Purpose of knowledge article:
- Overview of Full Disk Encryption (FDE)
- FDE pilot program for selected Operations groups
What is Full Disk Encryption (FDE)?
- Encryption technology scrambles data into illegible code, making it indecipherable to anyone without a password or recovery key.
Full disk encryption protects the system as a whole instead of requiring the user to protect individual files or folders. This greatly improves the ease of use for the user and minimizes the chances of a confidential or sensitive file going unprotected.
- Full disk encryption does not protect files in transit (i.e., email attachments), only files at rest when stored on the protected system.
Encryption Technologies
- Windows BitLocker provides full disk encryption to Microsoft operating systems from Windows Vista to Windows 11 or Server 2008 to Server 2012. The use of full disk encryption helps provide enhanced protection from data theft or exposure in the event a protected device is ever lost or stolen by preventing any information contained within the device from being readable without the decryption key. Bitlocker requires a user to provide a pin or a recovery key to unlock the system.
- Mac FileVault is the standard encryption method on all current Mac computers. It provides full disk encryption when enabled, which is beneficial to the user because rather than individually encrypting files and folders, it automatically encrypts all data contained within the encrypted drive. By encrypting the hard drive, any data contained within the drive will be unreadable if access is attempted without the decryption key or the user’s password. This will protect the data in the event the device is ever lost or stolen.
Other related questions:
Can I lose my data?
No, the data will always be on the computer but it will require you to have the pin (Windows) or password to unlock the computer (Mac). In addition, it is recommended to backup your data to ensure you don't lose data, see Druva inSync.
How does disk encryption make me safer?
Full disk encryption uses a specific algorithm, or cipher, to convert a physical disk or logical volume into an unreadable format that cannot be accessed by anyone without the recovery key or password that was used to encrypt the drive. This prevents unauthorized people or hackers from accessing the information especially if your computer is lost or stolen.
Does Berkeley Lab offer an FDE solution?
Yes, Berkeley Lab IT is piloting Sophos Device Encryption software as an enterprise service. Sophos Device Encryption stores all recovery keys in a server for computers that are enrolled with the software. The service includes a self-service portal to retrieve your key if needed or enables IT to provide you with a key when a support ticket is created. Note: FDE will be piloted during August 2022 with specific Operations groups working with protected data types (like health info and PII).
Is Sophos FDE available to Lab employees?
Currently, Berkeley Lab IT is running a pilot project with specific operation groups. It may be available to the Lab community at a later date.
Resolution:
How to install Sophos Disk Encryption?
Expand the instruction you need:
Process overview:
- Download and Install Sophos Endpoint Protection from the email invite
- Follow all the instructions to complete the installation procedure
- Upon reaching step 8 in the instructions below,
A prompt asking you to create a BitLocker password will either pop up before or after you restart the computer in step 7, either way:
-
- Create a BitLocker password
- Type the password in slowly, and DO NOT forget it
-
| 1 | Check your email for an email from [email protected] with the subject line "Software Deployment For Sophos Central" |
|
| 2 | In the email, under the “Sophos Endpoint Protection” section, click the Windows link | |
| 3 | The file SophosSetup.exe will start downloading. Launch it once it finishes downloading |
|
| 4 | You will see a popup window saying, "Do you want to allow this app to make changes to your device?" Click Yes |
|
| 5 | Click Install Note: this step can take anywhere from 10 minutes to an hour |
|
| 6 | Once installation is done, the "Installation successful. You're protected" screen will appear. Make sure the "Restart my computer now" box is checked. |
|
| 7 | Click the Finish button | |
| 8 | A prompt asking you to create a BitLocker password will either pop up before or after you restart the computer in step 7, either way to:
|
|
| 9 | Click Save and Restart | |
| 10 | When the computer restart, you will be asked to provide the BitLocker password you just created in step 8. Type it in and hit the Enter button on your keyboard, and continue to log in to your computer as usual |
|
| 11 | You're done | no image |
| 1 | Check your email for an email from [email protected] with the subject line "Software Deployment For Sophos Central" |
|
| 2 | In the email, under the “Sophos Endpoint Protection” section, click the macOS X link | |
| 3 | SophosInstall.zip will start downloading. Browse to the location of the downloaded file in Finder |
|
| 4 | Double click on SophosInstall.zip |
|
| 5 | If your mac computer has an M1 chip: a) Copy the SophosInstall folder b) In the Menu bar, Click Go >>> Go to Folder c) Copy and paste /Users/Shared into the Go to the folder box d) Click Go e) Paste the SophosInstall folder f) Open the SophosInstall folder OR If your mac computer has an Intel chip: a) Open the SophosInstall folder |
|
| 6 | Double click the Sophos Installer file |
|
| 7 | Click Open |
|
| 8 | Click OK |
|
| 9 | Click Install |
|
| 10 | Input your computer login credential |
|
| 11 | Click Install Helper | |
| 12 | You may get a popup warning or more. Click Open Security Preferences on one of them |
|
| 13 | Select Security & Privacy |
|
| 14 | Select the General tab |
|
| 15 | Bottom left corner, click on the Lock icon and input your computer credential in the popup to unlock it | |
| 16 | Bottom right corner area, click on Details | |
| 17 | Make sure both Sophos Network Extension.app and SophosScanD.app is checked and click OK |
|
| 18 | Another popup or two may appear. Click Allow on both of them |
|
| 19 | Once installation is done. Click Quit |
|
| 20 | a) If the computer has FileVault turned on, Sophos Devie Encryption popup will appear, guiding you to set up a recovery key
OR b) If the computer has FileVault turned off, a popup will appear saying "fdesetup would like to enable FileVault."
|
a)
b)
|
| 21 | Click OK, continue to the next step |
|
| 22 | Open Sophos Endpoint Self Help Application under the Application\Sophos folder |
|
| 23 | Select Prerequisites |
|
| 24 | Click on Allow Full Disk Access button | |
| 25 | Follow instructions in the popup window |
|
| 26 | A prompt asking to Quit Sophos will appear. Click Quit & Reopen |
|
| 27 | Once Sophos Endpoint Self Help relaunches, everything should have a green check; Sophos is ready |
|
| 28 |
|
|
| 29 | You're done | no image |
How to retrieve the recovery key to unlock your device?
- This must be performed on a device that you have access to and can access the internet.
- This works for both Windows and Mac computers.
| 1 |
|
|
| 2 | Return to the email and click the link Sophos Central Self Service |
|
| 3 |
|
|
| 4 | Click Retrieve for the computer you need the recovery key for |
|
| 5 | A pop-up with the recovery key information for the computer will appear |
|
| 1 | Click on the Start Menu and just start typing "manage bitlocker" |
|
| 2 | In the result, you will see an item called Manage Bitlocker. Click on it | |
| 3 | Click Turn on Bitlocker |
|
| 4 | Create a PIN for BitLocker and click Set PIN Note:
|
|
| 5 | BitLocker Configuration will start |
|
| 6 | Select one of the following options:
Click Next Note:
|
|
| 7 | Select Encrypt entire drive (slower but best for PCs and drives already in use) and click Next |
|
| 8 | Select New encryption mode (best for fixed drives on this device) and click Next |
|
| 9 | Check the box Run BitLocker system check and click Continue |
|
| 10 | The computer may prompt to restart, go ahead and restart. If not, restart the computer manually |
|
| 11 | Open up Manage BitLocker again( see step 1-2). It will state "BitLocker Encrypting". Let it run and check back on it periodically |
|
| 12 | When encryption is completed, it will state "BitLocker on" |
|
| 13 | Restart the computer and you will be prompt to input your BitLocker PIN |
|
How to turn on FileVault (Mac)?
| 1 | Top left corner, click on the Apple icon |
|
| 2 | Select System Preferences | |
| 3 | Select Security & Privacy |
|
| 4 | Select FileVault tab |
|
| 5 | Bottom left corner, click on the Lock icon | |
| 6 | Input your computer credential |
|
| 7 | Click Unlock | |
| 8 | Click Turn On FileVault |
|
| 9 | Select Create a recovery key and do not use my iCloud account |
|
| 10 | Click Continue | |
| 11 | The encrypting progress will take some time. Once encryption is completed, You will see "Encryption finished" |
|
