After the successful deployment of BestCrypt Volume Encryption (BCVE) on remote computers, an administrator can manage BCVE on client computers through Jetico Central Manager Console (see below):
Jetico Central Manager Database receives and displays the following information from BCVE program running on the client computers:
Additionally, the administrator can click to prepare a rescue file or rescue bootable disk to recover an encrypted disk volume on the selected computer. See the section of this manual entitled Rescue procedures in Jetico Central Manager for more details about how to recover encrypted disk volumes on client computers.
The administrator of JCM Console can manage encryption policy on client computers by assigning a policy to the whole group, or to selected computers.
Computers with individual policies are marked with the 'gear' icon in the list of computers:
If the assigned policy forces the client software to encrypt fixed disks (in the policy, Fixed drive action = Encrypt), BCVE will ask the user on the client computer to enter a password to encrypt the volumes. The encryption will start and will be performed in the background. The process can be stopped, but it will be automatically resumed after a short time or after reboot. As soon as the encryption process starts, the user will be prompted to enter the password at boot.
NOTE: The automatic encryption may NOT start (or not resume) for the following reasons:
1. The client computer was not rebooted after installation.
2. BCVE main window has been opened on the client computer.
3. The client-server connection has been lost.
The administrator can temporarily suspend client protection (i.e. remove boot-time authentication). In these cases, the volumes will remain encrypted. This feature may be required to allow the computer(s) to restart automatically (Windows Updates, backup purposes, etc.). The feature is especially necessary when managing servers that are required to function around-the-clock.
As soon as the administrator enables this option, it will be reported by JCM Console to the log file:
Server: Suspend Protection set for computer 'computer name'
After that, if the client computer is ON, another report in the log file is expected:
Client: Suspend Protection set for computer 'computer name'
If the client computer is OFF, it will receive the setting and send this report to the Console when it is turned on. Upon receiving this confirmation from the client, boot-time authentication is removed.
As soon as the administrator disables this option, two records appear in the log file:
Client: Suspend Protection unset for computer 'computer name'
Server: Suspend Protection unset for computer 'computer name'
At this point, the boot-time authentication is restored.
Computers with 'Suspend protection' option enabled are marked with the 'pause' icon in the list of computers:
Furthermore, the status of such a computer is set to 'yellow' on the computer page, and the following warning is posted:
ATTENTION! The option Suspend protection exposes a security risk. For example, someone can turn off the computer, take it out of the company's network, turn it on again and gain access to the data. Remember to disable this option as soon as automatic reboot is no longer required.
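The following Python script is an added example, not part of Jetico Central Manager or of the original manual. It replays the Suspend Protection records quoted above to list computers that still have the option enabled or awaiting client confirmation. It assumes the log has been exported as text with one record per line; the computer names, state labels and function names are hypothetical.

```python
import re

# Message text as quoted on this page; search() tolerates any prefix the
# real log may put in front of it (assumption: one record per line).
EVENT_RE = re.compile(
    r"(Server|Client): Suspend Protection (set|unset) for computer '([^']*)'"
)

def suspend_state(lines):
    """Replay log lines in order and return {computer: state}."""
    last = {"Server": {}, "Client": {}}  # side -> {computer: True if 'set'}
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            side, action, name = m.groups()
            last[side][name] = (action == "set")
    states = {}
    for name in sorted(set(last["Server"]) | set(last["Client"])):
        server_set = last["Server"].get(name, False)
        client_set = last["Client"].get(name, False)
        if server_set and client_set:
            states[name] = "suspended"          # client confirmed: no boot-time authentication
        elif server_set:
            states[name] = "suspend-pending"    # takes effect once the client confirms
        elif client_set:
            states[name] = "unset-unconfirmed"  # no Client 'unset' record seen yet
        else:
            states[name] = "protected"          # boot-time authentication in place
    return states

def needs_attention(states):
    """Computers whose last known state is anything other than protected."""
    return [name for name, state in states.items() if state != "protected"]

# Constructed sample log; the computer names are hypothetical.
SAMPLE_LOG = """\
Server: Suspend Protection set for computer 'SRV-BACKUP01'
Client: Suspend Protection set for computer 'SRV-BACKUP01'
Server: Suspend Protection set for computer 'LAPTOP-17'
Server: Suspend Protection set for computer 'SRV-DB02'
Client: Suspend Protection set for computer 'SRV-DB02'
Client: Suspend Protection unset for computer 'SRV-DB02'
Server: Suspend Protection unset for computer 'SRV-DB02'
""".splitlines()

if __name__ == "__main__":
    for name, state in suspend_state(SAMPLE_LOG).items():
        print(f"{name}: {state}")
```

Running such a check on a schedule gives a list of computers to review against the maintenance windows for which the option was enabled.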