7.2 Configure Disk Encryption - Volumes, Algorithm, and Emergency Recovery

ZENworks Full Disk Encryption supports encryption of IDE, SATA, and PATA hard disks. Encryption of SCSI hard disks is not supported; encrypting a SCSI drive can cause the device to become unbootable.

The information in this section assumes that you are on the Configure Disk Encryption - Volumes, Algorithm and Emergency Recovery page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Volumes, Algorithm and Emergency Recovery page lets you specify which disk volumes on a device to encrypt and the algorithm to use for the encryption. In addition, you can choose whether or not to allow users to create Emergency Recovery Information (ERI) files, which can be used to regain access to encrypted volumes if a problem occurs with the device.

7.2.1 Local Fixed Volumes

Any of a device’s local fixed disk volumes can be encrypted. Removable disks, such as thumb drives, cannot be encrypted. Neither can non-local disks, such as network drives.

  • Encrypt all local fixed volumes: Select this option to encrypt all volumes.

  • Encrypt specific local fixed volumes: Select this option to limit encryption to specific volumes. To specify a volume, click Add, then select the drive letter assigned to the volume. If a volume that you specify does not exist on a device to which the policy is assigned, or the specified volume is not a local fixed volume, no encryption of the specified volume takes place.

After the policy is applied, encryption of the target volumes is performed sequentially, one volume at a time. At most 10 volumes are encrypted, even if the device has more than 10.

7.2.2 Encryption Settings

Encryption is the process of converting plain-text data into cipher text that can be decrypted back into the original plain text only with the correct key. An encryption algorithm, also known as a cipher, is the set of steps that determines how the key is applied to the data to encrypt and decrypt it.

The following settings determine the algorithm that is used to encrypt the selected fixed volumes, and the length of the encryption key that is used in the encryption process.

  • Algorithm: Select one of the following encryption algorithms:

    • AES: The AES (Advanced Encryption Standard) algorithm is a symmetric-key encryption standard adopted by the U.S. government. AES has a 128-bit block size with key lengths of 128, 192, and 256 bits.

      AES provides the highest security coupled with fast encryption speed. This algorithm is the optimal choice for most users.

    • Blowfish: The Blowfish algorithm is a symmetric-key block cipher. It has a 64-bit block size with key lengths of 32 to 448 bits. It is fast and compact, but its 64-bit block size is small for full-disk encryption: a 32 GB volume already holds 2^32 blocks, the point at which block collisions become likely and the security guarantees of the standard block-cipher modes stop applying. Prefer AES for anything but small volumes.

    • DES: The DES (Data Encryption Standard) algorithm is a symmetric-key encryption standard that uses a 56-bit key.

      Because of its 56-bit key size, DES is far weaker than AES or Blowfish: the entire key space can be searched by brute force, and DES keys have been recovered in less than 24 hours on purpose-built hardware. NIST withdrew DES as a standard in 2005. Do not select it for new policies.

    • DESX: The DESX algorithm is a variant of the DES algorithm that adds key whitening before and after the DES operation. It uses a 128-bit key, which makes exhaustive key search impractical, but it keeps DES's 64-bit block size, so the same block-size caveat as for Blowfish applies.

  • Key Length: Select a key length. Key lengths vary depending on the encryption algorithm you select. We recommend that you choose the maximum key length for the algorithm. Doing so provides the highest security with no significant performance loss.

  • Encrypt only the used sectors of the drive: During initial encryption of a fixed disk volume, all of the sectors are encrypted unless you select this option. If you select this option, only the sectors that contain data are encrypted. Additional sectors are encrypted as they are used.

    Encrypting all sectors (used and unused) greatly increases the initial encryption time. Encrypt all sectors, rather than only the used ones, if you are concerned that unauthorized users could recover previously deleted files from the unused sectors: with Encrypt only the used sectors of the drive selected, whatever was written to a sector before the policy was applied, including the contents of deleted files, remains in clear text on the disk until the sector is reused.

  • Block 1394 (FireWire) port: The 1394 interface provides direct memory access, or DMA. Direct access to system memory can compromise security by providing read and write access to stored sensitive data, including encryption and authentication data used by ZENworks Full Disk Encryption. Select this option to prevent direct access to memory through the 1394 port.

  • Enable software encryption of Opal compliant self-encrypting drives: When enabled, this option does the following to OPAL 2.0 compliant self-encrypting drives:

    • Prevents the ZENworks Pre-Boot Authentication (PBA) mechanism from initiating the drive’s locking feature. This allows the ZENworks PBA to work with ALL OPAL 2.0 compliant self-encrypting drives, not just the drives that are known to be drive-locking compatible with ZENworks Full Disk Encryption.

    • Applies software encryption to the drive, adding a second layer of encryption to the drive’s already hardware-encrypted contents.

      NOTE: This setting is automatically applied to enforced encryption policies when upgrading from ZENworks 11.3.x to 11.4.x versions. However, you must remove the policy and Full Disk Encryption Agent during the upgrade process. For more information, see Full Disk Encryption policy fails on Opal devices during version upgrade.
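The following script is an added example, not ZENworks code, that models the trade-off behind Encrypt only the used sectors of the drive. It builds a small volume with a live file and a deleted file, runs the policy's initial encryption in both modes, writes a new file after the policy is active, and then scans the raw sectors the way a forensic carving tool would. The sector layout, file contents and key are constructed for the demonstration, and the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode so that the script runs on the Python standard library; the real agent uses whichever algorithm the policy selects.

```python
"""Toy model of the "Encrypt only the used sectors of the drive" trade-off.

Added example, not ZENworks code. The "cipher" is a stand-in keystream built
from HMAC-SHA256 in counter mode so the script runs on the standard library;
the real policy uses the algorithm chosen above (AES, Blowfish, DES, DESX).
"""
import hashlib
import hmac

SECTOR_BYTES = 512


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream HMAC(key, sector_no || counter); stand-in for a block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR a sector with its keystream (encryption and decryption are the same operation)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no, len(data))))


class Volume:
    """Fixed volume as a list of sectors plus a filesystem-style allocation bitmap."""

    def __init__(self, sector_count: int) -> None:
        self.sectors = [bytearray(SECTOR_BYTES) for _ in range(sector_count)]
        self.allocated = [False] * sector_count
        self.key = None  # set once the policy's initial encryption has run

    def write_file(self, first: int, data: bytes) -> int:
        """Write data starting at sector `first`, allocating the sectors it covers."""
        n = -(-len(data) // SECTOR_BYTES)  # ceiling division
        for j in range(n):
            chunk = data[j * SECTOR_BYTES:(j + 1) * SECTOR_BYTES]
            sector = bytearray(chunk.ljust(SECTOR_BYTES, b"\0"))
            if self.key is not None:  # policy active: new sectors are encrypted as they are used
                sector = bytearray(encrypt_sector(self.key, first + j, bytes(sector)))
            self.sectors[first + j] = sector
            self.allocated[first + j] = True
        return n

    def delete_file(self, first: int, n: int) -> None:
        """Filesystem delete: release the sectors but leave their contents in place."""
        for j in range(n):
            self.allocated[first + j] = False


def initial_encryption(vol: Volume, key: bytes, used_sectors_only: bool) -> int:
    """The policy's initial pass. Returns the number of sectors encrypted."""
    count = 0
    for i, sector in enumerate(vol.sectors):
        if used_sectors_only and not vol.allocated[i]:
            continue  # unallocated sector is skipped, whatever it still contains
        vol.sectors[i] = bytearray(encrypt_sector(key, i, bytes(sector)))
        count += 1
    vol.key = key
    return count


def carve(vol: Volume, marker: bytes) -> list[int]:
    """Forensic-style raw scan: sectors whose on-disk bytes still contain `marker`."""
    return [i for i, s in enumerate(vol.sectors) if marker in s]


def demo(used_sectors_only: bool) -> dict:
    """Live file, a deleted file, initial encryption, then a file written afterwards."""
    vol = Volume(64)
    key = hashlib.sha256(b"constructed demo key, not a real volume key").digest()
    vol.write_file(0, b"CONFIDENTIAL payroll export " * 40)    # live file, sectors 0-2
    n = vol.write_file(10, b"SECRET-DRAFT merger memo " * 30)  # sectors 10-11, deleted below
    vol.delete_file(10, n)
    encrypted = initial_encryption(vol, key, used_sectors_only)
    vol.write_file(30, b"NEW-AFTER-POLICY quarterly figures")   # written once the policy is active
    return {
        "sectors_encrypted": encrypted,
        "live_file_visible": carve(vol, b"CONFIDENTIAL"),
        "deleted_file_visible": carve(vol, b"SECRET-DRAFT"),
        "new_file_visible": carve(vol, b"NEW-AFTER-POLICY"),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("used sectors only:" if mode else "all sectors:     ", demo(mode))
```

With used-sectors-only encryption the initial pass touches 3 of 64 sectors and the file written afterwards is protected, but the deleted memo is still readable from sectors 10 and 11; encrypting all sectors costs the full 64-sector pass and leaves nothing for the scan to find.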

7.2.3 Emergency Recovery Information (ERI) Settings

An Emergency Recovery Information (ERI) file is required to regain access to encrypted volumes if a problem occurs with the device. When the policy is applied to a device, or the policy changes, an ERI file is automatically created and uploaded to the ZENworks Server. You can also enable users to manually create ERI files and store them locally.

  • Allow user to create ERI files: Select this option to enable users to create ERI files. This is done through the ZENworks Full Disk Encryption Agent’s About box.

  • Require user to provide a strong password when creating an ERI file: The ERI file is password-protected to ensure that no unauthorized users can use it to gain access to the encrypted device. The user enters the password when creating the file. Select this option to force the user to provide a password for the file that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • special characters ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: qZG@3b!
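The following is an added example, not part of the ZENworks agent, that checks a candidate ERI password against the rule exactly as it is listed above and generates compliant passwords for administrators who pre-create ERI files. The character classes and the special-character set are taken from the page; note that space, underscore, apostrophe and backtick are not in the listed set, so a password whose only "special" character is one of those does not satisfy the rule as printed. The test passwords other than qZG@3b! are constructed for the demonstration.

```python
"""Checker and generator for the ERI-file strong-password rule listed above.

Added example, not part of the ZENworks agent. The character classes and the
special-character set are taken from the rule as printed on this page.
"""
import secrets
import string

# Exactly the specials the rule lists; space, underscore, apostrophe and
# backtick are not among them and therefore do not satisfy the rule.
ERI_SPECIALS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')
MIN_LENGTH = 7


def eri_password_findings(password: str) -> list[str]:
    """Return every way `password` falls short of the rule; an empty list means it complies."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any("A" <= c <= "Z" for c in password):   # accented letters do not count
        findings.append("no uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        findings.append("no lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        findings.append("no digit 0-9")
    if not any(c in ERI_SPECIALS for c in password):
        findings.append("no special character from the listed set")
    return findings


def is_strong_eri_password(password: str) -> bool:
    return not eri_password_findings(password)


def generate_eri_password(length: int = 16) -> str:
    """Random password satisfying the rule: one character from each class is
    guaranteed, the remainder is drawn from the union, and the order is shuffled."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, "".join(sorted(ERI_SPECIALS))]
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert is_strong_eri_password(password)
    return password


if __name__ == "__main__":
    for candidate in ("qZG@3b!", "qZG_3b1", "Passw0rd", "qZG@3b", "ézg@3b1"):
        print(f"{candidate!r}: {eri_password_findings(candidate) or 'complies'}")
    print("generated:", generate_eri_password())
```

The generator draws one character from each class first so that the rule holds regardless of length, and shuffles so the class order does not leak into the password.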