Encryption and decryption on Windows computers

Encryption of unencrypted drives

Encryption begins when the Advanced EDR agent, installed on a computer, downloads encryption settings. A wizard on the computer guides the user through the encryption process.

The number of encryption steps to take depends on the type of authentication chosen by the network administrator and the previous status of the computer. If any of the steps fails, the agent reports it to the management console and the process stops.

You cannot encrypt computers from a remote desktop session. Completing the encryption requires restarting the computer and entering a password before the operating system loads, which is not possible with a standard remote desktop tool.

If a patch installation or uninstallation task managed by Cytomic Encryption is in progress, the encryption process begins when that task has completed.

This section describes the entire encryption process, whether feedback is shown to the computer user, and whether a restart is required:

Step 1
Process on the computer: The agent receives settings from the encryption module. The settings establish how the drives are to be encrypted.
User interaction: None.

Step 2
Process on the computer: If the computer is a server and BitLocker is not installed, it is downloaded and installed.
User interaction: The user is prompted to restart the computer to complete the installation. If the user postpones the restart, they are prompted again at the next login. Requires restart.

Step 3
Process on the computer: If the computer has no previous encryption, a system partition is created.
User interaction: The user must restart the computer to complete the creation of the partition. If the user postpones the restart, they are prompted again at the next login. Requires restart.

Step 4
Process on the computer: If a group policy exists that conflicts with the Cytomic Encryption settings, an error message shows and the process stops.

The group policies configured by Cytomic Encryption are:

In the Local Group Policy Editor, navigate to: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Select Not Set for the specified policies to avoid this error.

If you have not defined global group policies that conflict with the local policies defined by Cytomic Encryption, no message appears.

Step 5
Process on the computer: If the computer has a TPM chip, the user might have to enable it from the BIOS.
User interaction: The computer must restart for the user to access the BIOS. On Windows 10 systems, you do not need to change the BIOS settings, but the restart is still required. If a restart is required in step 3, it is combined with this one.

Step 6
Process on the computer: If the computer uses a USB device for authentication, the device is prepared.
User interaction: The user must insert the USB device when the computer boots.

Step 7
Process on the computer: If the computer uses a PIN for authentication, the PIN is prepared.
User interaction: The user must type the PIN. If the PIN contains alphanumeric characters and the hardware does not support them, error -2144272180 appears. In that case, a numeric PIN must be used.

Step 8
Process on the computer: If the computer uses a passphrase for authentication, the passphrase is prepared.
User interaction: The user must type the passphrase.

Step 9
Process on the computer: A recovery key is generated and sent to the Cytomic cloud. When it has been received, the process continues on the user's computer.
User interaction: None.

Step 10
Process on the computer: The hardware on the computer is checked for compatibility with the encryption technology, and the encryption process begins.
User interaction: The computer restarts to check the hardware used by the selected authentication method. Requires restart.

Step 11
Process on the computer: Drive encryption. The encryption runs in the background, without any impact on users. The duration depends on the drive being encrypted; on average, encryption takes approximately 2-3 hours.
User interaction: Users can use and shut down the computer normally. If the computer is shut down, encryption resumes when it is restarted.

Step 12
Process on the computer: The encryption process completes silently, without any impact on users.
User interaction: Depending on the authentication method selected, when the computer boots the user must insert the USB key, enter the PIN or the passphrase, or do nothing at all.

Steps for encrypting unencrypted drives
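The conditions checked in steps 2, 4 and 5, together with the remote-session restriction above, can be verified before a settings profile is assigned. The following PowerShell script is an added example and is not Cytomic Encryption code. It reports whether the current session is a console session, whether a TPM is present and ready, whether the BitLocker feature is installed on a server, and which BitLocker operating-system-drive policies are set in the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE. The registry value names it inspects are assumptions taken from the standard BitLocker policy templates; this page does not say which specific policies conflict with the Cytomic Encryption settings.

```powershell
# Added example: pre-deployment checks for centrally managed BitLocker encryption.
# Not Cytomic Encryption code. Run in an elevated PowerShell session on the target computer.

function Test-ConsoleSession {
    # Encryption cannot be completed from a remote desktop session because of the
    # pre-boot prompt. SESSIONNAME is "Console" for a local session and "RDP-Tcp#n" for RDP.
    return ($env:SESSIONNAME -eq 'Console')
}

function Get-TpmState {
    # Get-Tpm is provided by the TrustedPlatformModule module (Windows 8 / Server 2012 and later).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Test-BitLockerFeatureInstalled {
    # Win32_OperatingSystem.ProductType: 1 = workstation (BitLocker built in),
    # 2 = domain controller, 3 = server (BitLocker is an optional feature, see step 2).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) { return $true }
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) { return $false }
    $feature = Get-WindowsFeature -Name BitLocker -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Get-ConfiguredFvePolicies {
    # Policies from "BitLocker Drive Encryption > Operating System Drives" are written here
    # whether they come from local or domain Group Policy. The value names are assumptions
    # based on the standard BitLocker ADMX templates; adjust them to the policies the vendor lists.
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN',
             'UseTPMKey', 'UseTPMKeyPIN', 'MinimumPIN', 'OSEncryptionType',
             'EncryptionMethodWithXtsOs', 'OSRecovery', 'OSActiveDirectoryBackup'
    if (-not (Test-Path $path)) { return @() }
    $props = Get-ItemProperty -Path $path
    foreach ($n in $names) {
        if ($null -ne $props.$n) {
            [pscustomobject]@{ Policy = $n; Value = $props.$n }
        }
    }
}

# Report
$tpm = Get-TpmState
Write-Host ("Console session      : {0}" -f (Test-ConsoleSession))
Write-Host ("TPM present / ready  : {0} / {1}" -f $tpm.Present, $tpm.Ready)
Write-Host ("BitLocker installed  : {0}" -f (Test-BitLockerFeatureInstalled))
$set = @(Get-ConfiguredFvePolicies)
if ($set.Count -eq 0) {
    Write-Host "FVE OS-drive policies: none configured (no step 4 conflict expected)"
} else {
    Write-Host "FVE OS-drive policies configured (review against the vendor list before deployment):"
    $set | Format-Table -AutoSize
}
```

A value reported by Get-ConfiguredFvePolicies means a Group Policy Object has explicitly set that policy; an empty result corresponds to every policy being left at Not Set, which is the state step 4 requires. A TPM that is present but not ready is the case step 5 describes, where the user must enable it from the BIOS.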

Encryption of previously encrypted drives

If a computer already has encrypted drives, Cytomic Encryption modifies certain parameters so that the drives can be centrally managed. The actions taken are as follows:

  • If the authentication method already configured on the computer differs from the method specified in the settings profile, a prompt shows on the user's computer asking for the password or other hardware resource. If no authentication method that is both compatible with the operating system and specified by the network administrator can be used, the existing encryption remains in place and Cytomic Encryption does not manage the computer.

  • If the encryption algorithm is not AES-256, Cytomic Encryption makes no changes to the drive encryption. Cytomic Encryption manages the computer.

  • If both encrypted and unencrypted drives exist, all drives are encrypted with the same authentication method.

  • To unify authentication methods, if the previous authentication method requires a password and is compatible with the authentication methods supported by Cytomic Encryption, a prompt shows on the user's computer requesting the password.

  • If the encryption settings already on the computer differ from those configured by the administrator, no changes are made, to avoid re-encrypting the drives.

  • When a drive is taken under Cytomic Encryption management, at the end of the process Cytomic generates a recovery key and sends it to the Cytomic cloud.
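Before a previously encrypted computer is taken under management, the properties that decide the outcome above (encryption method, protector types, whether a recovery password exists, whether all encrypted drives share one authentication method) can be read locally with the BitLocker cmdlets. The following PowerShell audit is an added example, not Cytomic Encryption code; the set of methods it treats as "AES-256" and the mixed-authentication check are its own interpretation of the bullets above.

```powershell
# Added example: audit existing BitLocker volumes before central management takes over.
# Not Cytomic Encryption code. Run elevated on the computer being audited.

# Encryption methods this script treats as AES-256. XtsAes256 is the Windows 10+ default;
# the CBC variants appear on drives encrypted by older Windows versions.
$Aes256Methods = 'Aes256', 'XtsAes256', 'Aes256Diffuser'

function Get-VolumeAudit {
    param([string[]]$MountPoint)   # omit to audit every volume
    $vols = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint } else { Get-BitLockerVolume }
    foreach ($v in $vols) {
        # KeyProtector objects also carry the recovery password itself: never write it to a log.
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint     = $v.MountPoint
            VolumeType     = $v.VolumeType        # OperatingSystem or Data
            Status         = $v.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            Method         = $v.EncryptionMethod
            IsAes256       = ($v.EncryptionMethod -in $Aes256Methods)
            Protectors     = ($protectors -join ',')
            HasRecoveryPwd = ($protectors -contains 'RecoveryPassword')
            ProtectionOn   = ($v.ProtectionStatus -eq 'On')
        }
    }
}

function Test-MixedAuthentication {
    # True when the encrypted volumes do not all use the same set of protectors, which is
    # the situation in which the page says a prompt appears to unify the authentication method.
    $sets = Get-VolumeAudit | Where-Object Status -ne 'FullyDecrypted' |
            Select-Object -ExpandProperty Protectors -Unique
    return (@($sets).Count -gt 1)
}

Get-VolumeAudit | Format-Table -AutoSize

$audit = Get-VolumeAudit
if ($audit | Where-Object { $_.Status -ne 'FullyDecrypted' -and -not $_.IsAes256 }) {
    Write-Warning "Some encrypted volumes do not use AES-256; they will be managed but not re-encrypted."
}
if ($audit | Where-Object { $_.Status -eq 'FullyDecrypted' }) {
    Write-Warning "Unencrypted volumes present; they will be encrypted with the same authentication method as the rest."
}
if (Test-MixedAuthentication) {
    Write-Warning "Encrypted volumes use different protector sets; expect a prompt to unify authentication."
}
```

A volume that reports HasRecoveryPwd as false is not a problem for management: the last bullet above states that a new recovery key is generated and escrowed to the Cytomic cloud at the end of the process regardless.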

Encryption of new drives

If you create a new drive after the encryption process is complete, Cytomic Encryption encrypts it immediately, according to the encryption settings.

Decrypting drives

There are three scenarios:

  • If Cytomic Encryption encrypted a computer through its settings, Cytomic Encryption can also decrypt it.

  • If a computer was previously encrypted and the agent assigns encryption settings on install, Cytomic Encryption sees the computer as encrypted and you can use Cytomic Encryption settings to decrypt it.

  • If a computer was previously encrypted and the agent does not assign encryption settings on install, Cytomic Encryption does not class the computer as encrypted and you cannot use Cytomic Encryption settings to decrypt it.

Local editing of BitLocker settings

When a user changes BitLocker settings locally, for example by manually decrypting a drive from the Windows Control Panel, the local changes automatically revert to the settings made in the management console. Cytomic Encryption responds to a change of this type as follows:

  • Disable automatic locking of a drive: It reverts to automatic locking.

  • Remove the password for a drive: A new password is requested.

  • Decrypt a drive previously encrypted by Cytomic Encryption: The drive is automatically encrypted.

  • Encrypt a decrypted drive: If the Cytomic Encryption settings profile implies decrypting drives, the user action takes precedence and the drive is not decrypted.

Encrypting and decrypting external hard drives and USB drives

Because users can connect and disconnect external storage devices from their computers at any time, the way Cytomic Encryption works with these devices is as follows:

  • If the workstation or server does not have BitLocker installed and running, the agent does not download the required packages, the device is not encrypted, and no message is shown to the user.

  • If the computer has BitLocker installed and running, a pop-up message is shown to the user prompting them to encrypt the device in the following situations:

    • Each time a user connects an unencrypted drive.

    • If there is an unencrypted device connected to the computer at the time the administrator enables the encryption settings profile from the web console.

  • The message shows for five minutes. Regardless of whether the user agrees to encrypt the device or not, they are able to use it normally, unless a settings profile has been configured that prevents the use of unencrypted devices. For more information, see Write to removable storage drives.

  • The encryption process does not require the creation of a system partition.

  • If the external storage device is already encrypted by a solution other than Cytomic Encryption, and the user connects it to their computer, the encryption message is not shown and the device can be used normally. Cytomic Encryption does not send the recovery keys to the web console.

  • Unless configured otherwise, an unencrypted drive can be used. However, if the Write to removable storage drives option is enabled in the Cytomic Data Watch settings and the drive was not encrypted by Cytomic Encryption or BitLocker, you cannot write to the drive. For more information, see Write to removable storage drives.

  • To decrypt a device encrypted by Cytomic Encryption, the user can use BitLocker manually.

  • Only the used space of a drive is encrypted.

  • The same key encrypts all partitions on the external drive.

If you remove an external drive while encryption is in progress, the contents of the drive might be corrupted.
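The behaviour described for external drives maps directly onto the BitLocker cmdlets: encrypting only used space, adding a password protector plus a recovery password for the whole volume, waiting for the encryption to finish before the drive is removed, and manual decryption. The following PowerShell script is an added example and not Cytomic Encryption code; the choice of XtsAes256 and of a password protector are assumptions, since the page does not state which protector type or method is applied to removable drives.

```powershell
# Added example: handle a removable drive with the BitLocker cmdlets in line with the
# behaviour the page describes. Not Cytomic Encryption code. Run elevated.

function Get-UnencryptedRemovableVolumes {
    # Drive letters of removable volumes that BitLocker reports as fully decrypted.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            if ($bl -and $bl.VolumeStatus -eq 'FullyDecrypted') { $mp }
        }
}

function Protect-RemovableVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )
    # -UsedSpaceOnly matches "only the used space of a drive is encrypted"; a single
    # volume key covers the whole volume. Enable-BitLocker takes one protector per call,
    # so the recovery password is added afterwards and returned for escrow (never printed).
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -UsedSpaceOnly -EncryptionMethod XtsAes256 | Out-Null
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    return ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

function Wait-UntilEncrypted {
    param([string]$MountPoint, [int]$PollSeconds = 5)
    # Removing the drive before this returns risks corrupting its contents.
    do {
        $bl = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}%)" -f $MountPoint, $bl.VolumeStatus, $bl.EncryptionPercentage)
        if ($bl.VolumeStatus -eq 'FullyEncrypted') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ($bl.VolumeStatus -eq 'EncryptionInProgress')
    return $false
}

# Interactive usage: encrypt every currently connected unencrypted removable volume.
foreach ($mp in Get-UnencryptedRemovableVolumes) {
    $pw       = Read-Host -AsSecureString "BitLocker password for $mp"
    $recovery = Protect-RemovableVolume -MountPoint $mp -Password $pw
    # Store $recovery in your key escrow before the drive leaves the machine;
    # it is the only way to unlock the volume if the password is lost.
    Wait-UntilEncrypted -MountPoint $mp | Out-Null
}

# Manual decryption of a drive, as in the bullet above: Disable-BitLocker -MountPoint 'E:'
```

Wait-UntilEncrypted is the check to run before unplugging a drive: VolumeStatus stays at EncryptionInProgress until the used space has been processed, and only FullyEncrypted means the drive can be removed safely.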