Deployment Guide

Glossary
Advanced Authentication - The Advanced Authentication product provides smart card reader options. Advanced Authentication
helps manage these multiple authentication methods, supports login with self-encrypting drives, SSO, and manages user
credentials and passwords.
Encryption Administrator Password (EAP) - The EAP is an administrative password that is unique to each computer. Most
configuration changes made in the local Management Console require this password, and it is also the password required by
the LSARecovery_[hostname].exe file to recover data. Record this password and store it in a safe place, since both local
reconfiguration and data recovery depend on it.
Encryption Client - The Encryption client is the on-device component that enforces security policies whether an endpoint is
connected to the network, disconnected from the network, lost, or stolen. It operates as a layer on top of the device operating
system and provides consistently enforced authentication, encryption, and authorization to protect sensitive information.
Encryption keys - In most cases, Encryption uses the User encryption key plus two additional encryption keys, the Common and
User Roaming keys. There are exceptions: all SDE policies and the Secure Windows Credentials policy use the SDE key, and the
Encrypt Windows Paging File and Secure Windows Hibernation File policies use their own key, the General Purpose Key (GPK).
The user-data keys differ in who can open a file and where:
- Common encryption key - files are accessible to all managed users on the device where they were created.
- User encryption key - files are accessible only to the user who created them, and only on the device where they were created.
- User Roaming encryption key - files are accessible only to the user who created them, on any encrypted Windows or Mac device.
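The key scoping rules above decide which files survive a user leaving, a device being reimaged, or a user moving to a second machine, so they are worth modelling explicitly. The following Python is an added example written for this page, not code from the Encryption product; the enum, policy-name strings and the EncryptedFile record are assumptions chosen to mirror the glossary, and the SDE/GPK branch encodes the point made under System Data Encryption that those keys open at boot without a user credential.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

# Hypothetical model of the key scopes described in the glossary. Names and
# the policy-name strings are this example's own, not product identifiers.
class KeyScope(Enum):
    SDE = "SDE"                    # opened during boot; OS and program files
    GPK = "GPK"                    # paging and hibernation files
    COMMON = "Common"              # any managed user, same device only
    USER = "User"                  # creating user, same device only
    USER_ROAMING = "User Roaming"  # creating user, any encrypted device

# Policies that use a dedicated key instead of the Common/User selection
# (policy names assumed for the example).
SDE_KEYED_POLICIES = {"SDE Encryption Rules", "Secure Windows Credentials"}
GPK_KEYED_POLICIES = {"Encrypt Windows Paging File", "Secure Windows Hibernation File"}
USER_DATA_SCOPES = (KeyScope.COMMON, KeyScope.USER, KeyScope.USER_ROAMING)


def key_for_policy(policy_name: str, key_usage: KeyScope) -> KeyScope:
    """Return the key a policy encrypts with.

    key_usage is the administrator's Common / User / User Roaming selection,
    which only applies to ordinary folder-encryption policies.
    """
    if policy_name in SDE_KEYED_POLICIES:
        return KeyScope.SDE
    if policy_name in GPK_KEYED_POLICIES:
        return KeyScope.GPK
    if key_usage not in USER_DATA_SCOPES:
        raise ValueError(f"folder policies cannot use the {key_usage.value} key")
    return key_usage


@dataclass(frozen=True)
class EncryptedFile:
    scope: KeyScope
    owner: str   # user who created the file
    device: str  # device the file was created on


def can_open(f: EncryptedFile, user: str, device: str, managed_users: set) -> bool:
    """Apply the scope rules: who can unlock the file, and on which device."""
    if f.scope is KeyScope.COMMON:
        return device == f.device and user in managed_users
    if f.scope is KeyScope.USER:
        return device == f.device and user == f.owner
    if f.scope is KeyScope.USER_ROAMING:
        return user == f.owner
    # SDE and GPK keys are opened while the OS boots, before any logon, so
    # files under them are readable by anyone on that booted device. That is
    # why those keys must never be selected for user data.
    return device == f.device
```

Run through a scenario: a User-keyed document created by alice on laptop-1 cannot be opened by alice on laptop-2 nor by bob on laptop-1, whereas the same document under the User Roaming key follows alice to any encrypted device, and under the Common key it is readable by any managed user of laptop-1 but still not off that device.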
Encryption sweep - The process of scanning folders to be encrypted to ensure the contained files are in the proper encryption
state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an
encryption sweep may happen and what may affect the resulting sweep times:
- An encryption sweep occurs upon initial receipt of a policy that has encryption enabled. This can occur immediately after
activation if your policy has encryption enabled.
- If the Scan Workstation on Logon policy is enabled, folders specified for encryption are swept on each user logon.
- A sweep can be re-triggered by subsequent policy changes. Any change to the definition of the encryption folders, the
encryption algorithm, or the encryption key usage (Common versus User) triggers a sweep. Toggling between encryption enabled
and disabled also triggers an encryption sweep.
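Because a sweep over large folders can run for a long time on every affected endpoint, it helps to know before pushing a policy change whether it will start one. The following Python is an added example for this page, not Encryption product code: it compares an old and new policy (a simplified, hypothetical policy record whose field names are assumed) and lists the triggers named in the glossary, returning an empty list when no sweep is expected.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical simplified policy model; field names are this example's own,
# chosen to mirror the policy areas the glossary names.
@dataclass(frozen=True)
class EncryptionPolicy:
    encryption_enabled: bool
    encryption_folders: tuple         # folders selected for encryption
    algorithm: str                    # e.g. "AES-256"
    key_usage: str                    # "Common" or "User"
    scan_workstation_on_logon: bool = False


def sweep_reasons(old: Optional[EncryptionPolicy], new: EncryptionPolicy,
                  user_logon: bool = False) -> List[str]:
    """List the reasons the client would start an encryption sweep.

    old is None when the endpoint receives its first policy (for example right
    after activation). user_logon marks a logon event rather than a policy
    push. Ordinary file creation and rename never appear here: they do not
    trigger a sweep. An empty list means no sweep is expected.
    """
    reasons: List[str] = []
    if old is None:
        if new.encryption_enabled:
            reasons.append("initial receipt of a policy with encryption enabled")
        return reasons
    if old.encryption_enabled != new.encryption_enabled:
        reasons.append("encryption toggled " + ("on" if new.encryption_enabled else "off"))
    if set(old.encryption_folders) != set(new.encryption_folders):
        reasons.append("encryption folder definition changed")
    if old.algorithm != new.algorithm:
        reasons.append(f"encryption algorithm changed ({old.algorithm} -> {new.algorithm})")
    if old.key_usage != new.key_usage:
        reasons.append(f"encryption key usage changed ({old.key_usage} -> {new.key_usage})")
    if user_logon and new.scan_workstation_on_logon:
        reasons.append("Scan Workstation on Logon is enabled")
    return reasons
```

A change that only touches unrelated settings yields no reasons, while switching key usage from User to Common, adding a folder, or changing the algorithm each report a trigger; with Scan Workstation on Logon enabled, every logon reports one as well.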
Pre-boot Authentication (PBA) - Pre-boot Authentication serves as an extension of the BIOS or boot firmware and provides a
trusted authentication layer that runs before, and independently of, the operating system. The PBA prevents anything being
read from the encrypted disk, including the operating system, until the user has presented the correct credentials.
Single Sign-On (SSO) - SSO simplifies the logon process when multi-factor authentication is enabled at both preboot and
Windows logon. If SSO is enabled, authentication is required at preboot only, and users are automatically logged on to Windows.
If it is not enabled, users may be prompted to authenticate more than once.
System Data Encryption (SDE) - SDE is designed to encrypt the operating system and program files. To accomplish this
purpose, SDE must be able to open its key while the operating system is booting, without any user credential. Its intent is to
prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data: because its key
is available at boot, SDE-encrypted files are readable by any process once the system is running. Common and User key
encryption are intended for sensitive user data because they require a user password to unlock the encryption keys. SDE
policies do not encrypt the files needed by the operating system to start the boot process, do not require preboot
authentication, and do not interfere with the Master Boot Record in any way. When the computer boots, the SDE-encrypted files
are available before any user logs in, so patch management, SMS, and backup and recovery tools can reach them. Disabling SDE
triggers automatic decryption of all SDE-encrypted files and directories for the relevant users, regardless of other SDE policy
values, such as SDE Encryption Rules.
Trusted Platform Module (TPM) - TPM is a security chip with three major functions: secure storage, measurement, and
attestation. The Encryption client uses TPM for its secure storage function. The TPM can also provide encrypted containers for
the software vault.