How to add computers and drives to the Opal whitelist in Symantec Endpoint Encryption (SEE)

How to add computers and drives to the Opal whitelist in Symantec Endpoint Encryption (SEE)

book

Article ID: 163518

calendar_today

Updated On:

Products

Endpoint Encryption PGP SDK PGP Key Mgmt Client Access and CLI API PGP Key Management Server PGP Encryption Suite PGP Command Line Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption

Issue/Introduction

Symantec Endpoint Encryption Drive Encryption supports certain self-encrypting Opal v2-compliant drives. 

Drive Encryption software uses registry entries to identify which drives are whitelisted.

When Symantec releases a new version of Endpoint Encryption, Symantec updates the whitelist and populates the registry entries as part of the release. If Symantec tests and approves Opal drives between releases, Symantec updates the whitelist but you must populate the new registry entries. You only need to do this if you are interested in using one or more of those drives. You will know when Symantec updates the whitelist by subscribing to the KB article referenced in the link.

This article describes how you create the registry entries that identify an Opal drive as whitelisted.

Resolution

How to add laptop models and Opal drives for whitelisting

Introduction

Registry entries identify whitelisted Opal drives to the Drive Encryption software. To create these registry entries, follow the procedures below. Registry entries specify the OEM vendor, computer model, disk vendor, and drive model. Note that for Dell and Lenovo computers, all models are supported; therefore, two procedures are shown.

Pre-requisites

To add an Opal drive to the whitelist, certain elements must exist as prerequisites.

Element Requirement
Prerequisites
Computer Fresh operating system installed
Software Symantec Endpoint Encryption v 11.1.0 or greater installed, with the Drive Encryption feature selected for disk encryption
Disk Factory reset state
Protocols supported ATA_Passthru and/or Secure Storage

Best Practices

This article is intended for customers who have recently bought and provisioned an Opal drive and freshly installed the Symantec Endpoint Encryption software. If you have installed multiple operating systems over time and/or frequently reformatted the disk, you are more likely to experience unexpected errors, such as “Disk not detected” or “Unable to format disk.” To avoid these error states, a fresh OS and disk in a factory reset state are highly recommended.

System scenarios

If you have done an initial installation of Symantec Endpoint Encryption v 11.1.0 or greater on a system with an Opal drive:

  1. To whitelist the appropriate laptop models and drives, if they are not already present, add the registry entries.
  2. To enable the registry entries, restart the computer.

If you already have Symantec Endpoint Encryption v 11.1.0 or greater on a computer that has a pre-encrypted (software encrypted) Opal drive:

  1. Decrypt the drive.
  2. To whitelist the appropriate laptop models and drives, if they are not already present, add the registry entries.
  3. Make sure you have enabled the Drive Encryption Self-Encrypting Drives policy.
  4. Re-encrypt the drive.

If a computer has Symantec Endpoint Encryption v 11.0.1 or earlier installed, with a pre-encrypted (software encrypted) Opal drive:

  1. Upgrade to Symantec Endpoint Encryption v 11.1.0 or greater.
  2. Decrypt the drive.
  3. To whitelist the appropriate laptop models and drives, if they are not already present, add the registry entries.
  4. Make sure you have enabled the Drive Encryption Self-Encrypting Drives policy.
  5. Re-encrypt the drive.

Note:

  • OS upgrades for Symantec Endpoint Encryption 11.0.1 MP1 and greater are not supported. For more information see the article below:

179265 - How to automatically upgrade Windows 10/11 systems encrypted with SEE (Symantec Endpoint Encryption) 11.x

  • If laptop models and drives are already present in the whitelist, you do not need to update the registry. Check the supported hardware matrix in this TECH note:

172490 - Compatible Opal v2-compliant drives for Symantec Endpoint Encryption (SEE) Drive Encryption

Adding laptop models and Opal drives to the whitelist (except Dell and Lenovo)

To add computers and drives to a client registry, follow the steps below.

Note: The steps use this example:

Hardware: HP EliteBook Folio 1040 G2
Disk drive: Sandisk_SD7TB3Q-256G-100X218

  1. If this computer has Symantec Endpoint Encryption v 11.1.0 or greater newly installed, do not restart the computer.
  2. In the registry, go to
    HKLM ->SOFTWARE ->Encryption Anywhere ->Hard Disk ->NonEDrive List ->WhiteList
  3. To add the Hardware Model, create a folder (shown in bold below) under Hewlett-Packard, in the following registry location:
    HKLM ->SOFTWARE ->Encryption Anywhere ->Hard Disk ->NonEDrive List ->WhiteList ->Hewlett-Packard ->HP EliteBook Folio 1040 G2
  4. To add the Disk Vendor, create a folder with the vendor's name ("Sandisk") under the newly created model folder.
  5. To add the Disk Model, under the Sandisk folder, create another folder naming the model. In this example, the model number is "SD7TB3Q-256G-100."
    To find the model number:
    1. From the Control Panel, click Device Manager.
    2. Expand Disk drives.
    3. Right-click on the drive (in this example, Sandisk) and select Properties.
    4. Select the Details tab; select Property as Hardware Ids.
    5. When the value displays, do not use the Disk Model or the last four characters:
      Displayed: SCSI\Sandisk_SD7TB3Q-256G-100X218
      Used: SD7TB3Q-256G-100
  6. To add the Disk Firmware, under the Disk Model folder add a folder that uses the last four digits of the Id that you left behind in Step 5e. (Follow the same steps a-e to locate the Hardware Id.)

    The final registry directory structure looks like this:

    WhiteList
       Hewlett-Packard
          EliteBook Folio 1040 G2
             Sandisk
                SD7TB3Q-256G-100
                   X218
  7. [Optional] To assist Support with identifying errors, should they occur, go to:
    HKLM ->SOFTWARE ->Encryption Anywhere ->Framework ->LoggerConfig and change the value of LogLevel from "WARNING" to "DEBUG."
  8. Restart the computer. Log on with your Symantec Endpoint Encryption credentials to check the status of the drive.
    • If you log on as a registered user, from the SEE Management Agent UI, select the Drives tab.
    • If you log on as a client administrator, from the SEE Client Administrator UI, select the Internal Drives tab.
  9. The status is one of two values:
    • If self-encryption succeeded, the status is Hardware Encrypted.
    • If self-encryption did not succeed, the drive is software-encrypted. The status changes from Encrypting to Encrypted once software encryption finishes. Note that hardware encryption (self-encryption) can fail for reasons other than a whitelist error.

Adding Dell and Lenovo computer models to the whitelist

All Dell and Lenovo models are supported; therefore, only an asterisk (*) is required for the hardware model. Reference the steps under "Adding laptop models and Opal drives to the whitelist (except Dell and Lenovo)" for the registry directory structure instructions, but substitute this (asterisk) action for Step 3. The resulting directory structure in the registry will look similar to these examples:

WhiteList
   Dell
      *
         Sandisk
            SD7TB3Q-256G-100
               X218

or this:

WhiteList
   Lenovo
      *
         Sandisk
            SD7TB3Q-256G-100
               X218

 

Additional Information