Windows Installation Prerequisites

  • Make sure the version of Windows running on the target system is supported for data encryption. If you want to encrypt the boot drive, make sure the Windows version is supported for boot drive encryption as well. For details, see Supported Platforms.
  • Make sure the default language for the Windows operating system is English. The HyTrust DataControl Policy Agent uses scripts that parse the output of Windows commands, and those scripts may give unexpected results if the command output is in a language other than English.
  • Make sure that HyTrust KeyControl is installed and the cluster is configured properly as described in Basic KeyControl Configuration. The cluster must be healthy. You cannot register the Policy Agent with a degraded KeyControl cluster.
  • Make sure the target system is partitioned correctly and you know which partition you want to encrypt. In addition, the partition must be assigned a drive letter or folder mount through the Windows Disk Manager. For details, see your Windows documentation.
  • If you are using Windows 2008 R2 or Windows 7 and you want to manage the Policy Agent through the HyTrust Policy Agent GUI, make sure that the Microsoft .NET Framework version 4 or higher is installed on the target system. For details, see http://www.microsoft.com/en-us/download/details.aspx?id=17851.
  • If you want to encrypt the boot drive, the following requirements also apply:

    • The encrypted boot partition must be on the Windows C: drive. Although Windows itself can boot from alternate drive letters, the boot volume can only be encrypted if it is the C: drive or if it is mapped to C:.

      The Bootloader is automatically assigned a drive letter during installation. This default drive letter can be changed using the Windows Disk Manager after the Bootloader has been installed.

    • The Bootloader requires a Windows System Reserved Partition (SRP). The installation process creates an SRP if one does not already exist.

      The Bootloader SRP requires roughly 350 MB on Windows 2012 and above, and roughly 100 MB on Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 2008 R2. As part of the installation process, the boot drive will shrink to free up space for the Bootloader (and Windows SRP if one does not already exist). If there is insufficient space on the boot drive, the Bootloader will fail to install.

      Note: If the Bootloader SRP has less than 50 MB free space, KeyControl generates an alert every six hours until the issue is resolved.
    • The SRP and the boot partition must both reside on Harddisk0 (Disk 1). You cannot encrypt a boot partition that resides on any other disk, or split the SRP and the boot partition across disks.
    • The Bootloader can only be installed on an MBR disk. GPT disks cannot be configured as encrypted boot drives.
    • The boot disk must have at least 1 MB of free space at the beginning of the disk that DataControl can use to store encryption metadata. If this free space is not available, boot drive encryption will fail.
    • If the VM is associated with a Cloud VM Set that is controlled by a Key Encryption Key (KEK), the HSM must be available before you can encrypt the root drive on the VM. For more information, see KEKs with Cloud VM Sets.

    • The Disk Defragmenter service on the target server must be enabled before installing the Policy Agent software.
    • The user account used for installing the software must have SeRestorePrivilege and SeTakeOwnershipPrivilege.
    • If you are using Windows 2008 R2, the installation user account must also have SeSecurityPrivilege.
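
Several of the prerequisites above can be checked before running the installer. The following read-only PowerShell pre-flight check is an added example, not part of the HyTrust documentation or product. The function name is hypothetical, and the script assumes Windows 8 / Windows Server 2012 or later (for the Storage module cmdlets), an elevated session, and that the session display language is an adequate stand-in for the operating system default language.

```powershell
# Added example (not HyTrust code): read-only checks for the prerequisites listed above.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
function Test-BootEncryptionPrereq {
    function New-Check($Name, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }
    }

    # Display language of this session, used as a stand-in for the OS default (assumption).
    $ui = Get-UICulture
    New-Check 'UI language is English' ($ui.TwoLetterISOLanguageName -eq 'en') $ui.Name

    # The boot volume can only be encrypted if it is C:.
    New-Check 'System drive is C:' ($env:SystemDrive -eq 'C:') $env:SystemDrive

    # The boot partition must be on Harddisk0 (disk number 0 in Get-Disk) and the disk must be MBR.
    $boot = Get-Partition -DriveLetter C -ErrorAction SilentlyContinue
    if ($boot) {
        $disk = Get-Disk -Number $boot.DiskNumber
        New-Check 'Boot partition on Harddisk0' ($boot.DiskNumber -eq 0) "disk $($boot.DiskNumber)"
        New-Check 'Boot disk is MBR' ($disk.PartitionStyle -eq 'MBR') $disk.PartitionStyle
    } else {
        New-Check 'Boot partition found' $false 'no partition with drive letter C'
    }

    # The partition Windows flags as "system" holds the boot files (the SRP when one exists).
    $sys = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    New-Check 'System partition on Harddisk0' ($sys -and $sys.DiskNumber -eq 0) "disk $($sys.DiskNumber)"

    # The Disk Defragmenter service (service name defragsvc) must not be disabled.
    $svc = Get-CimInstance Win32_Service -Filter "Name='defragsvc'"
    New-Check 'Defragmenter service enabled' ($svc -and $svc.StartMode -ne 'Disabled') $svc.StartMode

    # Privileges held in the current token. A non-elevated administrator
    # session has a filtered token, so run this elevated.
    $priv = (whoami /priv) -join "`n"
    foreach ($p in 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege') {
        New-Check "$p present" ($priv -match $p) ''
    }
}

Test-BootEncryptionPrereq | Format-Table -AutoSize
```

The script does not check SRP size, free space at the start of the disk, KeyControl cluster health, or HSM availability; verify those separately.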