Idea ID: 2783261

Policy based control over hardware encryption

Status: Delivered
over 6 years ago
It has been more and more frustrating to try to find out what hardware encryption (OPAL) drives work with FDE.

I would like to be able to control by policy whether the FDE engine tries to use software- or HW-based encryption. You could define a default policy without HW encryption and, if you see that certain drives/laptop models work OK, you could enable HW encryption afterwards (if possible), or vice versa.

I have discussed this with support earlier, but just in case... ;)
  • This has been implemented with ZCM 11.4: "... Enable software encryption of Opal compliant self-encrypting drives: When enabled, this option does the following to OPAL 2.0 compliant self-encrypting drives:
      - Prevents the ZENworks Pre-Boot Authentication (PBA) mechanism from initiating the drive’s locking feature. This allows the ZENworks PBA to work with ALL OPAL 2.0 compliant self-encrypting drives, not just the drives that are known to be drive-locking compatible with ZENworks Full Disk Encryption.
      - Applies software encryption to the drive, adding a second layer of encryption to the drive’s already hardware-encrypted contents. ..."