Have a
representative
contact me

Data protection is of the utmost importance, but companies often don't give it the attention it deserves. High profile data breaches like the recent Nationwide example have brought data protection to the boardroom.

Alex Kwiatkowski, lead analyst at Datamonitor.

Hard Disk Encryption Frequently Asked Questions

This page contains answers to the most commonly asked questions about Hard Disk Encryption

Disk Encryption

Enterprise Manageability

User Authentication

End User Experience

Integration with Network Environment

Key Management

Reporting

How Does GuardianEdge Compare?

Disk Encryption

1) What is a pre-boot operating system, and why is it important?

A pre-boot operating system is a small, fast, secure environment that hosts user authentication for GuardianEdge Hard Disk Encryption endpoints. This pre-boot operating system is hardened to protect against security exploits, with entry points rigidly defined to create a very small attack surface relative to the endpoint’s main operating system. It provides a highly secure environment for user authentication with features like automatic delay after a pre-defined number of incorrect password attempts, and supports user productivity with features like single sign-on to Windows.

2) What is AES Encryption and how is it used?

During installation of the GuardianEdge Hard Disk Encryption endpoint client, a unique workstation encryption key is created and securely stored on the drive. The GuardianEdge Hard Disk Encryption driver intercepts all drive read and write requests from the operating system, and uses the workstation encryption key in combination with the Advanced Encryption Standard (AES) algorithm to encrypt every block of data when Windows writes a file to the drive, and decrypt every block of data into memory when Windows reads a file from the drive. Data stored on the drive is always encrypted. GuardianEdge Hard Disk Encryption decrypts data into memory – never onto the drive! – As Windows reads a file.

3) What parts of the disk are encrypted?

By default, GuardianEdge Hard Disk Encryption encrypts every sector on the drive or partition; in other words, the entire drive. This includes temporary, swap, and hibernation files written by the operating system.

4) Can more than one disk partition be encrypted?

GuardianEdge Hard Disk Encryption can encrypt up to 26 (twenty-six) partitions on the system boot drive.

5) What happens if a computer is shut down during disk encryption?

The GuardianEdge Hard Disk Encryption driver is built to handle endpoint standby, hibernation, shut down – even power loss – during drive or partition level encryption. Encryption will automatically resume where it left off when you restore power to the machine.

6) What type of encryption is used?

The primary encryption algorithms used are the Advanced Encryption Standard (AES) in Cipher Block Chaining mode with either a 128 or 256-bit key for encrypting data on the drive, SHA-1 for generating secure “hashes” or signatures of data used in key management, and the standard IEEE P-1363 implementation of Elliptic Curve Cryptography for public/private key cryptography used in key management.

7) Is the product certified?

Yes

GuardianEdge Hard Disk Encryption includes the FIPS 140-2 certified GuardianEdge Encryption Library.
GuardianEdge Hard Disk Encryption is Common Criteria EAL4+ certified.

8) What is the impact of disk encryption on performance?

Users typically don’t notice the performance impact of GuardianEdge Hard Disk Encryption, which varies between 5% and 15% depending on the machine configuration and hardware. The GuardianEdge Hard Disk Encryption driver is specifically architected to run at low priority during drive or partition level encryption, so users can continue to work productively on machines that are undergoing encryption for the first time.

9) What hardware platforms and operating systems are supported?

For endpoint encryption, all of Microsoft’s current business-class endpoint operating systems are supported:

Microsoft Windows 2000 SP 4
Microsoft Windows XP Professional and Tablet Edition SP 2 and SP 3
Microsoft Vista Business Edition
Microsoft Vista Ultimate Edition
Microsoft Vista Enterprise Edition

The GuardianEdge Management Server supports Microsoft Windows Server 2003 SP1 and SP2.

Enterprise Manageability

1) How does GuardianEdge leverage Active Directory?

GuardianEdge Hard Disk Encryption is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:

MMC interface - The GuardianEdge Management Console uses a native MMC interface, already familiar to administrators for managing email and systems and allowing them to be immediately effective with minimal training.
Microsoft GPO policy control - Policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available through GuardianEdge Manager, and no LDAP synch is required to periodically update it.
Active Directory role based administration - The GuardianEdge Data Platform uses Active Directory’s powerful role-based capabilities. Administrators can be limited to specific functions, such as creating MSI files or viewing monitored data, within the GuardianEdge Management Console. Additionally, administrators can only be allowed to deploy GuardianEdge policies to a specific domain, site, OU, or group.
Active Directory’s Resultant Set of Policies (RSoP) can be used to determine the winning GuardianEdge policy on an endpoint.
Structure and policy deployment - GuardianEdge Platform policies use Active Directory’s replication, forest / domain structures and policy deployment mechanisms

2) How does GuardianEdge support Novell eDirectory?

GuardianEdge provides support for Novell eDirectory via an automatic synchronization. The Novell eDirectory full hierarchy and computer objects are imported, and can be managed from the same single management console with Active Directory endpoints and endpoints not part of any network domain. Policy deployment is via GuardianEdge’s native policy control mechanism or via MSI package deployment to the Novell endpoints.

In addition, machines can be moved to Active Directory management from eDirectory management without loss of protection or reporting, and may be simultaneously memebers of both Active directory and eDirectory domains.

3) How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?

Non-domain endpoints, such as computers that are connected via VPN from home users and also contractors’ machines that connect to the network are supported from the GuardianEdge Management Console. Once software is deployed to these endpoints, they begin reporting in to the console and are managed in with GuardianEdge’s native policy control and reporting mechanisms.

In addition, these non-domain machines can be moved to Active Directory management without loss of protection or reporting.

4) What administrative roles are includes with the solution?

For Active Directory:

Four administrative roles are included, three for the server and management console and one for local endpoint administration:

The Hard Disk Encryption Administrator is responsible for the installation, configuration and maintenance of the GuardianEdge Hard Disk Encryption server and management console, and for the creation and deployment of client installer packages.
Hard Disk Encryption Policy Administrators are responsible for creating and deploying Microsoft Group Policy Objects (GPO) through the Active Directory snap-in within the GuardianEdge management console. These group policy objects control the security profile for groups of machines protected by GuardianEdge Hard Disk Encryption.
One-Time Password administration is typically assigned to Help Desk personnel, who provide assistance to users who have forgotten or lost their password or PIN.
Client Administrators are provisioned by the Hard Disk Encryption Administrator or Policy Administrator, and have special privileges for local administration of endpoints protected by GuardianEdge Hard Disk Encryption.

For Novell eDirectory and non-domain endpoints:

A single level of administrative access is available

5) How hard is it to provision hard disk encryption to endpoints?

It’s simple and easy! Client installer packages come in the standard MSI format, and can be deployed to endpoints through Active Directory group policy or any standard enterprise software provisioning tool such as SMS, Tivoli or Altiris. Silent installation is supported to help make the end user experience seamless and transparent.

6) How are software updates installed?

Software updates for both the GuardianEdge Hard Disk Encryption server and endpoint clients come in the standard MSI format, making it easy to deploy updates using standard enterprise software provisioning tools. Updates can be installed at any time, and never require un-installation of previous versions or decryption of endpoint data.

7) How are disk encryption policies set and changed?

Endpoint disk encryption policies are controlled through Microsoft Active Directory Group Policy Objects (GPO). The GuardianEdge Hard Disk Encryption management console includes a group policy snap-in that interfaces with Active Directory. Policies created by the Hard Disk Encryption Policy Administrator can be deployed at any level of granularity within the Active Directory tree, from all machines within an Active Directory forest to any organizational unit - even to a single machine.

Novell eDirectory and non-domain computers use GuardianEdge’s native policy deployment mechanism to deploy policies.

8) Is GuardianEdge disk encryption able to handle thousands of endpoints?

Yes. The server management infrastructure leverages Microsoft Active Directory, Microsoft SQL Server and Microsoft Windows Server clustering services, ensuring robust management and reporting capabilities to meet virtually all enterprise deployment requirements for scale and availability. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with GuardianEdge Hard Disk Encryption.

9) Is GuardianEdge Hard Disk Encryption Integrated with Altiris?

Yes. GuardianEdge Altiris Connector Integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server. Allow organizations to:

Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
Easily identify systems without protection
Remediate immediately from the Altiris Notification Server

User Authentication

1) How do users authenticate to encrypted endpoints?

GuardianEdge Hard Disk Encryption supports password authentication for endpoint users and— when combined with GuardianEdge Advanced Authentication—can be extended to provide and token or smartcard authentication. Single sign-on is supported for both authentication methods, enabling endpoint users to authenticate to GuardianEdge Hard Disk Encryption pre-boot authentication and Windows using a single set of credentials. For password users with single sign-on enabled, user authentication credentials consist of their Windows logon name, Active Directory domain, and password. When combined with GuardianEdge Advanced Authentication, users extend their credentials with tokens or smartcards. In this circumstance user credentials consist of their Windows logon name, Active Directory domain, the physical token, and their token PIN.

2) Is strong multi-factor authentication supported?

GuardianEdge Hard Disk Encryption supports multi-factor authentication when combined with GuardianEdge Advanced Authentication. This combination supports tokens and smartcards with X.509 digital certificates during pre-boot authentication, including tokens and smartcards certified as compliant with the U.S. Department of Defense Common Access Card (CAC) standard and the Personal Identity Verification (PIV) standard.

3) Do users have to remember multiple passwords?

No. With GuardianEdge Hard Disk Encryption’s single sign-on feature, users provide their normal Windows or Novell credentials once and GuardianEdge Hard Disk Encryption automatically and securely passes those credentials to the Windows logon process after authenticating in pre-boot. GuardianEdge Hard Disk Encryption can be configured to require two separate user passwords – one for pre-boot authentication and one for Windows authentication – but most customers prefer to deploy with the GuardianEdge Hard Disk Encryption single sign-on feature enabled.

4) What happens when a user’s Windows password changes?

With single sign-on enabled, GuardianEdge Hard Disk Encryption automatically receives notice of changes to the user’s Windows password from the Windows GINA or Credentials Manager. It automatically updates any change with pre-boot authentication, ensuring that the user’s password remains in sync for both pre-boot and Windows authentication.

End User Experience

1) Do users have to stop working while their disk is being encrypted?

No. The GuardianEdge Hard Disk Encryption driver runs at a low priority in the background during disk or partition level encryption, so users can continue to use their machines productively while data on the hard drive is being encrypted for the first time.

2) What happens if power is lost during disk encryption?

Power loss protection is *always* enabled during disk or partition level encryption. The GuardianEdge Hard Disk Encryption driver maintains the state of disk encryption and, if power is lost, will automatically resume encryption where it left off when power is restored.

3) How easy is it for a user to set up an account?

It’s as easy as logging on to Windows! When a user logs on to Windows after GuardianEdge Hard Disk Encryption has been installed on their endpoint, a simple dialog prompts them to become a registered GuardianEdge Hard Disk Encryption user. All they have to do is reply “Yes” to the dialog, and the GuardianEdge Hard Disk Encryption registration process sets up their account for them.

4) Will users notice changes to system performance because of encryption?

5) Can more than one user log on to an encrypted endpoint?

Yes. GuardianEdge Hard Disk Encryption endpoints can be configured through policy to support up to 250 user accounts and 250 administrator accounts.

6) What happens when a user forgets their password or PIN?

GuardianEdge Hard Disk Encryption provides both self-help and Help Desk-assisted recovery for users who forget their password or PIN. Authenti-Check™ is a self-help, challenge and response feature that enables users to recover access to their machines through a combination of questions and answers that were defined during the user’s GuardianEdge Hard Disk Encryption registration process. Authenti-Check provides secure recovery without involving Help Desk or other administrative personnel, reducing the TCO for a GuardianEdge Hard Disk Encryption deployment. One Time Password is a Help Disk-assisted recovery feature that enables user to recover access to their machines even if they’ve forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to provide a user with one-time access to their machine.

Integration with Network Environment

1) Can IT administrators push out patches to encrypted endpoints?

Yes. GuardianEdge Hard Disk Encryption supports remote machine administration or “Wake on LAN”. Through policy, administrators can establish a window of time during which machines will re-boot without requiring pre-boot authentication, and also specify the number of times the machine can re-boot before pre-boot authentication is reactivated.

2) Is encryption compatible with anti-virus products?

Yes. GuardianEdge tests its endpoint data encryption products with current anti-virus solutions to ensure that they are compatible with typical enterprise deployments.

3) Can the GuardianEdge disk encryption products leverage existing directory services?

Yes. Close integration with Microsoft Active Directory is a key component of the GuardianEdge Hard Disk Encryption solution. Security policies for GuardianEdge Hard Disk Encryption endpoints are controlled through Microsoft Group Policy Objects (GPO), and creation and deployment of GuardianEdge Hard Disk Encryption policies is leveraged within the GuardianEdge management console through an MMC snap-in to Active Directory group policy management. In addition, GuardianEdge also supports the Novell eDirectory environment, including all computer objects and the complete eDirectory organizational unit hierarchy.

4) Does encryption affect compatibility with office productivity applications?

Virtually all office productivity applications are compatible with full disk encryption. The GuardianEdge Hard Disk Encryption driver sits at a software layer well below these applications. Both encryption of data written to the disk and decryption of data read from the disk are completely transparent to the Windows software application layer.

5) What operating systems does GuardianEdge Hard Disk Encryption support?

For endpoint encryption, all of Microsoft’s current business-class endpoint operating systems are supported:

Microsoft Windows 2000 SP 4
Microsoft Windows XP Professional and Tablet Edition SP 2 and SP 3
Microsoft Vista Business Edition
Microsoft Vista Ultimate Edition
Microsoft Vista Enterprise Edition

The GuardianEdge Management Server supports Microsoft Windows Server 2003 SP1 and SP2.

6) Are 3rd party disk forensics supported?

Yes. GuardianEdge and Guidance Software have integrated their solutions with the EnCase Forensic product from GuidanceSoftware, an industry leading computer forensic investigation tool. The EnCase Forensic product is compatible with GuardianEdge Hard Disk Encryption, and provides comprehensive computer forensic investigation for disks encrypted by GuardianEdge Hard Disk Encryption. Note that the customer must supply valid GuardianEdge Hard Disk Encryption administrative credentials in order for EnCase to be able to access encrypted data on the disk.

Key Management

1) Is a PKI infrastructure required to support your product?

No. GuardianEdge has implemented its own robust, secure public/private key infrastructure within the Hard Disk Encryption product for key escrow and recovery. For customers who have deployed PKI solutions within their enterprise, GuardianEdge Hard Disk Encryption is fully compatible with Windows authentication methods required by these solutions including two-factor authentication.

2) How are the encryption keys for an encrypted machine protected?

Encryption keys are generated by GuardianEdge Hard Disk Encryption’s FIPS 140-2 validated pseudo-random number generator and are unique to each endpoint. These keys are encrypted with public keys derived from user and administrator credentials applied to the Elliptic Curve Cryptography public/private key pair algorithm and securely stored within the GuardianEdge Hard Disk Encryption pre-boot environment, ensuring that the disk encryption keys can only be unlocked through valid user or administrator authentication.

3) Can administrators gain emergency access to encrypted machines?

GuardianEdge Hard Disk Encryption ensures that at least one valid administrative account is always provisioned to each machine. A comprehensive set of utilities is provided with the solution that allow administrative accounts to remove existing registered users from a machine, add new users to a machine, or quickly and securely recover data from encrypted machines when user account information is lost or missing.

4) What is the role of the IT help desk in assisting users with key recovery?

One Time Password is a Help Disk-assisted recovery feature that enables user to recover access to their machines even if they’ve forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to provide a user with one-time access to their machine.

5) Is password or access recovery supported even when the endpoint is off the network?

Yes. Both the self-help Authenti-Check access recovery feature and the Help Desk-assisted One Time Password feature can be used regardless of whether a machine is currently connected to the corporate network.

Reporting

1) What information do endpoints report back to the central management console?

All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes:

State of drive and partition encryption on a machine
User accounts per machine
Administrative accounts per machine
Timestamp of last check-in by a machine to the server
SM BIOS id information
Asset Tag
Part number
Serial number

2) What reports are provided?

Ten standard reports are included as starting points for administrators. Data from these reports can be exported to CSV file for further analysis, printed (both print preview and column show/hide are supported), or viewed from the screen 100 at a time:

Collection of machine names and status
All machines without Hard Disk Encryption
All machines without Removable Storage Encryption
Machines with decrypted logical drives
Non-reporting computers
Computers not encrypting to removable storage devices
All computers with specific registered users
Computers with client TLS/SSL certificates at or nearing expiration
Synchronization status for Active Directory
Synchronization status for eDirectory

3) How can I get custom and more detailed reports?

All data reported to the GuardianEdge Management console is stored in the Microsoft SQL server instance that you are using with your GuardianEdge installation. To create customized reports, use standard database reporting tools.

4) How can I know if a system has been subject to a “brute force” or other similar attack?

GuardianEdge Hard Disk Encryption logs all user and administrative authentication attempts to the Windows Event Log on the local machine. These logs provide comprehensive data regarding all authentication attempts, including user names, success or failure, reason for failure, and timestamp. GuardianEdge Hard Disk Encryption protects against brute force authentication attempts at the pre-boot logon dialog by implementing an automatic delay after the administrator-defined threshold for unsuccessful logon attempts has been exceeded.

5) Can an endpoint that goes lost or missing be locked out from all user access?

Yes. Through policy, machines can be required to “check in” to the GuardianEdge Hard Disk Encryption server periodically. A machine that exceeds the administrator-defined reporting interval will be automatically locked out to all user accounts.

6) Is there an audit trail that shows what users are registered on what endpoints?

Yes. All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes both user and administrative accounts per machine.

7) Is there an audit trail proving that an endpoint is encrypted?

How Does GuardianEdge Compare?

1) How is GuardianEdge’s solution different that Microsoft Vista Bitlocker?

Bitlocker and GuardianEdge Hard Disk Encryption are two completely different classes of product. Bitlocker is a relatively immature, difficult to deploy and manage first generation product. GuardianEdge Hard Disk Encryption is a mature, robust product with hundreds of successful enterprise deployments over the past ten years.

Microsoft BitLocker is a first-generation disk encryption product. Bitlocker:

Runs only on certain versions of the Vista operating system.
Requires IT administrators to create a special partition on the system boot drive for all endpoints.
Requires either a TPM module, or a USB Flash drive to store logon keys. If TPM is used, TPM modules must be deployed, activated and managed on all protected endpoints (Microsoft does not provide a management solution for TPM)
Does not include a management console. Microsoft does not provide a central management console for BitLocker. In order to escrow recovery keys from BitLocker endpoints, Microsoft requires the modification of the enterprise Active Directory schema.

By contrast, GuardianEdge Hard Disk Encryption:

Leverages the existing enterprise infrastructure and is designed from the ground up for the best security with the lowest total cost of ownership.
Runs on all Microsoft endpoint operating systems that Microsoft provides support for today (Windows 2000, XP Professional and Vista), and requires no additional hardware or software to deploy and manage thousands of endpoints.
Has an enterprise class management console tightly integrated with Active Directory, does not require the extension of the enterprise Active Directory schema, and provides a common interface for management of all GuardianEdge data protection solutions, including Hard Disk Encryption, Removable Storage Encryption, and Device Control.

2) What makes GuardianEdge different from other full disk encryption software vendors?

GuardianEdge offers the only native Active Directory integration in the industry. This approach leverages the significant investment that organizations have already implemented in Active Directory—a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role-based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.

Not only does GuardianEdge have the only native integration to Active Directory, it also supports Novell eDirectory and non-domain endpoints from the same single console environment. This makes it possible for organizations that primarily use eDirectory as their directory services solution—or who use it in addition to Active Directory—to get the full benefit of GuardianEdge’s integrated data protection platform. In addition, as users increasingly work from home with either a full time or part time connection to the network, and as contractors bring their machines into the network, these PCs not registered with the domain can also be protected and managed from this same single management console.

Enterprises also need common administration for data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge Hard Disk Encryption, Removable Storage Encryption and Device Control from the same single management console.

GuardianEdge Hard Disk Encryption is based on a 13-year track record of success in full disk encryption solutions. It has the highest success rates on deployment of any full disk encryption solution and a long list of satisfied blue chip customers. Service and support for GuardianEdge products—a key component of any enterprise-class solution—also meets the highest standards for availability, customer satisfaction and expert assistance.

It is also non-disruptive and transparent to end-users. For successful deployment and operation, a full disk encryption solution must both protect data, and make it possible for workers to productively use their PCs. Key to this balance are minimal user adoptions requirements, and implementations that allow users to continue to use their systems as they have in the past, while providing the protection organizations require for their data. GuardianEdge provides a truly non-disruptive, transparent environment that allows users to productively get on with their work, while protecting the data on their systems.

Email Page

Print Page

top of page

learn more

nobis