Primary Full Disk Encryption Components

Component Name	File Name	Description
Full Disk Encryption service	FDE_srv.exe	The Full Disk Encryption service contains the current configuration data and initiates background encryption or decryption. By exchanging volume boot records, the Full Disk Encryption service identifies volumes that are targeted for encryption.
Crypto core	ccore32.bin	The Crypto core contains the encryption algorithms.
Filter driver	Prot_2k.sys	The Full Disk Encryption driver for encryption. The File Allocation Table (FAT) provides the driver with the location of sectors where data is stored. Full Disk Encryption encrypts every byte of the selected disk. Background encryption starts from the first sector of the selected volume and moves in sequence to the last sector. The entire operating system is encrypted.

Full Disk Encryption Recovery

If system failure prevents the operating system from starting on a client computer, Full Disk Encryption has these options:

• Full recovery with recovery media - Decrypts the failed disk. This takes more time than Full Disk Encryption Drive Slaving Utility and Dynamic Mount Utility that let you access data quickly
• Full Disk Encryption Drive Slaving Utility - Use this to access specified files and folders on the failed, encrypted disk that is connected through a USB cable from a different "host" system.
• Dynamic Mount Utility - Use this to access specified files and folders on the failed, encrypted disk. You create a WinPE CD/DVD media that contains the Dynamic Mount Utility application. Boot the WinPE CD/DVD media on the failed, encrypted computer. When users authenticate through the Dynamic Mount Utility they can extract files and folders from the encrypted system.

Full Recovery with Recovery Media

If system failure prevents the operating system from starting on a client computer, you can use Full Disk Encryption Recovery Media to decrypt the computer and recover the data. Client computers send recovery files to the Endpoint Security Management Server one time during the initial deployment so that you can create recovery media if necessary. After the recovery, the files are restored as decrypted, like they were before the Full Disk Encryption installation, and the operating system can run without the Pre-boot.

After the recovery, you must install Full Disk Encryption on the computer.

Recovery Media:

• Is a snapshot of a subset of the Full Disk Encryption database on the client.
• Contains only the data required to do the recovery.
• Updates if more volumes are encrypted or decrypted.
• Removes only encryption from the disk and boot protection.
• Does not remove Windows components.
• Restores the original boot record.

Users must authenticate to the recovery media with a username and password. There are the options for which credentials to use:

• Users that are assigned to the computer and have the Allow use of recovery media permission (in User Authentication (OneCheck) rule > Advanced > Default logon settings) can authenticate with their regular username and password.
• When you create the recovery media, you can create a temporary user who can authenticate to it. A user who has the credentials can authenticate to that recovery media. Users do not require Allow use of recovery media permission to use the recovery media. Smart Card users must use this option for recovery.

Creating Data Recovery Media

You can create Full Disk Encryption recovery media that can run on a failed computer to decrypt it. Create the recovery media on the server or with an external tool.

The media can be on a CD/DVD, USB device, or REC file.

Note - Creating a recovery media on a USB flash disk formats the device and removes all previous content.

To create recovery media from the Endpoint Security Management Server:

1. In SmartEndpoint, select Tools > Encryption Recovery Media.

   The Full Disk Encryption Recovery Media Tool window opens.

2. Double-click a folder from the navigation tree to see the users and computers that it contains.
3. Right-click the computer to restore and then select Encryption Recovery Media.

   The target retrieves the last known recovery data that was uploaded to the server by the client.

4. Users who have permission to use recovery media for the computer show in the Users Allowed to Recover area.
   • If the user who will do the recovery shows on the list, continue to the next step.
   • If the user who will do the recovery is not on the list:
     1. Click Add to create a temporary user who can use the recovery media.
     2. In the window that opens add a username and password that the user will use to access the file.
5. Select a destination for the Recovery Media:
   • For a bootable CD/DVD, enter a path to a directory for the ISO file
   • For an REC file, enter a path to a directory for the file.
   • For a USB device, select the target drive from the list.
6. Click Write Media.
7. Give the Recovery Media file or device to the user who will do the recovery.
8. Make sure the user knows:
   • Which username and password to use.
   • How to boot the computer: with a CD or USB device.

To create recovery media from the external recovery media tool on R77.20 and higher Management:

1. On an Endpoint Security Management Server, go to folder: C:\Program Files\CheckPoint\Endpoint Security\Full Disk Encryption\
2. Right-click UseRec.exe and select Run as > Administrator.
3. Follow directions in the tool to create recovery media.

Using Data Recovery Media

Use the newly created Full Disk Encryption recovery media to decrypt the failed computer.

To recover an encrypted computer:

1. On the failed computer, run the recovery media from a CD/DVD or bootable USB device.
2. When the Recovery Console Login windows shows, enter the name and password of a user on the recovery media.

   The disk decrypts using partition keys contained in the Recovery Media.

Note - During the decryption process, the client cannot run other programs.

Using Drive Slaving Utility

Full Disk Encryption Drive Slaving Utility lets you access Full Disk Encryption protected disk drives that become corrupted as a result of an Operating System failure . The Drive Slaving Utility is hardware independent, and can access hard disks connected through USB ports.

Full Disk Encryption Dive Slaving Utility replaces older versions of Full Disk Encryption drive slaving functionality, and supports R73 and all E80.x versions. You can use the Full Disk Encryption Drive Slaving Utility instead of disk recovery.

The utility is supported in E80.51 clients and higher on R77.20 and higher management.

Notes - On an E80.x client computer with 2 hard disk drives, the Full Disk Encryption database can be on a second drive. In this case, you must have a recovery file to unlock the drive without the database. Remote Help is available only for hard disk authentication. It is not available for recovery file authentication.

Before You Use the Drive Slaving Utility

Before you run the Full Disk Encryption Drive Slaving Utility, make sure to do these:

• Authenticate the Full Disk Encryption encrypted disk
• On systems with active Pre-boot Bypass, you must authenticate with Full Disk Encryption account credentials

We recommend that you use a recovery file when you are not sure if the hard disk drive or the Full Disk Encryption internal database on your system are corrupted.

Using the Drive Slaving Utility

To use the Full Disk Encryption Drive Slaving Utility:

1. On a computer with Check Point Full Disk Encryption installed, run this command to start the Full Disk Encryption Drive Slaving Utility: <x:>\Program files(x86)\CheckPoint\Endpoint Security\Full Disk Encryption\fde_drive_slaving.exe

   Note - To unlock a protected USB connected hard disk drive, you must first start the Drive Slaving Utility, and then connect the disk drive.

   The Full Disk Encryption - Drive Slaving window opens.

2. Select an Full Disk Encryption protected disk to unlock.

   Unlock volume(s) authentication window opens.

3. Enter User account name and Password.
4. Click OK.

After successful authentication, use Windows explorer to access the disk drive. If you fail to access the locked disk drive, use the Full Disk Encryption Recovery file, then run the Drive Slaving Utility again.

Note - To prevent data corruption, shut down the system or use a safe removal utility before you disconnect the USB connected drive.