Windows Remote Encryption
With DriveStrike’s Windows BitLocker integration, deploying and enabling whole-drive encryption has never been easier. DriveStrike provides added data security at no additional cost while easing the deployment and management of encryption keys. DriveStrike supports BitLocker deployment and encryption for Trusted Platform Module (TPM) devices as well as older hardware without a TPM.
Windows Remote Encryption Prerequisites
Windows 7, 8, or 10 with a valid BitLocker license. BitLocker is available on Windows Pro, Ultimate, or Enterprise editions and, in some cases, on Windows Home editions.
DriveStrike confirms BitLocker availability upon device registration and displays an Enable option in the DriveStrike Device Details page for supported devices.
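The availability check described above, reproduced locally as an added example (this is not DriveStrike's own code). It assumes an elevated PowerShell session on Windows 8 or later, where the BitLocker and TrustedPlatformModule modules ship with the OS; Windows 7 has no BitLocker cmdlets, and manage-bde.exe is the equivalent tool there.

```powershell
# Added example: the two facts a registration check needs, namely whether this
# edition licenses BitLocker and whether a usable TPM is present.

function Test-BitLockerAvailability {
    $result = [ordered]@{
        Edition          = (Get-CimInstance Win32_OperatingSystem).Caption
        BitLockerCmdlets = $false
        TpmPresent       = $false
        TpmReady         = $false
    }

    # The BitLocker module is only installed on editions that license BitLocker
    # (Pro, Enterprise, Ultimate); Home editions generally lack it.
    if (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue) {
        $result.BitLockerCmdlets = $true
    }

    # Get-Tpm throws on hardware with no TPM exposed to the OS, so treat an
    # exception as "no TPM" rather than as a failure of the check.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Non-TPM device: encryption would take the passphrase path.
    }

    [pscustomobject]$result
}

$check = Test-BitLockerAvailability
$check | Format-List

if (-not $check.BitLockerCmdlets) {
    Write-Warning "BitLocker is not available on this edition; Enable would not be offered."
} elseif ($check.TpmPresent -and $check.TpmReady) {
    Write-Host "TPM path: BitLocker can be enabled without a boot passphrase."
} else {
    Write-Host "Non-TPM path: a boot passphrase will be required at every start."
}
```

A TPM that is present but not ready (for example, one that still needs to be initialised or cleared in firmware) is reported separately, because that is the usual reason a device that looks TPM-capable ends up on the passphrase path.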
Enabling BitLocker – What to Expect
Selecting Enable on the DriveStrike Device Details page encrypts all of your physical internal hard drives and escrows a recovery startup key file that can be used to boot the machine and access the encrypted data. DriveStrike reports the progress of drive encryption in the Details section of the Device Details page. Devices that are encrypted are noted in the Dashboard with the following icon.
TPM machines
If your machine supports TPM (most newer hardware does), you will not be asked to enter a passcode or provide an external key to boot the machine. Essentially, the Windows user login and general experience remain unchanged, but the data is secure and protected from unauthorized access. Enabling BitLocker encryption through DriveStrike also unlocks additional DriveStrike security features (see Additional features for Windows encrypted devices below). If you want to learn more about TPM and how the TPM security model was built to minimize user annoyance while improving security, please visit Windows Trusted Platform Module Technology Overview.
Non-TPM machines
If your machine doesn’t support TPM, DriveStrike will require that you provide a passphrase that will be used to protect the data on the machine. This passphrase is required to boot the machine from this point forward, until BitLocker is disabled.
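The two enablement paths just described, carried out locally with the Windows BitLocker cmdlets as an added example (not DriveStrike's code; DriveStrike performs the equivalent remotely through its agent and escrows the key for you). It assumes an elevated session on Windows 8 or later; $MountPoint and $EscrowPath are placeholders, and $EscrowPath must be on a volume other than the one being encrypted, such as the root of a USB drive. The non-TPM branch additionally needs the "Require additional authentication at startup" group policy with "Allow BitLocker without a compatible TPM" enabled, or Enable-BitLocker rejects the password protector.

```powershell
# Added example: enable BitLocker on the OS volume, binding the TPM when one is
# ready and a boot passphrase otherwise, with the recovery key file escrowed first.

$MountPoint = "C:"
$EscrowPath = "E:\"   # placeholder: USB drive root or other non-OS volume

$tpmReady = $false
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
} catch {
    # No TPM exposed to the OS: fall through to the passphrase path.
}

# 1. Add the recovery key (.BEK) protector before anything else, so a boot path
#    exists before the TPM or passphrase protector is bound. The hidden .BEK file
#    written to $EscrowPath is the artifact that gets escrowed.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $EscrowPath | Out-Null
$bek = Get-ChildItem -Path $EscrowPath -Filter *.BEK -Force | Select-Object -First 1
Write-Host "Escrow this file: $($bek.FullName)"

# 2. Bind the primary protector. XtsAes256 needs Windows 10 1511 or later;
#    use Aes256 on Windows 8/8.1.
if ($tpmReady) {
    # TPM path: no boot passphrase, the login experience is unchanged.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
} else {
    # Non-TPM path: this passphrase is demanded at every boot until BitLocker is disabled.
    $pass = Read-Host -AsSecureString "Boot passphrase"
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -PasswordProtector -Password $pass -SkipHardwareTest
}

# 3. Report progress the way the Device Details page does; encryption continues
#    in the background and EncryptionPercentage climbs to 100.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: {1}, {2}% encrypted, protection {3}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus
```

Adding the recovery protector first is the important ordering: if the TPM protector were bound alone and the platform measurements later changed, the volume would enter recovery with nothing escrowed to recover it.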
Additional features for Windows encrypted devices
- Escrowed Recovery Key – DriveStrike retains a copy of the recovery key file for all machines that have BitLocker enabled through DriveStrike. This ensures that administrators have an encryption key to unlock encrypted data when needed. A link to download the recovery key for each encrypted drive is displayed in the Device Details section within DriveStrike.
- Stored Passphrase – When a passphrase is used to protect the data, DriveStrike stores and displays the passphrase next to the associated drive within the Device Details section.
- Additional Lock Option – Administrators can optionally force recovery mode through DriveStrike Remote Lock. Forced recovery mode removes the TPM key and requires a passphrase or an external key file to boot the machine and access the encrypted data. Downloading the DriveStrike escrowed key to the root of a USB drive prepares that USB drive to unlock the machine at boot.
- Change Encryption Key – Administrators can change the passphrase or recovery key for any drive. This allows administrators to securely lock out insiders while retaining access to the data on the machine, assuming the physical hardware is not destroyed.
- Disable Encryption – Administrators can remotely disable encryption for the physical drives on the machine.
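The local BitLocker operations behind the four administrative features above, written as functions in an added example (not DriveStrike's code; it shows what each feature does to the volume's key protectors, not how DriveStrike delivers the command). It assumes an elevated session on Windows 8 or later and a default mount point of C:. Every function that removes a protector first confirms a recovery protector remains, so a remote change can never leave the volume with no unlock path at all.

```powershell
# Added example: protector management for the features listed above.

function Get-Protectors([string]$MountPoint = "C:") {
    # List what currently protects the volume; KeyProtectorId is what the
    # remove operations below need.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorId, KeyProtectorType, RecoveryPassword
}

function Assert-RecoveryProtector([string]$MountPoint) {
    # ExternalKey is the .BEK key file; RecoveryPassword is the 48-digit value.
    $kp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    if (-not ($kp | Where-Object { $_.KeyProtectorType -in 'ExternalKey', 'RecoveryPassword' })) {
        throw "No recovery protector on $MountPoint; escrow one before changing protectors."
    }
}

function Invoke-ForcedRecoveryMode([string]$MountPoint = "C:") {
    # Additional Lock Option: drop the TPM protector so the next boot demands the
    # escrowed key file (on a USB root) or the recovery password instead.
    Assert-RecoveryProtector $MountPoint
    $tpm = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $tpm) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

function Update-RecoveryPassword([string]$MountPoint = "C:") {
    # Change Encryption Key, shown here for the recovery password: add a fresh one,
    # then remove the old ones, so a previously leaked or escrowed value no longer
    # unlocks the drive. The new value is what should be escrowed next.
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId }
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $new.RecoveryPassword
}

function Disable-VolumeEncryption([string]$MountPoint = "C:") {
    # Disable Encryption: starts background decryption; the volume stays usable
    # while it runs and VolumeStatus reports DecryptionInProgress until done.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
}

# Usage (run one at a time, as an administrator):
#   Get-Protectors
#   Invoke-ForcedRecoveryMode
#   Update-RecoveryPassword
#   Disable-VolumeEncryption
```

The add-then-remove order in Update-RecoveryPassword matters for the insider-lockout case: the old value stops working only once its protector is removed, and the new value must be captured and escrowed before that happens, or the administrator locks themselves out along with the insider.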