For a correct understanding of the processes involved in encrypting and decrypting information, some concepts related to the encryption technology used must first be presented. This article also describes what the Recovery Key is and the basics of BitLocker, the technology used by Panda Full Encryption.
BitLocker
BitLocker is the software included in some editions of Windows 7 and later that manages the encryption and decryption of the data stored on the computer's volumes. Panda Full Encryption installs BitLocker automatically on those server versions that do not include it but are compatible with it.
- System partition
This is a small area of the hard disk (1.5 gigabytes) that remains unencrypted and is necessary for the computer to complete the startup process correctly. Panda Full Encryption creates this system partition automatically if it did not previously exist.
- Encryption algorithm
The encryption algorithm chosen by Panda Full Encryption is AES-256, although computers with user-encrypted volumes that use another encryption algorithm are also supported.
Encryption technologies
- TPM
TPM (Trusted Platform Module) is a chip included on some desktop, laptop and server motherboards. Its main purpose is to protect users' sensitive information by storing keys and other data used in the authentication process. In addition, the TPM detects changes in the computer's boot chain, for example preventing a hard drive from being accessed from a computer other than the one used to encrypt it. The minimum TPM version supported by Panda Full Encryption is 1.2, and Panda Security recommends using it in combination with the other supported authentication systems. In some scenarios the TPM may be disabled in the computer's BIOS and must be enabled manually.
- PIN and Extended / Enhanced PIN
A PIN (Personal Identification Number) is a sequence of 4 to 20 digits (6 to 20 on computers running Windows 10 version 1709 and later) that acts as a simple password and is requested at the start of a computer that has an encrypted volume. Without the PIN the boot sequence does not complete and the computer cannot be accessed. If the hardware supports it, Panda Endpoint Protection uses an extended or enhanced PIN consisting of letters and numbers to increase the complexity of the password. Because the extended PIN is requested during the computer's startup, before the operating system loads, BIOS limitations may restrict keyboard input to the 7-bit ASCII table. In addition, keyboards with a layout different from the EN-US character map, such as QWERTZ or AZERTY keyboards, can cause the extended PIN entry to fail. For this reason Panda Endpoint Protection checks that the characters entered by the user belong to the EN-US map before setting the extended PIN during the encryption process.
- Passphrase
A password of 8 to 255 alphanumeric characters, equivalent to the extended PIN.
- USB key
The encryption key is stored on a USB device formatted with NTFS, FAT or FAT32. This way no password has to be entered during the computer's startup, although the USB device holding the key must be connected to the computer. Some older PCs cannot access USB drives during the boot process; check that the computers in your organization can access USB drives from the BIOS.
When an anomalous situation is detected on a computer protected with Panda Full Encryption, or when the access password has been forgotten, the system requests a 48-digit recovery key. This key is managed from the administration console and must be entered to complete the computer's startup. Each encrypted volume has its own independent recovery key.
The recovery key is requested in the following scenarios:
- When the PIN or passphrase is entered incorrectly several times during the computer's startup.
- When a device protected with a TPM detects a change in the boot sequence (a hard disk protected by the TPM is connected to another device).
- When the computer's motherboard, and therefore its TPM, has been replaced.
- When the TPM is deactivated, disabled or its contents are cleared.
- When the computer's startup configuration values are changed.
- When the computer's boot process is changed:
  - BIOS update.
  - Firmware update.
  - UEFI update.
  - Modification of the boot sector.
  - Modification of the master boot record.
  - Modification of the boot manager.
  - Change of the firmware embedded in certain components that take part in the computer's startup (video cards, disk controllers, etc.), known as Option ROM.
  - Change of other components that intervene in the initial phases of system startup.
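To verify on a single computer the preconditions this article describes (a TPM that is present, ready and at least version 1.2; an unencrypted system partition; AES-256; a 48-digit recovery password for every encrypted volume; and a PIN or passphrase alongside the TPM on the OS volume), here is an added PowerShell audit script. It is example code written for this article, not Panda Full Encryption's own tooling, and it assumes an elevated session on a Windows version that includes the BitLocker and TrustedPlatformModule modules.

```powershell
# Added example (not Panda's code): audit a computer against the BitLocker
# preconditions described above. Run from an elevated PowerShell session that
# has the BitLocker and TrustedPlatformModule modules available.
$findings = @()
# TPM present and ready (TpmReady is false when the TPM is disabled in firmware or unprovisioned)
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings += 'No TPM detected: TPM-based key protectors are not available.'
} elseif (-not $tpm.TpmReady) {
    $findings += 'TPM present but not ready: check that it is enabled in the BIOS/UEFI setup.'
}
# Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.16" or "1.2, 2, 3"
$tpmCim = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
if ($tpmCim) {
    $specVersion = [version](($tpmCim.SpecVersion -split ',')[0].Trim())
    if ($specVersion -lt [version]'1.2') {
        $findings += "TPM specification version $specVersion is below the 1.2 minimum."
    }
}
# The small unencrypted partition holding the boot files is flagged IsSystem
if (-not (Get-Partition | Where-Object IsSystem)) {
    $findings += 'No system partition found: the boot process cannot complete without one.'
}
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "${mp}: volume status is $($vol.VolumeStatus)."
        continue
    }
    if ($vol.EncryptionMethod -notmatch 'Aes256') {
        $findings += "${mp}: encryption method is $($vol.EncryptionMethod), not AES-256."
    }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if (-not $recovery) {
        $findings += "${mp}: no recovery password protector for this volume."
    }
    foreach ($rp in $recovery) {
        # Recovery passwords are eight groups of six digits: 48 digits in total
        if (($rp.RecoveryPassword -replace '-', '').Length -ne 48) {
            $findings += "${mp}: recovery password does not have 48 digits."
        }
    }
    # On the OS volume the TPM should be combined with a PIN, enhanced PIN or passphrase
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match 'Pin|^Password$')) {
        $findings += "${mp}: OS volume relies on the TPM alone; add a PIN or passphrase."
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All checked BitLocker preconditions are satisfied.' }
```

Each warning maps to one of the scenarios above in which the recovery key would be requested or encryption could not be set up, so the script is a useful pre-deployment check before rolling out Panda Full Encryption.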