Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) behavior with Fixed Disks versus External Disks when encrypting a Primary Fixed Disk

Article ID: 157070

Products

Symantec Products

Issue/Introduction

Symantec Drive Encryption behavior with Fixed Disks versus External Disks when encrypting a Primary Fixed Disk

Resolution

Symantec Drive Encryption can encrypt both Fixed disks and External disks. The behavior can differ between the two types of disk, particularly in what happens when a primary disk is encrypted.

Fixed disks include disks that are connected directly to the motherboard as well as disks that can be used in place of a CD/DVD drive bay.

External disks are USB drives and similar devices that are connected via USB, FireWire ports, etc.

Encryption Process:

When a Primary Fixed disk is encrypted with Symantec Drive Encryption, the secondary Fixed disk is not instrumented with Symantec Drive Encryption as part of that process, and Drive Encryption users are added only to the Primary Disk currently being encrypted. The secondary Fixed disk and any external drives are not encrypted and should be encrypted manually once encryption of the Primary Fixed disk has completed.

When the Secondary Fixed disk is subsequently encrypted (encrypting the Primary Fixed disk before the secondary is always recommended), Symantec Drive Encryption uses the same WDE Group as the Primary Fixed disk, which means all users from the Primary Fixed disk are copied to the Secondary Fixed disk. The two disks are now linked in the same group, so authenticating at the Pre-Boot Authentication screen for the Primary Fixed disk also authenticates the Secondary Fixed disk. As a result, the Secondary Fixed disk is automatically unlocked upon logging in to Windows, and no further passphrase is needed.

NOTE: In some configurations a Secondary Fixed disk may not be detected properly. In these cases, the fixed disk may show up as a removable disk, which would prevent it from being part of the same WDE Group. If all disk drivers are installed, this is typically not an issue.

Drive Encryption Administrator Passwords or ADKs are not added to external drives, such as USB drives; this policy applies only to Fixed Disks (either primary or secondary fixed disks). If Secondary Fixed disks are encrypted, the users on the Primary Fixed disks will be the same as those on the Secondary Fixed disks.

The exception to the above behavior is the policy "Enable automatic encryption or locking of removable devices", which, when enabled, forces users to encrypt the External drives in question. When using this feature, the Symantec Encryption Administrator can allow users to use the devices as Read-Only devices, or force the external drives to be encrypted after 30 seconds, 1, 2, or 5 minutes, or immediately upon insertion into the machine.