Fast Initial Encryption (FIE)
FIE is implemented to decrease the initial background encryption time. This is accomplished by only encrypting used space on the hard drive (files on disk) instead of every sector as the normal initial encryption operates. However, when new files (data) are written to the disk they will be encrypted. In a typical new deployment case, the used space is only 10 % of the hard drive. This means that we only need to encrypt 10% of the drive.
The encryption time if you have a 1 TB HDD, but only 50 GB used space, would be ~25 min instead of ~9 hours(500 min). Calculated with a 2 GB/min encryption speed, depends on CPU and disk performance.
FIE works on both NTFS and FAT32 volumes.
FIE should only be used when you have new laptop/hdd or when you are certain that there never has been any company confidential data on the hard drive. (since deleted files otherwise could be found and restored).
FIE also operates when removing encryption (decryption). There is no security aspect with FIE when removing encryption.
When should FIE be used
- New computer without any company data (secret data).
- Systems with a large hard drive without company data (secret data).
- Earlier encrypted system with reimaged volumes without any company data (secret data).
- Laptop that is deployed in house by system administrator and want a fast deployment of Full Disk Encryption.
- Wear level friendly for SSD (since it only writes to sectors containing data).
- Virtual machines will not grow to the full disk size (since only used space will be touched on the virtual machine image).
FIE operation modes
To activate FIE, you should run the msi installer with the argument FDE_FAST_INSTALL=2 or FDE_FAST_INSTALL=4, (operation mode 4 is recommended for most of the customers).
FIE mode 2 with FAILSAFE information
FIE, with failsafe encryption information written for all sectors, meaning that system will resume encryption at last operated block on a restart during initial encryption. Encryption will be slightly slower than FIE with no background information (depending on the amount of free space).
FIE mode 4 with no FAILSAFE information
Encryption will only write failsafe encryption information on used space, meaning that if system is restarted during the initial encryption it will restart on last sector with used space. You will not lose any data. The only difference is that the encryption will not continue on the last operated block. It will instead redo/recheck the empty space. Initial encryption will be faster than with failsafe info, unless you restart the machine during initial encryption.
Installing with FIE
To install FDE with FIE enabled, you should download desired blades from the Management server and run msi with the argument FDE_FAST_INSTALL=<chosen FIE mode> without the angle brackets <>. Since you cannot install FDE with FIE enabled from software deployment in the Management server, use command line e.g. msiexec/i"eps.msi" FDE_FAST_INSTALL=4.
Note: This feature can be combined with FDE fast install feature by adding the numbers together, values will then be 3 and 5.
Encryption progress does not always show the correct percentage done when running with FIE. When running with FIE, the encryption progress is calculated by dividing the amount of encrypted data with the amount of allocated data plus an estimate of the time it takes to check if the space is used or not. If the machine is restarted during initial encryption, encryption progress can show a smaller value than it was before the restart, but all allocated data will be encrypted correctly, nevertheless.
Disclaimer for using FIE
Fast Initial Encryption encrypts the sectors used by the file system at the time of encryption. The security implication is that sectors retired by the file system, for example containing deleted file data or re-allocated sectors from defragmentation, will not be encrypted.
The recommended usage is therefore not to store any sensitive data on the disk prior to encrypting it with Fast Initial Encryption turned on. This makes Fast Initial Encryption useful in, for example, imaging deployment situations. If the disk has been in use without encryption and sensitive data has been stored on the disk at some point, the traditional Full Initial Encryption should be used where all sectors of a volume are encrypted, regardless if it's in use or not.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.