How to Troubleshoot Hard Drive Encryption Issues

Table of Contents:

1. What is hard disk encryption?
2. Hardware encryption compares with software encryption
3. What is TPM?
4. Full Disk Encryption (FDE)
5. What is BitLocker?
6. Encryption of Advanced Format 512e (4 K) FDE hard drives
7. Hard Drive not recognized by encryption software
8. Preboot issues
9. System will not boot after adding third-party encryption software.
10. Encryption and Operating System reinstall
11. Lost passwords or encryption key

1. What is hard disk encryption?

Hard disk encryption is a process where data on the disk, or the entire drive, is converted into unreadable code using mathematical algorithms so it cannot be accessed by unauthorized users. The user must provide a password, fingerprint, or smart card to access an encrypted drive. Encryption can be performed by the means of software or hardware mechanisms. In the Client world, we deal with software encryption most of the time. Encryption can be at the file level, or for the entire hard disk.

Back to Top

2. Hardware encryption compare with software encryption

The main difference between software and hardware encryption is that the master boot record (MBR) cannot be encrypted using a software encryption mechanism. Dell Client computers use Wave Trusted Drive Manager as part of the Dell Data Protection or Dell ControlPoint Security Manager suite with the TPM chip for software-based encryption. Enterprise customers can use Dell Data Protection Encryption and a DDPE Accelerator module that is used in a slot on the motherboard using the mini card for laptops, or a PCIe card for desktop computers. Hardware encryption is more secure because it isolates the drive from the CPU and operating system, making it far less vulnerable to attack.

Back to Top

3. What is TPM?

A Trusted Platform Module (TPM) is a cryptographic microprocessor on the motherboard that stores and authenticates the encryption keys for the drive, which in turn, ties the drive to the computer. This means if the encrypted drive is stolen from the computer and placed into another computer, the drive cannot be accessible. The TPM chip acts as a "gateway" into the drive. The main disadvantage of TPM chip used in an encryption scheme is if the motherboard requires replacement, the drive may potentially no longer be accessible to the user. However, Wave Trusted Drive Manager alleviates this issue by keeping the encryption keys on the hard drive as well. (This is similar to RAID arrays not being lost when a motherboard is replaced. The array information is kept on the drive stripe and in the RAID controller EPROM.)

More info: How to troubleshoot and fix common issues with TPM and BitLocker

Back to Top

4. Full Disk Encryption (FDE)

Full disk encryption simply means the entire drive (every sector) can be encrypted instead of the files, folder, or file computers. FDE hard drives are becoming the standard in laptops due to the heightened chance of computer theft or loss. The term "full disk encryption" is originally coined by Seagate, but is now an industry term for all hard drives that can be fully encrypted. FDE hard drive security features are always on and act as a normal hard drive until the security policies are implemented.

A common question that arises is whether Wave Trusted Drive Manager encryption software can be used on a non-FDE hard drive to secure the entire disk. The answer is no Wave Trusted Drive Manager requires an FDE drive. Software encryption mechanisms, such as Windows BitLocker, can be used to encrypt volumes on non-FDE drives using the TPM chip or a USB drive, but not the operating system bootstrap (boot sector) of the hard drive.

To gain access to the contents of a fully encrypted hard drive by Wave Trusted Drive Manager, preboot authentication is used so that the sectors containing the operating system and user data can be accessed. On Client computers using DDPA, preboot authentication setup is handled by the Wave software within DDPA\DCPSM.

Back to Top

5. What is BitLocker?

BitLocker is a full disk encryption feature available in Windows 7 and is only available in the Ultimate and Enterprise editions. You can use BitLocker To Go to help protect all files stored on removable data drives (such as external hard drives or USB flash drives).

Unlike Trusted Drive Manager, these drives do not need to be FDE drives, but BitLocker can only encrypt volumes but not the boot volume. Drives encrypted with BitLocker can be unlocked through preboot by using a password or Smartcard with TPM. For BitLocker to be accessed by a preboot mechanism, the BIOS must be able to read a USB drive at boot, and two partitions must be present, with the computer drive partition being at least 100 MB and set as the active partition. The operating system partition is encrypted, and the computer partition remains unencrypted so your computer can start.

TPM is not required for BitLocker use but is highly recommended for preboot for better security. Windows Updates do not require disabling BitLocker, but other updates may require disabling it. Like other encryption applications, it is recommended that recovery keys (PIN) are stored on removable media or other secure locations. If the user does not have their recovery PIN, there is no way to unlock the drive. If the computer cannot boot to get to the BitLocker Recovery Console, or the hard drive has failed, the BitLocker Repair Tool can be downloaded and extracted to a bootable key or CD to recover data from the drive. You must have the PIN to access the data.

If the user is on a domain using Active Directory and their administrator setup BitLocker, it is possible that the pin was stored within Active Directory so have them check with their IT department.

More info: How to troubleshoot and fix common issues with TPM and BitLocker

Back to Top

6. Encryption of Advanced Format 512e (4 K) FDE hard drives.

A 512e (4 K), or advanced format, hard drive simply means that the individual sectors of the drive have changed from 512 to 4,096 bytes. The first generation of advanced format hard drives accomplishes this by taking 8- 512-byte sectors and combining them into a single 4,096-byte sector. In Dell computers, the term 512e (emulation) comes from using conversion mechanisms within the firmware of the hard drive to simulate the 4,096 sector appearance for legacy components and software that is expecting 512-byte sectors. All read\writes to an advanced format 512e hard drive are done in 512-byte increments, but on a read cycle, the entire 4,096 is loaded into memory. 512e hard drives must be aligned because of this. If drive alignment is not performed, the performance of the drive can be severely impacted. Current hard drives that are purchased with a Dell computer are already aligned.

To detect if your computer has an Advanced Format (512e) drive, download the Advanced Format hard drive detection tool. 

Partition alignment is required for older Operating Systems and is recommended for new Operating Systems in order to ensure proper hard drive performance and imaging between HDDs of differing sector sizes.

Drive alignment can be done using several tools which can be downloaded from the Dell Support Site Drivers & Downloads for your computer under the SATA Drives section.

Back to Top

7. Hard Drive not recognized by encryption software.

For Wave Trusted Drive Manager, the drive must be a Full Drive Encryption (FDE) drive and the SATA operation must be set for ATA\AHCI\IRRT and not RAID On\RAID. This may be the case with third-party encryption programs.

Check with the vendor for any BIOS setting requirements.

Check for drive alignment if an operating system image is being used, especially Windows XP. Ensure that all updates have been applied to the image before encryption.

If third-party encryption software is being used, check with the vendor to ensure the software works with the hardware in the computer, and Unified Extensible Firmware Interface (UEFI) BIOS.

Back to Top

8. Preboot issues.

• If the user is experiencing issues with preboot authentication check to see which authentication mechanism they are using: Password, fingerprint, or smartcard
• For passwords, ensure they are using the correct password and check that the Cap lock and Num Lock are correctly set.
• If using fingerprints, ensure they are using the correct finger, and that they are not swiping too fast. Three invalid swipes should trigger the password prompt.
• For smartcards, check to ensure that the correct card is being used, inserted correctly, and check for any damage. Try another card if possible.
• If on a domain, ensure that they have not switched to local login. They must use the same credentials as when encryption was instituted.
• If the user states that preboot authentication is not working on a reboot, check the BIOS to ensure that the password bypass is not enabled. This feature was not working in early BIOS releases but has since been fixed. Ensure that the customer is using the latest BIOS.
• If the user has lost their password or is no longer employed, there is no way for Dell to recover the password for Trusted Drive Manager encryption. For third-party applications, see that vendor for support.

Back to Top

9. System will not boot after adding third-party encryption software.

Power up the computer and then press the F12 key during the boot process to get to the BIOS Boot Menu. It may be necessary to repeatedly press the key during the boot process to get the BIOS to recognize the key at the correct time. Use the up and down arrow keys to select <Diagnostics> on the menu and press the Enter key.

The Enhanced Preboot System Assessment diagnostics (ePSA) is run to ensure that the drive is not in a failing state and has not reported any errors. If you have an Advanced Format (512e) drive, ensure that the drive is properly aligned before encryption is performed.

Check with the third-party vendor for recovery options. Most companies have a recovery utility that the user can load to a bootable key or CD. Also, check the vendor site for computer platform issues in case there are any issues with this particular software on this model of computer.

Back to Top

10 Encryption and Operating System reinstall

If the operating system becomes corrupted on an encrypted hard disk and requires reinstallation, there is the possibility that because the hard drive is in a locked state, the Windows installation disk may not recognize the drive. For Wave Trusted Drive Manager encrypted drives, the drive must be unlocked before the reinstall of the operating system can take place.

See the support documents on the Wave site that explains how to unlock the drive prior to a reinstall Here.

For third-party encryption software, check with the vendor for the proper procedure before attempting the reinstall.

Back to Top

11 Lost passwords or encryption key

If a user has lost their preboot password, their encryption key, or an end-user has left the company, most all encryption application vendors provide a failsafe mechanism for recovery. Due to industry-standard data policies, the recovery mechanism must be initiated by the customer. This is done by saving the password\key to removable storage or network location. If full disk encryption was implemented and the user lost their password\key, Dell cannot help them recover the password\key for the drive. The user requires a replacement Hard Drive in this instance. This issue falls outside of the scope of the warranty as the encryption is operating as designed and protects the data from intrusion. Replacement of the drive will be at the user's expense. Wave can assist with username issues. The user must have their password for Wave to assist with a forgotten username. If the user has forgotten, lost, or does not have their password, unfortunately, Wave cannot help.

If the above steps do not resolve the issue, please call Dell Technical Support for assistance.

Back to Top

Recommended Articles

Here are some recommended articles related to this topic that might be of interest to you.

• Dell Full Disk Encryption System Requirements
• BIOS Option to Set a Hard Drive Password on M.2 SSD
• Automatic Windows Device Encryption or BitLocker on Dell Computers