ATRG: Full Disk Encryption E80.40
Solution

Table of Contents

  • Background
  • How does Check Point Full Disk Encryption protect my data?
  • Main Components
  • Full Disk Encryption Installation and Deployment
    • Client Requirements for Full Disk Encryption Deployment
    • Moving from Deployment phase to Full Disk Encryption policy enforcement
    • Primary Full Disk Encryption Components
  • Full Disk Encryption Recovery
    • Recovery Media
  • Full Disk Encryption Basic Troubleshooting
    • Using CPinfo
    • Using CPinfoPreboot
    • Pre-boot Issues
    • Full Disk Encryption Logs
    • Full Disk Encryption Deployment Phase
    • Dynamic Mount Utility

 

Full Disk Encryption

For additional information, refer to the Endpoint Security Management Server E80.40 Administration Guide.

For the most recent FDE versions, refer to sk112693 - ATRG: FDE E80.64 and above.

 

Background

Any PC operating system, such as Microsoft Windows, Mac OS X, or Linux, can be configured for password protection at startup, but such protection is easily defeated. To understand its basic vulnerability, consider the system startup sequence for a PC running Microsoft Windows OS.

The startup sequence consists of five steps:

  1. The basic input/output system (BIOS) loads the master boot record (MBR).
  2. The master boot record loads the active partition boot record (PBR).
  3. The active PBR loads and starts the operating system (OS), which displays the blue Windows startup screen and accesses the system files, including the password files.
  4. The user authenticates by selecting a user name (for multiple-user installations) and/or entering a password at the startup screen.
  5. Windows validates the user and continues the startup process, displaying the desktop and starting any applications.

Although the Windows authentication process can prevent unauthorized people from using the computer, it does not protect the data from access. Hackers can easily bypass the Windows authentication process, for example, by booting the PC from a Windows PE or Linux Live CD. Also they could physically remove the hard disk and mount it as a slave (or secondary) drive on a different computer. In summary, Windows authentication attempts to prevent unauthorized use of the system, but stops short of protecting the information stored on the system.

Some PC BIOS programs allow the creation of a BIOS password, however, the level of security provided is similar to that of Windows authentication, and is just as easily defeated. BIOS passwords may prevent unauthorized users from accessing the OS and, in some cases, may even prevent the hard drive from starting by using a BIOS hard drive password, but even this defense can be defeated by determined hackers.

Because startup password protection is so easily defeated, it is necessary to provide a higher level of security for data at rest on a PC hard disk. The best way is to encrypt the data, that is, to scramble the data on the disk such that it can only be unscrambled and read by an authorized user. Encryption renders data unreadable to unauthorized users, even when disks are slaved to hacker computers or computer security is otherwise compromised. Only authorized users can access the key that enables decryption of the data.

Many data encryption products exist in the marketplace, but not all products use the same approach or are equally effective.

PC data encryption products typically use either of two schemes:

  • File/folder encryption: encrypts only data located in specified files, folders, and/or disk partitions
  • Full-disk encryption: encrypts the entire hard disk including the OS, system files, and all data

File/folder encryption schemes are inexpensive and plentiful and can provide a useful means of protecting data under certain circumstances. However, full-disk encryption schemes are far more secure, easier to manage, and fully compliant with current privacy and data security laws and regulations.

File/folder encryption

File/folder encryption schemes selectively encrypt data in specified files, folders, and/or disk partitions. As a result, they protect only certain sections of the disk. The unencrypted sections of the disk remain vulnerable to access by unauthorized users.

When installing and setting up a file/folder encryption scheme, users typically specify which file types, folders, and/or disk partitions to encrypt. When the encryption program is running, any data created or saved as a specified file type, or moved to a specified folder or partition, is automatically encrypted. However, because such programs encrypt data selectively, they suffer from two major drawbacks: the user-dependent nature of the file/folder scheme and their inability to guarantee protection of critical files, such as OS and password files.

User dependence: Unfortunately, file/folder encryption schemes rely on users to ensure that sensitive data is protected. Consequently, these solutions are user-dependent and inherently subject to human error. Such errors can involve failing to store data in a secure file type, neglecting to move sensitive data to an encrypted folder, accidentally copying the data to an unencrypted folder, or incidentally generating an unencrypted residual copy of the data (for example, a temporary file) in the normal course of using the PC. A few file/folder encryption solutions attempt to enforce security policy through automatic identification of the type of data being stored. However, these solutions are easily bypassed by careless users and determined hackers.

In addition, relying on end users to secure data is inherently unenforceable. Therefore, its use constitutes a weak defense against lawsuits filed in response to the loss or theft of confidential information. As a result, file/folder encryption schemes do not comply with current privacy and security legislation, and they leave businesses that use them vulnerable to costly legal battles and excessive damage control operations in the event of data loss or theft. File/folder encryption schemes cannot guarantee that sensitive user data has been encrypted.

Lack of guaranteed protection for critical files: To ensure data security, it is also necessary to protect certain files that may provide access to the data, especially the OS and system files, as well as any files containing application user passwords. If such files are not explicitly included in the list of files to be encrypted when setting up a file/folder encryption scheme, they are vulnerable to compromise by unauthorized users, often resulting in devastating outcomes. For example, an unauthorized user who is able to obtain the local password for a VPN client could gain access to the associated VPN network, possibly disrupting company-wide operations.

Full-disk encryption

Unlike file/folder schemes, full-disk encryption protects an entire PC hard disk, including the OS and system files. Once a disk is fully encrypted, a dedicated driver encrypts and decrypts data on the fly, completely transparent to authorized PC users. Because the encryption/decryption operations are automatic and continuous, full-disk encryption schemes are inherently user independent and completely enforceable, making them fully compliant with current computer privacy and security legislation. Full-disk encryption also eliminates the problem of unencrypted residual data because all data is encrypted, even temporary files. This removes the administrative burden of being forced to determine which files and folders require protection, and renders a slave hard disk completely unreadable to an unauthorized user.

Check Point Full Disk Encryption (FDE) provides complete protection for data at rest on a PC disk. Sensitive data is fully protected no matter where it resides on a hard disk, and the security system is fully enforceable, enabling compliance with current privacy and data security legislation.

 

How does Check Point Full Disk Encryption protect my data?

In order to protect your data, Check Point FDE changes the way in which your data is accessed and processed.

It is easy to install Check Point FDE on new laptops and PCs as well as those already in use. Deploying Check Point FDE on existing PCs can be accomplished by pushing it out with software distribution systems, initiated by different types of scripts, or started by an end user working on a PC as a silent (noninteractive) installation. Check Point FDE can also be incorporated into a standard operating environment and used with different types of hard-drive imaging products to simplify deployment on new PCs. When first installed, Check Point FDE installs an encryption/decryption driver that acts as a filter between the operating system and the hard disk to ensure that all data stored on or retrieved from the disk is encrypted or decrypted on the fly. During the last part of installation, Check Point FDE automatically starts the hard-disk encryption process. This process encrypts data at about 20 to 30 GB/hour and is completely fault tolerant, that is, immune to power loss or computer shutdown. If the computer loses power or shuts down during its initial encryption, Check Point FDE simply resumes encryption when the computer is next turned on. The initial encryption process works entirely in the background so that users can run other applications and continue to use their computers.

Check Point FDE adds a layer of authentication to the startup process by installing its own access control module between the MBR and the active PBR.

After the MBR loads, Check Point FDE requests user authentication by displaying its access control screen. The normal startup sequence of booting the OS and displaying the Windows startup screen will proceed only after users have satisfied all Check Point FDE authentication requirements. Utilizing the Windows integrated login (WIL) feature presents users with a single login screen if this better suits the organization’s needs.

Does Check Point FDE affect normal PC operations?

Each time users start their computers and successfully authenticate at the access control screen, Check Point FDE automatically installs its encryption/decryption driver between the OS and the disk driver.

Thereafter, the encryption/decryption driver runs in the background, automatically encrypting and decrypting data as it is stored on and retrieved from the disk. Check Point FDE remains transparent to all other computer applications, including system operations such as disk defragmentation.

 

Main Components

Full Disk Encryption includes two main components:

  • Disk encryption - All volumes of the hard drive and hidden volumes are automatically fully encrypted. This includes system files, temporary files, and even deleted files. There is no user downtime because encryption occurs in the background without noticeable performance loss. The encrypted disk is inaccessible to all unauthorized people.
  • Pre-boot Protection - Users must authenticate to their computers in the Pre-boot, before the computer boots. This prevents unauthorized access to the operating system using authentication bypass tools at the operating system level or alternative boot media to bypass boot protection.

Configure the settings for Full Disk Encryption in SmartEndpoint in the 'Policy tab > Full Disk Encryption Rules'.

Make sure to configure the User Authentication (OneCheck) Policy also in the 'Policy tab > User Authentication (OneCheck) Rules'. Many of the settings that relate to the Pre-boot are configured there.

 

Full Disk Encryption Installation and Deployment

Client Requirements for Full Disk Encryption Deployment

Clients must have:

  • 32 MB of contiguous free space on the client's system volume.
    Note: During deployment of the Full Disk Encryption blade on the client, the Full Disk Encryption service automatically defragments the volume to create the 32 MB of contiguous free space, and suspends the Windows hibernation feature while the disk is encrypted.

Clients must not have:

  • RAID
  • EFI (Extensible Firmware Interface)
  • Partitions that are part of stripe or volume sets
  • On Windows XP, a compressed root directory. Subdirectories of the root directory can be compressed.
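The following PowerShell script is an added example, not part of this article or of the Check Point client, that checks a Windows XP/Vista/7 client against the requirements listed above before the Full Disk Encryption package is pushed out. It assumes the standard WMI classes (Win32_LogicalDisk, Win32_DiskPartition, Win32_DiskDrive) and PowerShell 2.0 syntax. Contiguous free space cannot be measured through WMI, so only the total free space is tested; the RAID test is a heuristic on the disk model string.

```powershell
# Added example (not Check Point code): pre-deployment check of the listed
# FDE client requirements. Run in an elevated PowerShell on the client.
function Test-FdeClientRequirements {
    $findings = @()
    $systemDrive = $env:SystemDrive            # e.g. "C:"

    # 1. Free space on the system volume. 32 MB must be contiguous; the FDE
    #    service defragments to achieve that, so only the total is tested here.
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
    $freeMB = [math]::Round($vol.FreeSpace / 1MB)
    if ($freeMB -lt 32) {
        $findings += "FAIL: only $freeMB MB free on $systemDrive (32 MB contiguous required)"
    }

    # 2. EFI: a GPT partition layout means the machine boots through EFI,
    #    which this release does not support (BIOS/MBR boot is required).
    $parts = @(Get-WmiObject Win32_DiskPartition)
    if ($parts | Where-Object { $_.Type -like 'GPT*' }) {
        $findings += "FAIL: GPT/EFI partition layout detected"
    }

    # 3. Stripe or volume sets live on dynamic disks, which WMI reports as
    #    "Logical Disk Manager" partitions.
    if ($parts | Where-Object { $_.Type -like '*Logical Disk Manager*' }) {
        $findings += "FAIL: dynamic-disk (LDM) partitions present; stripe/volume sets are unsupported"
    }

    # 4. RAID: heuristic on the model string reported by the disk driver.
    $disks = @(Get-WmiObject Win32_DiskDrive)
    if ($disks | Where-Object { $_.Model -match 'RAID' -or $_.Caption -match 'RAID' }) {
        $findings += "WARN: a disk reports RAID in its model string; verify the system volume is not a RAID set"
    }

    # 5. Windows XP only (NT 5.x): the root directory must not be compressed.
    $osVer = [Environment]::OSVersion.Version
    if ($osVer.Major -eq 5) {
        $attrs = (Get-Item "$systemDrive\").Attributes
        if ($attrs -band [IO.FileAttributes]::Compressed) {
            $findings += "FAIL: root directory of $systemDrive is compressed (not allowed on Windows XP)"
        }
    }

    if ($findings.Count -eq 0) { "OK: client meets the listed FDE requirements" }
    else { $findings }
}

Test-FdeClientRequirements
```

A FAIL line means the client will stay in the Deployment Phase and the Pre-boot will not open until the condition is corrected; a WARN line needs a manual check of the disk configuration.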

Moving from Deployment phase to Full Disk Encryption policy enforcement

After a package that includes Full Disk Encryption is successfully installed on a client, many requirements must be met before the Full Disk Encryption policy can be enforced. Before these requirements are met, the Pre-boot does not open. The period of time between the installation and when the policy can be enforced is called the Full Disk Encryption Deployment Phase.

To move from Deployment phase to Full Disk Encryption policy enforcement, these requirements must be met:

  • There must be communication between the client and the server.
  • The client must receive Full Disk Encryption and user policies from the server.
  • Users must be acquired according to the configured policy.
  • At least one user account must be configured.
  • The client must send a recovery file to the server.
  • The required System Area must be created and boot records must be updated according to the configuration (this includes the activation of Pre-boot).
  • The device must meet the Client requirements for Full Disk Encryption.

If there is communication between the client and server and the client meets the Client requirements, all of the requirements are completed automatically. However, if these requirements are not met, Full Disk Encryption cannot protect the computer and the Pre-boot cannot open.

Primary Full Disk Encryption Components

Component Name: Full Disk Encryption service
File Name: FDE_srv.exe
Description: The Full Disk Encryption service contains the current configuration data and initiates background encryption or decryption. By exchanging volume boot records, the Full Disk Encryption service identifies volumes that are targeted for encryption.

Component Name: Crypto core
File Name: ccore32.bin
Description: The Crypto core contains the encryption algorithms.

Component Name: Filter driver
File Name: Prot_2k.sys
Description: The Full Disk Encryption driver for encryption. The File Allocation Table (FAT) provides the driver with the location of sectors where data is stored. Full Disk Encryption encrypts every byte of the selected disk. Background encryption starts from the first sector of the selected volume and moves in sequence to the last sector. The entire operating system is encrypted.

 

Full Disk Encryption Recovery

If system failure prevents Windows from starting on a client computer, you can use Full Disk Encryption Recovery Media to decrypt the computer and recover the data. Client computers send recovery files to the Endpoint Security Management server once during the initial deployment so that you can create Recovery Media, if necessary. After the recovery, the files are restored as decrypted, as they were before the Full Disk Encryption installation, and Windows can run without the Pre-boot.

Recovery Media

  • Is a snapshot of a subset of the Full Disk Encryption database on the client.
  • Contains only the data required to do the recovery.
  • Updates if more volumes are encrypted or decrypted.
  • Removes only encryption from the disk and boot protection.
  • Does not remove Windows components.
  • Restores the original boot record.

Users must authenticate to the Recovery Media with a username and password. These are the options for which credentials to use:

  • Users that are assigned to the computer and have the "Allow use of recovery media" permission (in User Authentication (OneCheck) rule > Advanced > Default logon settings) can authenticate with their regular username and password.
  • When you create the Recovery Media, you can create a temporary user who can authenticate to it. A user who has the credentials can authenticate to that Recovery Media. Users do not require "Allow use of recovery media" permission to use the Recovery Media. Smartcard users must use this option for recovery.

Creating Data Recovery Media

You can create Full Disk Encryption Recovery Media that can run on a failed computer to decrypt it. The media can be on a CD/DVD, USB device, or REC file.

Users who can only authenticate in the Pre-boot with Smartcards must use the procedure shown below to create a temporary user who can use the Recovery Media.

Note: Creating a Recovery Media on a USB flash disk formats the device and removes all previous content.

To create recovery media:

  1. In SmartEndpoint, select 'Tools > Encryption Recovery Media'. The Full Disk Encryption Recovery Media Tool window opens.
  2. Double-click a folder from the navigation tree to see the users and computers that it contains.
  3. Right-click the computer to restore and then select "Encryption Recovery Media". The target retrieves the last known recovery data that was uploaded to the server by the client.
  4. Users who have permission to use Recovery Media for the computer are shown in the Users Allowed to Recover area.
    • If the user who will perform the recovery shows on the list, continue to the next step.
    • If the user who will perform the recovery is not on the list:
      1. Click "Add" to create a temporary user who can use the recovery media.
      2. In the window that opens, add a username and password that the user will use to access the file.
  5. Select a destination for the Recovery Media:
    • For a bootable CD/DVD, enter a path to a directory for the ISO file
    • For a REC file, enter a path to a directory for the file.
    • For a USB device, select the target drive from the list.
  6. Click "Write Media".
  7. Give the Recovery Media file or device to the user who will perform the recovery.
  8. Make sure the user knows:
    • Which username and password to use.
    • How to boot the computer: with a CD or USB device.

Using Data Recovery Media

Use the newly created Full Disk Encryption Recovery Media to decrypt the failed computer.

To recover an encrypted computer:

  1. On the failed computer, run the Recovery Media from a CD/DVD or bootable USB device.
  2. When the Recovery Console Login window is displayed, enter the name and password of a user on the Recovery Media. The disk decrypts using partition keys contained in the Recovery Media.

Note: During the decryption process, the client cannot run other programs.

 

Full Disk Encryption Basic Troubleshooting

Using CPinfo

CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point Support for analysis.

If you do not enter an output folder, CPinfo collects data about components in the Full Disk Encryption Pre-boot environment on the client.

Run CPinfo if:

  • Encrypting or decrypting fails on Windows.
  • The selected disk or volume does not encrypt or decrypt.
  • Full Disk Encryption related issues occur.
  • You experience system issues or crashes.

CPinfo gathers:

  • All files in the data directory.
  • Installation log.
  • File version data for executables.
  • Registry values for Full Disk Encryption
  • GinaDll, UpperFilters and ProviderOrder.
  • SMBios structure.
  • Installed application lists.
  • Microsoft Windows Partition list.

To run CPinfo:

  1. In the notification area, right-click the client icon.
  2. Select Display Overview.
  3. In the left pane, click Advanced.
  4. Click Collect information for technical support. CPinfo opens in the command prompt.
  5. Press ENTER to start. The information is collected. A window opens that shows the location of the cab file.
  6. Press a key to exit CPinfo.

To run CPinfo manually:

  1. Open Windows Command Prompt.
  2. Go to the CPinfo tool path location: cd \path\
  3. Run CPinfo with output filename and folder: C:\path\> CPinfo.exe <output_cab_filename> <output_folder_name>

    For example: C:\path\> CPinfo.exe SR1234 temp
    The CPinfo application stores the output to the designated folder.

    • If no output name is specified, the output file has the same name as the output folder.
    • If no output folder is specified, CPinfo saves the output file to the directory where the CPinfo tool is located.

Using CPinfoPreboot

Run CPinfoPreboot if:

  • You cannot access the Pre-boot Logon window.
  • You cannot log in to the Pre-boot Logon window.
  • You cannot start encryption or decryption.
  • You have had a system crash. This includes a Windows or Full Disk Encryption crash:
    • A Windows crash gives you a blue or black screen.
    • A Full Disk Encryption crash gives you a green or red screen.

CPinfoPreboot collects the:

  • Readable log of all disks and volumes (scan.log).
  • Master Boot Record for each disk.
  • Partition Boot Record for each volume.
  • First 100 sectors from each physical disk.
  • First 100 sectors from each volume.
  • System area data.

Use an external USB device to collect the Pre-boot data. The device must have at least 128 MB of free space, and sufficient storage for the output cab file. CPinfoPreboot cannot run on boot media prepared with the Full Disk Encryption filter driver.

To collect Pre-boot data:

  1. Copy CPinfoPreboot.exe to an external USB device.
  2. Boot the client from the USB device.
    Note: Microsoft Windows does not automatically detect USB devices after boot up. The USB device must be connected while booting the computer.
  3. Open the command prompt and type: <path_to_CPinfoPreboot>\CPinfoPreboot.exe <output_cab_filename> <output_folder_name>
    For example: C:\path\> CPinfoPreboot.exe SR1234 temp
  4. CPinfoPreboot stores the output file to the designated folder.
    • If no output name is specified, the output file has the same name as the output folder.
    • If no output folder is specified, CPinfoPreboot saves the output file to the working directory on the external media. An output folder is required if the working directory is on read-only media.

Debug Logs

You can use the debug logs to examine the deployment phase or problems that occur. The information there is included in CPinfoPreboot. Send the full results of CPinfoPreboot to Check Point Support for analysis. The client debug log is named dlog1.txt and is found in these locations:

Operating System: Windows XP
Path to log file: C:\Documents and Settings\All Users\Application Data\CheckPoint\Endpoint Security\Full Disk Encryption\

Operating System: Windows Vista, Windows 7
Path to log file: C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption\
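The PowerShell functions below are an added example, not a Check Point tool, that wrap the manual CPinfo run and the debug-log lookup described above. They assume the CPinfo.exe folder is supplied by the caller, that the archive is written as <name>.cab, and that the output-naming rules are exactly the two given in the CPinfo section (no name: the cab takes the folder name; no folder: the cab is written next to CPinfo.exe). The SHA-256 of the archive is computed so that the support case can confirm the upload arrived intact.

```powershell
# Added example (not Check Point code). Works with PowerShell 2.0 on
# Windows XP/Vista/7. The folder 'C:\path' in the usage line is a placeholder.

function Get-CPinfoExpectedCab {
    param(
        [string]$CPinfoDir,            # folder that contains CPinfo.exe
        [string]$OutputName = '',      # e.g. the support ticket number
        [string]$OutputFolder = ''     # relative or absolute output folder
    )
    # Rule: no output folder -> the file is saved next to CPinfo.exe
    if ($OutputFolder -eq '') { $folder = $CPinfoDir }
    elseif ([IO.Path]::IsPathRooted($OutputFolder)) { $folder = $OutputFolder }
    else { $folder = Join-Path $CPinfoDir $OutputFolder }
    # Rule: no output name -> the file is named after the output folder
    if ($OutputName -eq '') { $OutputName = Split-Path $folder -Leaf }
    return Join-Path $folder "$OutputName.cab"   # ".cab" extension is an assumption
}

function Invoke-CPinfoCollection {
    param([string]$CPinfoDir, [string]$OutputName = '', [string]$OutputFolder = '')
    $exe = Join-Path $CPinfoDir 'CPinfo.exe'
    if (-not (Test-Path $exe)) { throw "CPinfo.exe not found in $CPinfoDir" }

    # Run from the tool's own directory, as in the manual procedure,
    # passing only the arguments that were actually supplied.
    $argList = @($OutputName, $OutputFolder) | Where-Object { $_ -ne '' }
    Push-Location $CPinfoDir
    try     { & $exe @argList | Out-Null }
    finally { Pop-Location }

    $cab = Get-CPinfoExpectedCab $CPinfoDir $OutputName $OutputFolder
    if (-not (Test-Path $cab)) { throw "expected output $cab was not created" }

    # Integrity value to quote in the support case.
    $sha = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($cab)
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    New-Object PSObject -Property @{ Cab = $cab; SHA256 = $hash }
}

function Get-FdeDebugLogPath {
    # dlog1.txt lives under the per-OS "all users" data folder (table above).
    $v = [Environment]::OSVersion.Version
    if ($v.Major -eq 5) {            # Windows XP
        $base = "$env:SystemDrive\Documents and Settings\All Users\Application Data"
    } else {                          # Windows Vista, Windows 7
        $base = $env:ProgramData
    }
    Join-Path $base 'CheckPoint\Endpoint Security\Full Disk Encryption\dlog1.txt'
}

# Usage (mirrors the "CPinfo.exe SR1234 temp" example in the text):
# Invoke-CPinfoCollection -CPinfoDir 'C:\path' -OutputName 'SR1234' -OutputFolder 'temp'
# Get-Content (Get-FdeDebugLogPath) -Tail 50
```

Get-CPinfoExpectedCab can be called on its own to predict where a given command line will leave the archive, which is useful when the tool is launched from a software-distribution script rather than interactively. CPinfoPreboot is not covered because it runs from boot media, outside Windows.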

 

Pre-boot Issues

Mouse or Keyboard Trouble

If users have trouble with their mice or keyboards during Pre-boot, you might need to change the setting of Enable USB device in Pre-boot environment. This setting is in the Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is loading when the computer starts up.

Trouble with Password on First Pre-boot

When the Pre-boot window opens for the first time on a computer, users get a message to log in with their Windows password. If the Windows password does not meet the requirements configured for the Pre-boot, the authentication does not work.

To resolve this, change the password requirements in the User Authentication (OneCheck) to match the Windows requirements. Then install the new User Authentication (OneCheck) policy on the client.

Trouble with Smartcards

If Smartcard compatibility issues occur, try to toggle the Legacy USB Support setting in the BIOS to either enable or disable it, depending on the current setting.

Full Disk Encryption Logs

Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full Disk Encryption system area before they are transferred to the client logger module. Full Disk Encryption logs these operations:

  • User acquisition
  • Installation and upgrade
  • Policy changes
  • Dynamic encryption
  • User authentication/user locked events

Full Disk Encryption Deployment Phase

Here are some issues that can occur in the Deployment Phase and possible causes and solutions.

Problem: The deployment is stuck at the User Acquisition step.

Causes and Solutions:

  1. The User Acquisition policy might say that multiple users must log on to a computer. You can:
    • Change the User Acquisition policy.
    • Instruct users to log on to the computer so Full Disk Encryption can acquire them.
    If User Acquisition is not enabled, at least one user with a password must be assigned to the device.
  2. The Pre-boot password requirements must not be stricter than the Windows logon password requirements. If the password requirements of Windows and the Pre-boot do not match, change the password settings for the Pre-boot password.
  3. Make sure that the necessary connections work and that all processes are running. Make sure that:
    • The FDE Credential Manager (PssoCM32) is active on Windows XP:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
    • The FDE Credential Provider (PCP) is active on Windows Vista or Windows 7:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PCP\NetworkProvider.
    • The network connection is stable.
    • The Driver Agent is running and has a connection to the server.
    • The Device Auxiliary Framework is running.

Problem: The deployment is stuck at the encryption.

Causes and Solutions:

If encryption stopped at 50%, make sure that system services are running. Make sure that the fde_srv.exe service is running. If it is not running, start it manually (right-click the service and select Start in Windows Task Manager).
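The following PowerShell function is an added example, not Check Point code, that checks the items from the two "Causes and Solutions" lists above on a Windows client: the FDE Credential Manager (PssoCM32) entry on Windows XP or the PCP NetworkProvider key on Vista/7, the fde_srv.exe service, the Prot_2k.sys filter driver, and the network path to the management server. It assumes that the service can be identified by its image name (its service name is not given in this article), that the driver file sits in %windir%\System32\drivers, that the driver is registered as an upper filter of the standard Windows DiskDrive class {4D36E967-E325-11CE-BFC1-08002BE10318}, and that the server answers ICMP echo. The Driver Agent and Device Auxiliary Framework are not checked because their service names are not given here.

```powershell
# Added example (not Check Point code). PowerShell 2.0 syntax, run elevated.

function New-FdeCheck([string]$Check, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-FdeDeploymentState {
    param(
        [string]$ServerHost,        # Endpoint Security Management server (placeholder)
        [switch]$StartService       # apply the manual fix: start fde_srv.exe if stopped
    )
    $results = @()
    $v = [Environment]::OSVersion.Version

    # 1. Credential Manager (XP) or Credential Provider (Vista/7) registration.
    if ($v.Major -eq 5) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
        $order = [string](Get-ItemProperty $key -ErrorAction SilentlyContinue).ProviderOrder
        $results += New-FdeCheck 'PssoCM32 listed in ProviderOrder' ($order -match 'PssoCM32') $order
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\services\PCP\NetworkProvider'
        $results += New-FdeCheck 'PCP NetworkProvider key present' (Test-Path $key) $key
    }

    # 2. FDE service (encryption stalls when it is not running).
    $svc = @(Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'FDE_srv\.exe' })
    $running = ($svc.Count -gt 0) -and ($svc[0].State -eq 'Running')
    if (-not $running -and $StartService -and $svc.Count -gt 0) {
        Start-Service -Name $svc[0].Name
        $running = (Get-Service -Name $svc[0].Name).Status -eq 'Running'
    }
    $detail = if ($svc.Count -gt 0) { "$($svc[0].Name): $($svc[0].State)" } else { 'not installed' }
    $results += New-FdeCheck 'FDE_srv.exe service running' $running $detail

    # 3. Filter driver present on disk and (assumption) registered as a
    #    disk-class upper filter, which is what CPinfo's UpperFilters dump shows.
    $drv = Join-Path $env:windir 'System32\drivers\Prot_2k.sys'
    $results += New-FdeCheck 'Prot_2k.sys present' (Test-Path $drv) $drv
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}'
    $upper = @((Get-ItemProperty $classKey -ErrorAction SilentlyContinue).UpperFilters)
    $hasFilter = @($upper -match 'Prot_2k').Count -gt 0
    $results += New-FdeCheck 'Prot_2k in disk UpperFilters' $hasFilter ($upper -join ',')

    # 4. Path to the server: policy download, user acquisition and the
    #    recovery-file upload all need it.
    if ($ServerHost) {
        $ok = Test-Connection -ComputerName $ServerHost -Count 2 -Quiet -ErrorAction SilentlyContinue
        $results += New-FdeCheck "Server $ServerHost reachable" ([bool]$ok) 'ICMP echo'
    }
    $results
}

# Usage (server name is a placeholder):
# Test-FdeDeploymentState -ServerHost 'epm.example.local' | Format-Table Check, Pass, Detail -AutoSize
```

Any check with Pass = False points at the corresponding item in the lists above; re-run with -StartService to apply the manual service start from the encryption-stuck case and confirm the service stays up.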

Problem: The deployment is slow or hanging.

Causes and Solutions:

  • Make sure that the computer has all client requirements.
  • Disk fragmentation or a damaged hard drive can cause problems with Full Disk Encryption. Run disk defragmentation software on the volume to repair fragmentation and damaged sectors.
  • Make sure that the network connection is stable.

Dynamic Mount Utility

To access data on the hard disk of a Full Disk Encryption-protected computer without doing a Recovery, use the Dynamic Mount Utility of Full Disk Encryption. See the Dynamic Mount Utility 2.0 Administration Guide.
