This article details the best practices to use prior to performing Symantec Drive Encryption (previously PGP Whole Disk Encryption).
The following best practices are recommended for preparing to encrypt your disk with Symantec Drive Encryption. Please follow the recommendations below to protect your data during and after encryption. Before you encrypt your disk, there are a few tasks you must perform to ensure successful initial encryption of the disk.
1. Determine whether your target disk is supported.
The Drive Encryption secures your desktop or laptop disks (either partitions, or the entire disk), external disks, and USB flash disks. CD-RW/DVD-RWs are not supported using Drive Encryption.
Supported Disk Types
Unsupported Disk Types
Warning: Windows XP allows basic disks to be converted to dynamic disks, which support some features that basic disks do not. Never perform this conversion on the boot drive of a system that has already been protected using Drive Encryption. This conversion, from a basic-type disk to a dynamic one, renders the drive unusable.
2. Confirm operating system support.
The following operating systems are supported with Symantec Drive Encryption.
Note: See the following article TECH203071 - Running Symantec Encryption Desktop on Microsoft Windows 8 UEFI Systems for more information on using Drive Encryption on Windows 8 systems.
Note: Beginning with version 10 of Symantec Encryption Desktop (formerly known as PGP Desktop), Drive Encryption is supported on server hardware including the following: Windows Server 2003 SP2 (32-bit and 64-bit editions), Windows Server 2008 SP1 & SP2, Windows Server 2008 R2 (64-bit), and VMWare ESXi4 (supported Microsoft Windows Servers operating in a virtual environment) Drive Encryption is supported on systems with internal hardware RAID-1 and RAID-5. Software RAID is not supported.
3. Confirm keyboard support.
Be sure that you are using a keyboard with one of the supported languages. For a list of the supported languages, see the following links for your operating system:
4. Back up the disk before you encrypt it.
Before you encrypt your disk, be sure to back up the data so that no data will be lost if your laptop or computer is lost, stolen, or you are unable to decrypt the disk. Also be sure to make regular backups of your disk.
5. Ensure the health of the disk before you encrypt it.
It is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk. In stand-alone installations of Encryption Desktop, if Drive Encryption encounters a hard drive or partition with bad sectors, Drive Encryption will, by default, pause the encryption process. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.
In Symantec Encryption Management Server managed environments, if Drive Encryption encounters a hard drive or partition with bad sectors, an event is added in the server logs and continue disk encryption.
Before you attempt to use Drive Encryption, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors. Third-party software such as SpinRite or Norton Disk Doctor can correct errors that would disrupt the encryption of the disk.
Note: As a best practice, highly fragmented disks should be defragmented before you attempt to encrypt the disk.
6. Create a recovery disk.
While the chances are extremely low that a master boot record could become corrupt on a boot disk or partition protected by Drive Encryption, it is possible. Before you encrypt a boot disk or partition using Drive Encryption, create a recovery disk.
7. Be certain that you will have AC power for the duration of the encryption process.
Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power.
Do not remove the power cord from the system before the encryption process is over. If loss of power during encryption is a possibility or if you do not have an uninterruptible power supply for your computer consider choosing the Power Failure Safety option.
8. If encrypting a Laptop set the Power Management options to Performance/Always On.
Almost all laptops are configured to use the Power Save or Balanced modes of Power Management. This can cause the CPU and Hard Disk to throttle back as well as hibernate to conserve energy. The problem with this is that it can either extend or interrupt the Whole Disk Encryption process making it progress much more slowly.
To ensure maximum speed for encryption we recommend changing the Power Management profile to be Performance or Always On for the duration of the encryption process.
Please consult your Laptop Manufacturers Documentation or the Help section of your Operating System for steps on modifying these settings.
9. Run a pilot test to ensure software compatibility.
As a good security practice, it is recommended to test Symantec Drive Encryption on a small group of computers to ensure that are not any conflicts with any software on the computer before rolling it out to a large number of computers. This is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.
The following software is not compatible with Symantec Drive Encryption:
The following programs co-exist with Drive Encryption on the same system, but will block the Drive Encryption feature:
10. Perform Disk Recovery on Decrypted Disks.
Where possible, as a best practice, if you need to perform any disk recovery activities on a disk protected with Drive Encryption, it is recommended that you first decrypt the disk. Do this using on of the following: opening Symantec Encryption Desktop and selecting PGP Disk > Encrypt Disk or Partition, then select the disk and click Decrypt, using your prepared Recovery Disk, or by connecting the hard disk via a USB cable to a second system and decrypting from that system's Drive Encryption software. Once the disk is decrypted, proceed with your recovery activities.
Warning: Do not attempt to decrypt the drive more than once using the recovery disk - doing so will cause file corruption and make any data on the drive unrecoverable.
Login to Subscribe
Please login to set up your subscription.
Get support for your product, with downloads, knowledge base articles, documentation, and more.
Maximize your product competency and validate technical knowledge to gain the most benefit from your IT investments.
Set default language
Do you wish to save this as your future site?