1.1 Disk Encryption

ZENworks Full Disk Encryption provides software-based encryption for standard hard disks and supports hardware-based encryption used with self-encrypting hard disks.

1.1.1 Standard Hard Disks

Standard hard disks are any 3.5 or 2.5 inch IDE, SATA, or PATA disks that do not include a hardware encryption chip.

With standard hard disks, ZENworks Full Disk Encryption provides sector-based encryption of the entire disk or selected volumes (partitions). All files on a volume are encrypted, including any temporary files, swap files, or operating system files. Because all files are encrypted, the data cannot be accessed when booting the computer from external media such as a CD-ROM, floppy disk, or USB drive.

You can choose the industry-standard encryption algorithm (AES, Blowfish, DES, or DESX) and key length that best meets your organization's requirements.
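To make the sector-based model above concrete, the following is an added illustration (not ZENworks code, and not the product's cipher implementation): an in-memory volume whose every sector is encrypted below the filesystem, so that a document, its temporary copy and a swap page all look the same to someone reading the raw disk without the key. The keystream is derived per sector from a volume key and the sector index using HMAC-SHA256 as a stand-in keyed function; the passphrase, sector contents and the `EncryptedVolume` class are constructed for the example.

```python
import hashlib
import hmac

SECTOR_SIZE = 512  # bytes per sector on a conventional disk


def sector_keystream(key: bytes, sector_index: int) -> bytes:
    """Derive one sector's keystream from the volume key and the sector index.

    Binding the keystream to the index gives two properties full disk
    encryption needs: any sector can be decrypted on its own (random access),
    and identical plaintext in two sectors encrypts to different ciphertext.
    HMAC-SHA256 stands in here as the keyed function; this is an illustrative
    construction, not the AES/Blowfish/DES/DESX modes the product offers.
    """
    blocks = []
    for counter in range(SECTOR_SIZE // hashlib.sha256().digest_size):
        msg = sector_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """In-memory model of a volume encrypted below the filesystem (constructed).

    The filesystem, and therefore every file on it including temp and swap
    files, only sees plaintext through read_sector/write_sector. raw_read
    models what is visible when the disk is read from external boot media
    without the key.
    """

    def __init__(self, key: bytes, sector_count: int) -> None:
        self.key = key
        self.raw = bytearray(SECTOR_SIZE * sector_count)
        # Initial encryption pass: never-written sectors are ciphertext too,
        # so used and unused space are indistinguishable in the raw image.
        for idx in range(sector_count):
            self.write_sector(idx, bytes(SECTOR_SIZE))

    def _span(self, idx: int) -> slice:
        return slice(idx * SECTOR_SIZE, (idx + 1) * SECTOR_SIZE)

    def write_sector(self, idx: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        self.raw[self._span(idx)] = _xor(plaintext, sector_keystream(self.key, idx))

    def read_sector(self, idx: int) -> bytes:
        return _xor(self.raw_read(idx), sector_keystream(self.key, idx))

    def raw_read(self, idx: int) -> bytes:
        return bytes(self.raw[self._span(idx)])


def plaintext_visible_in_raw_image(vol: EncryptedVolume, needle: bytes) -> bool:
    """Search the raw disk image for a plaintext string, as an offline reader would."""
    return needle in bytes(vol.raw)


def build_demo_volume():
    # Constructed key material and sample content; nothing here is a real secret.
    key = hashlib.sha256(b"constructed demo passphrase, not a real key").digest()
    vol = EncryptedVolume(key, sector_count=8)
    contents = {
        0: b"CONFIDENTIAL: board minutes".ljust(SECTOR_SIZE, b"\0"),
        3: b"~autosave.tmp copy of the minutes".ljust(SECTOR_SIZE, b"\0"),
        5: b"pagefile: secret paged out of RAM".ljust(SECTOR_SIZE, b"\0"),
        6: b"CONFIDENTIAL: board minutes".ljust(SECTOR_SIZE, b"\0"),  # same as sector 0
    }
    for idx, data in contents.items():
        vol.write_sector(idx, data)
    return vol, contents


if __name__ == "__main__":
    vol, contents = build_demo_volume()
    print("plaintext recoverable with key:", vol.read_sector(0) == contents[0])
    print("'CONFIDENTIAL' in raw image:", plaintext_visible_in_raw_image(vol, b"CONFIDENTIAL"))
    print("duplicate sectors share ciphertext:", vol.raw_read(0) == vol.raw_read(6))
```

Two design points worth noting. First, the initial encryption pass is what makes "all files on a volume are encrypted" hold even for free space and for files written later. Second, this toy XORs a fixed per-sector keystream, so rewriting a sector with new data reuses that keystream, which is exactly the weakness that leads production disk encryption to use a tweakable block-cipher mode rather than a stream cipher for sector data.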

NOTE: The cryptographic module used in ZENworks Full Disk Encryption to encrypt standard hard drives is not Federal Information Processing Standard (FIPS) 140-2 certified. However, the cryptographic module implements standards consistent with FIPS 140-2 Level 1 certification.

1.1.2 Self-Encrypting Hard Disks

Self-encrypting hard disks are disks that perform their own encryption via a hardware encryption chip.

ZENworks Full Disk Encryption supports self-encrypting hard disks that are compliant with the Trusted Computing Group OPAL 2.0 specification. The two modes of support are:

  • Pre-boot authentication with software-based encryption: This is supported on ALL OPAL 2.0 compliant drives.

    Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. Using ZENworks pre-boot authentication (ZENworks PBA) in conjunction with Windows login greatly enhances drive security. Software-based encryption adds a second layer of encryption to the drive’s native hardware encryption.

    For more information about ZENworks pre-boot authentication, see Pre-Boot Authentication.

  • Pre-boot authentication with drive locking: ZENworks supports drive locking on SOME OPAL 2.0 compliant drives. The support is limited because of variations in the way drive manufacturers implement the OPAL 2.0 specification related to drive locking.

    When using this mode, drive locking is initiated during ZENworks PBA initialization. After user authentication occurs through the ZENworks PBA, the drive is unlocked until it is powered off. Only the native hardware encryption is used; ZENworks does not apply software-based encryption in this mode.

    For a list of known drive-locking compatible and incompatible drives, see ZENworks Full Disk Encryption Self-Encrypting Drive Support. For information about how to test a drive for drive-locking compatibility, see ZENworks Full Disk Encryption Self-Encrypting Drive Compatibility Testing.

NOTE: When upgrading a device with an OPAL drive from a ZENworks 11.3.x to an 11.4.x or later version, any existing Full Disk Encryption policies on the device and the Full Disk Encryption Agent must be temporarily removed prior to the upgrade. See “Full Disk Encryption policy fails on Opal devices during version upgrade” in ZENworks 2017 Troubleshooting Full Disk Encryption for more information.