
SafeGuard Encryption Enables 256 Bit Encryption on SATA HD workstations but only 128-Bit Encryption on SSD Workstations

Hi there, 

I was hoping someone can help me figure out why encryption on the SSD workstations is only enabling with 128-bit encryption while the SATA workstations are getting the full 256-bit encryption.  The default full encryption policy in SafeGuard Management Center is set to Local Storage Devices\Drive Letters\C: and the algorithm to be used for encryption is set to AES256.

We are using software encryption with "hardware encryption" disabled in the group policy because we read how some SSDs don't protect the HD properly because of a known BitLocker flaw.

Any ideas why the full encryption policy for HDs is set properly on the endpoints but the SSDs are using 128-bit (instead of AES256)?
  • Ok, I finally figured out what I needed to do to get the endpoints to all use AES 256-bit encryption.  I had to set the group policy for the cipher encryption to ensure all endpoints use the AES 256-bit method.  This was time-consuming, as I had to fully decrypt them to do this.
    So my final question is: if we have to set all the policies manually in the local group policy anyway, what is the purpose of having the SafeGuard Management Software and the SafeGuard Agent?  We wanted to use the management center as a way to easily set policies and manage endpoints...

  • With the advent of BitLocker, Sophos does less management of Windows, I appreciate. It still does, though, give a single pane of glass for the management and recovery of Windows AND Mac. It also offers file encryption and the management of that, something Windows can't do on its own.

    Sophos works in conjunction with AD, though, and allows you to control centrally what key protectors will be used and what the fallback option is.

    You're also getting a self-service portal for users to get their own recovery keys (should you want to).

    So yes, a few policies to set in AD, but once you have that set right (and it sounds like you have now), Sophos can do the rest, including file encryption, and also manage your Mac estate in the same way. With a portal for your staff (or tech staff) to use.

    I'm not saying it's perfect, and you could use MBAM to do much the same if you didn't need file encryption, but the console does a lot more than just the few policies AD does.

  • Ok, this is what I found.  You can get the 256-bit encryption to enable, but even when you set it in the local group policy of all devices, it will still initially encrypt at 128-bit.  So if you are using software-based encryption, you still have to decrypt the drive after you install the SafeGuard software and re-encrypt the drive again for it to use 256-bit encryption.  All of which is very time-consuming.  This is true for both SSD and SATA drives.
    In conclusion, if we plan on using this software we will have to accept the lower-level encryption standard, because it is too much work and too time-consuming to go through the entire process of re-encryption to achieve the best security.
    Thanks for your help on this issue.

  • I'm confused as to why this would be. Most of my estate is 256-bit, and I've not decrypted and re-encrypted any of the devices. I can't comment on your estate, but I don't feel it's Sophos SafeGuard limiting this; at least it doesn't here!

  • Not sure why either.  I have tried it on a factory brand-new ASUS ZenBook with SSD and an older Dell Latitude with SATA (in-field PC).  Also testing on my own workstation, a Dell Latitude.  I was only able to get 256-bit working on my own after fully decrypting the drive and manually enabling BitLocker.  The 256-bit encryption will not start on its own.  It has to be manually configured and turned on.

    The policies are updating from the server management panels with no issues.  Just the process is not working.  Maybe it is because of the disabling of the hardware encryption?
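The posts above all turn on the same BitLocker behaviour: the cipher is fixed at the moment a volume is encrypted, so a policy change made afterwards only affects future encryptions, and an already-encrypted 128-bit volume stays 128-bit until it is decrypted and encrypted again. The script below is an added example, not code from the thread or from Sophos. It reads the cipher the "Choose drive encryption method and cipher strength" policy will apply to new encryptions (the documented DWORD values under HKLM:\SOFTWARE\Policies\Microsoft\FVE), compares it with the cipher each volume is actually using, and flags the ones that would need a decrypt/re-encrypt cycle. The `$Wanted` value, the function names and the helper that performs the re-encryption are assumptions for illustration; run it from an elevated PowerShell on a machine with the BitLocker module.

```powershell
# Added example (not from the thread): audit BitLocker cipher strength per volume and
# compare it with the cipher that group/local policy dictates for NEW encryptions.
# Requires the BitLocker module (Windows 8 / Server 2012 and later) and an elevated prompt.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Wanted     = 'Aes256'   # assumption: the strength the thread is after; use 'XtsAes256' for XTS policies

# Documented DWORD values written by the "Choose drive encryption method and cipher strength" policy.
# EncryptionMethod (older policy):             3 = AES-CBC 128, 4 = AES-CBC 256
# EncryptionMethodWithXtsOs (Windows 10 1511+): 3 = AES-CBC 128, 4 = AES-CBC 256,
#                                               6 = XTS-AES 128, 7 = XTS-AES 256
$CipherMap = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-PolicyCipher {
    # Cipher the policy will apply to an OS drive encrypted from now on; $null if no policy is set,
    # in which case BitLocker uses its built-in default (128-bit on current Windows builds).
    if (-not (Test-Path $PolicyPath)) { return $null }
    $p = Get-ItemProperty -Path $PolicyPath
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethod') {
        $val = $p.$name
        if ($null -ne $val -and $CipherMap.ContainsKey([int]$val)) { return $CipherMap[[int]$val] }
    }
    return $null
}

function Get-CipherAudit {
    # One record per volume: current cipher, status, and whether a re-encrypt is required.
    foreach ($v in Get-BitLockerVolume) {
        $current = [string]$v.EncryptionMethod
        $action  = if ($v.VolumeStatus -eq 'FullyDecrypted') {
            'not encrypted: policy cipher will be used when BitLocker is enabled'
        } elseif ($current -ne $Wanted) {
            "MISMATCH: decrypt and re-encrypt with -EncryptionMethod $Wanted"
        } else {
            'OK'
        }
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            Percent          = $v.EncryptionPercentage
            ProtectionStatus = $v.ProtectionStatus
            Cipher           = $current
            Action           = $action
        }
    }
}

function Start-ReEncryption {
    # Hypothetical helper: the manual cycle the thread describes. The volume is unprotected
    # between Disable-BitLocker and the end of re-encryption, so back up the recovery key
    # first and expect this to take a long time on large drives.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [string]$Method = $Wanted
    )
    Disable-BitLocker -MountPoint $MountPoint
    do {
        Start-Sleep -Seconds 60
        $s = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($s.VolumeStatus -ne 'FullyDecrypted')
    # TPM protector for an OS drive; add -RecoveryPasswordProtector separately if you
    # want a recovery password escrowed before protection is switched on.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method -TpmProtector -SkipHardwareTest
}

$policyCipher = Get-PolicyCipher
"Policy cipher for new encryptions: $(if ($policyCipher) { $policyCipher } else { 'none set (BitLocker default)' })"
Get-CipherAudit | Format-Table -AutoSize

# Re-encrypt only after reviewing the audit, e.g.:
# Start-ReEncryption -MountPoint 'C:'
```

The audit output makes the thread's observation visible: a volume encrypted before the cipher policy reached the machine shows `Aes128` (or `XtsAes128`) regardless of what the policy now says, while a volume still `FullyDecrypted` will pick up the policy cipher when encryption is next enabled. Whether that is done by hand with `Enable-BitLocker` or by letting the SafeGuard agent enable BitLocker again after the decrypt is a deployment choice; the point is that the cipher only changes on a fresh encryption.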
  • My boss says he is fine with the 128-bit encryption.  So we're good to go here.  I personally just wonder if there is a better way to get 256-bit without re-encrypting.  Thanks