SafeGuard Enterprise supports the vendor-independent Opal standard for self-encrypting hard drives and offers management of endpoints with hard drives of this type.
To ensure that the support of self-encrypting, Opal-compliant hard drives follows the standard closely, two types of checks are carried out when SafeGuard Enterprise is installed on the endpoint:
Functional checks: These include, among others, checking whether the drive identifies itself as an "OPAL" hard drive, whether communication properties are correct, and whether all Opal features required for SafeGuard Enterprise are supported by the drive.
Security checks ensure that only SafeGuard Enterprise users are registered on the drive and that only SafeGuard Enterprise users own the keys used to software-encrypt non-self-encrypting drives. If other users are found to be registered at installation, SafeGuard Enterprise automatically tries to disable these users. This functionality is required by the Opal standard, with the exception of a few default "authorities" that are required to run an Opal system.
If any of these checks fail in an unrecoverable way, the installation does not fall back to software-based encryption. Instead all volumes on the Opal drive remain unencrypted.
From SafeGuard Enterprise version 7 onwards, no Opal checks are performed by default. This means that, although an Opal drive is present, SafeGuard Enterprise will encrypt volumes on this drive using software-based encryption.
If you want to force Opal checks, use the following command line syntax:
MSIEXEC /i <name_of_selected_client_msi>.msi OPALMODE=0
Some Opal hard drives may have potential security issues. There is no way to automatically determine which privileges have been assigned to an unknown user/authority that has already been registered on the drive when SafeGuard Enterprise installation/encryption is carried out. If the drive refuses the command to disable such users, SafeGuard Enterprise falls back to software encryption to ensure maximum security for the SafeGuard Enterprise user. As we cannot give any security guarantees for the hard drives themselves, we have implemented a special installation switch to enable you to use drives which may have potential security risks at your own discretion. For a list of hard drives for which this installation switch is necessary and for further information on supported hard drives, refer to the SafeGuard Enterprise Release Notes.
To apply the installation switch, use the following command line syntax:
MSIEXEC /i <name_of_selected_client_msi>.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1
If you want to install using a transform, the internal property of the .msi has the same name.
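The following PowerShell wrapper is an added example, not Sophos code. It builds the msiexec call from the two properties described above and refuses to add IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1 unless the drive model is on a list you have copied from the Release Notes. The function name, the model strings, the log path and the file path are hypothetical, and it assumes both properties may be passed in the same call.

```powershell
# Added example, not Sophos code. Composes the msiexec call from the two
# properties documented on this page.
function New-SgnOpalInstallArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $DiskModel,
        # Assumption: models copied by hand from the Release Notes list.
        [string[]] $ApprovedModels = @(),
        [switch]   $AllowAuthorityCheckOverride,
        [string]   $LogPath = "$env:TEMP\sgn-opal-install.log"
    )

    # OPALMODE=0 forces the Opal checks that version 7 onwards skips by default.
    # /l*v writes a verbose MSI log so the outcome can be reviewed afterwards.
    $msiArgs = @('/i', "`"$MsiPath`"", 'OPALMODE=0', '/l*v', "`"$LogPath`"")

    if ($AllowAuthorityCheckOverride) {
        # The override accepts drives with unknown registered authorities, so
        # apply it only to models explicitly approved for this deployment.
        if ($ApprovedModels -notcontains $DiskModel.Trim()) {
            throw "Model '$DiskModel' is not approved for IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1."
        }
        $msiArgs += 'IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1'
    }
    return ,$msiArgs
}

# Constructed sample values; replace with the real package path and model list.
$approved = @('EXAMPLE-OPAL-MODEL-1')
$model    = 'EXAMPLE-OPAL-MODEL-1'   # e.g. (Get-PhysicalDisk)[0].Model on the endpoint
$argList  = New-SgnOpalInstallArgs -MsiPath 'C:\Deploy\<name_of_selected_client_msi>.msi' `
    -DiskModel $model -ApprovedModels $approved -AllowAuthorityCheckOverride

# Show the command that would run; uncomment Start-Process to install.
"msiexec.exe $($argList -join ' ')"
# $p = Start-Process msiexec.exe -ArgumentList $argList -Wait -PassThru
# if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed: $($p.ExitCode)" }
```

Exit code 3010 is the standard Windows Installer code for a successful installation that needs a restart.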