Data encryption and protection

Data encryption reduces the risk of unintentional leakage in case your laptop or hard drive is stolen or lost, or upon access by unauthorized users and applications.

The following Kaspersky applications support encryption:

• Kaspersky Endpoint Security for Windows
• Kaspersky Endpoint Security for Mac

You can show or hide some of the interface elements related to the encryption management feature by using the user interface settings.

Encryption of data in Kaspersky Endpoint Security for Windows

You can manage the following types of encryption:

• BitLocker Drive Encryption on devices running a Windows operating system for servers
• Kaspersky Disk Encryption on devices running a Windows operating system for workstation

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable encryption, view the list of encrypted drives, or generate and view reports about encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Windows in Kaspersky Security Center. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active policy. For detailed instructions on how to configure rules and a description of encryption features, see the Kaspersky Endpoint Security for Windows Help.

Encryption of data in Kaspersky Endpoint Security for Mac

You can use FileVault encryption on devices running macOS. While working with Kaspersky Endpoint Security for Mac, you can enable or disable this encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Mac in Kaspersky Security Center. Kaspersky Endpoint Security for Mac performs encryption and decryption according to the active policy. For a detailed description of encryption features, see the Kaspersky Endpoint Security for Mac Help.

Viewing the list of encrypted drives

In Kaspersky Security Center, you can view details about encrypted drives and devices that are encrypted at the drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED DRIVES section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export rows to CSV file or Export rows to TXT file button.

Viewing the list of encryption events

When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends Kaspersky Security Center information about events of the following types:

• Cannot encrypt or decrypt a file, or create an encrypted archive, due to a lack of free disk space.
• Cannot encrypt or decrypt a file, or create an encrypted archive, due to license issues.
• Cannot encrypt or decrypt a file, or create an encrypted archive, due to missing access rights.
• The application has been prohibited from accessing an encrypted file.
• Unknown errors.

To view a list of events that occurred during data encryption on devices,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTION EVENTS section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export rows to CSV file or Export rows to TXT file button.

Alternatively, you can examine the list of encryption events for every managed device.

To view the encryption events for a managed device:

1. In the main menu, go to the DEVICES → MANAGED DEVICES section.
2. Click on the name of a managed device.
3. On the General tab, go to the Protection section.
4. Click the View data encryption errors link.

Creating and viewing encryption reports

You can generate the following reports:

• Report on encryption status of mass storage devices. This report contains information about the device encryption status for all groups of devices.
• Report on rights of access to encrypted drives. This report contains information about the status of user accounts that have been granted access to encrypted drives.
• Report on file encryption errors. This report contains information about errors that occurred when data encryption or decryption tasks were run on devices.
• Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files.

You can generate any report in the MONITORING & REPORTING → REPORTS section. Alternatively, you can generate some of the encryption reports in the ENCRYPTED DRIVES section and the ENCRYPTION EVENTS section.

To generate encryption reports in the ENCRYPTED DRIVES section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select ENCRYPTED DRIVES.
3. To generate an encryption report, click the name of the report that you want to generate:
   • Report on encryption status of mass storage devices
   • Report on rights to access encrypted drives

The report generation starts.

To generate Report on file encryption errors in the ENCRYPTION EVENTS section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select ENCRYPTION EVENTS.
3. To generate the encryption report, click the Report on file encryption errors link.

The report generation starts.

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is not installed on the managed device. After you receive the request, you can create an access key file and send it to the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for Windows Help.

To grant access to an encrypted drive in offline mode:

1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for Windows.
2. In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED DRIVES section.

   A list of encrypted drives appears.

3. Select the drive to which the user requested access.
4. Click the Grant access to the device in offline mode button.
5. In the window that opens, select the plug-in corresponding to the Kaspersky application that was used to encrypt the selected drive.

   If a drive is encrypted with a Kaspersky application that is not supported by Kaspersky Security Center Web Console, use Microsoft Management Console-based Administration Console to grant the offline access.

6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see expanding blocks at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.