Safetica BitLocker disks Process




BitLocker Drive Encryption is Microsoft's full-volume encryption feature for the system disk and the non-system (data) disks of a computer. More information on BitLocker is available at https://technet.microsoft.com/en-us/library/cc732774(v=ws.11).aspx.

Note: BitLocker Drive Encryption can only be used on end workstations running Windows 7 Ultimate or Enterprise, Windows 8 Pro or Enterprise, Windows 10 Pro or newer Windows versions, including the server editions. BitLocker does not support dynamic disks.

BitLocker management

Encryption policy

Here you can set the BitLocker policy. The selected policy is applied to the computers listed below that support it; for computers that do not support it, an alternative can be chosen. The following policies are available:

· Decrypt – decrypts the system disk and all data disks.
· Encrypt all disks – encrypts the system disk using the selected unlock method (described below) and encrypts the data disks with randomly generated keys. Data disks are unlocked automatically once the system disk has been unlocked.
· Encrypt data disks – only the data disks are encrypted.

Edit one of the following options, depending on the selected policy:

· System disk – how the system disk is unlocked:
o Password – at startup the user is prompted for the password they set when the policy was applied.
o TPM – the system disk is unlocked automatically at startup. The key that protects the disk is held by the Trusted Platform Module (TPM) security chip (https://en.wikipedia.org/wiki/Trusted_Platform_Module) and is released only if the measured boot components are unchanged.
o TPM+Pin – the key that protects the disk is held by the TPM and is released only after the correct PIN is entered. At startup the user is prompted for the PIN they set when the policy was applied.
· Password as an alternative – a password is set as an alternative method of unlocking the system disk. This can be selected only with the TPM and TPM+Pin unlock methods.

Note: This option is available only on computers running Windows 8 and later.

· USB key as an alternative – a key stored on a USB drive is set as an alternative method of unlocking the system disk.

Note: This option is available only on computers running Windows Vista, Windows 7 and later.

· Takeover – Safetica takes over the management of disks that were previously encrypted with BitLocker directly, without Safetica. The old unlock and recovery keys are deleted and replaced by new ones that match the configured policy. If this setting is not enabled, encryption attempts on such disks may fail with an error.
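The following script is an added example and is not Safetica's code: it shows what the "Encrypt all disks" policy with the TPM+Pin unlock method, a recovery password as the alternative, and Takeover amounts to when expressed with Windows' built-in BitLocker cmdlets. The drive letters, the encryption method and the single data disk are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Safetica's own code. Applies the "Encrypt all disks"
# policy with TPM+PIN on the system disk, a recovery password as the
# alternative unlock method, data-disk auto-unlock, and Takeover of old
# protectors. Drive letters and encryption method are assumptions.

$OsDrive    = 'C:'
$DataDrives = @('D:')           # assumption: one data disk

function Set-SystemDiskProtection {
    param([string]$MountPoint, [System.Security.SecureString]$Pin)

    # The TPM+PIN policy is only supported where a TPM is present and ready;
    # otherwise the Password policy would have to be chosen for this computer.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No usable TPM on this computer: the TPM+PIN policy cannot be applied.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $oldProtectors = @($vol.KeyProtector)   # protectors set up outside Safetica (Takeover)

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Not yet encrypted: start encryption with TPM+PIN as the unlock method.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    } else {
        # Already encrypted: a volume holds at most one TPM-based protector,
        # so the old one has to go before the new TPM+PIN protector is added.
        foreach ($kp in $oldProtectors | Where-Object KeyProtectorType -like 'Tpm*') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    # Alternative unlock method: a 48-digit recovery password generated by BitLocker.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Takeover: remove the remaining old protectors (old passwords, recovery
    # passwords, startup keys) so that only protectors matching the policy remain.
    foreach ($kp in $oldProtectors | Where-Object KeyProtectorType -notlike 'Tpm*') {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

function Set-DataDiskProtection {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Data disks get no user password under this policy, only a
        # BitLocker-generated recovery password for emergencies.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector | Out-Null
    }
    # Auto-unlock stores a randomly generated external key for this data disk
    # on the (already protected) system disk, so the data disk opens as soon
    # as the system disk has been unlocked.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
}

$pin = Read-Host -Prompt 'Startup PIN chosen by the user' -AsSecureString
Set-SystemDiskProtection -MountPoint $OsDrive -Pin $pin
foreach ($d in $DataDrives) { Set-DataDiskProtection -MountPoint $d }

# Check: which unlock methods each volume now has.
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
    @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The system disk is handled first because Enable-BitLockerAutoUnlock requires the system disk to be BitLocker-protected already. The new recovery password should be backed up (to Active Directory or to a folder) before the old protectors are removed, since after the Takeover step it is the only way back into the disk if the TPM or the PIN is lost.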

List of computers

The list contains every computer that has Safetica installed and belongs to a group selected in the user tree. For each computer, detailed information on its current BitLocker status is shown, for example which BitLocker unlock options the computer supports and whether its disks are encrypted.

An exception can be set for every computer:

· Ignore – the encryption policy is not applied to this computer.
· Decrypt – all disks in this computer are decrypted.

You can set an exception using the switch in the column of the same name.
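As an added example (not Safetica's code), the status information the list of computers summarises can be gathered for a set of computers with Windows' own cmdlets over PowerShell remoting. The computer names are assumptions.

```powershell
# Added example, not Safetica's own code. Collects, per computer and volume,
# the data that decides whether a policy is supported (TPM present and ready)
# and whether the volume is actually protected. Computer names are assumptions.
function Get-BitLockerInventory {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # TPM and TPM+PIN policies need a ready TPM; Get-Tpm fails where there is none.
        $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }
        $os  = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

        foreach ($v in Get-BitLockerVolume) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                OS         = $os
                Volume     = $v.MountPoint
                VolumeType = $v.VolumeType         # OperatingSystem or Data
                Status     = $v.VolumeStatus       # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
                Protection = $v.ProtectionStatus   # On, or Off (never protected, or protectors suspended)
                Percent    = $v.EncryptionPercentage
                Protectors = ($v.KeyProtector.KeyProtectorType -join ', ')
                TpmReady   = [bool]($tpm -and $tpm.TpmReady)
            }
        }
    } | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
}

$report = Get-BitLockerInventory -ComputerName @('PC-FINANCE-01', 'PC-SALES-07')   # assumption
$report | Format-Table -AutoSize

# Worth acting on: volumes that are encrypted but whose protection is Off.
# Their key is stored in the clear on the disk (protectors suspended), so they
# are not protected even though they show as encrypted.
$report | Where-Object { $_.Status -eq 'FullyEncrypted' -and $_.Protection -eq 'Off' }
```

VolumeStatus and ProtectionStatus answer different questions: the first says whether the data on the disk is encrypted, the second whether a key protector actually has to be satisfied to read it. Only a volume with both FullyEncrypted and Protection On should be counted as encrypted in the sense this page uses.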

Safetica BitLocker recovery information backup

In this section you can configure the backup of BitLocker recovery information to Active Directory, or export the information directly to a selected folder. Backup to Active Directory must first be enabled through Group Policy on the client computers; see https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx#BKMK_1.

Note: If the recovery information has been exported to the root folder of a USB drive, that drive can be used to restore access to an encrypted disk when it is connected at startup.
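The following script is an added example, not Safetica's code, showing the three forms of recovery backup described above with Windows' built-in cmdlets: checking that the Group Policy for Active Directory backup is in place, backing up every recovery password to Active Directory, exporting the same information to a folder, and writing a recovery key file to the root of a USB drive. The export folder, the USB drive letter and the system drive letter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Safetica's own code. Backs up BitLocker recovery
# information to AD DS, exports it to a folder, and puts a recovery key file
# on a USB drive. Export folder and drive letters are assumptions.
$ExportFolder = 'C:\BitLockerRecovery'     # assumption
$UsbDrive     = 'E:\'                      # assumption: root of the connected USB drive
$OsDrive      = 'C:'                       # assumption

# 1. AD DS backup only works when the client policy allows it. These registry
#    values are what the "Store BitLocker recovery information in Active
#    Directory Domain Services" policy for operating system drives writes.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not ($fve.OSRecovery -eq 1 -and $fve.OSActiveDirectoryBackup -eq 1)) {
    Write-Warning 'AD DS backup of BitLocker recovery information is not enabled by Group Policy on this computer.'
}

New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        # 2. Store the recovery password under the computer object in AD DS
        #    (an msFVE-RecoveryInformation object per protector).
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null

        # 3. Export to a folder in the layout Windows itself uses for "Save to a
        #    file": the identifier is what the recovery screen displays, the
        #    48-digit recovery password is what the user types.
        $id   = $kp.KeyProtectorId -replace '[{}]', ''
        $path = Join-Path $ExportFolder "BitLocker Recovery Key $id.txt"
        @(
            "Identifier: $($kp.KeyProtectorId)"
            "Recovery Key: $($kp.RecoveryPassword)"
        ) | Set-Content -Path $path -Encoding Unicode
    }
}

# 4. A recovery key file (.BEK) in the root of a USB drive unlocks the system
#    disk when the drive is connected at startup.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryKeyProtector -RecoveryKeyPath $UsbDrive | Out-Null

# The exported files are as sensitive as the disks they unlock: restrict them
# to administrators and SYSTEM.
icacls $ExportFolder /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
```

Backup-BitLockerKeyProtector only accepts recovery password protectors, which is why the loop filters on KeyProtectorType first; the .BEK file written in step 4 is itself a key, so the USB drive must be treated with the same care as the exported folder.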