HOWTO: Encrypt a Windows Drive with Symantec Encryption Desktop

Article ID: 178547

Products

Desktop Email Encryption Drive Encryption

Resolution

Once Symantec Encryption Desktop has been installed and licensed, the system is ready to be encrypted with the Drive Encryption feature.  For a complete walk-through of installing and licensing Symantec Encryption Desktop, please see article HOWTO101895.

For a listing of System Requirements for Symantec Encryption Desktop, please see article TECH224415.

TIP: It is highly recommended to create a full system backup before attempting to encrypt the system.

This article walks through every step needed to encrypt a system with Symantec Encryption Desktop.

Step-by-Step Instructions

Step 1. Once the software has been installed, a “lock” icon appears in the notification area in the bottom right-hand corner of the screen:

NOTE: On Windows 8 systems, if the lock icon does not appear in the bottom-right corner of the screen, press the Windows key + S on the keyboard.  This brings up the search field.  Type “Symantec Encryption Desktop” in the search field and press Enter.  This opens the Symantec Encryption Desktop software.

Click the lock icon and select “Open Symantec Encryption Desktop”, which opens the Symantec Encryption Desktop client:

Step 2. Next, click on PGP Disk on the left pane, and then Encrypt Disk or Partition on the right pane of Symantec Encryption Desktop:

Step 3. This brings up the available disk(s) to encrypt.  In this example, the main drive shows up with a plus sign to the left and is labeled “C: (Boot) 15GB Fixed Disk”.

Symantec Drive Encryption can encrypt an entire system disk or a single partition.  System disks often contain recovery partitions or other system partitions in addition to the Windows partition.  For that reason, this article encrypts only the main Boot\Windows partition on the disk rather than the whole disk.  To do so, click the plus sign next to the top-level disk, labeled “C: (Boot) 15GB Fixed Disk” in the screenshot:

The partitions on the disk are then displayed.  In this example, there is one, called “C: Partition”:
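Before choosing the partition in Step 3, it helps to see the whole layout from the command line: which partition holds Windows, which ones are recovery or boot-loader partitions, and whether the disk is MBR or GPT (which also decides which BootGuard screen appears later). The following PowerShell pre-flight check is an added example, not part of the original article or of Symantec's tooling; it uses the standard Windows Storage cmdlets (Get-Disk, Get-Partition, Get-Volume) and the firmware_type environment variable, and should be run from an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added pre-flight check (not part of the original article). It lists every
# partition on every disk so the Windows boot partition can be told apart from
# recovery and other system partitions before choosing what to encrypt, and it
# reports the partition style and firmware mode, which determine whether the
# MBR or the UEFI BootGuard screen will appear after encryption.

function Get-DriveEncryptionPreflight {
    # Windows exposes the firmware mode as 'UEFI' or 'Legacy'; older builds may not set it.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    foreach ($disk in Get-Disk | Sort-Object Number) {
        # Per the article: MBR disks get BootGuard screen 1, GPT/UEFI disks get screen 2.
        $bootGuard = if ($disk.PartitionStyle -eq 'GPT') { 'UEFI screen' } else { 'MBR screen' }

        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                 Sort-Object PartitionNumber
        foreach ($part in $parts) {
            $vol  = $part | Get-Volume -ErrorAction SilentlyContinue
            $role = if ($part.IsBoot)               { 'Windows (the partition to encrypt)' }
                    elseif ($part.IsSystem)         { 'boot loader / EFI system partition' }
                    elseif ($part.Type -eq 'Recovery') { 'recovery' }
                    else                            { '' }

            [PSCustomObject]@{
                Disk       = $disk.Number
                Style      = $disk.PartitionStyle      # MBR or GPT
                Firmware   = $firmware
                BootGuard  = $bootGuard
                Partition  = $part.PartitionNumber
                Letter     = $part.DriveLetter
                SizeGB     = [math]::Round($part.Size / 1GB, 1)
                Type       = $part.Type                # e.g. Basic/System/Reserved/Recovery (GPT) or IFS (MBR)
                FileSystem = if ($vol) { $vol.FileSystem } else { '' }
                Role       = $role
            }
        }
    }
}

Get-DriveEncryptionPreflight | Format-Table -AutoSize
```

The row marked “Windows (the partition to encrypt)” corresponds to the “C: Partition” selected in Step 4; rows marked recovery or boot loader are the partitions this article deliberately leaves unencrypted.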

Step 4. In this example, the C: Partition will be encrypted.  Click the partition labeled “C: Partition” so that it is highlighted, then click “New Passphrase User…” on the right side of the window.  This brings up the "Add User" dialog.  Click Add to start the wizard:

Step 5. The “New User” wizard appears.  Two options are available, “Use Windows Password”, and “Create New Passphrase”.

 

NOTE: Once the disk is encrypted, the “BootGuard” screen appears before Windows starts.  BootGuard is Symantec Drive Encryption’s pre-boot authentication screen and prompts the user for a passphrase.  Unless the correct passphrase is entered, the system will not boot.

Option 1: When using “Use Windows Password”, the following applies:

*This option is recommended for ease of use and is the default option in the New User wizard.

*After the user enters his/her passphrase at BootGuard, the user is automatically logged in to the user’s Windows profile, so only one passphrase is needed to boot the system.

*Every time the user’s password is changed in Windows at a logon event, the new password is automatically synchronized to Symantec Drive Encryption, so the Windows password and the Drive Encryption passphrase are always the same.  Because the two are the same, the strength of the Windows password is what protects the disk at BootGuard: enforce a strong password policy before relying on this option.

*The option “Use Windows Password” is also referred to as Single Sign-On (SSO), because the same passphrase entered at boot both unlocks the encrypted machine and logs the user in to Windows.

 

Option 2: When using “Create New Passphrase”, the following applies:

*The Windows password and the Drive Encryption passphrase are not synchronized.  If the Symantec Drive Encryption user needs a new passphrase, the user must change it manually.

*After the passphrase is entered at BootGuard, the system boots normally but stops at the Windows logon screen, where the user must log in to the Windows profile separately.

*This option is recommended if the user does not wish to synchronize the Windows password with the Drive Encryption passphrase, or if auto-login is not needed.

*This option is also useful for a “backup” user who can boot the system without being automatically logged in to the user’s Windows profile.  TIP: Such a user can be added after the Windows Password (SSO) user has been added and before encryption starts.


Both options are covered in this article.  The first option, “Use Windows Password” (SSO), is discussed first.  Select “Use Windows Password” and click Next:

Step 6. The “Two-Factor Authentication” screen appears.  This option is used only if a supported smartcard or token is inserted into the system for authentication.  For a list of smartcards and tokens supported by Symantec Drive Encryption, please see article TECH149099.  In this example, no smartcards or tokens are available, and this option is typically not used.

Caution: A generic USB flash device is not supported and should not be attempted.

Select the option “Proceed with passphrase authentication only” and click Next:

 

 

Step 7. Three fields are presented.  The Username field is pre-populated with the Windows account currently logged on.  The Domain field is typically left blank.  Enter the current Windows password and click Next:

 

If the password does not match that of the currently logged-in user, the following message appears:

 

Click No and re-enter the Windows password.  Make sure the correct username and password have been entered, repeat until this message is no longer displayed, and click Next.  The user is then added and the username is displayed in the User Access list:

 

Step 8. ***If a Single Sign-On user is all that is needed, skip to Step 11.*** 

The next few steps cover how to add a regular (non-SSO) passphrase user.

If a regular passphrase user is needed, choose “Create New Passphrase” and click Next.

 

The “Two-Factor Authentication” screen appears again.  As in Step 6, it is used only if a supported smartcard or token is inserted for authentication (see article TECH149099 for the supported list; a generic USB flash device is not supported and should not be attempted).

Select the option “Proceed with passphrase authentication only” and click Next:

 

Step 9. Three fields appear: the Username field and two passphrase fields.  The Username field is pre-populated with the current Windows account.  NOTE: If that username already exists on the disk (for example, because it was added as the SSO user), an error states that the user has already been added.  If this appears, change the username slightly and click Next.

 

Step 10. Click Finish, and the user is added to the disk:

 

Step 11. If the user is a Single Sign-On user, hovering over the user icon shows that it is a Single Sign-On user, with the Username and Domain (if applicable) populated.

 

Step 12. If the user is a non-SSO user, “Passphrase User” is displayed when hovering over the user icon:

 

Step 13. Once the user(s) have been added, click the Encrypt button at the top right of the Symantec Encryption Desktop window.

TIP: If the Encrypt button is grayed out, click the top-level disk and then click “C: Partition” again to enable the button, then click Encrypt.  The following window appears asking to confirm that the disk should be encrypted.  Click Yes to start the encryption process:

 

The following screen lists a Whole Disk Recovery Token.  This token can be used to unlock the system at BootGuard if the passphrase of an existing Drive Encryption user is forgotten.  As the message states, keep it in a safe and secure place.  Caution: Once OK is clicked, the Recovery Token is never displayed again and cannot be retrieved:

 

TIP: Press "Ctrl+C" to copy the recovery token to the clipboard and paste it into a text file.  Store that file off the machine (on a removable drive, in a password manager, or as a printed copy in a safe).  A copy kept on the drive being encrypted is unreadable exactly when it is needed, and a plaintext copy anywhere on the same system gives anyone who can read it a way past BootGuard.
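The following PowerShell function is an added example, not part of the original article or of the product, showing one way to act on the TIP above: it takes the token that was copied with Ctrl+C, refuses to write it to the system drive, warns if the destination is not a removable volume, tags it with the host name and time so tokens from many machines can be told apart, and reads it back to confirm it was stored intact before OK is clicked in the dialog. The destination path and the token value are assumptions.

```powershell
# Added example (not part of the original article): store the Whole Disk
# Recovery Token somewhere other than the drive that is about to be encrypted.
# The destination path is an assumption; the token is whatever Ctrl+C copied.

function Save-RecoveryToken {
    param(
        [Parameter(Mandatory)][string]$Token,        # token text copied from the dialog
        [Parameter(Mandatory)][string]$Destination   # e.g. 'E:\wdrt-tokens.txt' on a removable drive
    )
    $token = $Token.Trim()
    if ([string]::IsNullOrEmpty($token)) {
        throw 'Recovery token is empty; copy it from the dialog with Ctrl+C first.'
    }

    # Work out which volume the destination lives on.
    $fullPath = [System.IO.Path]::GetFullPath($Destination)
    $root     = [System.IO.Path]::GetPathRoot($fullPath)      # 'E:\' or '\\server\share'
    if (-not $root.StartsWith('\\')) {
        $letter = $root.Substring(0, 1)
        # Never store the token on the system drive: it is the drive being encrypted.
        if ($letter -ieq $env:SystemDrive.Substring(0, 1)) {
            throw "Refusing to store the recovery token on $root (the system drive); use a removable drive or network location."
        }
        $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if ($vol -and $vol.DriveType -ne 'Removable') {
            Write-Warning "Volume $letter is '$($vol.DriveType)', not removable; make sure it is not another partition of the disk being encrypted."
        }
    }

    # Record host and timestamp with the token so many machines' tokens stay identifiable.
    $line = "{0}`t{1}`t{2}" -f $env:COMPUTERNAME, (Get-Date -Format 's'), $token
    Add-Content -LiteralPath $fullPath -Value $line -Encoding UTF8

    # Read back and verify before dismissing the dialog; the token cannot be shown again.
    $stored = (Get-Content -LiteralPath $fullPath -Encoding UTF8 | Select-Object -Last 1) -split "`t"
    if ($stored[-1] -ne $token) {
        throw 'Token verification failed; do not click OK in the dialog yet.'
    }
    return $fullPath
}

# Usage once the token dialog is on screen and Ctrl+C has been pressed (assumed drive letter E:):
# Save-RecoveryToken -Token (Get-Clipboard -Raw) -Destination 'E:\wdrt-tokens.txt'
```

The function appends rather than overwrites, so a single file on an administrator's removable drive can collect the tokens of every machine encrypted with this procedure; treat that file with the same care as the tokens themselves.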


Once the encryption process starts, its progress can be observed as a percentage of the encryption status:

 

The encryption process can be paused at any point.  To pause, click Stop at the top right and select Pause.  When ready to encrypt again, click Resume and the system continues encrypting.

NOTE: Pausing is normally needed only if CPU-intensive work must run while encryption is in progress and the system is noticeably slower during normal use, which is rarely the case.  Otherwise, let the encryption run.

The system may be shut down or rebooted while encryption is in progress.  The encryption process stops safely during a normal reboot or shutdown and, after the user logs back in to the Windows profile, resumes from where it left off.

Once the encryption process has completed, the progress indicator goes away and the disk is shown with the users added to it.  At this point, the system can be used as normal.
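To confirm from the command line (or from a script run across many machines) that encryption finished and which users can unlock the disk, the pgpwde.exe command-line tool installed alongside Symantec Encryption Desktop can be queried. The PowerShell wrapper below is an added example, not part of the original article; it assumes the default 64-bit install path, and the options --enum, --status and --list-user with --disk <n> are taken from the Drive Encryption command-line reference. The exact wording of the tool's output is not assumed, so the wrapper returns the raw text together with the exit code rather than parsing it.

```powershell
# Added example (not part of the original article): query encryption state with
# pgpwde.exe. Assumptions: default install path for 64-bit Windows; option names
# per the Drive Encryption command-line reference; output wording not parsed.

function Invoke-Pgpwde {
    param(
        [Parameter(Mandatory)][string[]]$Arguments,
        [string]$ExePath = "${env:ProgramFiles(x86)}\PGP Corporation\PGP Desktop\pgpwde.exe"
    )
    if (-not (Test-Path -LiteralPath $ExePath)) {
        throw "pgpwde.exe not found at '$ExePath'; pass -ExePath for a non-default install."
    }
    # Capture stdout and stderr together; $LASTEXITCODE carries the tool's result code.
    $output = & $ExePath @Arguments 2>&1 | Out-String
    [PSCustomObject]@{
        Command  = "pgpwde $($Arguments -join ' ')"
        ExitCode = $LASTEXITCODE
        Output   = $output.Trim()
    }
}

function Get-DriveEncryptionReport {
    param([int]$Disk = 0)   # disk 0 holds the C: partition encrypted in this article
    $results = @(
        Invoke-Pgpwde -Arguments @('--enum')                          # all disks seen by Drive Encryption
        Invoke-Pgpwde -Arguments @('--status', '--disk', "$Disk")     # encryption state of this disk
        Invoke-Pgpwde -Arguments @('--list-user', '--disk', "$Disk")  # users able to unlock it at BootGuard
    )
    foreach ($r in $results) {
        if ($r.ExitCode -ne 0) { Write-Warning "$($r.Command) returned exit code $($r.ExitCode)" }
    }
    $results
}

Get-DriveEncryptionReport -Disk 0 | Format-List Command, ExitCode, Output
```

Run it elevated after the progress indicator disappears; the --list-user output should show exactly the SSO and/or passphrase users added in Steps 7 through 10, and nothing else.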

After the system has been encrypted, the BootGuard pre-boot authentication screen appears at every boot.  Which screen appears depends on the partition scheme of the disk:

BootGuard Screen 1 (MBR): If the system uses a standard MBR partition scheme, the following BootGuard screen appears.  Enter the passphrase and press Enter to boot the system: 

BootGuard Screen 2 (UEFI): If the system uses a GPT partition scheme (UEFI systems), the following screen appears.  Enter the passphrase and press Enter to boot the system:
