Print Download PDF Send Feedback

Previous

Next

Full Disk Encryption Installation and Deployment

After a package that includes Full Disk Encryption is successfully installed on a client, many requirements must be met before the Full Disk Encryption policy can be enforced. Before these requirements are met, the Pre-boot does not open. The period of time between the installation and when the policy can be enforced is called the Full Disk Encryption Deployment Phase.

To move from Deployment phase to Full Disk Encryption policy enforcement, these requirements must be met:

If there is communication between the client and server and the client meets the Client requirements, all of the requirements are completed automatically. However, if these requirements are not met, Full Disk Encryption cannot protect the computer and the Pre-boot cannot open.

Client Requirements for Full Disk Encryption Deployment

Note - Not all the Full Disk Encryption (FDE) requirements are shown here. For the complete FDE requirements, see the Release Notes for your Endpoint Security client version.

Clients must have:

Note - During deployment of the Full Disk Encryption component on the client, the Full Disk Encryption service automatically defragments the volume to create the 32MB of continuous free space, and suspends the Windows hibernation feature while the disk is encrypted.

Clients must not have:

Other Requirements:

Completing Full Disk Encryption Deployment on a Client

Users will have to reboot their computers twice while Full Disk Encryption deploys. One time to make sure the Pre-boot is running before Full Disk Encryption encrypts the hard drive, and one time to validate the authentication credentials.

Stages of the Deployment Phase

You will see the status of the Deployment phase in:

These are the statuses as shown in the Client Endpoint Security Main Page:

Primary Full Disk Encryption Components

Component Name

File Name

Description

Full Disk Encryption service

FDE_srv.exe

The Full Disk Encryption service contains the current configuration data and initiates background encryption or decryption. By exchanging volume boot records, the Full Disk Encryption service identifies volumes that are targeted for encryption.

Crypto core

ccore32.bin

The Crypto core contains the encryption algorithms.

Filter driver

Prot_2k.sys

The Full Disk Encryption driver for encryption. The File Allocation Table (FAT) provides the driver with the location of sectors where data is stored. Full Disk Encryption encrypts every byte of the selected disk. Background encryption starts from the first sector of the selected volume and moves in sequence to the last sector. The entire operating system is encrypted.