Volume-based full disk encryption

With volume-based full disk encryption, all data on a volume (including boot files, pagefiles, hibernation files, temporary files, directory information, etc.) is encrypted. Users do not have to change their normal operating procedures or take any security action themselves.

To apply volume-based encryption to an endpoint, create a policy of the type Device Protection and set the Media encryption mode to Volume-based. For further information, see Device Protection.

  • Volume-based encryption/decryption is not supported for drives without a drive letter assigned.
  • If an encryption policy exists for a volume or a volume type and encryption of the volume fails, the user is not allowed to access it.
  • Endpoints can be shut down and restarted during encryption/decryption.
  • If decryption is followed by an uninstallation, we recommend that the endpoint is not suspended or hibernated during decryption.
  • If, after volume encryption, a new policy that allows decryption is applied to an endpoint computer, the following applies: after a complete volume-based encryption, the endpoint computer must be restarted at least once before decryption can be started.

Note: In contrast to SafeGuard BitLocker Drive Encryption, SafeGuard volume-based encryption does not support GUID partition table (GPT) disks. Installation will be aborted if such a disk is found. If a GPT disk is added to the system later, volumes on the disk will get encrypted. Please be aware that the SafeGuard recovery tools - such as BE_Restore.exe and recoverkeys.exe - cannot handle such volumes, and Sophos strongly recommends that you avoid encrypting GPT disks. To decrypt volumes that were accidentally encrypted, please change your SafeGuard Enterprise policies accordingly and have the user decrypt them.
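The two restrictions above (no drive letter, GPT disk) are easy to check for before a Device Protection policy reaches an endpoint. The following script is an added example for this page, not SafeGuard Enterprise code or a Sophos tool; it uses only the built-in Windows Storage module cmdlets (Get-Disk, Get-Partition, Get-Volume, available on Windows 8 / Server 2012 and later, run from an elevated shell) and assumes that every fixed volume with a file system is a candidate for volume-based encryption. The function name Get-VolumeEncryptionReadiness is this example's own.

```powershell
# Added example, not part of the SafeGuard documentation or product.
# Inventories fixed volumes on a Windows endpoint and flags the conditions the
# documentation lists as unsupported for volume-based encryption: a volume
# without a drive letter, and a volume that resides on a GPT disk.

function Get-VolumeEncryptionReadiness {
    [CmdletBinding()]
    param()

    # Disk number -> partition style (MBR, GPT or RAW), looked up once.
    $styleByDisk = @{}
    foreach ($disk in Get-Disk) {
        $styleByDisk[[int]$disk.Number] = [string]$disk.PartitionStyle
    }

    # Partitions link a volume's GUID path (\\?\Volume{...}\) to its disk number.
    $partitions = @(Get-Partition)

    # Assumption: only fixed volumes with a file system are encryption candidates;
    # optical and removable media are governed by other policy settings.
    $volumes = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem }

    foreach ($vol in $volumes) {
        $part = $partitions |
            Where-Object { $_.AccessPaths -contains $vol.Path } |
            Select-Object -First 1
        $diskNumber = if ($part) { [int]$part.DiskNumber } else { $null }
        $style = if ($null -ne $diskNumber) { $styleByDisk[$diskNumber] } else { 'Unknown' }

        $letter    = [string]$vol.DriveLetter
        $hasLetter = $letter -match '^[A-Za-z]$'

        $reasons = @()
        # Documentation: encryption/decryption is not supported without a drive letter.
        if (-not $hasLetter) { $reasons += 'no drive letter assigned' }
        # Documentation: GPT disks are not supported and the recovery tools
        # cannot handle volumes on them.
        if ($style -eq 'GPT') { $reasons += 'located on a GPT disk' }

        [pscustomobject]@{
            Volume         = $vol.Path
            DriveLetter    = if ($hasLetter) { $letter } else { $null }
            Label          = $vol.FileSystemLabel
            DiskNumber     = $diskNumber
            PartitionStyle = $style
            SizeGB         = [math]::Round($vol.Size / 1GB, 1)
            Ready          = ($reasons.Count -eq 0)
            Reason         = ($reasons -join '; ')
        }
    }
}

# Usage: show the full inventory, then warn about every volume that would
# either block installation (GPT) or be skipped by encryption (no drive letter).
$report = Get-VolumeEncryptionReadiness
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Ready } | ForEach-Object {
    Write-Warning "$($_.Volume) ($($_.Label)): $($_.Reason)"
}
```

A volume reported as located on a GPT disk is the case the note warns about: if such a disk is present at installation time the installer aborts, and if it is added later its volumes are encrypted even though BE_Restore.exe and recoverkeys.exe cannot handle them, so those disks are best dealt with before the policy is assigned.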