This article details the best practices to use prior to performing Symantec Drive Encryption 10.3.2 and above as well as Symantec Endpoint Encryption 11.1.3 and above.
The following best practices are recommended for preparing to encrypt your disk with Symantec Drive Encryption. Please follow the recommendations below to protect your data during and after encryption. Before you encrypt your disk, there are a few tasks you must perform to ensure successful initial encryption of the disk.
1. Determine whether your target disk is supported.
Symantec Endpoint Encryption and Symantec Drive Encryption secures your desktop or laptop disks (either partitions, or the entire disk), external disks, and USB flash disks. CD-RW/DVD-RWs are not supported using Drive Encryption.
Supported Disk Types
- SSDs (Fully supported with all versions). As part of SSD performance technology, see article TECH180373 for tips to ensure best performance using TRIM.
- NVMe Drives (Supported starting in version 10.3.2 MP13)
- M2 Drives (Fully supported)
- Desktop or laptop disks, including solid-state drives (either partitions, or the entire disk).
- External disks, excluding music devices and digital cameras.
- USB flash disks.
- GPT partitions with UEFI for Windows 8: Refer to article TECH203071 for more details and requirements on UEFI support and Symantec Drive Encryption (Windows 7 UEFI is supported only with 64-bit and Symantec Drive Encryption 10.3.2 and above).
- The following formatted disks or partitions are supported: 04 (FAT16), 06 (FAT16B), 07 (NTFS), 0B (FAT32).
Unsupported Disk Types
- Dynamic disks.
- SCSI/SAS drives/controllers.
NOTE: MSINFO32 reports will commonly misreport some drives, such as SSDs as SCSI. This can be ignored when reviewing these types of reports. Validating the drive is, in fact, SSD is enough and will not cause any issues with Drive Encryption.
- Software RAID disks.
- Diskettes and CD-RW/DVD-RWs.
- exFAT formatted disks.
- Any configuration where the system partition is not on the same disk as boot partition.
Warning on Basic-to-Dynamic Disk Conversion: Never perform a conversion from a Basic disk format to a Dynamic disk on the boot drive of a system that has already been protected using Symantec Endpoint Encryption or Symantec Drive Encryption. This conversion, from a basic-type disk to a dynamic one will render the drive unusable.
2. Confirm Operating System support.
See the System requirements articles for full details:
TECH236572 - Symantec Encryption Desktop 10.4.1 for Windows - System Requirements
INFO3170 - Symantec Endpoint Encryption 11.1.x for Windows - System Requirements
Note: See the following article TECH203071 - Running Symantec Encryption Desktop on Microsoft Windows 8 UEFI Systems for more information on using Drive Encryption on Windows 8 systems.
3. Confirm keyboard support (Symantec Encryption Desktop 10).
Be sure that you are using a keyboard with one of the supported languages. For a list of the supported languages, see the following links for your operating system:
4. Back up the disk before you encrypt it.
Before you encrypt your disk, be sure to back up the data so that no data will be lost if your laptop or computer is lost, stolen, or you are unable to decrypt the disk. Also be sure to make regular backups of your disk.
5. Ensure the health of the disk before you encrypt it.
If Symantec Drive Encryption or Symantec Endpoint Encryption encounters a hard drive or partition with bad sectors, the encryption process will pause. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.
In Symantec Encryption Management Server or Symantec Endpoint Encryption Management Server managed environments, if a hard drive or partition with bad sectors is encountered, an event is added in the server logs.
Before you attempt to use Symantec Drive Encryption products, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors. Third-party software such as SpinRite or Norton Disk Doctor can correct errors that would disrupt the encryption of the disk.
Note: As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt the disk.
6. Create a recovery disk.
While the chances are extremely low that a master boot record could become corrupt on a boot disk or partition protected by Symantec Drive Encryption or Symantec Endpoint Encryption, it is possible. Before you encrypt a boot disk or partition using Drive Encryption, create a recovery disk.
See the following articles for Recovery using WinPE:
For Symantec Drive Encryption 10.4 Recovery ISOs, see article TECH235059.
7. Be certain that you will have AC power for the duration of the encryption process.
Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power.
Do not remove the power cord from the system before the encryption process is over. If loss of power during encryption is a possibility or if you do not have an uninterruptible power supply for your computer consider choosing the Power Failure Safety option.
8. If encrypting a Laptop set the Power Management options to Performance/Always On.
Almost all laptops are configured to use the Power Save or Balanced modes of Power Management. This can cause the CPU and Hard Disk to throttle back as well as hibernate to conserve energy. The problem with this is that it can either extend or interrupt the Whole Disk Encryption process making it progress much more slowly.
To ensure maximum speed for encryption we recommend changing the Power Management profile to be Performance or Always On for the duration of the encryption process.
Please consult your Laptop Manufacturers Documentation or the Help section of your Operating System for steps on modifying these settings.
9. Run a pilot test to ensure software compatibility.
As a good security practice, it is recommended to test Symantec Drive Encryption on a small group of computers to ensure that are not any conflicts with any software on the computer before rolling it out to a large number of computers. This is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.
The following software is not compatible with Symantec Drive Encryption:
- Faronics Deep Freeze (any edition)
- Utimaco Safeguard Easy 3.x
- Absolute Software's CompuTrace laptop security and tracking product. Drive Encryption is compatible only with the BIOS configuration of CompuTrace. Using CompuTrace in MBR mode is not compatible.
- Caution: Any other Drive Encryption software should be completely removed prior to installing Symantec Drive Encryption or Symantec Endpoint Encryption. Having two drive encryption solutions may render a machine unusable and unrecoverable, and is unsupported.
10. Perform Disk Recovery on Decrypted Disks.
Where possible, as a best practice, if you need to perform any disk recovery activities on a disk protected with Drive Encryption, it is recommended that you first decrypt the disk. Once the disk is decrypted, proceed with your recovery activities.
11. Windows Upgrades for Windows 10
In order to perform an in-place upgrade, please consult the following articles to successfully upgrade:
HOWTO125875 - Upgrading Encrypted Computers to the Windows 10 Creators Update from Earlier Versions of Windows with Symantec Endpoint Encryption 11.1.2 and later
HOWTO125876 - Upgrading Encrypted Computers to the Windows 10 Creators Update from Earlier Versions of Windows with Symantec Encryption Desktop 10.4.1 MP1 and later
12. Best Practice for performance on Solid State Drives
The following information will help if performance degradation is observed after encrypting a Solid State Drive
TECH180373 - SSD Performance issues with certain drives using Symantec Endpoint Encryption 11 or Symantec Encryption Desktop 10
Imported Document Id