Full Disk Encryption

With Full Disk Encryption, data on endpoint computers is protected against unauthorized access. Drives are encrypted transparently and Power-on Authentication (POA) provides an additional authentication mechanism before the operating system starts. You can manage Full Disk Encryption with Sophos Enterprise Console 5.1.

Sophos Disk Encryption agent system requirements

*  The installation needs at least 300 MB of free hard disk space. For the Sophos Disk Encryption agent, at least 100 MB of this free space must be one contiguous area. Please defragment your system before installation if you have below 5 GB free hard disk space and your operating system is not freshly installed to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space” and cannot be supported.

** This memory space is recommended. Not all of this memory is used by Sophos Disk Encryption.

Required software: Internet Explorer version 6.0 or higher

Languages supported: English, French, German, Italian, Japanese, Spanish

SafeGuard Policy Editor system requirements

You only need to install the SafeGuard Policy Editor 5.61 in the following case: When you have multiple independent Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x environments with different company certificates and want to merge them into one environment, you need to carry out a company certificate change in the SafeGuard Policy Editor 5.61.

* This memory space is recommended. Not all of this memory is used by SafeGuard Policy Editor.

Required software: .NET Framework 3.0 SP1

Languages supported: English, French, German, Japanese

General

• Novell Client

  To use Sophos Disk Encryption 5.61 in combination with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.

• Fast user switching is not supported and must be disabled.

  Before the installation is started, it is verified that only one user is logged on. Logging on with another user during installation is not supported.

• Floppy drive

  After installing Sophos Disk Encryption 5.61 on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

• Partition resizing not supported

  Resizing any partition on an endpoint where Sophos Disk Encryption 5.61 is installed is not supported.

• Boot time increase

  Boot time increases by about one minute after installing Sophos Disk Encryption 5.61 on an endpoint.

• Virtualization platform support

  Sophos Disk Encryption only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, MS Virtual PC or MS HyperV are not supported.

• (DEF82166) On a Japanese operating system, logon recovery using Local Self Help may fail because Japanese characters cannot be entered at Power-on Authentication (POA).

  In the Local Self Help Wizard, on Japanese operating systems, users can define answers to questions for logon recovery in Japanese characters. But when answering these questions during logon recovery in the POA, Japanese characters are not supported. If the answers entered in the Wizard and in the POA do not match, logon cannot be recovered.

  Workaround: When entering answers in Japanese in the Local Self Help Wizard, you have to use Romaji (Roman) characters. Otherwise the answers will not match when you answer the questions in the POA.

Encryption

• (DEF69429) On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk

  The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB size. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls in the range of sector numbers of the unaccessible area, Sophos Disk Encryption will not be able to activate the OPAL encryption for such a drive.

  Workaround: Relocate the start partition to the beginning of the disk.

• (DEF69695) OPAL restrictions

  The Sophos Disk Encryption support for OPAL self-encrypting drives has the following limitations:

  • OPAL mode encryption can only be activated for one OPAL drive per machine.
  • If more than one OPAL drive is present and an encryption policy is assigned to any of its volumes, these will be software encrypted just as on a non-self-encrypting drive. This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted.
  • If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
  • The first sector of the start partition of the disk must be located within the first 128 MB.

• (DEF70019) Do not use Windows Hybrid Sleep mode on OPAL machines

  On computers with an OPAL self-encrypting drive, activating Allow hybrid sleep in the Advanced Power Options dialog may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep.

• (DEF69207) OPAL Self Encrypting Drives become unusable in case of a lost encryption key

  According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost. This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting. Sophos Disk Encryption will prompt the user to back up the key file, but in case this data is lost, the described scenario applies.

• (DEF69207) OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged

  Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of Sophos Disk Encryption, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset an OPAL drive managed by Sophos Disk Encryption. For security reasons, this tool is available from Sophos' customer service.

• (DEF66126) Resume from Sleep fails when Windows' MSAHCI driver is installed on a computer with an activated OPAL drive

  When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI hard disk driver is installed. MSAHCI has been introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not Windows XP.

  Workarounds: If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully. Change the BIOS setting for the hard disk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...).

• (DEF68440) Security concerns when using Solid State Drives (SSD)

  On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location of where any data is being stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally. This has several implications for the security of the stored data, see http://www.sophos.com/en-us/support/knowledgebase/113334.aspx. The most important one being as follows: Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of Sophos Disk Encryption starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished. Please note that this issue is not specific to Sophos Disk Encryption but applies to any software-based full disk encryption system.

• (DEF65729, DEF66438, DEF58796) full disk encryption for removable eSATA drives does not work as expected

  Currently, most external eSATA drives fail to advertise themselves as a removable device. This leads to those drives being treated by Sophos Disk Encryption as an internal drive and all corresponding policies will apply. We do not recommend to use eSATA drives in a Sophos full disk encryption environment unless the applied encryption policies explicitly take this into account.

• Encryption of Virtual Drives

  Virtual drives that are mounted on the endpoint (e.g. VHD file into Windows using Microsoft Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for other volumes is defined.

• During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) Suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a restart is required before Suspend to disk works properly again.

Windows XP

• Microsoft Windows XP up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to endpoints with Sophos Disk Encryption. This should be fixed with Windows XP SP3.
• Microsoft Windows XP has a technical limitation in its kernel stack. If several file system filter drivers (for example anti-virus software) are installed, the memory might not be sufficient. In this case you might get a BSOD. Sophos cannot be made liable for this Windows limitation and cannot solve this issue.

Compatibility

• (WKI81667) SDE 5.61 is not compatible with third-party full disk encryption solutions such as Microsoft BitLocker Drive Encryption and cannot be used on the same endpoint.

  If SDE 5.61 is installed on an endpoint but the drive is not encrypted and then Microsoft BitLocker Drive encryption is installed on top and used to protect the endpoint, the LocalCache will be corrupted causing the endpoint to restart. Further restarts then result in a restart loop.

  Workaround: Do not install third-party full disk encryption solutions on an endpoint with SDE 5.61 installed.

• (DEF69644) SafeGuard LAN Crypt needs a repair when uninstalling the Sophos Disk Encryption 5.61 agent on the same computer. 

  An uninstallation of Sophos Disk Encryption 5.61 on a computer that has the SafeGuard LAN Crypt Client (SGLC) installed leads to an internal driver error when the user tries to load their SGLC keyring. 

  Workaround:  Run a repair installation on the SafeGuard LAN Crypt Client package. 
• (DEF69092) SafeGuard RemovableMedia and Sophos Disk Encryption 5.61 cannot be run on the same endpoint. The discontinued SafeGuard RemovableMedia product must be uninstalled before using any Sophos Disk Encryption 5.61 components on the same computer.
• Empirum Security Suite Agent

  If Sophos Disk Encryption 5.61 software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

  BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

  This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite. Please contact Matrix42 support for latest details/updates on this issue.

• AbsoluteSoftware Computrace

  Sophos Disk Encryption 5.61 fails to install on endpoints which have AbsoluteSoftware Computrace with activated track-0 based persistent agent installed.

• Compatibility with imaging tools has not been tested and is therefore not supported by Sophos.

Upgrading

• When upgrading from Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x to Sophos Disk Encryption 5.61, POA bitmaps are not updated to the new Sophos branding.

• When upgrading to SafeGuard Enterprise managed encryption, the SafeGuard Management Center and SafeGuard Enterprise Server must have at least version 6.0.