Recovery options / System Recovery for SafeGuard Full Disk Encryption
SafeGuard Enterprise allows encrypted volumes or hard disks to be enslaved. It permits the end user, the Windows administrator and the SafeGuard Enterprise Security Officer to connect or remove new volumes or hard disks in spite of sector-based encryption.
A volume's Key Storage Area (KSA) holds all the information required, namely:
The randomly generated DEK (Data Encryption Key).
An ID for the encryption algorithm used to encrypt the volume.
The list of GUIDs for the KEKs (Key Encryption Keys) that can encrypt and decrypt the DEK.
The volume itself contains its size.
A volume encrypted with SafeGuard Enterprise can be accessed from all SafeGuard Enterprise protected endpoints, provided that the user or computer possesses a KEK for the KSA of the volume on their key ring.
Users or computers must be able to decrypt the DEK encrypted by the KEK.
Many users and computers can access a volume that has been encrypted with a distributable KEK such as an OU, group or domain key, because many users/computers of a domain have this key on their key ring.
However, a volume that is only encrypted with the individual boot key ("Boot_machinename") of the SafeGuard Enterprise protected endpoint can only be accessed by that particular computer.
If a volume does not boot on its original computer, it may be "enslaved" on another SafeGuard Enterprise protected endpoint. In that case, however, the correct boot key cannot be accessed. It has to be made accessible.
Whenever the user then attempts to access the volume from another computer, access succeeds, because the KEKs in the KSA and the key rings of the other users or computers match again.
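The access rule described above can be modelled in a few lines. This is an added illustration, not Sophos code: the KSA layout (one wrapped copy of the DEK per KEK GUID), the `ALG-PLACEHOLDER` identifier, the function names and the hash-based toy key wrap are all assumptions made for the example and are not the product's format or algorithm.

```python
import hashlib, hmac, secrets, uuid

def _stream(kek, nonce, n):
    # Toy keystream (up to 32 bytes); a stand-in for a real key-wrap algorithm.
    return hashlib.sha256(b"wrap" + kek + nonce).digest()[:n]

def wrap(kek, dek):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _stream(kek, nonce, len(dek))))
    body = nonce + ct
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def unwrap(kek, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        raise ValueError("wrong KEK or corrupted KSA entry")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def make_ksa(dek, keks, algorithm_id="ALG-PLACEHOLDER"):
    # Assumed layout: algorithm ID plus the DEK wrapped once per KEK GUID.
    return {"algorithm_id": algorithm_id,
            "wrapped_dek": {guid: wrap(kek, dek) for guid, kek in keks.items()}}

def open_volume(ksa, key_ring):
    # Access succeeds only if a KEK GUID listed in the KSA is on the key ring.
    for guid, blob in ksa["wrapped_dek"].items():
        if guid in key_ring:
            return unwrap(key_ring[guid], blob)
    return None

def demo():
    new_kek = lambda: (str(uuid.uuid4()), secrets.token_bytes(32))
    ou_guid, ou_kek = new_kek()      # distributable KEK (OU, group or domain key)
    boot_guid, boot_kek = new_kek()  # individual boot key of the original computer
    dek1, dek2 = secrets.token_bytes(32), secrets.token_bytes(32)
    shared_vol = make_ksa(dek1, {ou_guid: ou_kek})
    boot_only_vol = make_ksa(dek2, {boot_guid: boot_kek})
    ring_b = {ou_guid: ou_kek}       # key ring on a second endpoint
    out = {"shared_on_b": open_volume(shared_vol, ring_b) == dek1,
           "boot_only_denied_on_b": open_volume(boot_only_vol, ring_b) is None}
    ring_b[boot_guid] = boot_kek     # boot key made accessible on the second endpoint
    out["boot_only_on_b_after"] = open_volume(boot_only_vol, ring_b) == dek2
    return out

if __name__ == "__main__":
    print(demo())
```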