Technical support

Knowledgebase
How do I Full Disk Encrypt a Client Workstation using OPAL?
Article ID: KB526 email a link to this article
Important: Using OPAL Hardware Encryption, entrusts the security to the disk hardware vendor. ESET cannot verify or be liable for the strength of security in third-party devices and advise checking whether the disk in use has any known security vulnerabilities.

Requirements 

Please make sure your system meets the requirements for OPAL encryption - KB527 - OPAL Encryption FAQ

This article only applies to managed environments using an ESET Endpoint Encryption (EEE) Server and your client Workstations have a supported OPAL disk, then you can Full Disk Encrypt (FDE) them using EEE OPAL FDE.

Enabling OPAL in the Server

To enable OPAL encryption, you will first need to enable it within your organisation. OPAL encryption is enabled on a per organisation basis, you will need to enable OPAL in your organisation settings.

To do this -

  • Go to your ESET Endpoint Encryption Server Control Panel
  • Go to the organisation panel on the left and click Settings
  • Go to the Full Disk Encryption Settings section
  • Check Enable OPAL Hardware Encryption for supported drives
  • You also have the option to have OPAL encryption as the default encryption method on systems which support it in this menu

Sending an OPAL encrypt command to the workstation

To issue a FDE command to a Workstation, you will need to select the User associated with the Workstation and double click on the user to open a new window called the User Card.

Clicking on the Workstation tab, you will see all of the Workstations which the User is associated with. You will also be able to see the FDE status of the workstation under the FDE status column.

Highlight the Workstation you wish to send an FDE command to and then click the Full Disk Encryption button.

This will start the FDE wizard as seen below. If you do not wish to see the initial FDE wizard window in future, then put a tick in the box next to Don't show this page again and click the Next button.

You will now be shown the Compatibility Checks stage of the FDE wizard. This stage will inform you if there are any incompatibilities on the Workstation to which you are about to send the command.

Providing there are no compatibility issues raised, you will be able to choose the security mode.

You can use OPAL with TPM encryption, however in our example we do not do this. If you wish to use the TPM module when using OPAL encryption, please click it when requested.

If you are unsure about the different security methods, please read this article: KB430 - Trusted Platform Module (TPM) Support

In the next stage of the FDE wizard, you will be able to set the FDE login credentials (username and password) for the User. If you would like EEE to synchronize the FDE password with the User's Windows password, then you may wish to use Single Sign-On (SSO) instead. For more information about SSO, please read this article: KB187 - What is Single Sign-On (SSO)

Once you have set the FDE details for the User, click Next.

If this is the first FDE command that you are sending from the EEE Server, then you will be prompted to set the FDE Admin username and password. The FDE admin username and password is sticky, meaning it will be remembered for each subsequent FDE command you send to other Workstations. When setting your FDE Admin username and password, it is not advisable for it to be the same as the EEE Server Admin username and password, as doing so would compromise the security if someone were to discover what the credentials are. Click Next to continue.

The next stage of the FDE wizard will give you the option of either encrypting the whole disk or encrypting specific partition(s) of the disk. The screenshot below depicts that the whole disk will be encrypted. To select the OPAL encryption mode please click the Change button. Note - If the drive does not have OPAL stated in this Window, you will not be able to OPAL encrypt it.

Once the change button has been clicked, the window as shown in the screenshot below will appear. To enable OPAL encryption, you must click the Use OPAL button. Once you have done this please click the OK button, then the next button on the following page.

Finally, you will be presented with the final encryption start stage. With OPAL encryption, Safe Start is mandatory to start the encryption process.

For more information about Safe Start please click here - KB177 - What is Full Disk Encryption Safe Start?

Click the Start button to send the FDE command to the target Workstation. This will be apparent by the workstation icon being orange and under the FDE status the status will be set as Start FDE Pending.

For the FDE command to be processed by the workstation, you can either:

1. Wait for the background check period to elapse (by default this is every 60 minutes)

2. Manually synchronize the client as shown by this article: KB195 - How do I manually synchronise the ESET Endpoint Encryption Client and Server?

 

Once the FDE command has been processed, the client machine will restart the system to perform Safe Start and encryption will take place if Safe Start is succesful.

Keywords: OPAL encryption FDE send command


We use cookies on our website to enhance your browsing experience. Read more