Encrypting with BitLocker managed by SafeGuard Enterprise
Before encryption starts, BitLocker generates the encryption keys. The exact behavior depends on the hardware of the endpoint, as described below.
The TPM (Trusted Platform Module) is a hardware component BitLocker uses to store its encryption keys; the keys are not stored on the computer's hard disk. The basic input/output system (BIOS) must be able to access the TPM during startup. When the user starts the computer, BitLocker retrieves these keys from the TPM automatically.
If an endpoint is not equipped with a TPM, the logon mode can instead be a BitLocker startup key or, on endpoints running Windows 8 or later, a password.
A BitLocker startup key stores the encryption keys on a USB memory stick. The user has to insert the memory stick each time the computer is started.
When SafeGuard Enterprise activates BitLocker, users are prompted to save the BitLocker startup key. A dialog appears listing the valid target drives on which the startup key can be stored. For boot volumes, the startup key must be available when the endpoint starts, so it can only be stored on removable media.
For data volumes, the BitLocker startup key can be stored on an encrypted boot volume. This is done automatically if Auto-Unlock is defined in the policy.
For BitLocker recovery, SafeGuard Enterprise offers a Challenge/Response procedure that allows information to be exchanged confidentially and allows the BitLocker recovery key to be retrieved from the helpdesk, see Response for BitLocker encrypted SafeGuard Enterprise Clients - UEFI endpoints and Recovery key for BitLocker encrypted SafeGuard Enterprise Clients - BIOS endpoints.
If there are any drives already encrypted with BitLocker on your computer when SafeGuard Enterprise is installed, SafeGuard Enterprise takes over the management of these drives.
Encrypted boot drives: Management is taken over and recovery is possible.
Encrypted data drives: SafeGuard Enterprise recovery is possible.
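The following audit script is an added example and is not Sophos or SafeGuard Enterprise code. It reports, for each BitLocker volume on the endpoint, which of the logon modes described above protects it (TPM, startup key, password, or Auto-Unlock for data volumes) and whether a recovery password protector exists, which is what the helpdesk recovery procedure depends on. It assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; Get-BitLockerVolume and Get-Tpm are built-in cmdlets, the function name is our own.

```powershell
# Added example (not SafeGuard Enterprise code): classify BitLocker protectors per volume.
# Built-in cmdlets used: Get-BitLockerVolume, Get-Tpm. Run from an elevated session.
function Get-BitLockerProtectorReport {
    $tpmReady = $false
    try { $tpmReady = (Get-Tpm -ErrorAction Stop).TpmReady } catch { }  # no TPM or no TPM driver

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. Tpm, TpmPin, ExternalKey, Password, RecoveryPassword
        $types  = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $isBoot = $vol.VolumeType -eq 'OperatingSystem'

        # Map protector types to the logon modes described in the text above.
        $logon = if ($types -like 'Tpm*') { 'TPM' }
                 elseif (-not $isBoot -and $vol.AutoUnlockEnabled) { 'Auto-Unlock (key on boot volume)' }
                 elseif ($types -contains 'ExternalKey') { 'Startup key (removable media)' }
                 elseif ($types -contains 'Password') { 'Password' }
                 else { 'None' }

        $findings = @()
        if ($vol.ProtectionStatus -eq 'On' -and $logon -eq 'None') {
            $findings += 'Encrypted but no usable unlock protector found'
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector: helpdesk recovery not possible'
        }
        if ($isBoot -and $logon -eq 'TPM' -and -not $tpmReady) {
            $findings += 'TPM protector present but TPM not ready: check BIOS/UEFI TPM settings'
        }

        [PSCustomObject]@{
            Volume     = $vol.MountPoint
            Type       = "$($vol.VolumeType)"
            Status     = "$($vol.VolumeStatus)"
            Protection = "$($vol.ProtectionStatus)"
            LogonMode  = $logon
            Protectors = ($types -join ', ')
            Findings   = ($findings -join '; ')
        }
    }
}

Get-BitLockerProtectorReport | Format-Table -AutoSize
```

A volume that is already encrypted when SafeGuard Enterprise is installed shows up here with its existing protectors, so the report also tells you which drives the takeover described above will apply to.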