot Authentication (PBA) component is installed as a small Linux partition on the hard disk. Login occurs through the ZENworks PBA, which is protected from alteration through the use of MDT checksums and from password extraction through the use of strong encryption for the keys.

The ZENworks PBA supports single sign-on with the Windows login, enabling users to enter only one set of credentials (either user/password or smart card) to log in to both the ZENworks PBA and the Windows operating system.