Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/esg/endpoint/help/en-us/index.html?contextId=encrypt-computer

Encrypt the computer

You can encrypt the computer if your license includes encryption.

To see how, click the tab for your operating system.

Encryption is not available for servers.

Sophos Device Encryption encrypts the hard disk of the computer using BitLocker. Your administrator defines whether you need to authenticate each time you access the computer.

If no authentication is required, the encryption of the hard disk starts automatically as soon as you restart the computer after you received the Sophos Central policy. There is nothing you need to do in this case.

If you need to authenticate, do as follows:

  1. When the Sophos Device Encryption dialog is displayed, follow the instructions in the dialog. The specific instructions depend on your system and the policy settings defined by your administrator.

    • If the Device Encryption policy requires a PIN or password for authentication, follow the on-screen instructions to create a PIN or password.

      Note

      Be careful when you create a PIN or password. The pre-boot environment only supports the US-English keyboard layout. If you create a PIN or password now with special characters, you might have to use different keys when you enter it to sign in later.

    • If the Device Encryption policy requires a USB key for authentication, you need to connect a USB drive to your computer. The USB drive must be formatted with NTFS, FAT, or FAT32.

  2. Click Restart and Encrypt. The computer restarts and encrypts the hard disks. You can work as usual.

    Note

    You can select Do this later to close the dialog. However, it will appear again next time you sign in.

After Sophos Central has encrypted the system volume, the encryption of the data volumes is started. Removable data volumes such as USB drives are not encrypted.

From now on, when you sign in to the computer, you may need a PIN, password, or USB key to unlock your system volume. Data volumes are unlocked automatically.

Sophos Device Encryption encrypts the hard disk of the Mac using FileVault 2.

When your administrator activates Device Encryption, the Sophos Device Encryption dialog is displayed.

To encrypt the Mac, do as follows:

  1. In Sophos Device Encryption, enter your sign-in password and click Encrypt. This turns on Sophos Device Encryption. Alternatively, click Postpone to start the process later.
  2. Your recovery key is automatically stored in Sophos Central.

  3. Click Restart when prompted to restart the Mac.

    Warning

    Do not restart the Mac until you see the restart notification. If you restart without the recovery key safely stored and you forget your sign-in password, you can't access the Mac. Recovery isn't possible in this case.

When the system disk is encrypted, the internal data volumes are automatically encrypted. Removable data volumes such as USB drives are not encrypted.

Encrypted disks are automatically unlocked when the Mac starts.