To encrypt your Opal v2-compliant drives using hardware encryption rather than software encryption, consider the following conditions:
- Is your Opal drive compliant?
Your Opal drive must appear in the version 11.1.0 System Requirements. Under “Hardware requirements for Microsoft Windows clients” are two sections: “Supported Opal v2-compliant drives for Drive Encryption” and “Compatible Microsoft eDrive-support Opal v2-compliant drives for Drive Encryption.”
The most current list of these supported Opal v2-compliant drives appears in Symantec Knowledge Base article TECH226779 (https://www.symantec.com/docs/TECH226779).
- Microsoft eDrive support – Opal v2-compliant drives only: Did you properly configure the drive?
You must satisfy the requirements below, or the drive is software-encrypted:
  - The default partitions are created during a Microsoft Windows default installation.
  - Alternatively, if an administrator manually creates the drive partitions following a default Windows installation, the administrator must use the Microsoft Disk Manager tool or the Diskpart command-line utility. When multiple partitions exist, the number of locking ranges on the drive must match the number of partitions.
- Did you upgrade to Symantec Endpoint Encryption 11.0.1 or later after the drive on the client computer was software encrypted?
If yes, you must 1) use a command to decrypt the drive, 2) enable and deploy the Drive Encryption – Self-Encrypting Drives policy (GPO or native), and then 3) use a command to encrypt the drive. Opal v2-compliant drives are not automatically converted from being software-encrypted to hardware-encrypted during an upgrade.
Note: An administrator can run the decrypt and encrypt commands from the Management Server using the Symantec Endpoint Encryption Server Commands snap-in. A client administrator also can run the decrypt and encrypt commands on the client using the Drive Encryption Administrator Command Line.
- Is the Self-Encrypting Drives policy enabled with the “Use hardware encryption for compatible Opal-compliant drives” policy option?
To determine the policies on a client computer, check the policy settings in your Drive Encryption log. If you did not enable this policy during installation, you can enable it using a policy update.
- Is the Opal v2-compliant drive a secondary drive?
Secondary drives are not hardware-encrypted; they are software-encrypted.
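The partitioning condition above (default Windows partitions, or partitions created with Disk Manager or Diskpart so that each one maps to a locking range) can be met non-interactively with a Diskpart script. The following is an added example, not code from the Symantec documentation; it reproduces the standard Windows UEFI/GPT layout (EFI System, MSR, Windows, Recovery) and assumes the target is disk 0 and that it may be wiped, because `clean` destroys everything on the disk.

```powershell
# Added example (not from the Symantec documentation): recreate the default
# Windows UEFI/GPT partition layout with diskpart, the utility the eDrive
# requirement calls for, so that each partition maps to one locking range.
# Assumptions: the target is disk 0 and it may be wiped ("clean" erases it).
$DiskNumber = 0

# Standard Windows UEFI layout: System (EFI), MSR, Windows, Recovery.
$script = @"
select disk $DiskNumber
clean
convert gpt
rem 1. EFI System partition
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
rem 2. Microsoft Reserved partition
create partition msr size=16
rem 3. Windows partition (leave room at the end of the disk for Recovery)
create partition primary
shrink minimum=650
format quick fs=ntfs label="Windows"
assign letter="W"
rem 4. Recovery partition
create partition primary
format quick fs=ntfs label="Recovery"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
list volume
exit
"@

# Write the script to a file and run diskpart against it non-interactively.
$scriptPath = Join-Path $env:TEMP "CreatePartitions-UEFI.txt"
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath

# Sanity check: list the partitions that were created so the count can be
# compared with the drive's locking ranges when reviewing the --status output.
Get-Partition -DiskNumber $DiskNumber |
    Select-Object PartitionNumber, Type, Size, DriveLetter
```

Run this before deploying the Self-Encrypting Drives policy, not after the drive has already been software-encrypted; a drive that was software-encrypted before the upgrade still needs the decrypt, policy, encrypt sequence described above.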
To determine the encryption status of an Opal drive
From the Management Console, use the Symantec Endpoint Encryption Reports snap-in to:
- View the ‘Computers with Self-Encrypted Opal Drives’ report. The report should display the following information:
  - The Encryption column lists the drive letter of the encrypted drive.
  - The Encryption Type column lists “Hardware Encrypted.”
- Add the Self-Encrypted Opal Drive extended column to other reports.
On the client computer:
- As a user, access the Management Agent. Go to the Internal Drives tab, and then click Drives. View the encryption status of the disks and partitions.
- As a client administrator, access the Client Administrator Console. Go to the Internal Drives tab and view the encryption status of a selected drive.
- On both the Management Agent and the Client Administrator Console, the disk status appears as follows:
  - The Drive Type column lists either “eDrive” or shows no designation.
  - The status displays as “Hardware Encrypted” or “Software Encrypted.”
- As a client administrator, use the Administrator Command Line to run the --status command for the drive. If the drive is hardware-encrypted:
  - For an Opal v2-compliant drive, the whole disk appears encrypted.
  - For a Microsoft eDrive-support Opal v2-compliant drive, only the boot drive appears encrypted.
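Because a drive that misses any of the conditions silently falls back to software encryption, it is worth auditing the ‘Computers with Self-Encrypted Opal Drives’ report rather than spot-checking clients. The following is an added example, not part of the Symantec documentation: it takes a CSV export of that report and lists every drive whose Encryption Type is not “Hardware Encrypted”, separating boot drives (which need attention) from secondary drives (which are software-encrypted by design, as noted above). It assumes the export carries columns named Computer, Encryption and Encryption Type, that the boot volume is C:, and the function name is hypothetical.

```powershell
# Added example (not from the Symantec documentation): audit a CSV export of the
# 'Computers with Self-Encrypted Opal Drives' report. Assumptions: columns named
# Computer, Encryption (drive letter) and Encryption Type; boot volume is C:;
# the function name is hypothetical.
function Find-SoftwareEncryptedOpalDrives {
    param(
        [Parameter(Mandatory)] [object[]] $ReportRows,
        [string] $BootDriveLetter = 'C:'   # assumption: the boot volume is C:
    )
    foreach ($row in $ReportRows) {
        # Hardware-encrypted drives are the desired state; skip them.
        if ($row.'Encryption Type' -eq 'Hardware Encrypted') { continue }

        # Secondary drives are software-encrypted by design; only a boot drive
        # that is not hardware-encrypted indicates an unmet condition.
        if ($row.Encryption -eq $BootDriveLetter) {
            $assessment = 'Boot drive not hardware-encrypted: check drive support, partitioning, policy and upgrade order'
        } else {
            $assessment = 'Secondary drive: software encryption is expected'
        }

        [pscustomobject]@{
            Computer          = $row.Computer
            Drive             = $row.Encryption
            'Encryption Type' = $row.'Encryption Type'
            Assessment        = $assessment
        }
    }
}

# Constructed sample rows standing in for: Import-Csv .\OpalDrives.csv
$sample = @"
Computer,Encryption,Encryption Type
LAPTOP-01,C:,Hardware Encrypted
LAPTOP-02,C:,Software Encrypted
LAPTOP-03,D:,Software Encrypted
"@ | ConvertFrom-Csv

Find-SoftwareEncryptedOpalDrives -ReportRows $sample | Format-Table -AutoSize
# Real use: Find-SoftwareEncryptedOpalDrives -ReportRows (Import-Csv .\OpalDrives.csv)
```

On the constructed sample, LAPTOP-02 is flagged for follow-up and LAPTOP-03 is reported as an expected secondary-drive result; confirm a flagged client with the --status command on the Administrator Command Line before decrypting and re-encrypting it.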
Understanding the behavior of Opal v2-compliant drives in the Symantec Endpoint Encryption environment
- When a drive is hardware encrypted, Symantec Endpoint Encryption still manages the drive. It can require the drive to check in with the Management Server periodically, prompt registered users to authenticate with valid credentials at a preboot login, and provide management reports.
- When a drive is hardware encrypted, the following settings on the Drive Encryption – Encryption policy are ignored:
  - AES encryption strength
  - The choice of encryption of the boot disk only or the encryption of all disks
  - The inclusion or exclusion of unused disk space
  - The option to double-write sectors