Cytomic Encryption (Device encryption)

Cytomic Encryption is a built-in module of the Cytomic platform that encrypts the contents of the data storage media connected to the computers managed by Advanced EDR. This minimizes the exposure of corporate data in the event of loss or theft, and when storage devices are removed without the data having been deleted first.

Cytomic Encryption is compatible with certain versions of Windows 7 and higher and with certain versions of macOS (see Supported Windows operating systems). It enables you to monitor the encryption status of network computers and to centrally manage their recovery keys. It also takes advantage of hardware resources such as TPM chips, giving you flexibility when choosing the optimum authentication system for each computer.

Introduction to encryption concepts

Cytomic Encryption uses tools integrated in the Windows and macOS operating systems to manage encryption on network computers protected with Advanced EDR.

To help you understand the processes involved in the encryption and decryption of information, we present some concepts related to the encryption technology we use.

TPM

TPM (Trusted Platform Module) is a chip installed on the motherboard of some desktops, laptops, and servers. Its main aim is to protect sensitive user data, stored passwords, and other information used in login processes.

TPM also detects changes in the boot events of the computer, for example preventing access to a hard drive from a computer other than the one used to encrypt it.

Cytomic Encryption supports TPM versions 1.2 and higher. If possible, use TPM technology along with other supported authentication systems. If you disabled the TPM chip in the BIOS settings of your computer, you might have to manually enable the chip from the BIOS.

Supported authentication types

Login password

On macOS operating systems, the authentication method used is the login password. It is compatible with all macOS versions supported by Cytomic Encryption.

PIN

A PIN (Personal Identification Number) is a sequence of numbers that works as a simple password and is requested when you boot a computer that has an encrypted drive. Without the PIN, the boot sequence is not completed and you cannot access the computer. Compatible with all supported versions of Windows.

Extended PIN

If the hardware is compatible, Cytomic Encryption uses an extended (enhanced) PIN, which combines letters and numbers to increase the complexity of the password.

Because the extended PIN is requested in the computer boot process prior to loading the operating system, BIOS limitations might restrict keyboard input to the 7-bit ASCII table.

Additionally, on computers with a keyboard layout other than EN-US, such as QWERTZ or AZERTY keyboards, errors can occur when the extended PIN is entered. For this reason, before setting the extended PIN for the computer encryption process, Cytomic Encryption checks that the characters the user entered belong to the EN-US keyboard layout.

Compatible with all supported versions of Windows.
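The pre-boot constraint described above (7-bit ASCII only, EN-US keyboard characters only) can be checked before a PIN is accepted. The following is an added example, not Cytomic's own code; the length bounds and the sample PINs are constructed assumptions, and the check covers characters only, so it cannot detect a layout transposition such as a swapped Y and Z on a QWERTZ keyboard.

```python
# Added example (not part of the Cytomic documentation): pre-validate a
# candidate extended PIN against the pre-boot limits the page describes.
import string

MIN_LEN = 6   # assumed lower bound for illustration, not taken from the page
MAX_LEN = 20  # assumed upper bound for illustration, not taken from the page

# Printable 7-bit ASCII (0x20-0x7E) is exactly the set of characters an EN-US
# keyboard produces without dead keys or AltGr. string.printable is avoided
# because it also contains \t, \n and other control characters.
EN_US_CHARS = frozenset(
    string.ascii_letters + string.digits + string.punctuation + " "
)


def check_extended_pin(pin: str) -> list[str]:
    """Return a list of problems; an empty list means the PIN is acceptable."""
    problems = []
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append(f"length {len(pin)} is outside {MIN_LEN}-{MAX_LEN}")
    for ch in pin:
        code = ord(ch)
        if code > 0x7F:
            # e.g. accented letters or umlauts typed on a non-EN-US layout
            problems.append(f"U+{code:04X} {ch!r} is outside 7-bit ASCII")
        elif ch not in EN_US_CHARS:
            # ASCII but not typeable at the pre-boot prompt (tab, CR, ...)
            problems.append(f"U+{code:04X} is a control character")
    return problems


def is_extended_pin(pin: str) -> bool:
    return not check_extended_pin(pin)


def classify_pin(pin: str) -> str:
    """Digits only is a plain PIN; anything else needs extended PIN support."""
    return "PIN" if pin.isdigit() else "extended PIN"


if __name__ == "__main__":
    # Constructed sample inputs, not real PINs.
    for sample in ["Tr0ub4dor&3", "Stra\u00dfe123", "abc\tdef123", "123456"]:
        print(repr(sample), classify_pin(sample), check_extended_pin(sample))
```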

Passphrase

A passphrase is similar to a password but is typically longer. It consists of alphanumeric characters and is equivalent to the extended PIN.

Cytomic Encryption prompts users for different types of passwords based on these circumstances:

  • Passphrase: If the computer has a TPM chip installed.

  • Extended PIN: If the computer operating system and hardware support it.

  • PIN: If the other options are not valid.

Only available on Windows 8 computers and higher without a TPM chip.

USB key

Enables you to store the encryption key on a USB device formatted with the NTFS, FAT, or FAT32 file system. With a USB key, you do not need to enter a password to boot the computer. However, the USB device with the startup password must be plugged into a USB port on the computer.

Required on Windows 7 computers without a TPM chip.

Some older PCs cannot access USB drives during the boot process. Verify whether the computers in your organization can access USB drives from the BIOS.

Recovery key

When Cytomic Encryption detects unusual activity on a protected computer, it prompts the user to enter a BitLocker recovery key. This key is managed from the management console and must be entered to complete the boot process.

Cytomic Encryption stores the recovery keys for all encrypted computer drives that it manages. The management console does not show keys for computers encrypted by users or not managed by Cytomic.

The recovery key is requested in these scenarios:

  • A user makes repeated attempts to enter an incorrect PIN or password while the device boots up.

  • A Trusted Platform Module (TPM) chip detects a change in the boot sequence.

  • Changes are made to the computer motherboard.

  • TPM content is deleted or disabled.

  • Changes are made to the computer boot settings.

  • The startup process is changed, for example by:

    • BIOS update.

    • Firmware update.

    • UEFI update.

    • Changes to the boot sector.

    • Changes to the master boot record.

    • Changes to the boot manager.

    • Changes to the firmware (Option ROM) in certain components that are part of the boot process (video cards, disk controllers, etc).

    • Changes to other components that are part of the initial boot phases.

BitLocker

BitLocker is software included with some versions of Windows 7 and higher operating systems. It encrypts and decrypts the data stored on computer drives. If BitLocker is not already installed, Cytomic Encryption installs it automatically on supported drives and then manages those drives.

FileVault

FileVault is software built into macOS operating systems. It automatically encrypts all files on the computer's hard disk or SSD.

System partition

On Windows operating systems, a system partition is a small area of the hard disk that remains unencrypted and is required for the computer to complete the boot process correctly. Cytomic Encryption automatically creates this system partition if it does not already exist.

Encryption algorithm

For Windows, Cytomic Encryption uses the AES (256-bit) encryption algorithm, although computers with drives that users encrypted using other algorithms are also compatible.

For macOS, the algorithm used is AES-XTS.