Data encryption and protection

Data encryption reduces the risk of unintentional leakage in case your laptop or hard drive is stolen or lost, or upon access by unauthorized users and applications.

The following Kaspersky applications support encryption:

• Kaspersky Endpoint Security for Windows
• Kaspersky Endpoint Security for Mac

You can show or hide some of the interface elements related to the encryption management feature by using the user interface settings.

Encryption of data in Kaspersky Endpoint Security for Windows

You can manage the BitLocker Drive Encryption technology on devices running a Windows operating system for servers or workstations.

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable encryption, view the list of encrypted drives, or generate and view reports about encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Windows in Kaspersky Security Center Cloud Console. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active policy. For detailed instructions on how to configure rules and a description of encryption features, see the Kaspersky Endpoint Security for Windows Help.

Encryption of data in Kaspersky Endpoint Security for Mac

You can use FileVault encryption on devices running macOS. While working with Kaspersky Endpoint Security for Mac, you can enable or disable this encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Mac in Kaspersky Security Center Cloud Console. Kaspersky Endpoint Security for Mac performs encryption and decryption according to the active policy. For a detailed description of encryption features, see the Kaspersky Endpoint Security for Mac Help.

Viewing the list of encrypted drives

In Kaspersky Security Center Cloud Console, you can view details about encrypted drives and devices that are encrypted at the drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export to CSV or Export to TXT button.

Creating and viewing encryption reports

You can generate the following reports:

• Report on encryption status of managed devices. This report provides details about the data encryption of various managed devices. For example, the report shows the number of devices to which the policy with configured encryption rules applies. Also, you can find out, for instance, how many devices need to be rebooted. The report also contains information about the encryption technology and algorithm for every device.
• Report on encryption status of mass storage devices. This report contains similar information as the report on the encryption status of managed devices, but it provides data only for mass storage devices and removable drives.
• Report on rights to access encrypted drives. This report shows which user accounts have access to encrypted drives.
• Report on file encryption errors. This report contains information about errors that occurred when the data encryption or decryption tasks were run on devices.
• Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files. This report is helpful if an unauthorized user or application tries to access encrypted files or drives.

You can generate any report in the Monitoring & reporting → Reports section. Alternatively, in the Operations → Data encryption and protection section, you can generate the following encryption reports:

• Report on encryption status of mass storage devices
• Report on rights to access encrypted drives
• Report on file encryption errors

To generate an encryption report in the Data encryption and protection section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. In the main menu, go to Operations → Data encryption and protection.
3. Open the Encrypted drives section to generate the report on encryption status of mass storage devices or the report on rights to access encrypted drives.
4. Click the name of the report that you want to generate.

The report generation starts.

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is not installed on the managed device. After you receive the request, you can create an access key file and send it to the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for Windows Help.

To grant access to an encrypted drive in offline mode:

1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for Windows.
2. In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

   A list of encrypted drives appears.

3. Select the drive to which the user requested access.
4. Click the Grant access to the device in offline mode button.
5. In the window that opens, select the plug-in corresponding to the Kaspersky application that was used to encrypt the selected drive.

   If a drive is encrypted with a Kaspersky application that is not supported by Kaspersky Security Center Cloud Console, use Microsoft Management Console-based Administration Console to grant the offline access.

6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see expanding blocks at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.