Applies To: WatchGuard Full Encryption
WatchGuard Full Encryption (available in WatchGuard EPDR, WatchGuard EDR, and WatchGuard EPP) encrypts and decrypts computer drives and removable storage devices, without any impact to users. Full Encryption monitors the encryption status of network computers and also manages recovery keys for managed drives.
To help minimize the exposure of corporate data in the event of data loss or theft, Full Encryption takes advantage of hardware resources, such as a Trusted Platform Module (TPM) chip and Microsoft BitLocker technology, to encrypt and decrypt drives. It also supports authentication methods for different computer configurations.
You can use Full Encryption to:
When you apply Full Encryption settings to manage a computer, the computer might need user interaction to continue. For more information, see Full Encryption and Computer User Interactions.
Encryption of Unencrypted Drives
Encryption begins when the WatchGuard endpoint agent, installed on a computer, downloads encryption settings. A wizard on the endpoint device guides the user through the encryption process and encrypts all hard disks found on the computers. Any previously encrypted drive receives the encryption settings specified by Full Encryption.
The number of encryption steps to take depends on the type of authentication chosen by the network administrator and the previous status of the computer.
If you create a new drive entry after the encryption process is complete, Full Encryption encrypts the drive immediately and according to the encryption settings.
You cannot use Full Encryption to encrypt computers from a remote desktop session. You must restart the computer and enter a password before you can install Full Encryption.
When Previous Encryption Exists
To manage a computer with Full Encryption, the computer must successfully receive settings from WatchGuard Endpoint Security at least once. The settings establish the encryption of drives.
If a computer already has encrypted drives, but Full Encryption does not send the computer settings to encrypt the drives, Full Encryption does not manage the computer. This means that the computer administrator cannot access recovery keys or monitor the status of the computer. However, if Full Encryption does send settings to encrypt drives, regardless of any previous drive status (encrypted or not), Full Encryption manages the computer.
When you attempt to encrypt a previously encrypted drive, consider these points:
- After Full Encryption successfully encrypts a computer, Full Encryption is able to manage it.
- If a computer user selects an authentication method that differs from the method specified in Full Encryption, a prompt shows on the user's computer that asks for passwords or other hardware resources.
- If it is not possible to use an authentication method compatible with the operating system, and specified by the network administrator, the existing encryption method remains in place. Full Encryption does not manage the computer.
- If the encryption algorithm is not AES-256, Full Encryption makes no encryption changes to the computer drive. Full Encryption manages the computer.
- If both encrypted and unencrypted drives exist, Full Encryption uses the same authentication method to encrypt all drives.
- To unify authentication methods, if a previous authentication method requires a password, and the method is compatible with the authentication methods supported by Full Encryption, a prompt shows on the user's computer that requests the password.
- If computer user encryption settings differ from those reflected in the Full Encryption dashboard, to minimize the encryption process, Full Encryption does not make any encryption changes.
- When you manage a drive with Full Encryption, at the end of the process, Full Encryption generates a recovery key and sends it to the WatchGuard server.
For information about how to encrypt drives from the Full Encryption web UI, see Encryption Settings.
When Full Encryption applies encryption settings, a user might have to interact with managed computers to address these issues.
- If a computer does not have BitLocker installed, Full Encryption downloads and installs the tool. The computer user must restart the computer to complete the install.
- If a computer has no previous encryption, Full Encryption creates a system partition. The computer user must restart the computer to complete the creation of the partition.
- If a group policy exists that conflicts with the settings in Full Encryption, an error message shows and the process stops. Encryption does not start until the error is corrected by the computer user.
- If a computer has a TPM chip installed, the computer user might have to enable the TPM chip from the BIOS for the computer. The computer must restart for the user to access the BIOS.
- If a computer uses a USB device for authentication, the computer user must insert the USB device when the computer boots.
- If a computer uses a PIN or password for authentication, the computer user must type the PIN or password.
- If a computer fails the boot process hardware test, the computer does not start encryption until the error is corrected by the computer user.
If a system partition does not exist, Full Encryption automatically creates a system partition on a hard drive. A system partition is a small, unencrypted area of the drive (approximately 1.5 GB). The computer uses this required area to complete the boot process.
When Full Encryption encrypts a USB drive, it does not create a system partition.
For information about how to decrypt drives from the Full Encryption web UI, see Decrypt Devices.