Configure full disk encryption

If you are installing the Sophos encryption software for the first time, we strongly recommend that you enable and test each setting step-by-step.

If you use role-based administration:

For more information, see About roles and sub-estates.

By default, full disk encryption is not enabled.

To enable and configure full disk encryption:
  1. Check which full disk encryption policy is used by the group or groups of computers you want to configure.
  2. In the Policies pane, double-click Full disk encryption. Then double-click the policy you want to change.
    The Full disk encryption dialog box is displayed.
  3. Under Volumes to encrypt, specify which volumes you want to encrypt by selecting the relevant check box(es):
    • Boot volumes
    • Non-boot volumes
  4. Select Fast initial encryption (only encrypts used space on a drive) to reduce the time needed for initial encryption on endpoint computers.
    Note: The fast initial encryption mode leads to a less secure state if a disk has been in use before encryption is applied. Unused sectors may still contain data.
  5. Click OK.
When you assign the full disk encryption policy with these settings to a group of computers with the latest Sophos encryption software installed, the encryption process starts once the policy is received. The user can carry on working.
Note: To decrypt computers, clear the relevant options under Volumes to encrypt and assign the policy to the group of computers to be decrypted. Users are then allowed to manually decrypt the respective drives.