If you are installing the Sophos encryption software for the first
time, we strongly recommend that you enable and test each setting
If you use role-based administration:
- You must have the Policy
setting - full disk encryption right to edit a full disk
- You cannot edit a policy if it is
applied outside your active sub-estate.
For more information, see About roles and sub-estates.
By default, full disk encryption is not enabled.
To enable and configure full
Check which full disk encryption policy is used by the group or groups of
computers you want to configure.
In the Policies pane, double-click Full disk
encryption. Then double-click the policy you want to
The Full disk encryption dialog box is
Under Volumes to encrypt, specify which volumes you want
to encrypt by selecting the relevant check box(es):
- Boot volumes
- Non-boot volumes
Select Fast initial encryption (only encrypts used space on a
drive) to reduce the time needed for initial encryption on
Note: The fast initial encryption mode leads to a less secure state if a disk
has been in use before encryption is applied. Unused sectors may still
When you assign the full disk encryption policy with these settings to a group of
computers with the latest Sophos encryption software installed, the encryption process
starts once the policy is received. The user can carry on working.
Note: To decrypt
computers, clear the relevant options under Volumes to
encrypt and assign the policy to the group of computers to be
decrypted. Users are then allowed to manually decrypt the respective