Windows Encryption Prerequisites

  • Make sure the version of Windows you are using is supported. For details, see Supported Platforms.

  • If you intend to use this VM with a BoundaryControl-enabled Cloud VM Set, you must install the latest version of VMware Tools on the VM. For all other VMs, installing VMware Tools is recommended but not required.

  • DataControl creates a 10 MB private RAW partition for storing metadata first time you encrypt a partition on a disk. This metadata is required for all subsequent client operations on the encrypted drives. It should be backed up with the drives themselves whenever back ups are taken. If the metadata partition is inadvertently removed, the encrypted drives will be rendered inaccessible as the data encryption keys will not be found.

    DataControl first attempts to create the private partition from unallocated space. If the disk does not have at least 10 MB of unallocated space, it automatically shrinks the data partition to create space for the private RAW partition. On large partitions, this can be a very time consuming operation. If the Virtual Disk does not have 10 MB of unallocated space, we recommend that you use your Hypervisor tools to extend the virtual disk to ensure that DataControl can create the private partition from unallocated space.

  • Make sure that the disk contains no more than two partitions, excluding the Microsoft Reserved Partition and the DataControl private partition.

    DataControl only supports encrypting either two data partitions or encrypting the root drive partition and one data partition. You cannot encrypt the boot drive and multiple data partitions.

    Note: Only primary partitions can be encrypted. Logical or extended partitions are not supported.

    If the disk contains a hidden Snapshot partition, that snapshot partition must be removed as described in Detecting and Removing a Windows Snapshot Partition.

  • The virtual disks you want to encrypt must support NTFS or ReFS.
  • The disks you want to encrypt must be basic Windows disks. DataControl does not support Windows dynamic disks.
  • The virtual disks you want to encrypt must be assigned a drive letter or folder mount. The assigned drive letter or folder mount can be changed at any time using the Windows Disk Manager. DataControl automatically detects the change and updates the configuration. The new drive assignment will be displayed in the KeyControl webGUI after the next heartbeat.