Disk encryption end-user experience

While the Disk Encryption Manager installation is configured and initiated in SolarWinds N-central, it may require user interaction.

Installation

During the installation of Disk Encryption Manager, the user can encounter one of three scenarios:

  • If the device has no TPM, the user is prompted to set an encryption password, which they then use to unlock the disk each time they use the computer. The password must be eight characters and include at least one uppercase and lowercase letter and a number. The user can ignore the request. If a user does not enter the required password, they will see a prompt every few minutes reminding them to complete the installation.
  • If the device has a TPM, and you selected to prompt the user for a PIN, the user must set a PIN. The encryption PIN must be between six and 21 alphanumeric characters.
  • If the device has a TPM, and you did not select for the user to enter a PIN, then no interaction is needed by the user.

After this step, Disk Encryption Manager first encrypts the boot drive, then continues with the D: drive and then any additional drives. There is no option to only encrypt selected drives.

A message appears informing the user that the encryption process has started, including the drive and the time it began. Another message appears when the encryption has completed. Encrypting a disk can take a while to complete: roughly one minute for every 500 MB.

Should the user shut down the computer during the encryption process, the encryption will resume once the device is back up and running.
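The following pre-deployment check is an added example, not part of the SolarWinds documentation or product. It reports which of the three installation scenarios a device will hit, the order in which its drives would be encrypted, and a rough duration. Assumptions: the hypothetical `-PromptForPin` switch mirrors the PIN option you chose in N-central, the Windows system drive is treated as the boot drive, and the estimate applies the 500 MB per minute figure to total volume size.

```powershell
# Added example, not SolarWinds code. Run in an elevated PowerShell session
# on the target Windows device before deploying Disk Encryption Manager.
param(
    # Assumption: set this to match the "prompt the user for a PIN" choice in N-central.
    [switch]$PromptForPin
)

# Get-Tpm (TrustedPlatformModule module) reports whether a TPM is present.
$tpm = Get-Tpm

# Map TPM state and the PIN choice onto the three scenarios described above.
if (-not $tpm.TpmPresent) {
    $scenario = 'No TPM: user is prompted to set an encryption password'
} elseif ($PromptForPin) {
    $scenario = 'TPM with PIN: user must set a PIN'
} else {
    $scenario = 'TPM without PIN: no user interaction needed'
}

# Assumption: the system drive (for example C:) is the boot drive.
$bootLetter = $env:SystemDrive.TrimEnd(':')

# Fixed volumes with a drive letter, ordered boot drive, then D:, then the rest.
$volumes = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    Sort-Object @{ Expression = {
        if ($_.DriveLetter -eq $bootLetter) { 0 }
        elseif ($_.DriveLetter -eq 'D') { 1 }
        else { 2 }
    } }, DriveLetter

# Rough duration: one minute per 500 MB, applied to total volume size (assumption).
$order = 0
$plan = foreach ($v in $volumes) {
    $order++
    [pscustomobject]@{
        Order      = $order
        Drive      = "$($v.DriveLetter):"
        SizeGB     = [math]::Round($v.Size / 1GB, 1)
        EstMinutes = [math]::Ceiling($v.Size / 500MB)
    }
}

"Expected user experience: $scenario"
$plan | Format-Table -AutoSize
"Estimated total: {0} minutes" -f ($plan | Measure-Object EstMinutes -Sum).Sum
```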

Computer start up

When the user starts their computer, depending on whether they have a TPM on their device and how it is configured, the user can encounter one of three scenarios:

  • If there is no TPM on the device, the user is prompted for their password, and then for Windows authentication.
  • If there is a TPM and a PIN is configured, the user is prompted to enter their PIN, and then for Windows authentication.
  • If there is a TPM and it is configured with no PIN, the user only needs to complete Windows authentication.

The device will not continue the boot sequence until the user enters the correct password. After they enter their password, Disk Encryption Manager unlocks the device, and the user can then enter their system credentials and continue the startup as normal.

If the user forgets their password, they can press Escape to display the encryption recovery screen, which includes a recovery key ID. The user presents the recovery key ID to their Administrator. The Administrator uses this to provide a recovery key. The user enters the recovery key in the field on the Recovery screen to continue.

The user will need to create a new password before unlocking the drive.