Encryption Settings
Applies To: WatchGuard Full Encryption
WatchGuard Full Encryption minimizes the exposure of corporate data in the event of data loss or theft, as well as minimizes the exposure of data when users remove storage devices. It enables you to monitor the encryption status of network computers and centrally manage recovery keys. It also takes advantage of hardware resources such as a Trusted Platform Module (TPM) chip.
For more information about Full Encryption, go to About Full Encryption.
Configure Encryption Settings
You create settings profiles to encrypt the content of different internal and external storage devices.
To configure encryption settings:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- From the left pane, select Encryption.
- In the upper-right corner, click Add.
To edit an existing profile, select the profile from the list.
- In the Name text box, type a name for the encryption settings profile.
- In the Description text box, type a brief description of the profile.
- In the Recipients text box, click No Recipients Selected Yet.
The Recipients page opens.
- Add recipient groups, computers, and devices for the settings profile, as required. For more information, go to Assign a Settings Profile.
- Enable Encrypt All Hard Disks on Computers. For information about user interaction that might be required to encrypt devices, go to Full Encryption and Computer User Interactions — Windows Computers.
All hard disks on your computers are encrypted. Any computer that is already encrypted receives the encryption settings specified. If the user decrypts a hard disk, Full Encryption encrypts it again.
If you disable encryption, Full Encryption decrypts all information stored on the computers. If the user encrypted a hard disk with a product other than Full Encryption, the hard disk remains encrypted. For more information, go to About Full Encryption.
- For Windows computers, specify Advanced Windows Options:
- To enable password authentication, select Ask For Password to Access the Computer.
This enables password authentication when a computer or device starts. Computers with TPM require a PIN type password. Computers without TPM require a passphrase. If you disable this option and the computer does not have access to a compatible TPM security processor, the disks are not encrypted.
- To prevent the use of supported USB devices in authentication, enable Do Not Encrypt Computers That Require a USB Drive for Authentication.
- (Optional) To minimize the encryption time, enable Encrypt Used Disk Space Only to only encrypt sectors of the hard disk that are used.
Sectors released after a file is deleted remain encrypted, but the space that was free before encryption of the hard disk remains unencrypted. Anyone who obtains the disk and has file-recovery tools can read that unencrypted space.
- To enable encryption on removable devices, enable Prompt for Removable Storage Drive Encryption.
When a user inserts an unencrypted removable drive in a computer that has Microsoft BitLocker technology enabled, they receive a prompt to encrypt its contents.
For more information about this setting, go to Encryption of External Drives (Windows Computers).
Only Microsoft Windows 7 without TPM can use USB authentication. If you disable USB devices, Full Encryption does not encrypt these computers.
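After a profile has been applied, you can confirm on a Windows endpoint that the settings took effect by querying the BitLocker and TPM state directly. The following script is an added example, not WatchGuard's code or part of the Full Encryption product: it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets, assumes it is run from an elevated PowerShell prompt, and reports which volumes are encrypted, which key protector types (TPM, TPM+PIN, password, external USB key) are in place, and which fixed disks are not yet fully protected.

```powershell
# Added example (not WatchGuard's code): verify on a Windows endpoint that the
# Full Encryption profile produced the expected BitLocker state.
# Assumes an elevated prompt and the built-in BitLocker and
# TrustedPlatformModule PowerShell modules.

# TPM presence decides which startup authentication applies:
# PIN on computers with a TPM, passphrase on computers without one.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

$volumes = Get-BitLockerVolume

foreach ($vol in $volumes) {
    # Key protector types show the authentication in use, for example
    # Tpm, TpmPin, Password, RecoveryPassword or ExternalKey (USB drive).
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType          # OperatingSystem or Data
        Status     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Percent    = $vol.EncryptionPercentage
        Protection = $vol.ProtectionStatus    # On means the protectors are active
        Method     = $vol.EncryptionMethod
        Protectors = $protectors
    }
}

# Flag fixed disks (the ones "Encrypt All Hard Disks" covers) that are not
# fully encrypted with protection on. Removable drives are skipped because
# the profile only prompts the user to encrypt them.
$unprotected = foreach ($vol in $volumes) {
    $letter = $vol.MountPoint.TrimEnd(':')
    $drive  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    if ($drive -and $drive.DriveType -eq 'Fixed' -and
        ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On')) {
        $vol.MountPoint
    }
}

if ($unprotected) {
    Write-Warning ("Fixed volumes not fully protected: " + ($unprotected -join ', '))
} else {
    "All fixed volumes are fully encrypted with protection on."
}
```

Get-BitLockerVolume does not say whether a volume was encrypted with Encrypt Used Disk Space Only or in full; the "Conversion Status" line of `manage-bde -status` reports that distinction, which matters if you rely on the caveat above about previously free space staying unencrypted.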