Encryption policies for BitLocker Drive Encryption

The security officer can create a policy for (initial) encryption in the SafeGuard Management Center and distribute it to the BitLocker endpoints where it is executed. It triggers the BitLocker encryption of the drives specified in the policy.

As the BitLocker clients are managed transparently in the SafeGuard Management Center, the security officer does not have to specify any special BitLocker settings for encryption. SafeGuard Enterprise knows the client status and selects the BitLocker encryption accordingly. When a BitLocker client is installed with SafeGuard Enterprise and volume encryption is activated, the volumes are encrypted by BitLocker Drive Encryption.

A BitLocker endpoint processes policies of type Device Protection and Authentication.

The following settings are evaluated on the endpoint:

  • Settings in a policy of type Device Protection:
    • Target: Local Storage Devices | Internal Storage | Boot Volumes | Non-boot Volumes | Drive Letters A: - Z:
    • Media Encryption Mode: Volume based | No encryption
    • Algorithm to be used for encryption: AES128 | AES256
    • Fast initial encryption: Yes | No

For details see Device Protection.

  • Settings in a policy of type Authentication:
    • BitLocker Logon Mode for Boot Volumes: TPM | TPM + PIN | TPM + Startup Key | Startup Key |
    • BitLocker Fallback Logon Mode for Boot Volumes: Password | Startup Key | Password or Startup Key | Error
    • BitLocker Logon Mode for Non-Boot Volumes: Auto-Unlock | Password | Startup Key
    • BitLocker Fallback Logon Mode for Non-Boot Volumes: Password | Password or Startup Key | Startup Key

For details see Authentication.

All other settings are ignored by the BitLocker endpoint.
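The following PowerShell check is added here as an example; it is not part of the SafeGuard documentation or product. It reads the BitLocker state that Windows reports on an endpoint and compares it with the Device Protection and Authentication settings listed above. The expected policy values in `$Expected` and the mapping of SafeGuard logon modes to BitLocker key protector types in `$ProtectorMap` are assumptions chosen for illustration.

```powershell
# Added example (not from the SafeGuard documentation): compare the BitLocker state
# reported by Windows with the encryption policy the endpoint is expected to have applied.
# Assumptions: the expected values below are illustrative, and the logon-mode to
# key-protector mapping is the author's reading of how BitLocker exposes each mode.
# Run in an elevated PowerShell session on the BitLocker endpoint.

$Expected = @{
    Algorithm     = 'Aes256'        # policy "Algorithm to be used for encryption"
    BootLogonMode = 'TPM + PIN'     # policy "BitLocker Logon Mode for Boot Volumes"
    DataLogonMode = 'Auto-Unlock'   # policy "BitLocker Logon Mode for Non-Boot Volumes"
}

# Key protector type(s) BitLocker reports for each SafeGuard logon mode (assumed mapping).
$ProtectorMap = @{
    'TPM'               = @('Tpm')
    'TPM + PIN'         = @('TpmPin')
    'TPM + Startup Key' = @('TpmStartupKey')
    'Startup Key'       = @('ExternalKey')
    'Auto-Unlock'       = @('ExternalKey')   # auto-unlock registers an external key protector
    'Password'          = @('Password')
}

function Test-BitLockerPolicyCompliance {
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $isBoot = $vol.VolumeType -eq 'OperatingSystem'
        $mode   = if ($isBoot) { $Expected.BootLogonMode } else { $Expected.DataLogonMode }
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$($vol.MountPoint): not fully encrypted ($($vol.VolumeStatus))"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint): protection is $($vol.ProtectionStatus)"
        }
        # Windows may report Aes256 or XtsAes256; both satisfy an AES256 policy setting.
        if ($vol.EncryptionMethod.ToString() -notmatch $Expected.Algorithm) {
            $findings += "$($vol.MountPoint): method $($vol.EncryptionMethod), expected $($Expected.Algorithm)"
        }
        foreach ($want in $ProtectorMap[$mode]) {
            if ($types -notcontains $want) {
                $findings += "$($vol.MountPoint): missing '$want' protector for logon mode '$mode'"
            }
        }
    }
    return $findings   # empty array means every volume matches the expected policy
}

Test-BitLockerPolicyCompliance
```

Each returned line names one volume and the setting that deviates from the expected policy, which is the list a security officer would compare against the policy assigned in the SafeGuard Management Center.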