Many laws and regulations require that to operate in compliance with federal and state standards, organizations have to encrypt computers that house sensitive information (such as PHI). For organizations that do not operate on Windows 8 and above, this can be an issue, as Bitlocker is not available on systems using a pre-Windows 8 Windows OS.
But DESlock+ encryption offers an effective solution for encryption —both in these cases and in cases of general data encryption.
Managed Vs. Standalone
DESlock is available in both managed and standalone setups. Standalone DESlock+ will work for very small environments or for home workstation encryption, but managed DESlock+ is what you will want to use for most organizations. This article will detail how to add a user, add a workstation, encrypt a workstation within a Managed DESlock+ environment, and generating a DESlock+ preboot password.
DESlock+ Enterprise Server
Managing users and workstations with DESlock+ Enterprise Server is moderately easy, with a pretty low learning curve. It is important to note that DESlock+ operates on the user level – that is, that workstations are connected to users and most management is performed by making configuration changes for the user. This product-management strategy is predicated on the fact that one user can use more than one workstation, allowing one DESlock+ license to extend to multiple workstations.
Adding a User to DESlock+ via Enterprise Server
From within DESlock+ Enterprise Server, under “Users” in the left-hand-side folder tree, double-click on the folder of the location that the new user will be working in. Once inside the folder, click “Add,” which is located on the second-from-the-top ribbon at the top of the DESlock Enterprise Server window.
Enter the email address for the user that you are creating in DESlock+. After you enter the email address, click “Add.” This simple process is all that is required for adding a user.
Adding a Workstation
Adding a workstation is also easy, but the process is not as intuitive as adding a user. The first step to adding a workstation is to install DESlock+ on the workstation itself. To do this, double-click on the latest version of DESlock+ installer. After DESlock+ is installed, you will be prompted by a window requiring an activation code.
This activation code is generated with DESlock+ Enterprise Server. To generate an activation code, double-click on the user within his/her respective “Users” folder in DESlock+ Enterprise Server. Click on the “Activation Code” tab within the user’s profile.
Click on “New.”
You will be prompted with a “Generate Activation Codes” window. Uncheck “Send users Activation Code in an E-mail.”
Click “Generate.” Copy this code and input the code into the window prompt on the endpoint computer that is requesting an activation code as shown below.
This will complete the activation of DESlock+ and allow it to communicate with DESlock+ Enterprise Server. With this said, what still needs to be performed is a sync in between DESlock+ and the enterprise server.
To sync a client endpoint workstation with DESlock+ Enterprise Server, first click on the little arrow on the right-hand side of the endpoint computer taskbar. Right-click on the black shield with the blue cross and click “Enterprise Sync.”
Now perform a proxy sync on the server side by clicking the ‘proxy sync’ button at the bottom of the DESlock+ window.
Any change within DESlock+ has to be synced from both the workstation and the DESlock+ Enterprise Server, whether it be activating DESlock+ or changing a policy for the workstation.
Full Disk Encryption
With both the user and workstation added to DESlock+ Enterprise Server, and DESlock+ installed on the workstation, all that is left is to perform a full disk encryption. Follow the steps below to perform this action.
Select the workstation from “Workstations” within DESlock+ Enterprise Server. Double-click the workstation. Once inside the workstation window, click “Full Disk Encryption” on the second-from-the-top ribbon at the top of the DESlock+ Enterprise Server window.
This will prompt you with the Full Disk Encryption wizard as seen below.
Click “Next.” This will present you with the Compatibility Checks window as seen below.
Generally, there will be no compatibility issues with DESlock+ when installing on a workstation, and you will see a green-topped panel indicating that there are no incompatibilities. However, if you are installing DESlock+ onto certain systems, such as a Lenovo thin client, you will see that you have to install in “Safe Mode,” which will take one extra restart of the computer before Full Disk Encryption will occur.
This selection can be made by using the drop-down menu. Click “Next.”
You will be presented with an Add FDE Login window. Click “Next.”
You will then be presented with an FDE Login Details window. This window will allow you to choose the user’s preboot password and allows you to configure how many password attempts and recovery password uses are available, as well as whether to email the login details to the end user. Click “Next.”
This will lead you to the Full Disk Encryption drive partition selection window. The default is set to encrypt all drive partitions on the workstation however you will only want to encrypt C: drive. To unselect the other drive partitions you need to click the “Change Disk” button.
After clicking “Change Disk,” you will be presented with a DESlock+ window that lets you select which drive partitions you do not want to encrypt. Click on the drives that you do not want to encrypt and click the “not encrypted” button. You will then be presented with a drive partitions window that looks similar to the window below.
This window clearly shows that only the C: drive will be encrypted. Click “OK.” You will be now be presented with a window that indicates which drives you selected to encrypt in the previous step.
Click “Start Encryption.”
At this point, the client endpoint workstation will need a restart. On the workstation you will be presented with the below window. Click “Restart.”
When the workstation comes back up from the restart you will be presented with a Disk Encryption Status window. When encryption is complete, you will be presented with the Disk Encryption Status window below.