Symantec Endpoint Encryption Drive Encryption Getting Started Guide
Getting Started

About Symantec Endpoint Encryption

Symantec™ Endpoint Encryption is comprised of the Drive Encryption functionality, the Removable Media Encryption functionality, and a Management Agent.

■ Drive Encryption
  The Drive Encryption functionality ensures only authorized access to the data that is stored on hard disks. This functionality helps safeguard enterprises from data loss or breach in case of theft or accidental damage to laptops or PCs.

■ Removable Media Encryption
  The Removable Media Encryption functionality protects data available on standard, off-the-shelf removable storage devices. As part of Symantec Endpoint Encryption, Removable Media Encryption helps prevent the unauthorized physical or logical access that jeopardizes the confidentiality of the data on a removable storage device. Removable Media Encryption provides file-based encryption using passwords or certificates and supports external hard drives, USB flash drives, and portable devices. An Access Utility to enable access to encrypted files on unmanaged systems (Microsoft Windows or Mac OS X) is also provided.

■ Management Agent
  Management Agent includes all of the functionalities that are used across Symantec Endpoint Encryption, such as authentication methods and settings, registering users, and setting up client administrator accounts and information.

If you are using Microsoft Windows Server 2008

For Symantec Endpoint Encryption Management Agent to appear properly on Windows Server 2008 R2, you must install the Aero Desktop theme.

Note: You must have administrator privilege to install the Aero Desktop theme. To learn how to install the Aero Desktop theme, see the Microsoft documentation.

Working with Drive Encryption

Symantec Endpoint Encryption client software provides an interface to:

■ View the encryption status of your hard disk partitions.
■ Determine if the check-in enforcement policy is enabled for your computer.
■ Verify the last time your computer checked in with Symantec Endpoint Encryption Management Server, if at all.
■ Force your computer to check in with Symantec Endpoint Encryption Management Server.

In addition to these, you can do the following:

■ View the product version information.
■ View the Symantec Endpoint Encryption functionalities that are installed on your computer.
■ View the legal notice of the Symantec Endpoint Encryption functionalities.

Viewing the encryption status of your disk

Drive Encryption protects the data that is stored on your hard disk by encrypting it. Encryption is the process by which an algorithm renders data unreadable. Only those who possess the “key” can decrypt the data, thereby rendering it intelligible again.

The disk of your computer is configured to get encrypted automatically after you install the Drive Encryption functionality and restart your computer. Disk encryption does not require any user registration and starts even before you log on to Windows. You can continue to work normally during and after the encryption of your hard disk. All partitions should be encrypted, especially the Windows system partition.

To view the encryption status of your disk

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.
2 On the Internal Drives tab, click Drives.
3 View the encryption status of your disk. The status can be one of the following:

■ Encrypting
  Indicates that the encryption of the disk is not yet complete. Along with this status, the page also displays the percentage of the disk already encrypted.

■ Encrypted with a lock icon
  Indicates that the disk or partition is fully encrypted.

■ Decrypting
  Indicates that the decryption of the disk is not yet complete. Along with this status, the page also displays the percentage of decryption remaining for the disk.

■ Not Encrypted
  Indicates that the disk is not encrypted. This status appears for a disk or partition that was encrypted previously but now is fully decrypted.

See “Authenticating at preboot to access your encrypted computer” on page 2.
See “Communicating with Symantec Endpoint Encryption Management Server” on page 3.

Authenticating at preboot to access your encrypted computer

The disk of your computer is configured to get encrypted automatically after you install the Drive Encryption functionality and restart your computer. For disk encryption, a client computer does not require any user registration. Drive Encryption silently registers you when you successfully log in to the computer using Windows credentials after installation. Drive Encryption uses your Windows password or token to register you for preboot authentication. Every time a user logs in to your computer with different Windows credentials, Drive Encryption automatically registers the new user.

Note: Preboot authentication does not support certain ALT characters such as ALT+155. These are special characters that appear when you press the ALT key together with keys on the number pad. Ensure that you do not use any ALT characters in your user name or password to avoid any issues during preboot authentication.

During the silent registration of a client user, Drive Encryption also enables Single sign-on. When Single sign-on is enabled, you can authenticate at preboot and directly access your computer without authenticating at the Windows login screen.

Note: Single sign-on is enabled only for client users and not for client administrators. When a client administrator authenticates at preboot, the Windows login screen appears.

When you are a registered user, you can use one of the following options to authenticate and access data on your computer:

■ Use Windows credentials at the preboot authentication screen.
■ Use your Token PIN at the token login screen.
■ Request your client administrator to authenticate with admin login credentials in case you lost your password.

Note: Symantec Endpoint Encryption does not support smart cards on UEFI systems.

Note: The preboot authentication screen may not be displayed if Autologon is in effect.

To authenticate at preboot using your password

1 On the preboot authentication screen, do the following:
  ■ In the User Name box, type your Windows user name. You can use the TAB key to navigate to another text box.
  ■ In the Password box, type your Windows password. You can press F3 to hide or show the password characters.
  ■ In the Domain box, use the arrow keys to select a domain name.
2 Press Enter.

To authenticate at preboot using your token PIN

1 On the preboot authentication screen, press F7.
2 Type your PIN in the Token PIN box.
3 Press Enter.

See “Recovering from a communication lockout” on page 7.
See “Recovering your computer using Help Desk Recovery” on page 6.
See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.

Selecting a keyboard layout for preboot authentication

Different keyboard layouts can have different mappings between characters, potentially causing problems when you enter your passphrase to authenticate. Select the keyboard layout that most closely maps to the keyboard you are using. Ensure that you use the same layout each time you authenticate.

To select a keyboard layout

1 On the preboot authentication screen, press F2.
2 From the list of keyboard layouts, select a keyboard layout using the up and down arrow keys.
3 Press Enter.
4 Verify the keyboard layout you selected at the bottom of the screen.
5 Press ESC to return to the preboot authentication screen.

See “Authenticating at preboot to access your encrypted computer” on page 2.

Communicating with Symantec Endpoint Encryption Management Server

For security reasons, your policy administrator may have configured check-in enforcement for your computer. This enforcement locks out all users except the client administrator when your computer is lost or stolen and, therefore, fails to check in within a prescribed schedule.

Use the Check-in button when:

■ A lockout enforcement policy is in effect and lockout is imminent.
■ You are running your computer on a VPN, and your computer communicates intermittently with Symantec Endpoint Encryption Management Server.
■ Your administrator instructs you to click the Check-in button.

When you click the Check-in button, your client computer attempts to connect to Symantec Endpoint Encryption Management Server. When the communication is successful, the Last check-in field is updated with the current date and time. If the lockout policy is enabled for your computer, the Next check-in due by field value is also extended by the period that your policy specifies. Any potential lockout is prevented.

If your client computer fails to check in with Symantec Endpoint Encryption Management Server after you click the Check-in button, you must contact your client administrator immediately. Your client administrator can extend the communication due date if the lockout policy is enabled and can also resolve the issue preventing the communication.

To view the check-in information

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.
2 On the Internal Drives tab, click Status.
3 View the following information:

■ Next Check-in due by
  Provides the next communication due date. A value in this field also indicates that the check-in policy is active for your client computer.

■ Last check-in
  Provides the date and time of the last communication of the client computer with Symantec Endpoint Encryption Management Server.

To establish communication with the server

1 On the Internal Drives tab, click Status.
2 Click Check-in.

See “About the communication lockout” on page 7.

Recovering your system at preboot

Drive Encryption protects the data on a hard disk by prompting a user of the computer to authenticate before the Windows operating system starts. When you provide your credentials to Drive Encryption, it derives the “key” necessary to render the data on the hard disk intelligible again. After encryption of the boot disk is initiated, Drive Encryption displays a preboot authentication screen every time you start your computer. This screen requires a set of credentials before it lets you access protected data on the disk.

Drive Encryption restricts you from accessing the data on your computer under the following circumstances:

■ When you forget your password (Windows credentials) or token.
■ When your client computer fails to communicate with Symantec Endpoint Encryption Management Server within the schedule that the policy administrator prescribes.

When you fail to authenticate at preboot, press F4 to use the recovery options that are configured for your computer as per the administrative policies. These recovery options help you bypass the preboot authentication screen once so that you can reconfigure your authentication credentials. Based on the administrative policies that are enabled for your computer, you can have the following recovery options:

■ Drive Encryption Self-Recovery
■ Help Desk Recovery

Additionally, you can also contact your client administrator to gain access to your computer.

About Drive Encryption Self-Recovery

When you forget your password, Drive Encryption Self-Recovery assists you to gain access to your computer without any help desk assistance. You can bypass the preboot authentication step by answering predefined security questions correctly.

Drive Encryption Self-Recovery is enabled or disabled for a user by the administrative policies of Symantec Endpoint Encryption Management Server. Your policy administrator can enable Drive Encryption Self-Recovery, in which case you need to configure a maximum of three security questions. Your policy administrator can specify the number of security questions that are predefined and require only the answers to complete the configuration. Your policy administrator can also let you customize your questions and provide answers for them.

Security questions are configured after installation of the Drive Encryption functionality. If you skip configuration after you log in the first time, Drive Encryption notifies you to configure Drive Encryption Self-Recovery every time you log in to your system. Drive Encryption also notifies you to configure security questions if Drive Encryption Self-Recovery was enabled after registration through a policy deployment.

When you forget your password, you can select Drive Encryption Self-Recovery and answer the security questions to gain access to your computer. After bypassing preboot authentication, you can contact your local administrator to reset your Windows login credentials.

Security questions, once configured, can be used whenever you need to bypass preboot authentication. If your administrator disables Drive Encryption Self-Recovery and re-enables it, the same security questions can be used to bypass preboot authentication.

Note: For improved protection, Symantec recommends that you configure Drive Encryption Self-Recovery the first time you receive the Drive Encryption Self-Recovery setup after installation.

See “Configuring Drive Encryption Self-Recovery security questions” on page 4.
See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.

Configuring Drive Encryption Self-Recovery security questions

You can configure security questions after the Drive Encryption functionality is installed and you log in to your computer as a new user for the first time. You can skip the configuration process, in which case Symantec Endpoint Encryption notifies you to configure Drive Encryption Self-Recovery every time you log in to your system.

Note: For improved protection, Symantec recommends that you configure Drive Encryption Self-Recovery the first time the Drive Encryption Self-Recovery setup appears.

You must consider the following before configuring your security questions:

■ Think of security questions that relate to something very personal to you. The answer to these questions should be unique, easy to remember, and not ambiguous.
■ Provide only answers to the questions that your policy administrator has already predefined. These predefined questions are not customizable.
■ Provide both question and answer when the security question is customizable and not predefined.
■ Keep answers within the character limit. Note that answers are case-sensitive. Drive Encryption Self-Recovery supports the following character set:
  ■ Uppercase: A-Z
  ■ Lowercase: a-z
  ■ Digits: 0-9
  ■ All punctuation symbols on a standard US language keyboard

To configure Drive Encryption Self-Recovery security questions

1 Log in to your system.
2 When the Self Recovery Setup dialog box appears, do one of the following:
  ■ To proceed with the configuration of security questions, click Continue.
  ■ To skip the configuration of security questions and close the Self Recovery Setup dialog box, click Remind me Later.
3 In the screen that appears, do the following:
  ■ For the questions that your policy administrator predefines, provide only the answers.
  ■ For the questions that you must define, type the question in the Question box and provide the answer in the respective Answer box.
4 Click Save.
5 In the confirmation dialog box, click Finish.

See “Using Drive Encryption Self-Recovery when you forget your password” on page 5.

Using Drive Encryption Self-Recovery when you forget your password

When you forget your password, you can press F4, use the Drive Encryption Self-Recovery feature, and bypass preboot authentication without any assistance from the help desk. Drive Encryption Self-Recovery requires you to answer preconfigured security questions for authentication. You can configure these questions when you log in for the first time after installation as a new user of the Drive Encryption functionality. When the answers are correct, Drive Encryption Self-Recovery provides access to your computer so that you can reset your Windows password.

Note: The Drive Encryption Self-Recovery option appears only after your administrator enables the Drive Encryption Self-Recovery feature for your computer and at least one user is registered on the computer.

To use Drive Encryption Self-Recovery and bypass preboot authentication

1 At the preboot authentication screen, press F4.
2 In the screen that appears, select Self Recovery.
3 Press Enter.
4 Answer the first security question displayed. Type the answer and press Enter.
5 Continue to answer the questions. You must answer all questions correctly to bypass preboot authentication.
6 When you have answered the questions correctly, the Windows operating system starts. Enter the new Windows credentials that you have received from your local administrator. Drive Encryption registers you with the new Windows credentials. You can use the new credentials for preboot authentication the next time you start your computer.

See “About Drive Encryption Self-Recovery” on page 4.
See “Configuring Drive Encryption Self-Recovery security questions” on page 4.

About Help Desk Recovery

With Help Desk Recovery, you can access your encrypted computer if you lose your password or if there is a lockout state at preboot. This recovery feature is enabled or disabled for a computer by the administrative policies of Symantec Endpoint Encryption Management Server. All you need is to provide your computer information to the help desk, receive a Response Key, and then use the Response Key to access your computer.

A Response Key (also known as a One-Time Password) that Help Desk Recovery provides is associated with an encrypted computer, not a user. Each computer has a unique Response Key that unlocks the encrypted disk on that computer.

Based on the connectivity of the client with Symantec Endpoint Encryption Management Server, Help Desk Recovery offers two types of recovery mode:

■ Online Recovery
  Online Recovery is possible when the client has established a connection with Symantec Endpoint Encryption Management Server after installation. The server receives the data about the client that it requires to generate a Response Key in the future. Help Desk Recovery requires minimum authentication for the computer and does not involve a Challenge Key.

■ Offline Recovery
  Offline Recovery is required when the client has never communicated with Symantec Endpoint Encryption Management Server after installation. The server does not have the data about the client that it requires to generate a Response Key. Help Desk Recovery requires a Challenge Key for authentication.

Note: When you recover from a forgotten password, you are prompted to enter a new password when the Windows operating system starts. Contact your local administrator to get your new Windows credentials.

See “Recovering your computer using Help Desk Recovery” on page 6.
See “Recovering from a communication lockout” on page 7.

Recovering your computer using Help Desk Recovery

You can use Help Desk Recovery in case of a preboot lockout or if you forget your user credentials. This recovery feature requires you to call the help desk, provide your computer information, receive the Response Key, and use the Response Key to access your computer.

Based on the availability of the recovery information on the server, preboot authentication displays one of the following screens when you use Help Desk Recovery:

■ The Help Desk Recovery screen appears when the recovery information is available on the server and displays only the computer identity and the Sequence Number.
■ The Advance Help Desk Recovery screen appears when the recovery information is not available on the server. This screen displays the computer identity, the Sequence Number, and the Challenge Key.

The Response Key box appears on both screens and requires you to enter the information that your help desk administrator provides.

Note: You can press F5 on the Help Desk Recovery screen to switch to the Advance Help Desk Recovery screen. Alternatively, you can press Esc on the Advance Help Desk Recovery screen to switch back to Help Desk Recovery.

To recover your computer using Help Desk Recovery

1 On the preboot authentication screen, press F4.
2 In the screen that appears, select Help Desk Recovery, and press Enter. This intermediate screen lets you select a recovery option and appears when Drive Encryption Self-Recovery is enabled and configured for at least one user on your computer.

  For authentication, the following details are required:

  ■ Computer
    The name of your computer with the domain name. Help Desk Recovery requires this information to verify the computer record in the server database.

  ■ Sequence Number
    A four-digit number that is used to synchronize a client with the server. Help Desk Recovery requires this information for generation of a Response Key.

  ■ Challenge Key
    The public key that the client generates using the public key of the server. Help Desk Recovery requires this information to authenticate a client that has never communicated with the server.

  ■ Checksum
    A two-character checksum that appears for the Response Key and the Challenge Key. The checksum helps to verify that the Challenge Key has been communicated correctly to the help desk, or the Response Key to the user. A matching checksum confirms that the Challenge Key on the server side or the Response Key on the client side has been entered correctly.

3 Call your Symantec Endpoint Encryption Management Server help desk administrator.
4 From the Help Desk Recovery screen or the Advance Help Desk Recovery screen, provide the following information to the help desk administrator:
  ■ Computer
  ■ Sequence Number
  ■ Challenge Key (in case of Advance Help Desk Recovery)
5 Type the Response Key that the help desk administrator provides in the Response Key box, and then press Enter. If required, provide the checksum to the help desk administrator to confirm that you have entered the Response Key correctly. When the recovery is successful, contact your local administrator to get new Windows credentials.
6 Use your Windows credentials to access your computer. Drive Encryption uses your new Windows credentials to register you for preboot authentication.

See “About Help Desk Recovery” on page 5.
See “About the communication lockout” on page 7.
See “Recovering from a communication lockout” on page 7.

About the communication lockout

Client computers communicate with Symantec Endpoint Encryption Management Server to send status and recovery information to the server. For security reasons, your policy administrator might enforce a check-in policy to monitor your client computer through periodic contact with the server. When your client computer fails to communicate with the server within the prescribed schedule, the computer is locked out at preboot. When the lockout occurs, the computer remains in a pre-Windows state after restart. No registered user can log on to the computer without assistance from the help desk or until a client administrator unlocks the system. The lockout thereby protects the data on your computer if the computer is lost or stolen.
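The check-in enforcement described in this section (a minimum contact period, a warning period, lockout at the next restart once both have elapsed, and extension of the due date after a successful check-in or recovery) is modelled below as an added example. This is illustrative code written for this page, not Symantec code; the type and field names, the day-granular arithmetic, and the assumption that the due date is counted from the day of the last contact (or of the recovery) are all assumptions.

```python
"""Model of the Drive Encryption check-in enforcement (communication lockout)
behaviour described in this guide.

Illustrative model added for this page, not Symantec code. The guide states the
rules; the names below and the day-granular arithmetic are assumptions:
  * the policy sets a minimum contact period and a warning period;
  * Drive Encryption warns the user during the warning period;
  * a client that has not checked in once both periods have elapsed is locked
    out at preboot after its next restart (not instantly);
  * a successful check-in, or a successful Help Desk / Client Administrator
    recovery, extends the due date by the same two periods.
Dates are ISO "YYYY-MM-DD" strings, as shown on the Status tab.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Status(Enum):
    OK = "ok"                  # within the minimum contact period
    WARNING = "warning"        # warning period: prompt the user to check in
    OVERDUE = "overdue"        # past due, but lockout applies only at next restart
    LOCKED_OUT = "locked_out"  # preboot lockout in effect


@dataclass
class CheckInPolicy:
    min_contact_days: int      # minimum contact period
    warning_days: int          # warning period that follows it
    lockout_enabled: bool = True


@dataclass
class ClientState:
    last_checkin: Optional[str] = None  # "Last check-in" on the Status tab
    next_due: Optional[str] = None      # "Next check-in due by" on the Status tab
    locked_out: bool = False


def _add_days(day: str, days: int) -> str:
    return (date.fromisoformat(day) + timedelta(days=days)).isoformat()


def _extend(policy: CheckInPolicy, from_day: str) -> str:
    # Assumption: the due date is the end of the warning period that follows the
    # minimum contact period, counted from the day of the last contact.
    return _add_days(from_day, policy.min_contact_days + policy.warning_days)


def status(state: ClientState, policy: CheckInPolicy, today: str) -> Status:
    """What the client would report on a given day (ISO strings compare in order)."""
    if state.locked_out:
        return Status.LOCKED_OUT
    if not policy.lockout_enabled or state.next_due is None:
        return Status.OK  # no active check-in policy: nothing to enforce
    if today > state.next_due:
        return Status.OVERDUE
    warning_starts = _add_days(state.next_due, -policy.warning_days)
    return Status.WARNING if today >= warning_starts else Status.OK


def check_in(state: ClientState, policy: CheckInPolicy, today: str) -> ClientState:
    """The Check-in button: reachable only from Windows, so never from a lockout."""
    if state.locked_out:
        raise RuntimeError("locked out at preboot; use Help Desk or Client Administrator recovery")
    state.last_checkin = today
    state.next_due = _extend(policy, today) if policy.lockout_enabled else None
    return state


def restart(state: ClientState, policy: CheckInPolicy, today: str) -> ClientState:
    """The lockout takes effect at the first restart after the due date has passed."""
    if policy.lockout_enabled and state.next_due is not None and today > state.next_due:
        state.locked_out = True
    return state


def recover(state: ClientState, policy: CheckInPolicy, today: str) -> ClientState:
    """Successful Help Desk or Client Administrator recovery from a lockout.
    Assumption: the extended due date is counted from the day of recovery."""
    state.locked_out = False
    state.next_due = _extend(policy, today)
    return state


def example_timeline() -> List[str]:
    """Constructed scenario: 7-day contact period, 3-day warning, check-in on 1 Jan."""
    policy = CheckInPolicy(min_contact_days=7, warning_days=3)
    state = check_in(ClientState(), policy, "2024-01-01")   # due by 2024-01-11
    out = [f"{d} {status(state, policy, d).value}"
           for d in ("2024-01-05", "2024-01-08", "2024-01-11", "2024-01-12")]
    restart(state, policy, "2024-01-12")   # first restart past the due date: lockout
    out.append(f"2024-01-12 after restart: {status(state, policy, '2024-01-12').value}")
    recover(state, policy, "2024-01-12")   # help desk / Client Administrator recovery
    out.append(f"2024-01-12 after recovery: {status(state, policy, '2024-01-12').value}, "
               f"due {state.next_due}")
    return out


if __name__ == "__main__":
    for line in example_timeline():
        print(line)
```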
The administrative policies of Symantec Endpoint Encryption Management Server control the client check-in enforcement. Your policy administrator might enable communication lockout and specify a minimum contact period within which the client must check in to establish a connection with Symantec Endpoint Encryption Management Server. The administrator can also specify a warning period during which Drive Encryption notifies you to communicate with the server. If you do not check in the client computer within the specified periods, the client goes into a communication lockout state after the next restart.

Based on the policies that are enabled for your computer, you can use one of the following options to recover from a communication lockout state:

■ Help desk assistance
  You can contact your help desk administrator and request a Response Key for your computer.

■ Client administrator assistance
  You can contact your Client Administrator. The client administrator authenticates at preboot and provides access to the computer.

After the computer recovers from a communication lockout, the check-in due date is extended by the same minimum contact period and warning period as before.

See “Recovering from a communication lockout” on page 7.
See “Recovering your computer using Help Desk Recovery” on page 6.

Recovering from a communication lockout

When a communication lockout occurs, your client computer remains in a pre-Windows state after restart. Drive Encryption displays a dialog box with options to recover from the lockout state. Based on the policies that are enabled for your computer, you can recover your client computer in one of the following ways:

■ Help desk assistance
  The administrative policies of Symantec Endpoint Encryption Management Server manage this recovery assistance.

■ Client Administrator assistance
  The administrative policies do not manage this recovery assistance. Your Client Administrator uses this recovery method if you fail to get assistance from the help desk.

To recover from a communication lockout using Help Desk Recovery

1 On the dialog box listing the recovery options, select Help Desk Recovery.
2 Call your Symantec Endpoint Encryption Management Server help desk administrator.
3 From the Help Desk Recovery screen or the Advance Help Desk Recovery screen, provide the following information to the help desk administrator:
  ■ Computer name with domain
  ■ Sequence Number
  ■ Challenge Key (in case of Advance Help Desk Recovery)
4 Type the Response Key that the help desk administrator provides in the Response Key box, and then press Enter. If required, provide the checksum to the help desk administrator to confirm that you have entered the Response Key correctly.
5 When the recovery is successful, the check-in due date is extended by the same number of days as specified by your policy administrator.

See “About the communication lockout” on page 7.
See “About Help Desk Recovery” on page 5.

About the Client Administrator roles

As a Client Administrator, you provide local support to Symantec Endpoint Encryption client software users. Client Administrator accounts are created and maintained through Symantec Endpoint Encryption Management Server.

■ The administrative privileges are independent of any operating system or directory service, which lets you support a wide range of users.
■ Client Administrator credentials are managed from Symantec Endpoint Encryption Management Server and cannot be changed at the client computer. This single-source credential management lets you remember only one set of credentials as you move among many client computers.
■ Client Administrator credentials can always be used to authenticate to client computers. This privilege lets you authenticate and provide access to client users when they forget their password or experience a communication lockout. This privilege is independent of the administrative policies of Symantec Endpoint Encryption Management Server.

As a Client Administrator, you can access the Drive Encryption functions from the command line to script Drive Encryption functions and troubleshoot problems. For more information on the Client Administrator commands, see the Drive Encryption Administrator Command Line User Guide.

Recovering from a communication lockout using the administrator login

Communication lockout occurs when a client computer fails to communicate with the server within the schedule that the Symantec Endpoint Encryption Management Server policy administrator prescribes. When a communication lockout occurs, the client computer remains in a pre-Windows state after restart. As a Client Administrator, you can use your administrator login credentials to provide access to an encrypted computer. A client user needs your assistance during a communication lockout when:

■ The policy administrator has disabled Help Desk Recovery for the client computer, and the only option available is Client Administrator assistance.
■ The help desk recommends that the client computer should be authenticated using the administrator login credentials.

To recover from a communication lockout using the administrator login

1 On the dialog box listing the recovery options at preboot, select Administrator Password using the arrow keys.
2 Do the following:
  ■ Type your administrator account name in the Admin Name box. Use the TAB key to navigate to another text box.
  ■ Type the password of your account in the Password box.
3 Press Enter.
4 When the recovery is successful, verify that the check-in due date is extended by the same number of days as specified by the policy administrator.

See “About the communication lockout” on page 7.

Authenticating at preboot using admin login credentials

As a Client Administrator, you can use your admin login credentials to authenticate at preboot. Your admin login credentials let you provide recovery support to client users when they forget their password or experience a communication lockout.

To authenticate using admin login credentials

1 On the preboot authentication screen, press F5.
2 On the Administrator login screen, do the following:
  ■ Type the account name of the Client Administrator in the Admin Name box.
  ■ Type the password of the account in the Password box.
3 Press Enter.

See “Authenticating at preboot to access your encrypted computer” on page 2.

Getting Technical Support

For additional assistance using the Symantec Endpoint Encryption Drive Encryption functionality, contact the help desk or the local administrator of your organization.

Legal Notice

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, PGP, and Pretty Good Privacy are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com