Symantec Endpoint Encryption Drive Encryption Getting Started Guide

Getting Started
About Symantec Endpoint Encryption

Symantec™ Endpoint Encryption is comprised of the Drive Encryption functionality, the Removable Media Encryption functionality, and a Management Agent.

■ Drive Encryption
The Drive Encryption functionality ensures only authorized access to the data that is stored on hard disks. This functionality helps safeguard enterprises from data loss or breach in case of theft or accidental damage to laptops or PCs.

■ Removable Media Encryption
The Removable Media Encryption functionality protects data available on standard, off-the-shelf removable storage devices. As part of Symantec Endpoint Encryption, Removable Media Encryption helps prevent the unauthorized physical or logical access that jeopardizes the confidentiality of the data on a removable storage device. Removable Media Encryption provides file-based encryption using passwords or certificates and supports external hard drives, USB flash drives, and portable devices. An Access Utility to enable access to encrypted files on unmanaged systems (Microsoft Windows or Mac OS X) is also provided.

■ Management Agent
Management Agent includes all of the functionalities that are used across Symantec Endpoint Encryption, such as authentication methods and settings, registering users, and setting up client administrator accounts and information.

If you are using Microsoft Windows Server 2008

For Symantec Endpoint Encryption Management Agent to appear properly on Windows Server 2008 R2, you must install the Aero Desktop theme.

Note: You must have administrator privilege to install the Aero Desktop theme.

To know how to install the Aero Desktop theme, see the Microsoft documentation.
Working with Drive Encryption

Symantec Endpoint Encryption client software provides an interface to:

■ View the encryption status of your hard disk partitions.
■ Determine if the check-in enforcement policy is enabled for your computer.
■ Verify the last time your computer had checked in with Symantec Endpoint Encryption Management Server, if at all.
■ Force your computer to check in with Symantec Endpoint Encryption Management Server.

In addition to these, you can do the following:

■ View the product version information.
■ View the Symantec Endpoint Encryption functionalities that are installed on your computer.
■ View the legal notice of the Symantec Endpoint Encryption functionalities.
Viewing the encryption status of your disk

Drive Encryption protects the data that is stored on your hard disk by encrypting it. Encryption is the process by which an algorithm renders data unreadable. Only those who possess the “key” can decrypt the data, thereby rendering it intelligible again.

The disk of your computer is configured to get encrypted automatically after you install the Drive Encryption functionality and restart your computer. Disk encryption does not require any user registration and starts even before you log on to Windows. You can continue to work normally during and after the encryption of your hard disk. All partitions should be encrypted, especially the Windows system partition.

To view the encryption status of your disk

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.
2 On the Internal Drives tab, click Drives.
3 View the encryption status of your disk. The status can be one of the following:

■ Encrypting
Indicates that the encryption of the disk is not yet complete. Along with this status, the page also displays the percentage of the disk already encrypted.

■ Encrypted with a lock icon
Indicates that the disk or partition is fully encrypted.

■ Decrypting
Indicates that the decryption of the disk is not yet complete. Along with this status, the page also displays the percentage of decryption remaining for the disk.

■ Not Encrypted
Indicates that the disk is not encrypted. This status appears for a disk or partition that was encrypted previously but now is fully decrypted.

See “Authenticating at preboot to access your encrypted computer” on page 2.
See “Communicating with Symantec Endpoint Encryption Management Server” on page 3.

Authenticating at preboot to access your encrypted computer

The disk of your computer is configured to get encrypted automatically after you install the Drive Encryption functionality and restart your computer. For disk encryption, a client computer does not require any user registration. Drive Encryption silently registers you when you successfully log in to the computer using Windows credentials after installation. Drive Encryption uses your Windows password or token to register you to preboot authentication. Every time a user logs in to your computer with different Windows credentials, Drive Encryption automatically registers the new user.

Note: Preboot authentication does not support certain ALT characters such as ALT+155. These are special characters that appear when you press the ALT key together with keys on your number pad. Ensure that you do not use any ALT characters in your user name or password to avoid any issues during preboot authentication.

During the silent registration of a client user, Drive Encryption also enables Single sign-on. When Single sign-on is enabled, you can authenticate at preboot and directly access your computer without authenticating at the Windows login screen.

Note: Single sign-on is enabled only for client users and not for client administrators. When a client administrator authenticates at preboot, the Windows login screen appears.

When you are a registered user, you can use one of the following options to authenticate and access data on your computer:

■ Use Windows credentials at the preboot authentication screen.
■ Use your Token PIN at the token login screen.
Note: Symantec Endpoint Encryption does not support smart cards on UEFI systems.
■ Request your client administrator to authenticate with admin login credentials in case you lost your password.

Note: The preboot authentication screen may not be displayed if Autologon is in effect.

To authenticate at preboot using your password

1 On the preboot authentication screen, do the following:
■ In the User Name box, type your Windows user name. You can use the TAB key to navigate to another text box.
■ In the Password box, type your Windows password. You can press F3 to hide or show the password characters.
■ In the Domain box, use the arrow keys to select a domain name.
2 Press Enter.

To authenticate at preboot using your token PIN

1 On the preboot authentication screen, press F7.
2 Type your PIN in the Token PIN box.
3 Press Enter.

See “Recovering from a communication lockout” on page 7.
See “Recovering your computer using Help Desk Recovery” on page 6.
See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.

Selecting a keyboard layout for preboot authentication

Different keyboard layouts can have different mappings between characters, potentially causing problems when you enter your passphrase to authenticate. Select the keyboard layout that most closely maps to the keyboard you are using. Ensure that you use the same layout each time you authenticate.

To select a keyboard layout

1 On the preboot authentication screen, press F2.
2 From the list of keyboard layouts, select a keyboard layout using the up and down arrow keys.
3 Press Enter.
4 Verify the keyboard layout you selected at the bottom of the screen.
5 Press ESC to return to the preboot authentication screen.

See “Authenticating at preboot to access your encrypted computer” on page 2.

Communicating with Symantec Endpoint Encryption Management Server

For security reasons, your policy administrator may have configured check-in enforcement for your computer. This enforcement locks out all users except the client administrator when your computer is lost or stolen and, therefore, fails to check in within a prescribed schedule.

Use the Check-in button when:

■ A lockout enforcement policy is in effect and lockout is imminent.
■ You are running your computer on a VPN, and your computer communicates intermittently with Symantec Endpoint Encryption Management Server.
■ Your administrator instructs you to click the Check-in button.

When you click the Check-in button, your client computer attempts to connect to Symantec Endpoint Encryption Management Server. When the communication is successful, the Last check-in field is updated with your current date and time. If the lockout policy is enabled for your computer, the Next check-in due by field value is also extended by the period that your policy specifies. Any potential lockout is prevented.

If your client computer fails to check in with Symantec Endpoint Encryption Management Server after you click the Check-in button, you must contact your client administrator immediately. Your client administrator can extend the communication due date if the lockout policy is enabled and can also resolve the issue preventing the communication.

To view the check-in information

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.
2 On the Internal Drives tab, click Status.
3 View the following information:

■ Next Check-in due by
Provides the information about the next communication due date. A value for this field also indicates that the check-in policy is active for your client computer.

■ Last check-in
Provides the information about the last communication of the client computer with Symantec Endpoint Encryption Management Server.

To establish communication with the server

1 On the Internal Drives tab, click Status.
2 Click Check-in.

See “About the communication lockout” on page 7.
Recovering your system at preboot

Drive Encryption protects the data on a hard disk by prompting a user of the computer to authenticate before the Windows operating system starts. When you provide your credentials to Drive Encryption, it derives the “key” necessary to render the data on the hard disk intelligible again.

After encryption of the boot disk is initiated, Drive Encryption displays a preboot authentication screen every time you start your computer. This screen requires a set of credentials before it lets you access protected data on the disk.

Drive Encryption restricts you from accessing your data on your computer under the following circumstances:

■ When you forget your password (Windows credentials) or token.
■ When your client computer fails to communicate with Symantec Endpoint Encryption Management Server within the schedule that the policy administrator prescribes.

When you fail to authenticate at preboot, press F4 to use the recovery options that are configured for your computer as per the administrative policies. These recovery options help you bypass the preboot authentication screen once so that you can reconfigure your authentication credentials.

Based on the administrative policies that are enabled for your computer, you can have the following recovery options:

■ Drive Encryption Self-Recovery
■ Help Desk Recovery

Additionally, you can also contact your client administrator to gain access to your computer.

About Drive Encryption Self-Recovery

When you forget your password, Drive Encryption Self-Recovery assists you to gain access to your computer without any help desk assistance. You can bypass the preboot authentication step by answering predefined security questions correctly.

Drive Encryption Self-Recovery is enabled or disabled for a user by the administrative policies of Symantec Endpoint Encryption Management Server. Your policy administrator can enable Drive Encryption Self-Recovery, in which case you need to configure a maximum of three security questions. Your policy administrator can specify the number of security questions that are predefined and require only the answers to complete the configuration. Your policy administrator can also let you customize your questions and provide answers for them.

Security questions are configured after installation of the Drive Encryption functionality. If you skip configuration after you log in the first time, Drive Encryption notifies you to configure Drive Encryption Self-Recovery every time you log in to your system. Drive Encryption also notifies you to configure security questions if Drive Encryption Self-Recovery was enabled after registration through a policy deployment.

When you forget your password, you can select Drive Encryption Self-Recovery and answer the security questions to gain access to your computer. After bypassing preboot authentication, you can contact your local administrator to reset your Windows login credentials.

Security questions, once configured, can be used whenever you need to bypass preboot authentication. In case your administrator disables Drive Encryption Self-Recovery and re-enables it, the same security questions can be used to bypass preboot authentication.

Note: For improved protection, Symantec recommends that you configure Drive Encryption Self-Recovery the first time you receive the Drive Encryption Self-Recovery setup after installation.

See “Configuring Drive Encryption Self-Recovery security questions” on page 4.
See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.
Configuring Drive Encryption Self-Recovery security questions

You can configure security questions after the Drive Encryption functionality is installed and you log in to your computer as a new user the first time. You can skip the configuration process, in which case Symantec Endpoint Encryption notifies you to configure Drive Encryption Self-Recovery every time you log in to your system.

Note: For improved protection, Symantec recommends that you configure Drive Encryption Self-Recovery the first time the Drive Encryption Self-Recovery setup appears.

You must consider the following before configuring your security questions:

■ Think of security questions that relate to something very personal to you. The answers to these questions should be unique, easy to remember, and not ambiguous.
■ Provide only answers to the questions that your policy administrator has already predefined. These predefined questions are not customizable.
■ Provide both the question and the answer when the security questions are customizable and not predefined.
■ Create answers within the character limit. Note that answers are case-sensitive. Drive Encryption Self-Recovery supports the following character set:
■ Uppercase: A-Z
■ Lowercase: a-z
■ Digits: 0-9
■ All punctuation symbols on a standard US language keyboard

To configure Drive Encryption Self-Recovery security questions

1 Log in to your system.
2 When the Self Recovery Setup dialog box appears, do one of the following:
■ To proceed with the configuration of security questions, click Continue.
■ To skip the configuration of security questions and close the Self Recovery Setup dialog box, click Remind me Later.
3 In the screen that appears, do the following:
■ For the questions that your policy administrator predefines, provide only the answers.
■ For the questions that you must define, type the question in the Question box and provide the answer in the respective Answer box.
4 Click Save.
5 In the confirmation dialog box, click Finish.

See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.
Using Drive Encryption Self-Recovery when you forget your password

When you forget your password, you can press F4, use the Drive Encryption Self-Recovery feature, and bypass preboot authentication without any assistance from the help desk. Drive Encryption Self-Recovery requires you to answer preconfigured security questions for authentication. You can configure these questions when you log in the first time after installation as a new user to the Drive Encryption functionality. When the answers are correct, Drive Encryption Self-Recovery provides access to your computer so that you can reset your Windows password.

Note: The Drive Encryption Self-Recovery option appears only after your administrator enables the Drive Encryption Self-Recovery feature for your computer and at least one user is registered on the computer.

To use Drive Encryption Self-Recovery and bypass preboot authentication

1 At the preboot authentication screen, press F4.
2 In the screen that appears, select Self Recovery.
3 Press Enter.
4 Answer the first security question displayed. Type the answer and press Enter.
5 Continue to answer the questions. You must answer all questions correctly to bypass preboot authentication.
6 When you have answered the questions correctly, the Windows operating system starts. Enter the new Windows credentials that you have received from your local administrator.
Drive Encryption registers you with the new Windows credentials. You can use the new credentials for preboot authentication the next time you start your computer.

See “About Drive Encryption Self-Recovery” on page 4.
See “Configuring Drive Encryption Self-Recovery security questions” on page 4.
About Help Desk Recovery

With Help Desk Recovery, you can access your encrypted computer if you lose your password or if there is a lockout state at preboot. This recovery feature is enabled or disabled for a computer by the administrative policies of Symantec Endpoint Encryption Management Server. All you need is to provide your computer information to the help desk, receive a Response Key, and then use the Response Key to access your computer.

A Response Key (also known as One-Time Password) that the Help Desk Recovery provides is associated with an encrypted computer, not a user. Each computer has a unique Response Key that unlocks the encrypted disk on that computer.

Based on the connectivity of the client with Symantec Endpoint Encryption Management Server, Help Desk Recovery offers two types of recovery mode:

■ Online Recovery
Online Recovery is possible when the client establishes a connection with Symantec Endpoint Encryption Management Server after installation. The server receives data about the client that it requires to generate a Response Key in the future. Help Desk Recovery requires minimum authentication for the computer and does not involve a Challenge Key.

■ Offline Recovery
Offline Recovery is required when the client has never communicated with Symantec Endpoint Encryption Management Server after installation. The server does not find any data about the client that it requires to generate a Response Key. Help Desk Recovery requires a Challenge Key for authentication.

Note: When you recover from a forgotten password, you are prompted to enter a new password when the Windows operating system starts. Contact your local administrator to get your new Windows credentials.

See “Recovering your computer using Help Desk Recovery” on page 6.
See “Recovering from a communication lockout” on page 7.
Recovering your computer using Help Desk Recovery

You can use Help Desk Recovery in case of a preboot lockout or if you forget your user credentials. This recovery feature requires you to call the help desk, provide your computer information, receive the Response Key, and use the Response Key to access your computer.

Based on the availability of the recovery information on the server, preboot authentication displays one of the following screens when you use Help Desk Recovery:

■ The Help Desk Recovery screen appears when the recovery information is available on the server and displays only the computer identity and the Sequence Number.
■ The Advance Help Desk Recovery screen appears when the recovery information is not available on the server. This screen displays the computer identity, the Sequence Number, and the Challenge Key.

The Response Key box appears on both the screens and requires you to enter the information that your help desk administrator provides.

Note: You can press F5 on the Help Desk Recovery screen to switch to the Advance Help Desk Recovery screen. Alternatively, you can press Esc on the Advance Help Desk Recovery screen to switch back to Help Desk Recovery.

To recover your computer using Help Desk Recovery

1 On the preboot authentication screen, press F4.
2 In the screen that appears, select Help Desk Recovery, and press Enter.
This intermediate screen lets you select a recovery option and appears when Drive Encryption Self-Recovery is enabled and configured for at least one user on your computer.
For authentication, the following details are required:

■ Computer
The name of your computer with the domain name. Help Desk Recovery requires this information to verify the computer record in the server database.

■ Sequence Number
A four-digit number that is used to synchronize a client with the server. Help Desk Recovery requires this information for generation of a Response Key.

■ Challenge Key
The public key that the client generates using the public key of the server. Help Desk Recovery requires this information to authenticate a client that has never communicated with the server.

■ Checksum
A two-character checksum that appears for the Response Key and the Challenge Key. The checksum helps to verify that the Challenge Key has been communicated correctly to the help desk or the Response Key to the user. A matching checksum confirms that the Challenge Key on the server side or the Response Key on the client side has been entered correctly.

3 Call your Symantec Endpoint Encryption Management Server help desk administrator.
4 From the Help Desk Recovery screen or the Advance Help Desk Recovery screen, provide the following information to the help desk administrator:
■ Computer
■ Sequence Number
■ Challenge Key (in case of Advance Help Desk Recovery)
5 Type the response key that the help desk administrator provides in the Response Key box, and then press Enter.
If required, provide the checksum to the help desk administrator to confirm that you have entered the response key correctly. When the recovery is successful, contact your local administrator to get new Windows credentials.
6 Use your Windows credentials to access your computer.
Drive Encryption uses your new Windows credentials to register you to the preboot authentication.

See “About Help Desk Recovery” on page 5.
See “About the communication lockout” on page 7.
See “Recovering from a communication lockout” on page 7.
About the communication lockout

Client computers communicate with Symantec Endpoint Encryption Management Server to send status and recovery information to the server. For security reasons, your policy administrator might enforce a check-in policy to monitor your client computer through periodic contact with the server. When your client computer fails to communicate with the server within the prescribed schedule, the computer is locked out at preboot. When the lockout occurs, the computer remains in a pre-Windows state after restart. No registered user can log on to the computer without assistance from the help desk or until a client administrator unlocks the system. The lockout, thereby, protects the data on your computer if the computer is lost or stolen.

The administrative policies of Symantec Endpoint Encryption Management Server control the client check-in enforcement. Your policy administrator might enable communication lockout and specify a minimum contact period within which the client must check in to establish connection with Symantec Endpoint Encryption Management Server. The administrator can also specify a warning period during which Drive Encryption should notify you to communicate with the server. If you do not check in the client computer within the specified periods, the client goes into a communication lockout state after the next restart.

Based on the policies that are enabled for your computer, you can use one of the following options to recover from a communication lockout state:

■ Help desk assistance
You can contact your help desk administrator and request a Response Key for your computer.

■ Client administrator assistance
You can contact your Client Administrator. The client administrator authenticates at the preboot and provides access to the computer.

After the computer recovers from a communication lockout, the check-in due date gets extended by the same minimum contact period and warning period as previously.

See “Recovering from a communication lockout” on page 7.
See “Recovering your computer using Help Desk Recovery” on page 6.
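The check-in enforcement described here and under “Communicating with Symantec Endpoint Encryption Management Server”, modelled as an added example that is not part of this guide or of the product: it assumes that the warning period begins when the minimum contact period expires and that lockout takes effect at the first restart after the warning period has also elapsed, which is a reading of the guide's prose and not documented product behaviour.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added model of the check-in enforcement (communication lockout) policy.
# Assumption, not documented product behaviour: warning period follows the
# minimum contact period; lockout happens at the next restart after both.


@dataclass(frozen=True)
class CheckInPolicy:
    min_contact_days: int  # period within which the client must check in
    warning_days: int      # period during which the user is warned to check in


@dataclass
class ClientState:
    last_check_in: date
    locked: bool = False

    def next_check_in_due(self, policy: CheckInPolicy) -> date:
        # Corresponds to the "Next Check-in due by" value on the Status page.
        return self.last_check_in + timedelta(days=policy.min_contact_days)

    def lockout_from(self, policy: CheckInPolicy) -> date:
        # First day on which a restart results in a communication lockout.
        return self.next_check_in_due(policy) + timedelta(days=policy.warning_days)

    def status(self, policy: CheckInPolicy, today: date) -> str:
        if self.locked:
            return "locked"
        if today < self.next_check_in_due(policy):
            return "ok"
        if today < self.lockout_from(policy):
            return "warning"
        return "lockout on next restart"

    def restart(self, policy: CheckInPolicy, today: date) -> bool:
        # The lockout only takes effect when the computer restarts.
        if self.status(policy, today) == "lockout on next restart":
            self.locked = True
        return self.locked

    def check_in(self, today: date) -> None:
        # Successful contact with the server (the Check-in button): "Last
        # check-in" is updated and the due date moves forward with it.
        if self.locked:
            raise RuntimeError("locked-out client cannot check in; use a recovery option")
        self.last_check_in = today

    def recover(self, today: date) -> None:
        # Help Desk Recovery or client administrator login clears the lockout
        # and extends the due date by the same contact and warning periods.
        self.locked = False
        self.last_check_in = today


def days_until_lockout(client: ClientState, policy: CheckInPolicy, today: date) -> int:
    # Slack left for a VPN user whose client checks in only intermittently.
    return max(0, (client.lockout_from(policy) - today).days)


def run_scenario() -> dict:
    # Walk one client through warning, lockout and recovery (constructed dates).
    policy = CheckInPolicy(min_contact_days=30, warning_days=7)
    client = ClientState(last_check_in=date(2023, 1, 1))
    seen = {}
    for day in (date(2023, 1, 15), date(2023, 2, 3), date(2023, 2, 10)):
        seen[day.isoformat()] = (client.status(policy, day),
                                 days_until_lockout(client, policy, day))
    seen["locked_after_restart"] = client.restart(policy, date(2023, 2, 10))
    try:
        client.check_in(date(2023, 2, 11))
        seen["check_in_while_locked"] = "allowed"
    except RuntimeError:
        seen["check_in_while_locked"] = "refused"
    client.recover(date(2023, 2, 12))
    seen["status_after_recovery"] = client.status(policy, date(2023, 2, 12))
    seen["due_after_recovery"] = client.next_check_in_due(policy).isoformat()
    return seen


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```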
Recovering from a communication lockout

When a communication lockout occurs, your client computer remains in a pre-Windows state after restart. Drive Encryption displays a dialog box with options to recover from the lockout state.

Based on the policies that are enabled for your computer, you can recover your client computer in one of the following ways:

■ Help desk assistance
The administrative policies of Symantec Endpoint Encryption Management Server manage this recovery assistance.

■ Client Administrator assistance
The administrative policies do not manage this recovery assistance. Your Client Administrator uses this recovery method if you fail to get assistance from the help desk.

To recover from a communication lockout using Help Desk Recovery

1 On the dialog box listing the recovery options, select Help Desk Recovery.
2 Call your Symantec Endpoint Encryption Management Server help desk administrator.
3 From the Help Desk Recovery screen or the Advance Help Desk Recovery screen, provide the following information to the help desk administrator:
■ Computer name with domain
■ Sequence Number
■ Challenge Key (in case of Advance Help Desk Recovery)
4 Type the Response Key that the help desk administrator provides in the Response Key box, and then press Enter.
If required, provide the checksum to the help desk administrator to confirm that you have entered the Response Key correctly.
5 When the recovery is successful, the check-in due date gets extended by the same number of days as specified by your policy administrator.

See “About the communication lockout” on page 7.
See “About Help Desk Recovery” on page 5.

About the Client Administrator roles

As a Client Administrator, you provide local support to Symantec Endpoint Encryption client software users. Client Administrator accounts are created and maintained through Symantec Endpoint Encryption Management Server.

■ The administrative privileges are independent of any operating system or directory service, which lets you support a wide range of users.
■ Client Administrator credentials are managed from Symantec Endpoint Encryption Management Server and cannot be changed at the client computer. This single-source credential management lets you remember only one set of credentials as you move among many client computers.
■ Client Administrator credentials can always be used to authenticate to client computers. This privilege lets you authenticate and provide access to the client users when they forget their password or experience a communication lockout. This privilege is independent of the administrative policies of Symantec Endpoint Encryption Management Server.

As a Client Administrator, you can access the Drive Encryption functions from the command line to script Drive Encryption functions and troubleshoot problems. For more information on the Client Administrator commands, see the Drive Encryption Administrator Command Line User Guide.

Recovering from a communication lockout using the administrator login

Communication lockout occurs when a client computer fails to communicate with the server within the schedule that the Symantec Endpoint Encryption Management Server policy administrator prescribes. When a communication lockout occurs, the client computer remains in a pre-Windows state after restart.

As a Client Administrator, you can use your administrator login credentials to provide access to an encrypted computer. A client user needs your assistance during a communication lockout when:

■ The policy administrator has disabled Help Desk Recovery for the client computer, and the only option available is to get the Client Administrator assistance.
■ The help desk recommends that the client computer should be authenticated using the administrator login credentials.

To recover from a communication lockout using the administrator login

1 On the dialog box listing the recovery options at the preboot, select Administrator Password using the arrow keys.
2 Do the following:
■ Type your administrator account name in the Admin Name box. Use the TAB key to navigate to another text box.
■ Type the password of your account in the Password box.
3 Press Enter.
4 When the recovery is successful, verify that the check-in due date gets extended by the same number of days as specified by the policy administrator.

See “About the communication lockout” on page 7.

Authenticating at preboot using admin login credentials

As a Client Administrator, you can use your admin login credentials to authenticate at preboot. Your admin login credentials let you provide recovery support to the client users when they forget their password or experience a communication lockout.

To authenticate using admin login credentials

1 On the preboot authentication screen, press F5.
2 On the Administrator login screen, do the following:
■ Type the account name of the Client Administrator in the Admin Name box.
■ Type the password of the account in the Password box.
3 Press Enter.

See “Authenticating at preboot to access your encrypted computer” on page 2.
Getting Technical Support
For additional assistance using Symantec Endpoint
Encryption Drive Encryption functionality, contact the help
desk or the local administrator of your organization.
Legal Notice
Copyright © 2014 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, PGP,
and Pretty Good Privacy are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the
U.S. and other countries. Other names may be trademarks
of their respective owners.
The product described in this document is distributed under
licenses restricting its use, copying, distribution, and
decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior
written authorization of Symantec Corporation and its
licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS
AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED,
EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE
HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION
SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE
FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN
THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com