Overview
In addition to encrypting regular Windows data partitions, you can also encrypt your Windows boot disk (C:).
Encrypting the C: drive ensures that clear-text data never leaves the VM on its way to storage. This prevents virtualization and storage admins from being able to view the data.
Note: HyTrust does not support boot drive encryption on a dual-boot system.
Boot drive encryption is done using an optional component of the HyTrust DataControl Policy Agent called the HyTrust Bootloader for Windows (the Bootloader). If you install this component when you install the Policy Agent, DataControl can encrypt the boot drive partition using keys that are retrieved as needed from KeyControl during the VM bootstrap. The keys are not kept with the encrypted boot partition, thus providing an extra layer of security.
There are a number of steps required to set up your Windows system for boot drive encryption. If you are running within a virtual infrastructure, we recommend that you go through this process once and set up a template VM from which new VMs can be created.
After the Bootloader has been installed, you can see the distinction between the Windows boot partition and the root partition by running the Windows diskmgr utility. The small boot partition will be listed as System Reserved and the Bootloader appears as HTBOOTLDR. No part of the Windows root C: is ever decrypted on disk, and the Bootloader partition contains only a small part of the bootstrap process.
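The following PowerShell check is an added example and is not part of the HyTrust documentation or the Policy Agent. It verifies two things the text above calls out: before installation, that the VM is not a dual-boot system (more than one Windows OS loader entry in the BCD store), and after installation, that the HTBOOTLDR and System Reserved volumes are both visible. The function name Test-BootEncryptionLayout is hypothetical; the example assumes an elevated session on Windows 8 / Server 2012 or later (Get-Volume comes from the Storage module) and English-language bcdedit output, whose "identifier" lines are matched by the pattern.

```powershell
# Added example, not from the HyTrust documentation: pre- and post-install checks
# for Windows boot drive encryption. Assumes an elevated PowerShell session
# (bcdedit needs administrator rights) and English bcdedit output.

function Test-BootEncryptionLayout {
    # 1. Dual-boot check: each Windows OS loader entry in the BCD store starts
    #    with an "identifier" line. More than one entry indicates a dual-boot
    #    configuration, which HyTrust does not support for boot drive encryption.
    $osEntries = bcdedit /enum OSLOADER | Select-String -Pattern '^identifier'
    $osCount   = ($osEntries | Measure-Object).Count

    # 2. Partition check: after the Bootloader is installed, a small volume
    #    labelled HTBOOTLDR should appear alongside the System Reserved boot partition.
    $volumes = Get-Volume | Select-Object DriveLetter, FileSystemLabel, FileSystemType, Size
    $labels  = @($volumes.FileSystemLabel)

    [pscustomobject]@{
        OsLoaderEntries       = $osCount
        DualBootDetected      = ($osCount -gt 1)
        HTBOOTLDRPresent      = ($labels -contains 'HTBOOTLDR')
        SystemReservedPresent = ($labels -contains 'System Reserved')
        Volumes               = $volumes
    }
}

# Usage: run before installing the Bootloader (DualBootDetected should be False)
# and again afterwards (HTBOOTLDRPresent should be True).
$result = Test-BootEncryptionLayout
$result | Format-List OsLoaderEntries, DualBootDetected, HTBOOTLDRPresent, SystemReservedPresent
$result.Volumes | Format-Table -AutoSize
```

DualBootDetected relies on the BCD store listing one OS loader entry per installed Windows instance; a non-Windows second OS that is chained from another boot manager would not be counted, so treat a False result as a first check rather than proof that the system is single-boot.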
From a KeyControl perspective, the boot drive is simply another Windows disk that can be managed just like any other Windows disk through the KeyControl webGUI or hicli. You can also manage encryption on the VM itself using the HyTrust Policy Agent GUI installed with the Policy Agent. For details, see Data Encryption.