Disk Encryption Manager
Volume-level disk encryption protects your customers' data against theft or accidental loss by rendering the information on hard drives unreadable to unauthorized users. Disk encryption is ideally suited to environments where data is a critical asset or is governed by compliance regulations such as GDPR, PII and PCI DSS, and where there is a risk of data loss.
With disk encryption in place, data cannot be accessed and information cannot be stolen by unauthorized users. The encryption keys are tied to the hardware the disk is installed in, so that simply removing a disk does not provide access to the data. Even if the disk drive is removed from the computer, the information remains encrypted and cannot be recovered without the associated Recovery Keys.
The security offered by disk encryption provides peace of mind, particularly when enabled on those at-risk devices, including laptops, that may leave the building. Disk Encryption is integrated into Managed Antivirus Bitdefender (MAV-BD) and deployed through MAV-BD Protection Policies.
You can even enable Disk Encryption Manager on devices already encrypted by BitLocker. Disk Encryption Manager is deployed as if no encryption is in place; it then takes over control of BitLocker management on the device and updates BitLocker's settings to match the Protection Policy for disk encryption, retaining the pre-boot credential that was already set.
If the device has been encrypted at the disk level with any other encryption product, it will need to be decrypted and that product removed from the device. Otherwise Disk Encryption Manager will not recognize the existing encryption, and the Disk Encryption Manager install will fail with an error.
Security options
There are three security options (Key Protector Strengths) available when using MAV-BD Disk Encryption Manager:
- Trusted Platform Module (TPM) - This is hardware-level security available on most new PCs. When enabled, the user does not need to enter a password when starting their computer; they are taken straight to the Windows login screen.
- Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk and proceed to the login screen. This is the most secure method of encrypting and protecting data, and Microsoft recommends this security option with disk encryption.
- Password - The password option is the default security mechanism when a device does not include a TPM, or the TPM has been disabled on the device. When the user starts their computer, they must enter a password to unlock the disk and proceed to the Windows login screen.
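The three options above correspond to BitLocker key protector types on the OS volume. The following PowerShell script is an added example, not N-able's code and not part of Disk Encryption Manager: it reads the volume's key protectors with the built-in `Get-BitLockerVolume` and `Get-Tpm` cmdlets, maps them onto the option names used on this page, and flags two things an administrator should want to know before rolling out a policy: a volume that has no recovery password protector, and a device that is on the Password option even though a usable TPM is present. It assumes the BitLocker PowerShell module is available and that it is run from an elevated prompt; the function name `Get-KeyProtectorStrength` is invented for this example.

```powershell
# Added example (not N-able / Disk Encryption Manager code).
# Requires the BitLocker module and an elevated session.
function Get-KeyProtectorStrength {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the OS volume
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    # Protector types present on the volume, e.g. Tpm, TpmPin, Password, RecoveryPassword
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Map protector types onto the three options described on this page.
    # Checked from strongest to weakest so a volume with both TPM and PIN reports TPM+PIN.
    if     ($types -contains 'TpmPin')   { $strength = 'Trusted Platform Module and PIN' }
    elseif ($types -contains 'Tpm')      { $strength = 'Trusted Platform Module (TPM)' }
    elseif ($types -contains 'Password') { $strength = 'Password' }
    else                                 { $strength = 'None' }

    $hasRecovery = $types -contains 'RecoveryPassword'

    # Warnings an administrator would act on before (or after) applying a policy
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint : BitLocker protection is not On (status: $($vol.ProtectionStatus))."
    }
    if (-not $hasRecovery) {
        Write-Warning "$MountPoint : no RecoveryPassword protector; the drive cannot be recovered if the primary protector is lost."
    }
    if ($strength -eq 'Password' -and $tpm.TpmPresent -and $tpm.TpmReady) {
        Write-Warning "$MountPoint : Password protector in use although a ready TPM is present; a TPM-backed option is available."
    }

    [PSCustomObject]@{
        MountPoint           = $MountPoint
        VolumeStatus         = $vol.VolumeStatus       # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus     = $vol.ProtectionStatus   # On / Off
        EncryptionMethod     = $vol.EncryptionMethod   # e.g. XtsAes128
        KeyProtectorStrength = $strength
        KeyProtectorTypes    = ($types -join ', ')
        HasRecoveryPassword  = $hasRecovery
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
    }
}

# Usage: report the OS volume, or every BitLocker volume on the device
Get-KeyProtectorStrength | Format-List
# Get-BitLockerVolume | ForEach-Object { Get-KeyProtectorStrength -MountPoint $_.MountPoint }
```

The script only reports protector types and never prints the recovery password itself; if you need to archive recovery keys, use the Recovery Key Report described on this page so the record stays in N-sight RMM.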
If you delete your devices from N-sight RMM, the last known Recovery Key will be retained in the Recovery Key Report for 90 days only.
If you remove Disk Encryption Manager from devices and they remain in N-sight RMM, you still have access to the Recovery Key Report, which holds the history of the last known Recovery Key before the device returned control to the end user. Be aware that the end user may have re-encrypted the device since, which would change the Recovery Key from what N-sight RMM last had on record.
In both scenarios, we highly recommend running the Recovery Key Report and storing it in a safe location before performing any other actions. Otherwise, you will not be able to obtain the Recovery Keys from N-sight RMM or from Technical Support.
What do you want to do?
- Review Disk Encryption Manager Prerequisites
- Set permissions for Disk Encryption Manager
- Enable Disk Encryption Manager by Device Type, Client or Site
- Enable Disk Encryption Manager at the Individual Device Level
- View the Disk Encryption End-user Experience
- Monitoring Disk Encryption
- View Disk Encryption Manager Reporting
- Provide a Recovery Key for an End-user
- View the Removing Disk Encryption Manager with or without Decrypting Devices process
- View the Removing Devices with Disk Encryption Manager from the All Devices view process
- View the Frequently Asked Questions