Basic advice

Introduction

Encryption is, by nature, a double-edged sword. One side of it helps you protect your data from being exposed, while the other will prevent you from accessing it yourself if it is not handled correctly.

Full Disk Encryption solutions encrypt the whole computer, including the operating system itself. This approach is favoured over other, simpler, techniques as it leaves no one in doubt of what was protected and what was not.

This is crucial in order to not break the law and to avoid embarrassing press coverage if data loss – involving unencrypted laptops or USB sticks – is uncovered. You also need to be able to show proof of encryption in case your computer is lost or stolen.

For the encryption to be effective, you are required to have a password to access the computer. This is often synchronized with the password you already have for logging in to Windows or Mac, but it can also be configured to be two separate passwords – to raise the security level even more.

Some companies might have resisted laptop encryption in the past on the grounds of complexity or performance degradation. But improvements in both hardware and software mean that encryption is now much easier to manage and has no perceptible effect on system performance.

Below are a couple of lists with pre-deployment checks and installation advice that we recommend you look through if you are new to full disk encryption.

Please note that we are not able to give installation advice for specific systems. Please refer to the admin guides and release notes that come with each system.

PRE-DEPLOYMENT CHECKS

The minimum
  • Choose an encryption product with a minimum of 128-bit encryption.
  • Check that your O/S is supported by the encryption provider
  • Take a backup of your data before you install
  • Make sure you have local admin rights on the machine
  • Run a Defrag to make sure your disk is in good shape
  • Set a password on your account

Additional checks to reduce the risk of issues.

Software

  • BIOS settings – even though not normally an issue, it is recommended that the BIOS is updated to the latest version. This can be acquired via the manufacturer’s website.
  • Most encryption vendors need the disk mode to be AHCI. This is normally the case, but DELL Latitude laptops are often configured with RAID.
  • Secure Boot – needs to be disabled
  • TPM (Trusted Platform Module) – Check if your encryption solution requires this and if your computer is fitted with one.
  • Boot Type
    • Check if your solution recommends UEFI or Legacy.
    • Some Lenovo machines are known to use “Hybrid Boot System”, which can create issues during startup.

Hardware

There are normally no restrictions on the hardware brand, but there are some commonly known issues.

  • SSD (Solid State Drives) – most encryption vendors support SSD out of the box; please refer to your supplier.
  • SED (Self-Encrypting Drives) – if you have this on your machine, please refer to the manual to initialize it, so that it is correctly used. HP laptops are known not to be initialized as standard.
  • DELL Latitude computers – many of these are configured to RAID. This is a technique that no encryption vendor can support as it is not seen as a continuous disk. You will need to change it to AHCI.
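
The software and hardware checks above can be gathered in one pass on a Windows machine. The following read-only PowerShell script is an added example, not part of the original page or of any vendor's tooling; it assumes Windows PowerShell 5.1 or later in an elevated session, and its RAID detection is a heuristic that does not replace a look at the firmware setup screen.

```powershell
# Added example: read-only pre-deployment report for a Windows laptop.
# Run in an elevated Windows PowerShell 5.1+ session; it changes no settings.

# Local admin rights (needed to install the encryption software).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

# OS and BIOS versions, to compare against the vendor's support list.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$bios     = Get-CimInstance -ClassName Win32_BIOS
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType  # Uefi or Bios

# Confirm-SecureBootUEFI throws on legacy-boot machines and without elevation.
try {
    $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
} catch {
    $secureBoot = 'Unavailable (legacy boot or not elevated)'
}

# Get-Tpm needs elevation; a failure is reported as "could not query".
try {
    $tpm      = Get-Tpm -ErrorAction Stop
    $tpmState = "Present=$($tpm.TpmPresent); Ready=$($tpm.TpmReady)"
} catch {
    $tpmState = 'Could not query (not elevated or no TPM driver)'
}

# Heuristic: a disk behind a RAID-mode controller normally reports BusType 'RAID'.
$disks = Get-PhysicalDisk | Select-Object FriendlyName, MediaType, BusType
$controllers = 'Win32_IDEController', 'Win32_SCSIController' |
    ForEach-Object { Get-CimInstance -ClassName $_ } |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    LocalAdmin      = $isAdmin
    OperatingSystem = "$($os.Caption) $($os.Version)"
    BiosVersion     = "$($bios.SMBIOSBIOSVersion) ($($bios.ReleaseDate))"
    BootType        = $firmware
    SecureBoot      = $secureBoot
    Tpm             = $tpmState
    RaidBusDisks    = @($disks | Where-Object BusType -eq 'RAID').Count
    Controllers     = $controllers -join '; '
} | Format-List

# One row per physical disk: SSD/HDD and the bus it sits on.
$disks | Format-Table -AutoSize
```

A non-zero `RaidBusDisks` value, or a controller name that mentions RAID, is the cue to check the disk mode in the firmware setup before installing.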

INSTALLATION & BEYOND

The basic installation process

The installation process of the encryption software is no different from that of any other software you might install. You will need to have authority to install software on your computer, and there are some additional steps that you will notice compared to installing other software.

  • First of all, you will have to reboot the machine during the installation process. Some software requires two reboots, and it will often take up to 30 minutes between them. However, you do not have to sit and look at it as it is doing the tasks in the background.
  • If you have read the instructions or looked in the “pre-deployment checks”, you will now know that you will have to have an account with a password, or you may be forced to create one during installation – all dependent on the solution you are using.
  • Once the initial software installation and the reboot(s) are done, the encryption starts. This is a background process, so you can carry on with your work as normal. You can even turn the computer off; it will continue the encryption process once you boot up again. The time for the encryption process to finish is directly related to the:
    • Size of the disk
    • Processor speed
    • Write speed to disk
    • How many other software processes are running at the same time.

It will typically take between 4 and 12 hours, so if you can leave it on overnight you will have an encrypted machine when you wake up again.

If you are going to experience issues, they are most likely going to happen when you either install the software or during the encryption. Issues during the installation are easily solved as the encryption has not yet started and all incompatibilities are likely to show up at this stage.

If you have a lot of corrupt sectors on the hard disk, the encryption may get interrupted during the process. If this happens, you will need to reverse the encryption through a recovery. Refer to the admin guides or contact your service provider to do this.

ONGOING MAINTENANCE

Once installed, the benefit with Full Disk Encryption is that there is nothing you need to do, other than log in to the machine at boot.

If you forget your password, you will need to do a password reset. Depending on installation, you will either:

  • Have to dig out the encryption key you saved somewhere at installation.
  • Contact your IT administrator, who will be able to help if you installed a corporate product.
  • Contact our service provider, which has password reset included in the service as standard.

Another real benefit from having a computer encrypted is the fact that you are able to dispose of the device safely without having to spend money or effort to erase the information. By just reformatting the disk you will have securely erased all data on the machine.