After you assign a policy to a device, the policy enforcement and disk encryption workflow varies slightly if you are using pre-boot authentication. Below are the concepts for disk encryption and pre-boot authentication that you need to understand when you apply a Disk Encryption policy to a device.
ZENworks Full Disk Encryption provides software-based encryption on standard, solid state, and self-encrypted hard disks.
Full Disk Encryption provides sector-based encryption of the entire disk or selected volumes (partitions). All files on a volume are encrypted, including any temporary files, swap files, or operating system files. Because all files are encrypted, the data cannot be accessed when booting the computer from external media such as a CD-ROM, floppy disk, or USB drive.
Compatible hard disks are any 3.5 or 2.5 inch disks that have the IDE, SATA, or PATA interface standard.
You can choose the industry-standard encryption algorithm (AES, Blowfish, DES, or DESX) and key length that best meets your organizations requirements. If the device firmware is configured for UEFI, the AES algorithm and 256 key length are automatically used.
NOTE:The cryptographic module used in ZENworks Full Disk Encryption to encrypt standard hard drives is not Federal Information Processing Standard (FIPS) 140-2 certified. However, the cryptographic module implements standards consistent with FIPS 140-2 Level 1 certification.
ZENworks Full Disk Encryption protects a device’s data when the device is powered off or in hibernation mode. As soon as someone successfully logs in to the Windows operating system, the encrypted volumes are no longer protected and the data can be freely accessed. To provide increased login security, you can use ZENworks Pre-Boot Authentication (PBA).
The ZENworks PBA is a Linux-based component. When the Disk Encryption policy is applied to a device, a 500 MB partition containing a Linux kernel and the ZENworks PBA is created on the hard disk.
During normal operation, the device boots to the Linux partition and loads the ZENworks PBA. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.
The Linux partition is hardened to increase security, and the ZENworks PBA is protected from alteration through the use of MD5 checksums and uses strong encryption for authentication keys.
ZENworks Pre-Boot Authentication is strongly recommended. If you don’t use the ZENworks PBA, encrypted data is protected only by Windows authentication.
For more information about ZENworks Pre-Boot Authentication, see the ZENworks Full Disk Encryption PBA Reference