About full disk encryption

Note: This feature is not included with all licenses. If you want to use it, you might need to change your license. For more information, see http://www.sophos.com/en-us/products/complete/comparison.aspx.

Full disk encryption protects the data on endpoint computers from being read or changed by unauthorized persons. Volumes on disks are encrypted transparently. Users do not need to decide what data is to be encrypted. Encryption and decryption are performed in the background.

By default, computers protected by full disk encryption run the Power-on Authentication (POA) before the operating system starts. After the user has logged on at the Power-on Authentication, the operating system starts and the user is logged on to Windows.

For convenient access, full disk encryption offers several features that aid IT operations on endpoint computers:

The Power-on Authentication can be temporarily deactivated for Wake on LAN, for example to facilitate patch management.
Normally, the first user who logs on to an endpoint computer after the encryption software has been installed, activates the Power-on Authentication. You can configure Windows accounts for logon to endpoint computers without activating the Power-on Authentication. This helps members of the IT team, for example, rollout operators. With the Windows accounts you specify in the full disk encryption policy as Power-on Authentication exceptions, they can log on to new computers for installation and verification tasks before end users log on and activate the Power-on Authentication.
You can configure a POA user account to a member of the IT team to log on to endpoint computers for administrative tasks when the Power-on Authentication is already active.

For recovery on computers protected by full disk encryption, the following logon recovery methods are available:

Challenge/Response helps users who cannot log on to their computers or access encrypted data. A Challenge/Response procedure involves the assistance of a help desk. During the Challenge/Response procedure, the user provides a challenge code generated on the endpoint computer to the help desk officer. The help desk officer then generates a response code that authorizes the user to perform a specific action on the computer. For more information, see Recover access with Challenge/Response.
With Local Self Help users who have forgotten their password can log on at their computer without the assistance of a help desk. Users log on by answering predefined questions in the Power-on Authentication. Local Self Help reduces the number of help desk calls and allows help desk staff to concentrate on more complex support requests. For more information, see Recover access with Local Self Help.

Important: Do not delete from the console computers that have been encrypted. Encryption recovery may not be possible in this case.

For more information about the recommended settings for full disk encryption, see the Sophos Enterprise Console policy setup guide.

For information about viewing events logged for computers protected by full disk encryption, see View encryption events.