With Full Disk Encryption, data on endpoint computers is protected against unauthorized access. Drives are encrypted transparently and Power-on Authentication (POA) provides an additional authentication mechanism before the operating system starts. You can manage Full Disk Encryption with Sophos Enterprise Console 5.1.
For more information about the new features, see the Sophos Enterprise Console Help and the Sophos Disk Encryption Help.
Platforms supported | 32-bit | 64-bit | IA-64 (Itanium) | Recommended available disk space | Minimum RAM |
---|---|---|---|---|---|
Windows 7, SP1 Home Premium/Enterprise/Ultimate/Professional | Yes | Yes | | 300 MB* | 1 GB** |
Windows Vista SP1, SP2 Enterprise/Ultimate/Business | Yes | Yes | | 300 MB* | 1 GB** |
Windows XP Professional SP2, SP3 | Yes | | | 300 MB* | 1 GB** |
* The installation needs at least 300 MB of free hard disk space. For the Sophos Disk Encryption agent, at least 100 MB of this free space must be one contiguous area. If you have less than 5 GB of free hard disk space and your operating system is not a fresh installation, defragment the system before installing to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space" and cannot be supported.
** This memory space is recommended. Not all of this memory is used by Sophos Disk Encryption.
Required software: Internet Explorer version 6.0 or higher
Languages supported: English, French, German, Italian, Japanese, Spanish
You only need to install the SafeGuard Policy Editor 5.61 in one case: when you have multiple independent Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x environments with different company certificates and want to merge them into one environment, the required company certificate change must be carried out in the SafeGuard Policy Editor 5.61.
Platforms supported | 32-bit | 64-bit | IA-64 (Itanium) | Recommended available disk space | Minimum RAM |
---|---|---|---|---|---|
Windows 7, SP1 Enterprise/Ultimate/Professional | Yes | Yes | | 1 GB | 1 GB* |
Windows Vista SP1, SP2 Enterprise/Ultimate/Business | Yes | Yes | | 1 GB | 1 GB* |
Windows XP Professional SP2, SP3 | Yes | | | 1 GB | 1 GB* |
Windows Server 2008 SP1, SP2 | Yes | Yes | | 1 GB | 1 GB* |
Windows Server 2008 R2, SP1 | | Yes | | 1 GB | 1 GB* |
Windows Server 2003 SP1, SP2 | Yes | Yes | | 1 GB | 1 GB* |
Windows Server 2003 R2 SP1, SP2 | Yes | Yes | | 1 GB | 1 GB* |
Windows Small Business Server 2003, 2008, 2011 | | | | 1 GB | 1 GB* |
* This memory space is recommended. Not all of this memory is used by SafeGuard Policy Editor.
Required software: .NET Framework 3.0 SP1
Languages supported: English, French, German, Japanese
Check the keyboard layouts that are supported at Power-on Authentication:
http://www.sophos.com/en-us/support/knowledgebase/112782.aspx.
Sophos Disk Encryption has been successfully tested against concurrent installations of anti-virus products by Sophos as well as the following:
Manufacturer | Product | Version |
---|---|---|
AVG | Free Anti-Virus Small Business Edition 2011 | 10.0.1153 |
Computer Associates | Security Center Version | 6.0.0.285 |
F-Secure | Anti Virus 2011 | 10.51 |
G Data | AntiVirus Version 2011 | 21.1.0.5 |
Kaspersky | Internet Security Version 2011 | 11.0.0.232 |
Symantec | Endpoint Protection | 11.0.6 |
Trend Micro | Titanium Internet Security 2011 | |
McAfee | Internet Security 2011 | |
Norman | Virus Control | 2010.02.22 |
Microsoft | Security Essentials | |
Symantec PGP Desktop versions 10.0 and 10.1
TrueCrypt versions 6.3a and 7.0a
Checkpoint version 7.3va
McAfee version 1.2.0
Microsoft BitLocker Drive Encryption
To use Sophos Disk Encryption 5.61 in combination with a Novell Client, some project-specific adaptations are necessary. Please contact Sophos Support for further information.
Before the installation is started, it is verified that only one user is logged on. Logging on with another user during installation is not supported.
After installing Sophos Disk Encryption 5.61 on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.
Resizing any partition on an endpoint where Sophos Disk Encryption 5.61 is installed is not supported.
Boot time increases by about one minute after installing Sophos Disk Encryption 5.61 on an endpoint.
Sophos Disk Encryption only supports VMware Workstation and VMware Player as virtualization platforms. All other platforms, such as VMware ESX/ESXi Server, Microsoft Virtual PC or Microsoft Hyper-V, are not supported.
In the Local Self Help Wizard, on Japanese operating systems, users can define answers to questions for logon recovery in Japanese characters. But when answering these questions during logon recovery in the POA, Japanese characters are not supported. If the answers entered in the Wizard and in the POA do not match, logon cannot be recovered.
Workaround: When entering answers in Japanese in the Local Self Help Wizard, you have to use Romaji (Roman) characters. Otherwise the answers will not match when you answer the questions in the POA.
(DEF69429) On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's first partition falls within the sector range of the inaccessible area, Sophos Disk Encryption is not able to activate OPAL encryption for that drive.
Workaround: Relocate the start partition to the beginning of the disk.
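The condition described above can be checked before OPAL mode is rolled out to a fleet. The following Python is an added example and is not part of the Sophos release notes or product: it parses a classic MBR partition table from a 512-byte sector image and reports where the first partition starts relative to the 128 MB Shadow MBR window the OPAL specification requires. The 512-byte logical sector size and the `INACCESSIBLE_PLACEHOLDER` range are assumptions, because the page does not state which sectors the MGT00A firmware cannot access; the sample MBRs are constructed.

```python
"""Pre-check for the OPAL Shadow MBR / first-partition placement issue.

Added example, not Sophos code. Assumptions: 512-byte logical sectors;
the exact sector range the affected firmware cannot read or write is not
published on the page, so it is passed in as a clearly labelled placeholder.
"""
import struct

SECTOR_SIZE = 512                                           # assumption
SHADOW_MBR_SECTORS = (128 * 1024 * 1024) // SECTOR_SIZE     # 128 MB = 262144 sectors

# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4) = 16 bytes
_ENTRY_FMT = "<B3xB3xII"


def make_mbr(entries):
    """Build a constructed 512-byte MBR from (type, start_lba, sector_count) tuples."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries[:4]):
        # CHS fields stay zero; only the LBA fields matter for this check.
        status = 0x80 if i == 0 else 0x00
        struct.pack_into(_ENTRY_FMT, mbr, 446 + 16 * i, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr_partitions(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        _status, ptype, lba_start, count = struct.unpack(_ENTRY_FMT, entry)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba_start, count))
    return parts


def first_partition_start(mbr: bytes) -> int:
    """Lowest start LBA among the partitions; this is the 'start partition' of the page."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        raise ValueError("MBR has no partitions")
    return min(p[1] for p in parts)


def shadow_mbr_check(mbr: bytes, inaccessible=(None, None)) -> dict:
    """Classify the first partition's start sector against the Shadow MBR window.

    inaccessible is a half-open (lo, hi) sector range that the firmware cannot
    read or write; (None, None) means unknown, so only the window test is done.
    """
    start = first_partition_start(mbr)
    lo, hi = inaccessible
    return {
        "start_lba": start,
        "start_mb": start * SECTOR_SIZE / (1024 * 1024),
        "inside_shadow_mbr": start < SHADOW_MBR_SECTORS,
        "inside_inaccessible_range": lo is not None and lo <= start < hi,
    }


# Constructed sample 1: Windows 7 style layout, system partition at LBA 2048 (1 MB).
SAMPLE_OK = make_mbr([(0x07, 2048, 204800), (0x07, 206848, 41736192)])
# Constructed sample 2: the 100 MB system partition was deleted, leaving a gap, so
# the first remaining partition starts at LBA 206848 (101 MB into the disk).
SAMPLE_GAP = make_mbr([(0x07, 206848, 41736192)])
# PLACEHOLDER: upper half of the 128 MB window; the real firmware range is not on the page.
INACCESSIBLE_PLACEHOLDER = (131072, SHADOW_MBR_SECTORS)

if __name__ == "__main__":
    for name, img in (("ok", SAMPLE_OK), ("gap", SAMPLE_GAP)):
        r = shadow_mbr_check(img, INACCESSIBLE_PLACEHOLDER)
        verdict = "relocate first partition to start of disk" if r["inside_inaccessible_range"] else "ok"
        print(f"{name}: first partition at LBA {r['start_lba']} ({r['start_mb']:.1f} MB): {verdict}")
```

On a real endpoint the 512-byte image would be read from sector 0 of the boot disk (for example with a disk-imaging tool, or `Get-Disk`/`Get-Partition` output on newer Windows versions gives the offsets directly); the check flags a layout that the page's workaround, moving the first partition to the beginning of the disk, would resolve.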
The Sophos Disk Encryption support for OPAL self-encrypting drives has the following limitations:
(DEF70019) Do not use Windows Hybrid Sleep mode on OPAL machines
On computers with an OPAL self-encrypting drive, activating Allow hybrid sleep in the Advanced Power Options dialog may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep.
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost. This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting. Sophos Disk Encryption will prompt the user to back up the key file, but in case this data is lost, the described scenario applies.
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of Sophos Disk Encryption, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset an OPAL drive managed by Sophos Disk Encryption. For security reasons, this tool is available from Sophos' customer service.
When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI hard disk driver is installed. MSAHCI has been introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not Windows XP.
Workarounds: If the hardware configuration allows it, use the appropriate IAStore driver instead; the "Intel RST driver package v10.1.0.1008" has been tested successfully. Alternatively, change the BIOS setting for the hard disk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility).
On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location where data is stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally. This has several implications for the security of the stored data; see http://www.sophos.com/en-us/support/knowledgebase/113334.aspx. The most important is: only data that has been written to an SSD volume after an encryption policy has been activated is cryptographically secure. In turn, any data that was already on the SSD before the initial encryption process of Sophos Disk Encryption started cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished. Please note that this issue is not specific to Sophos Disk Encryption but applies to any software-based full disk encryption system.
Currently, most external eSATA drives fail to advertise themselves as removable devices. Sophos Disk Encryption therefore treats such drives as internal drives, and all corresponding policies apply to them. We do not recommend using eSATA drives in a Sophos full disk encryption environment unless the applied encryption policies explicitly take this into account.
Virtual drives that are mounted on the endpoint (e.g. a VHD file mounted into Windows using the Microsoft Virtual Server mounter) are considered local hard drives, so their contents will also be encrypted if an encryption policy for other volumes is defined.
If SDE 5.61 is installed on an endpoint but the drive is not encrypted, and Microsoft BitLocker Drive Encryption is then installed on top and used to protect the endpoint, the LocalCache is corrupted, causing the endpoint to restart. Further restarts then result in a restart loop.
Workaround: Do not install third-party full disk encryption solutions on an endpoint with SDE 5.61 installed.
An uninstallation of Sophos Disk Encryption 5.61 on a computer that has the SafeGuard LAN Crypt Client (SGLC) installed leads to an internal driver error when the user tries to load their SGLC keyring.
Workaround: Run a repair installation on the SafeGuard LAN Crypt Client package.
If Sophos Disk Encryption 5.61 is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD on system startup:
Stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum software components. A fix for it will be included in Empirum Security Suite. Please contact Matrix42 support for the latest details and updates on this issue.
Sophos Disk Encryption 5.61 fails to install on endpoints that have Absolute Software Computrace installed with the track-0-based persistent agent activated.
When upgrading from Sophos SafeGuard Disk Encryption/SafeGuard Easy 5.x to Sophos Disk Encryption 5.61, POA bitmaps are not updated to the new Sophos branding.
When upgrading to SafeGuard Enterprise managed encryption, the SafeGuard Management Center and SafeGuard Enterprise Server must have at least version 6.0.
(DEF76145) Sophos Disk Encryption Help launched from "User Machine Assignments" dialog did not display the help page
Clicking on the help button on the "User Machine Assignments" dialog now launches the corresponding help page.
(DEF79546) Sophos Disk Encryption POA only deployment and restart is not correctly reported
Users are now prompted to do a further restart after encryption agent installation to activate POA.
(DEF78786) POA exceptions not working as expected
POA exceptions now take effect as expected on the encryption agent.
You can find technical support for Sophos products in any of these ways:
Copyright © 2012 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
You can find copyright information on third-party suppliers in the Disclaimer and Copyright for 3rd Party Software document in your product directory.