Best Practices: Symantec Drive Encryption Products - Symantec Endpoint Encryption (SEE) and PGP Encryption Desktop (PGP)
Article ID: 153530

Updated On: 03-27-2025

Products

Drive Encryption, Symantec Endpoint Encryption, Encryption Management Server, Desktop Email Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

This article details the best practices to follow before encrypting with PGP Encryption Desktop (PGP) and Symantec Endpoint Encryption (SEE).

Following these best practices gives the best chance of success when using Drive Encryption in both the PGP and SEE product lines.

Resolution

The following best practices are recommended for preparing to encrypt your disk with Symantec Drive Encryption products (SEE and PGP) and maximize success in your deployment.

Security Best Practices

Security is always a top priority for Symantec. Symantec Encryption products are a critical component that adds to the overall security of the enterprise.
In addition to an aggressive patching strategy and a layered approach to network defense, Symantec recommends using security products such as Symantec Endpoint Protection (SEP) to lower the attack surface available to unprivileged malware within the enterprise. Additionally, Symantec recommends the following measures to reduce the risk of attack:

• Restrict access to administrative or management systems to authorized privileged users.
• Restrict remote access to trusted/authorized systems only.
• Keep all operating systems and applications current with vendor patches.
• Deploy network-based and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Secure Boot: Enabling Secure Boot on UEFI systems is recommended. Secure Boot is a security feature of UEFI systems that Windows relies on to validate that drivers are signed.
Disabling Secure Boot may be needed in order to perform testing with unsigned software, but once testing has been completed, re-enabling Secure Boot is recommended.

Important Note: Having Secure Boot enabled is not a substitute for endpoint security software such as Symantec Endpoint Protection, which provides a deep line of defense on systems. 
Encryption is another line of defense for data at rest as well as data in motion and should be used for systems and data containing sensitive information.

Symantec Encryption Development follows best practices throughout its development life cycle. See the following article for more information on this topic:
225968 - Symantec Encryption Products Secure Development Lifecycle Best Practices


Section 1 of 6: Review Security Software on Systems


Ensure system is not already encrypted

To successfully encrypt with Symantec Endpoint Encryption (SEE) or PGP Drive Encryption, ensure the systems are not already encrypted by another encryption solution.
If BitLocker is enabled on the system, first disable it and fully decrypt the drive before attempting to install Symantec Encryption software. Even the act of installing Symantec Encryption on a system that is already encrypted could cause significant issues that could lead to data loss.

To prevent Windows from automatically encrypting systems with BitLocker, add a registry value under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Set the "PreventDeviceEncryption" REG_DWORD value to "1".

Allow Symantec Encryption Products (Prevent Them from Being Blocked)

To ensure all your security software allows the Symantec Endpoint Encryption (SEE) or Symantec Encryption Desktop (PGP) services, see the exclusion/safelist/allow-list guidance in the following article:

200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

This is an important step in the deployment of encryption software; without it, the product may not operate fully.


Section 2 of 6: System Requirements and Drive General Guidelines


Drives Supported

Generally, Symantec Drive Encryption products are agnostic to most hardware scenarios. The only scenarios that are not supported are SCSI disks and "Dynamic Disks". Although rare, Dynamic Disks are typically reserved for server-class systems where special drive configurations are applied that are not compatible.

SCSI/SAS drives are also typically used on server-class systems and are not found in typical endpoint systems.

Also very rare for end-user deployments are "Logical Partitions", which are not supported with Symantec Encryption products (Etrack 4220167).

Other than these few restrictions, Drive Encryption can generally encrypt all other drive types.

EFI Partitions

The EFI partition is modified when a system is encrypted. Symantec Encryption products require 40 MB of free space on it.

If provisioning uses up a portion of the EFI partition, ensure there is still enough space to encrypt the machine. Operations such as flashing/upgrading the BIOS before encryption can also use up some of this free space, because a backup of the BIOS is commonly stored inside the EFI partition, which reduces the overall free space.

Making the EFI partition 500 MB will ensure this partition always has enough space.

A symptom of this problem is that the system does not auto-encrypt, and even starting encryption manually will not begin the encryption (Etrack 4268459).

Operating System Support

The following documentation can be reviewed to validate your setup in more detail, but most systems will work out of the box:

Confirm operating system support:
PGP Encryption Desktop System Requirements, Release Notes, User Guides (Symantec Encryption Desktop)

Symantec Endpoint Encryption (SEE) System Requirements, Release Notes, User Guides

CD-RW/DVD-RWs are not supported using Drive Encryption, but they can be encrypted with SEE Removable Media Encryption.

Quick Boot and Fast Startup

In Windows, there is a Power Management setting called "Fast Startup".


This setting can affect how a system boots and could cause unexpected behavior, such as keyboards not working properly at preboot, SSO not automatically logging in to Windows, or other potential scenarios.
Disable this setting (uncheck it) for best results with Symantec Drive Encryption (both SEE and PGP).

Also check the BIOS for any Fastboot/Quickstart/Quickboot settings. Fast/Quick Boot does not allow all peripherals to be initialized during the boot process and can sometimes prevent external keyboards from working. It could also cause login failures, especially if USB 3.0 ports are being used. Fast startup does not offer a noticeable increase in boot speed, so disabling these settings will not cause any performance issues in most cases. It may be necessary to disable both the Windows and BIOS settings for the benefits to be observed.

Note: Different BIOS vendors, such as Lenovo, Dell, or HP, use different names for these boot settings. On Dell systems, for example, the setting that disables Fast Boot is sometimes called "Thorough".

HP BIOS: (screenshot of the HP BIOS boot settings not reproduced)

Fixed Disks, Secondary Fixed Disks, Filesystems and RAID

If you have a system with multiple drives, Symantec Endpoint Encryption will automatically encrypt all of those drives as long as policy allows it.
If there are multiple drives configured as fixed drives, only one drive should be designated as the OS/Boot drive. The other drives should not have any system partitions on them at all; a system partition on a secondary drive can prevent the initial encryption from starting.

Opal drives are supported, but Symantec recommends using the Symantec Encryption products' own encryption, as they offer much more flexibility and management capability than Opal functionality.

Hardware RAID is supported in certain circumstances; software RAID disks are not supported.

Typical filesystems such as NTFS are supported, but the less common exFAT is not. Note that some external hard drives now ship formatted as exFAT, which Drive Encryption cannot encrypt.

SEE RME can encrypt content on exFAT USB drives.  

VMware Virtual Machines (.vmx)

It is always recommended to encrypt physical systems, but if you are testing with virtual machines and find that the fixed disks are not showing up for Drive Encryption, you may need to add the following to your .vmx configuration file:

ahci.port.hotplug.enabled = "FALSE"
devices.hotPlug = "FALSE"

If the above lines are not added, SEE may not automatically encrypt because it cannot detect a suitable drive, and other unusual behavior may occur.

Bad Sectors

If a Symantec Drive Encryption product encounters a hard drive or partition with bad sectors, the encryption process will pause.
This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.
In environments managed by Symantec Encryption Management Server or Symantec Endpoint Encryption Management Server, an event is added to the server logs if a hard drive or partition with bad sectors is encountered.
Note: If a bad sector appears on any disk, it is best to replace the disk, as bad sectors can be a sign of other issues with the drive itself.

Keyboard Layouts

Be sure that you are using a keyboard with one of the supported languages.

For a list of the supported languages, see the following links for your operating system: 

153623 - Drive Encryption Supported Keyboards - Symantec Encryption Desktop for Windows

 

AC Power

Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power.

Do not remove the power cord from the system before the encryption process is over. If loss of power during encryption is a possibility, or if you do not have an uninterruptible power supply for your computer, consider choosing the Power Failure Safety option.
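The following script is an added example, not Symantec's own tooling. It checks, in one pass, the items Section 1 and Section 2 ask you to verify before encrypting: BitLocker state and the PreventDeviceEncryption value, Secure Boot, EFI partition free space (40 MB), Fast Startup, exFAT fixed volumes and AC power. The Fast Startup registry value (HiberbootEnabled), the EFI system partition type GUID and the Confirm-SecureBootUEFI cmdlet are standard Windows items not named in this article.

```powershell
# Added example (not Symantec's own tooling): pre-flight checks for the items this
# article asks you to verify before encrypting. Run in an elevated PowerShell session;
# -Fix applies the two registry changes (PreventDeviceEncryption=1, Fast Startup off).
param([switch]$Fix)
$findings = New-Object System.Collections.Generic.List[string]

# Section 1: BitLocker must be fully decrypted before Symantec Drive Encryption is installed.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($v in (Get-BitLockerVolume)) {
        if ($v.VolumeStatus -ne 'FullyDecrypted') {
            $findings.Add("BitLocker: $($v.MountPoint) is $($v.VolumeStatus); disable and fully decrypt it first")
        }
    }
}

# Section 1: PreventDeviceEncryption=1 stops Windows from auto-encrypting the device later.
$blKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$pde = (Get-ItemProperty -Path $blKey -Name PreventDeviceEncryption -ErrorAction SilentlyContinue).PreventDeviceEncryption
if ($pde -ne 1) {
    if ($Fix) {
        if (-not (Test-Path $blKey)) { New-Item -Path $blKey -Force | Out-Null }
        New-ItemProperty -Path $blKey -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null
    } else { $findings.Add('BitLocker: PreventDeviceEncryption is not set to 1') }
}

# Security best practices: Secure Boot should be enabled (the cmdlet throws on legacy BIOS).
try { if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') } }
catch { $findings.Add('Secure Boot state unavailable (legacy BIOS or insufficient rights)') }

# Section 2: the EFI system partition needs at least 40 MB free.
$espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
foreach ($esp in (Get-Partition | Where-Object { $_.GptType -eq $espGuid } | Get-Volume -ErrorAction SilentlyContinue)) {
    if ($esp.SizeRemaining -lt 40MB) {
        $findings.Add(('EFI partition has only {0:N0} MB free; 40 MB is required' -f ($esp.SizeRemaining / 1MB)))
    }
}

# Section 2: Fast Startup (HiberbootEnabled) should be off for reliable preboot authentication.
$pwrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiber = (Get-ItemProperty -Path $pwrKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiber -eq 1) {
    if ($Fix) { Set-ItemProperty -Path $pwrKey -Name HiberbootEnabled -Value 0 }
    else { $findings.Add('Fast Startup is enabled (HiberbootEnabled=1)') }
}

# Section 2: exFAT fixed volumes are not supported by Drive Encryption (only by SEE RME on USB).
foreach ($vol in (Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -eq 'exFAT' })) {
    $findings.Add("Volume $($vol.DriveLetter): is exFAT, which Drive Encryption does not support")
}

# AC power: encryption will not start on a laptop running on battery (BatteryStatus 1 = discharging).
$bat = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
if ($bat -and ($bat | Where-Object BatteryStatus -eq 1)) { $findings.Add('System is on battery; connect AC power') }

if ($findings.Count -eq 0) { 'READY: no blocking findings' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```

Any CHECK line is something to resolve before installing; the script only changes the two registry values, and only when -Fix is given.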

 

TIPS

TIP: If a drive that was previously used for testing is being repurposed, ensure all partitions have been completely removed using a cleanup tool such as the Diskpart "clean" command. This also applies to drives that previously had an operating system installed and have since been reformatted: remnant partitions left on a drive, especially one that was previously encrypted, can cause issues when the drive is repurposed for encryption.

As a good security practice, it is recommended to test Symantec Drive Encryption products on a small group of computers to ensure there are no conflicts with other software.
This is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.


Section 3 of 6: Windows Updates Process and Decrypting Drives


Question: Is it required to decrypt drives before upgrading Windows, such as Win10 to Win11?

Answer: No, it is not required to decrypt the drives first. Not only is it okay to leave the drives encrypted, there is a process driver that helps the upgrade go through seamlessly during a "Live Update".

For upgrading Windows using deployment methods, see the following articles for PGP or SEE:
179265 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Endpoint Encryption 11.x (SEE)

179262 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Encryption Desktop 10 (PGP Desktop)


Section 4 of 6: Backups, Drive Enclosures and Recovery


Backups

Before you encrypt your disk, it is recommended to have a current backup of the data. 

Drive Enclosures

Symantec Endpoint Encryption (SEE) and PGP Drive Encryption (PGP) operate differently when it comes to attaching drives via drive enclosures.

PGP Drive Encryption can authenticate an encrypted boot drive attached through a drive enclosure to another system that has PGP Drive Encryption installed. As an example, a boot drive encrypted with PGP could be removed from its machine, connected to another machine with PGP installed, and the user is prompted to enter the passphrase. Connecting boot drives via USB drive enclosures is fully supported and is a convenient way to copy data from a drive that will not otherwise boot.

Symantec Endpoint Encryption (SEE) requires you to connect the drive (via USB enclosure) and authenticate the disk manually from the command line using the eedadmincli.exe utility; this works in most cases.

For information on command Line operations, see the following guides:

PGPwde.exe Command Line Utility for PGP

EEDAdminCLI.exe Command Line Utility for SEE

WinPE Recovery Disks

While the chances are extremely low that a master boot record could become corrupt on a boot disk or partition protected by Symantec Drive Encryption or Symantec Endpoint Encryption, it is possible. Before you encrypt a boot disk or partition using Drive Encryption, create a recovery disk.

See the following articles for Recovery using WinPE:

161041 - Windows PE Recovery Tools for Symantec Endpoint Encryption (SEE)

247508 - Windows PE Recovery Tools for Drive Encryption 10.5 (PGP Desktop)

 

IMPORTANT TIP: Reach out to Symantec Encryption Support for a handy tool that helps you automatically create your WinPE disk with ease.

Attempt Recovery instead of Disk Decryption

Where possible, as a best practice, if you need to perform any disk recovery activities on a disk protected with Drive Encryption, it is recommended that you first authenticate the disk (rather than attempt to fully decrypt). Once the disk is authenticated, proceed with your recovery activities.

It is recommended to avoid decrypting the drive in most cases, because once the drive starts decrypting, the operation is irreversible. If a disk is already having issues, decryption could cause further unexpected problems, so first only attempt to authenticate (unlock) the disk. Once the disk is unlocked, you can then attempt to recover the data.

Decryption is a last resort in all situations, so first authenticate the disk only.

WinPE is a useful tool to help you authenticate the disk if the system is no longer booting.

Important tip: For highly critical disks it is always recommended to take a bit-for-bit (sector-by-sector clone) backup of the disk and then perform the decryption/recovery on the copy. If something fails during the recovery process, you can then take another clone of the drive and try the recovery steps again.

For data recovery solutions by a professional data recovery vendor, we recommend Kroll Ontrack who is familiar with the encryption process.  Let them know Symantec/Broadcom Encryption Support referred you to them.


Section 5 of 6: Installation of Symantec Drive Encryption products


Installation Help and Debug Logging

For general information on how Symantec Endpoint Encryption should be installed, see the following article:

Rebooting Systems

Symantec Endpoint Encryption includes a reboot-detection feature: if a pending Windows Update reboot is detected, the SEE installation will halt. It is a good idea to reboot the system to clear this pending state for best success during an upgrade.
There is a method to disable this feature so that the SEE install continues even if pending reboots are detected. For more information, see the following article:

214719 - Symantec Endpoint Encryption Pending Reboot Feature

Delaying a reboot can cause unexpected behavior in certain scenarios, for example installing Symantec Endpoint Encryption, delaying the reboot, then installing another update, delaying that reboot as well, and then updating Windows. It is always best to reboot when an application requires it. Symantec Encryption products require a reboot after installation.

It is also recommended that systems be rebooted just prior to the install/upgrade of Symantec Endpoint Encryption 11, as pending reboots can cause the install/upgrade process to fail.


Section 6 of 6: Miscellaneous Items

Decrypting systems with multiple fixed disk configurations

When it is necessary to decrypt the Primary/Boot drive and the other secondary drives are also encrypted, it is recommended to first decrypt the secondary disks, and then decrypt the primary/boot disk last.  For example, if a system has 3 disks, the Primary/Boot disk will typically be labeled Disk 0, the next disk in line would be Disk 1, and the third disk would be labeled Disk 2. In this scenario, you would decrypt Disk 2 first, then Disk 1, and then Disk 0 last.

In configurations where an NVMe disk is the boot disk and the secondary disks are SSDs, the boot disk may be labeled Disk 1 and the secondary disk Disk 0; take this into consideration when decrypting. In this scenario, Disk 0 (the secondary disk) is decrypted first, then Disk 1 (Primary/Boot) is decrypted last.
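As an added example (not Symantec's own tooling), the function below derives the decryption order described above from the disks Windows reports, keying on Get-Disk's IsBoot flag rather than assuming the boot disk is Disk 0. The actual decrypt commands are issued separately with the PGPwde.exe or EEDAdminCLI.exe utilities referenced in Section 4.

```powershell
# Added example (not Symantec's own tooling): compute the decryption order for a
# multi-disk system. Secondary disks go first (highest disk number first) and the
# Primary/Boot disk last, identified by IsBoot so the NVMe-as-Disk-1 case is handled.
function Get-DecryptOrder {
    param([Parameter(Mandatory)][object[]]$Disks)   # objects exposing Number and IsBoot
    $boot = @($Disks | Where-Object { $_.IsBoot })
    if ($boot.Count -ne 1) { throw "Expected exactly one boot disk, found $($boot.Count)" }
    $secondary = @($Disks | Where-Object { -not $_.IsBoot } | Sort-Object Number -Descending)
    return $secondary + $boot
}

# Constructed self-check for the NVMe scenario: boot disk is Disk 1, secondary SSD is Disk 0.
$sample = @([pscustomobject]@{ Number = 0; IsBoot = $false },
            [pscustomobject]@{ Number = 1; IsBoot = $true })
$order = (Get-DecryptOrder -Disks $sample | ForEach-Object { $_.Number }) -join ','
if ($order -ne '0,1') { throw "Unexpected order: $order" }

# Live plan for this machine (internal fixed disks only; USB-attached disks are skipped).
$plan = @(Get-DecryptOrder -Disks (Get-Disk | Where-Object { $_.BusType -ne 'USB' }))
for ($i = 0; $i -lt $plan.Count; $i++) {
    $role = if ($plan[$i].IsBoot) { 'Primary/Boot' } else { 'secondary' }
    'Step {0}: decrypt Disk {1} ({2})' -f ($i + 1), $plan[$i].Number, $role
}
```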

File Share Encryption

As you would expect, keeping files encrypted is a critical component of securing your data.
If you have any shares that are encrypted, it is best to use Group Keys.
Decrypting shares is not recommended. Instead, create a new folder, encrypt the new folder to the new keys, and move the data to the new share.
Leave the existing data as it is, without modifying it, and start using the new location.
For any further guidance, reach out to Symantec Encryption Support.

Memory allocated to PGP Encryption Management Server (Symantec Encryption Management Server)

PGP Encryption Server (Symantec Encryption Management Server) has many capabilities, including Symantec Web Email Protection (Secure Email Delivery), PGP client management/enrollment, key management, and much more. The busier the PGP Encryption Server's database is, the more memory should be allocated.

PGP Encryption Server 11 and above require a minimum of 16 GB, and may require up to 64 GB for busier environments. See the System Requirements for specific details.

See also 150915 - PGP Encryption Server Benefits and Considerations for upgrading (Symantec Encryption Management Server) 

Application Testing before deployment

Before deploying software, it is always a good idea to test on the base image where the encryption software will be installed.
This will help you determine whether exclusions need to be made, or whether there is any potential for a blue screen due to driver collisions or other scenarios. If you do run into conflicts with software, narrowing down which applications are involved is useful; trial-and-error techniques can sometimes be used to see where applications are conflicting.

Beta Software

The Symantec Encryption product teams commonly run Beta programs so you can try out new functionality and features.
All Beta Encryption products are for non-production use only and should never be installed on production systems for actual production work.
These beta binaries are provided with no warranty, must always be kept within your own testing environment, and beta feedback can be provided directly to Broadcom through approved methods.
If you are interested in participating in a Beta program, reach out to Symantec Encryption Support for further guidance.