Download Dell Data Security Encryption Personal Installation Guide v8.17.2 PDF

Title: Dell Data Security Encryption Personal Installation Guide v8.17.2
File Size: 2.2 MB
Total Pages: 85
Table of Contents
Dell Encryption Personal Installation Guide v10.7
	Encryption Personal
	Advanced Authentication
	Contact Dell ProSupport
	SED Management
Download the Software
	Import Entitlement
	Choose an Installation Method
		Install Using the Master Installer - RECOMMENDED
		Install Encryption Personal Using the Child Installers
Advanced Authentication and Encryption Personal Setup Wizards
Configure Console Settings
	Change the Administrator Password and Backup Location
	Configure Pre-Boot Authentication
		Change SED Management and PBA Settings
	Manage Users and Users' Authentication
		Add User
		Delete User
		Remove All of a User's Enrolled Credentials
Uninstall the Master Installer
	Choose an Uninstallation Method
		Uninstall Interactively
		Uninstall from the Command Line
Uninstall Using the Child Installers
	Uninstall Encryption
		Choose an Uninstallation Method
	Uninstall Encryption Management Agent
		Choose an Uninstallation Method
Data Security Uninstaller
Policies and Template Descriptions
	Template Descriptions
		Aggressive Protection for All Fixed Drives and External Drives
		PCI Regulation Targeted
		Data Breach Regulation Targeted
		HIPAA Regulation Targeted
		Basic Protection for All Fixed Drives and External Drives (Default)
		Basic Protection for All Fixed Drives
		Basic Protection for System Drive Only
		Basic Protection for External Drives
		Encryption Disabled
Extract Child Installers
	Dell Encryption Troubleshooting
	Dell ControlVault Drivers
		Update Dell ControlVault Drivers and Firmware
	Registry Settings
		Advanced Authentication
Document Text Contents
Page 1

Dell Encryption Personal
Installation Guide v10.7
June 2020
Rev. A01

Page 2

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2012-2020 Dell Inc. All rights reserved. Registered trademarks and trademarks used in the Dell Encryption, Endpoint Security Suite Enterprise, and Data Guardian suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Cylance®, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee® and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated. AuthenTec® and Eikon® are registered trademarks of AuthenTec. AMD® is a registered trademark of Advanced Micro Devices, Inc. Microsoft®, Windows®, and Windows Server®, Internet Explorer®, Windows Vista®, Windows 7®, Windows 10®, Active Directory®, Access®, BitLocker®, BitLocker To Go®, Excel®, Hyper-V®, Outlook®, PowerPoint®, Word®, OneDrive®, SQL Server®, and Visual C++® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware® is a registered trademark or trademark of VMware, Inc. in the United States or other countries. Box® is a registered trademark of Box. Dropbox is a service mark of Dropbox, Inc. Google™, Android™, Google™ Chrome™, Gmail™, and Google™ Play are either trademarks or registered trademarks of Google Inc. in the United States and other countries. Apple®, App Store, Apple Remote Desktop™, Boot Camp™, FileVault™, iPad®, iPhone®, iPod®, iPod touch®, iPod shuffle®, and iPod nano®, Macintosh®, and Safari® are either servicemarks, trademarks, or registered trademarks of Apple, Inc. in the United States and/or other countries. EnCase™ and Guidance Software® are either trademarks or registered trademarks of Guidance Software. Entrust® is a registered trademark of Entrust®, Inc. in the United States and other countries. Mozilla® Firefox® is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS® is a trademark or registered trademark of Cisco Systems, Inc. in the United States and certain other countries and is used under license. Oracle® and Java® are registered trademarks of Oracle and/or its affiliates. Travelstar® is a registered trademark of HGST, Inc. in the United States and other countries. UNIX® is a registered trademark of The Open Group. VALIDITY™ is a trademark of Validity Sensors, Inc. in the United States and other countries. VeriSign® and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. KVM on IP® is a registered trademark of Video Products. Yahoo!® is a registered trademark of Yahoo! Inc. Bing® is a registered trademark of Microsoft Inc. Ask® is a registered trademark of IAC Publishing, LLC. Other names may be trademarks of their respective owners.

Page 42

Click Finish to complete removal and reboot the computer. Reboot machine after clicking finished is selected by default.

Uninstallation and removal is complete.

Page 43

Policies and Template Descriptions

Tooltips display when you hover your mouse over a policy in the Local Management Console.

Policies

Table columns: Policy; one value column for each template (Aggressive Protection for All Fixed Drives and External Drives; PCI Regulation; Data Breach Regulation; HIPAA Regulation; Basic Protection for All Fixed Drives and Ext Drives (Default); Basic Protection for All Fixed Drives; Basic Protection for System Drive Only; Basic Protection for External Drives; Encryption Disabled); Description.

Fixed Storage Policies

Policy: SDE Encryption Enabled
Template values: True, False
Description: This policy is the "master policy" for all other System Data Encryption (SDE) policies. If this policy is False, no SDE encryption takes place, regardless of other policy values. A True value means that all data not encrypted by other Policy-Based Encryption policies are encrypted per the SDE Encryption Rules policy. Changing the value of this policy requires a reboot.

Policy: SDE Encryption Algorithm
Template values: AES256
Description: AES-256, AES-128

Policy: SDE Encryption Rules
Description: Encryption rules to be used to encrypt/not encrypt certain drives, directories, and folders. Contact Dell ProSupport for guidance if you are unsure about changing the default values.

General Settings Policies

Policy: Encryption Enabled
Template values: True, False
Description: This policy is the "master policy" for all General Settings policies. A False value means that no

Page 84

NOTE: Manually deleting this key can create unintended results for users syncing with the PBA resulting in the need for manual recovery.

- To determine if a smart card is present and active, ensure the following value is set:

  HKLM\SOFTWARE\Dell\Dell Data Protection\
  "SmartcardEnabled"=DWORD:1

  If SmartcardEnabled is missing or has a value of zero, the Credential Provider will display only Password for authentication.
  If SmartcardEnabled has a non-zero value, the Credential Provider will display options for Password and smart card authentication.

- The following registry value indicates whether Winlogon should generate a notification for logon events from smart cards.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  "SmartCardLogonNotify"=DWORD:1
  0 = Disabled
  1 = Enabled

  Proceed to Glossary.

- To prevent SED management from disabling third-party credential providers, create the following registry key:

  HKLM\SOFTWARE\Dell\Dell Data Protection\
  "AllowOtherCredProviders" = DWORD:1
  0=Disabled (default)
  1=Enabled

- The Encryption Management Agent no longer outputs policies by default. To output future consumed policies, create the following registry key:

  HKLM\Software\Dell\Dell Data Protection\
  DWORD: DumpPolicies
  Value=1

  Note: a reboot is required for this change to take effect.

- To suppress all Toaster notifications from the Encryption Management Agent, the following registry value must be set on the client computer.

  [HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection]
  "PbaToastersAllowClose" =DWORD:1
  0=Enabled (default)
  1=Disabled
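
The registry values above can be checked on an endpoint with a read-only report. This is an added example, not code from the Dell guide; the effect strings paraphrase the page, the "default" wording for a missing value follows the defaults the page states, and any data the page does not define is reported as not described.

```powershell
# Added example: read-only report of the registry values named on this page.
# Effect strings paraphrase the guide; nothing is created or modified.
$ddp    = 'HKLM:\SOFTWARE\Dell\Dell Data Protection'
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$na     = 'not described in the guide'

$checks = @(
    @{ Path = $ddp; Name = 'SmartcardEnabled'; AnyNonZero = $true
       Missing = 'Password only'; Zero = 'Password only'
       One = 'Password and smart card offered' }
    @{ Path = $notify; Name = 'SmartCardLogonNotify'
       Missing = $na; Zero = 'Winlogon smart card logon notification disabled'
       One = 'Winlogon smart card logon notification enabled' }
    @{ Path = $ddp; Name = 'AllowOtherCredProviders'
       Missing = 'Disabled (default)'; Zero = 'Disabled (default)'
       One = 'Enabled: third-party credential providers are not disabled' }
    @{ Path = $ddp; Name = 'DumpPolicies'
       Missing = 'Consumed policies are not output (default)'; Zero = $na
       One = 'Consumed policies are output (takes effect after reboot)' }
    @{ Path = $ddp; Name = 'PbaToastersAllowClose'
       Missing = 'Enabled (default)'; Zero = 'Enabled (default)'
       One = 'Disabled: Toaster notifications suppressed' }
)

$report = foreach ($c in $checks) {
    # A missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $data = '(not set)'; $effect = $c.Missing
    } else {
        $data  = $item.($c.Name)
        # Only SmartcardEnabled is documented as "any non-zero value".
        $isOne = ($data -eq 1) -or $c.AnyNonZero
        $effect = if ($data -eq 0) { $c.Zero } elseif ($isOne) { $c.One } else { $na }
    }
    [pscustomobject]@{ Name = $c.Name; Data = $data; Effect = $effect }
}
$report | Format-Table -AutoSize -Wrap
```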

Page 85

Glossary

Advanced Authentication - The Advanced Authentication product provides smart card reader options. Advanced Authentication helps manage these multiple authentication methods, supports login with self-encrypting drives, SSO, and manages user credentials and passwords.

Encryption Administrator Password (EAP) - The EAP is an administrative password that is unique to each computer. Most configuration changes made in the local Management Console require this password. This password is also the same password that is required to use your LSARecovery_[hostname].exe file to recover data. Record and save this password in a safe place.

Encryption Client - The Encryption client is the on-device component that enforces security policies, whether an endpoint is connected to the network, disconnected from the network, lost, or stolen. Creating a trusted computing environment for endpoints, the Encryption client operates as a layer on top of the device operating system, and provides consistently-enforced authentication, encryption, and authorization to maximize the protection of sensitive information.

Encryption keys - In most cases, Encryption uses the User encryption key plus two additional encryption keys. However, there are exceptions: All SDE policies and the Secure Windows Credentials policy use the SDE key. The Encrypt Windows Paging File policy and Secure Windows Hibernation File policy use their own key, the General Purpose Key (GPK). The Common encryption key makes files accessible to all managed users on the device where they were created. The User encryption key makes files accessible only to the user who created them, only on the device where they were created. The User Roaming encryption key makes files accessible only to the user who created them, on any encrypted Windows or Mac device.

Encryption sweep - The process of scanning folders to be encrypted to ensure the contained files are in the proper encryption state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an encryption sweep may happen and what may affect the resulting sweep times, as follows:
 - An encryption sweep occurs upon initial receipt of a policy that has encryption enabled. This can occur immediately after activation if your policy has encryption enabled.
 - If the Scan Workstation on Logon policy is enabled, folders specified for encryption are swept on each user logon.
 - A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the encryption folders, encryption algorithms, encryption key usage (common versus user), triggers a sweep. In addition, toggling between encryption enabled and disabled triggers an encryption sweep.

Pre-boot Authentication (PBA) - Pre-boot Authentication serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk, such as the operating system, until the user has confirmed they have the correct credentials.

Single Sign-On (SSO) - SSO simplifies the logon process when multi-factor authentication is enabled at both preboot and Windows logon. If enabled, authentication is required at preboot only, and users are automatically logged on to Windows. If not enabled, authentication may be required multiple times.

System Data Encryption (SDE) - SDE is designed to encrypt the operating system and program files. To accomplish this purpose, SDE must be able to open its key while the operating system is booting. Its intent is to prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data. Common and User key encryption are intended for sensitive user data because they require a user password to unlock encryption keys. SDE policies do not encrypt the files needed by the operating system to start the boot process. SDE policies do not require preboot authentication or interfere with the Master Boot Record in any way. When the computer boots up, the encrypted files are available before any user logs in (to enable patch management, SMS, backup and recovery tools). Disabling SDE triggers automatic decryption of all SDE encrypted files and directories for the relevant users, regardless of other SDE policy values, such as SDE Encryption Rules.

Trusted Platform Module (TPM) - TPM is a security chip with three major functions: secure storage, measurement, and attestation. The Encryption client uses TPM for its secure storage function. The TPM can also provide encrypted containers for the software vault.
