Full Disk Encryption

With BigFix MCM, you can centrally manage the native full-disk encryption technologies from Windows (BitLocker) and macOS (FileVault2) to secure data at rest.

Full disk encryption

Full disk encryption (FDE) is a technology which protects information at the hardware level by automatically converting it into unreadable code that cannot be deciphered easily by unauthorized people. It is used to prevent unauthorized access to data storage. Without the proper authentication key, even if the hard drive is removed and placed in another machine, the data remains inaccessible.

Benefits of FDE

BigFix MCM provides a hybrid FDE solution through which you can:

  • Enforce data encryption through an MDM policy
  • Enable or disable data encryption
  • Query encryption status of the endpoints
  • Get a report of compliant vs. non-compliant endpoints
  • Secure and manage encryption keys (key escrow)
Note:
  • FDE involves user interaction to continue with setup, enter password at start up to start encryption process, or to start OS after the forced restart.
  • On macOS, encrypting secondary drives or enforcement of encryption of removable drives is not supported.

Supported Operating Systems

BigFix MCM supports the native FDE technologies from the following operating systems:

Prerequisites

  • Enrollment to BigFix MCM.

  • Versions of Operating Systems that are supported by BigFix MCM (Windows, macOS).

  • If BES server is installed on a RHEL 8 machine, you must register the RHEL instance on RHN for the yum command to run by default. Then run the following yum command:
    yum install libnsl

  • BES server plugin service

Note: The system requirements and the limitations specific to Windows BitLocker and macOS FileVault2 are applicable as appropriate for BigFix MCM FDE feature as well.

How to configure FDE

  1. Set up the BES Server Plugin Service (Fixlet 708 in BES Support)
  2. Recovery Key Escrow Configuration

Regenerate Encryption Recovery Key

The certificate and private key used to escrow recovery keys can be regenerated if needed. Caution must be taken when doing this, as any in-progress encryption actions cannot be decrypted and escrowed. You must wait until there are no open actions and devices have had time to report recovery keys, and the escrow plugin has had time to process them.

To retrieve escrowed recovery keys, operator or support person must log in directly to the Vault server interface (if you have set up vault, you can use the bigfix-read access token) The credentials used to login to the Vault server are set at the time of installing Vault. These credentials are different from the BigFix credentials. The 'bigfix' secret engine contains the recovery keys. Recovery keys are stored in folders based on the last digit of the BigFix computer ID. Once you are inside a folder, you can search using the computer ID, computer name or user. The name of the entry in Vault has these values as of the time the recovery key was escrowed.

If you suspect an encryption recovery key has been compromised, or if you want to rotate recovery keys as part of your organizations best practices, recovery keys can be regenerated through WebUI, see Regenerate Encryption Recovery Key