Symantec Endpoint Encryption Drive Encryption supports certain self-encrypting Opal v2-compliant drives. The drives that Symantec has tested and supports are provided in this Support Center article: https://www.symantec.com/docs/TECH251592
Drive Encryption software uses registry entries to identify which drives are whitelisted.
When Symantec releases a new version of Endpoint Encryption, Symantec updates the whitelist and populates the registry entries as part of the release. If Symantec tests and approves Opal drives between releases, Symantec updates the whitelist but you must populate the new registry entries. You only need to do this if you are interested in using one or more of those drives. You will know when Symantec updates the whitelist by subscribing to the KB article referenced in the link.
This article describes how you create the registry entries that identify an Opal drive as whitelisted.
Registry entries identify whitelisted Opal drives to the Drive Encryption software. To create these registry entries, follow the procedures below. Registry entries specify the OEM vendor, computer model, disk vendor, and drive model. Note that for Dell and Lenovo computers, all models are supported; therefore, two procedures are shown.
To add an Opal drive to the whitelist, certain elements must exist as prerequisites.
|Computer||Fresh operating system installed|
|Software||Symantec Endpoint Encryption v 11.1.0 or greater installed, with the Drive Encryption feature selected for disk encryption|
|Disk||Factory reset state|
|Protocols supported||ATA_Passthru and/or Secure Storage|
This article is intended for customers who have recently bought and provisioned an Opal drive and freshly installed the Symantec Endpoint Encryption software. If you have installed multiple operating systems over time and/or frequently reformatted the disk, you are more likely to experience unexpected errors, such as “Disk not detected” or “Unable to format disk.” To avoid these error states, a fresh OS and disk in a factory reset state are highly recommended.
If you have done an initial installation of Symantec Endpoint Encryption v 11.1.0 or greater on a system with an Opal drive:
If you already have Symantec Endpoint Encryption v 11.1.0 or greater on a computer that has a pre-encrypted (software encrypted) Opal drive:
If a computer has Symantec Endpoint Encryption v 11.0.1 or earlier installed, with a pre-encrypted (software encrypted) Opal drive:
To add computers and drives to a client registry, follow the steps below.
Note: The steps use this example:
Hardware: HP EliteBook Folio 1040 G2
Disk drive: Sandisk_SD7TB3Q-256G-100X218
HKLM ->SOFTWARE ->Encryption Anywhere ->Hard Disk ->NonEDrive List ->WhiteList
HKLM ->SOFTWARE ->Encryption Anywhere ->Hard Disk ->NonEDrive List ->WhiteList ->Hewlett-Packard ->HP EliteBook Folio 1040 G2
HKLM ->SOFTWARE ->Encryption Anywhere ->Framework ->LoggerConfigand change the value of
LogLevelfrom "WARNING" to "DEBUG."
All Dell and Lenovo models are supported; therefore, only an asterisk (*) is required for the hardware model. Reference the steps under "Adding laptop models and Opal drives to the whitelist (except Dell and Lenovo)" for the registry directory structure instructions, but substitute this (asterisk) action for Step 3. The resulting directory structure in the registry will look similar to these examples: