Encryption on a BitLocker-protected computer

Before the encryption starts, the encryption keys are generated by BitLocker. Depending on the system used, the behavior differs slightly.

Endpoints with TPM

If the security officer defines a logon mode for BitLocker that involves the TPM (TPM, TPM + PIN, or TPM + Startup Key), TPM activation is automatically initiated.

The TPM (Trusted Platform Module) is a hardware device BitLocker uses to store its encryption keys. The keys are not stored on the computer’s hard disk. The TPM must be accessible by the basic input/output system (BIOS) during startup. When the user starts the computer, BitLocker will get these keys from the TPM automatically.

Endpoints without TPM

If an endpoint is not equipped with a TPM, either a BitLocker startup key or, if the endpoint is running Windows 8 or later, a password can be used as the logon mode.

A BitLocker startup key can be created using a USB memory stick to store the encryption keys. The user has to insert the memory stick each time the computer is started.

When SafeGuard Enterprise activates BitLocker, users are prompted to save the BitLocker startup key. A dialog appears displaying the valid target drives in which to store the startup key.

For boot volumes, it is essential that the startup key is available when the endpoint is started. Therefore, the startup key can only be stored on removable media.

For data volumes, the BitLocker startup key can be stored on an encrypted boot volume. This is done automatically if Auto-Unlock is defined in the policy.

BitLocker recovery keys

For BitLocker recovery, SafeGuard Enterprise offers a Challenge/Response procedure that allows information to be exchanged confidentially and the BitLocker recovery key to be retrieved from the helpdesk; see Recovery for BitLocker encrypted endpoints.

To enable recovery with Challenge/Response or retrieval of the recovery key, the required data has to be available to the helpdesk. The data required for recovery is saved in specific key recovery files.

Note: If SafeGuard BitLocker management without Challenge/Response in standalone mode is used, the recovery key is not changed after a recovery procedure.

Note: If a BitLocker-encrypted hard disk in a computer is replaced by a new BitLocker-encrypted hard disk, and the new hard disk is assigned the same drive letter as the previous hard disk, SafeGuard Enterprise only saves the recovery key of the new hard disk.
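To verify which of the logon modes described above (TPM, TPM + PIN, TPM + Startup Key, startup key, password) and which recovery protectors are actually in place on an endpoint, the following is an added PowerShell audit script; it is example code, not part of SafeGuard Enterprise. It relies on the Get-BitLockerVolume and Get-Tpm cmdlets shipped with Windows; the function name Get-BitLockerAuditReport and the finding texts are our own.

```powershell
# Added audit script (not part of SafeGuard Enterprise): lists the BitLocker key
# protectors of every volume and checks them against the logon modes and the
# helpdesk recovery requirements described above. Read-only; run from an
# elevated prompt with the BitLocker PowerShell module available.

function Get-BitLockerAuditReport {
    $tpm = $null
    # Get-Tpm fails on machines without a TPM driver; treat that as "no TPM info"
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Logon mode: which protector unlocks the volume at startup
        $tpmBased = $types | Where-Object { $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        $startup  = $types -contains 'ExternalKey'       # startup key on removable media
        $password = $types -contains 'Password'          # Windows 8 or later without TPM
        $recovery = $types -contains 'RecoveryPassword'  # what the helpdesk hands out

        $findings = @()
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($tpmBased -and $tpm -and -not $tpm.TpmReady) {
                $findings += 'TPM-based protector present but TPM is not ready'
            }
            if (-not $tpmBased -and -not $startup -and -not $password) {
                $findings += 'no startup protector (TPM, startup key or password)'
            }
        }
        if (-not $recovery) {
            $findings += 'no recovery password protector; helpdesk recovery not possible'
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus)"
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protectors = ($types -join ',')
            AutoUnlock = $vol.AutoUnlockEnabled   # data volume key kept on the boot volume
            Protection = $vol.ProtectionStatus
            Findings   = ($findings -join '; ')
        }
    }
}

Get-BitLockerAuditReport | Format-Table -AutoSize
```

A data volume whose startup key is stored on the boot volume, as described above, shows AutoUnlock set to True; an empty Findings column means the volume matches one of the documented logon modes and has a recovery password the helpdesk can supply.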

Managing drives already encrypted with BitLocker

If there are any drives already encrypted with BitLocker on your computer when SafeGuard Enterprise is installed, SafeGuard Enterprise takes over the management of these drives.

Encrypted boot drives

  • Depending on the SafeGuard Enterprise BitLocker support used, you may be prompted to reboot the computer. It is important that you reboot the computer as early as possible.
  • If a SafeGuard Enterprise encryption policy applies for the encrypted drive:
    • SafeGuard Enterprise BitLocker Challenge/Response is installed: Management is taken over and SafeGuard Enterprise Challenge/Response is possible.
    • SafeGuard Enterprise BitLocker is installed: Management is taken over and recovery is possible.
  • If no SafeGuard Enterprise encryption policy applies for the encrypted drive:
    • SafeGuard Enterprise BitLocker Challenge/Response is installed: Management is not taken over and SafeGuard Enterprise Challenge/Response is not possible.
    • SafeGuard Enterprise BitLocker is installed: recovery is possible.

Encrypted data drives

  • If a SafeGuard Enterprise encryption policy applies for the encrypted drive:

    Management is taken over and recovery is possible.

  • If no SafeGuard Enterprise encryption policy applies for the encrypted drive:

    SafeGuard Enterprise recovery is possible.