Symantec Endpoint Encryption 11 and Symantec Drive Encryption 10 have the ability to encrypt each sector of the disk, including unused sectors.
Symantec Endpoint Encryption 11 enables a feature by default called “Include unused disk space when encrypting disks and partitions”. Symantec Drive Encryption 10 will encrypt all sectors by default. Because this functionality will encrypt each sector of the disk, even if the sectors are not yet used by the operating system, performance can be decreased when working with Solid State Drives.
This potential decrease in drive performance is because the encrypted sectors may appear as though some of the data on the sector is valid, and some of the data is invalid. The OS must run through a process to reconcile the unused, but encrypted sectors to determine whether data can actually be written to the disk, which can cause a slowdown in disk performance.
Windows 7 introduced a new feature called the TRIM command, which was implemented to improve performance for SSDs. Trim alleviates this need for the OS and Drive to reconcile whether the sectors can be used in realtime, and can help ensure data can be written efficiently.
Windows 8 and Windows 10 have included improved trim optimizations as part of Windows Disk Defragmenter utility and can be used by the click of the “Optimize” button. From a command line, running “defrag c: /o” can be used to run through the same trim optimization operation for a SSD. Trim is enabled by default on Windows 7 and above.
Note: The command "defrag c: /o" will not actually run a defragment on an SSD, and will typically take less than a minute to complete.
Because of the performance issues associated with encrypting unused sectors, Trim should be used on a regular basis, especially on disks which have exhibited slow performance behavior. Depending on the drive, optimizations may need to be run more frequently than others to ensure the OS and drives mark the sectors clear and ready for use w/out having to reconcile the sectors constantly. Some disks are optimized better than others, however, running through this trim optimization frequently will ensure best success for performance on encrypted disks.
Note: When scheduling these trim optimizations, ensure that even if one of the scheduled days is missed, other scheduled optimizations can still take place to keep the drives in good condition.
Alternatively, SEE 11 includes the ability to disable the option to encrypt unused sectors if the disks in question are new drives. This is not a recommended method for encrypting disks in general as disks that have been repurposed could contain sensitive data, and leaving these sectors unencrypted could potentially make this data accessible. In these scenarios, securely wiping the drives is recommended. Disable this feature with caution.
Although trim should be enabled by default, run through the following commands to ensure it is enabled:
How to check if TRIM is enabled: Click on the Start Orb > Type "CMD.exe" in Search box > Right click on "CMD" and select "Run as Administrator" (If you receive a prompt confirmation, click YES), and run the following command:
fsutil behavior query disabledeletenotify
Results explained below: DisableDeleteNotify = 1 (Windows TRIM commands are disabled) DisableDeleteNotify = 0 (Windows TRIM commands are enabled)
How to Enable TRIM Command In the Elevated command Prompt window, type the following:
fsutil behavior set disabledeletenotify 0
How to Disable TRIM Command In the Elevated command Prompt window, type the following:
fsutil behavior set disabledeletenotify 1
Imported Document ID: TECH180373
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.