Requirements for Windows Boot Drive Encryption

The Entrust KeyControl Policy Agent supports encryption for Windows MBR and GPT boot disks, including any GPT boot disks that use UEFI Secure Boot, as long as those boot disks meet the following requirements.

  • Make sure the version of Windows running on the target system is supported for boot drive encryption. For details, see Supported Platforms.
  • The encrypted boot partition must be on the Windows C: drive. Although Windows itself can boot from alternate drive letters, the boot volume can only be encrypted if it is the C: drive or if it is mapped to C:.

    The Bootloader is automatically assigned a drive letter during installation. This default drive letter can be changed using the Windows Disk Manager after the Bootloader has been installed.

  • The Bootloader requires a Windows System Reserved Partition (SRP). The installer creates an SRP if one does not already exist.

    The Bootloader SRP requires roughly 350 MB on Windows 2012 and above, and roughly 100 MB on Windows 8.1 and Windows 10. As part of the installation process, the boot drive will shrink to free up space for the Bootloader (and Windows SRP if one does not already exist). If there is insufficient space on the boot drive, the Bootloader will fail to install.

    Note: If the Bootloader SRP has less than 50 MB free space, KeyControl generates an alert every six hours until the issue is resolved.

  • The SRP and the boot partition must both reside on Harddisk0 (Disk 1). You cannot encrypt a boot partition that resides on any other disk, or split the SRP and the boot partition across disks.
  • The boot disk must have at least 1 MB of free space at the beginning of the disk that DataControl can use to store encryption metadata. If this free space is not available, boot drive encryption will fail.
  • If the VM is associated with a Cloud VM Set that is controlled by a Key Encryption Key (KEK), the HSM must be available before you can encrypt the root drive on the VM. For more information, see KEKs with Cloud VM Sets.

  • The Disk Defragmenter service on the target server must be enabled before installing the Policy Agent software.
  • The user account used for installing the software must have SeRestorePrivilege and SeTakeOwnershipPrivilege.
  • For GPT boot disks:

    • The GPT disk must be running Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows 10.
    • The boot partition must be one of the first four partitions on the disk.

      Tip: If you try to encrypt the boot disk and the boot partition is not one of the first four partitions, the encryption will fail with the error "Maximum supported encrypted partition limit exceeded."

    • If you want to extend the boot partition, you must use the hcl extend command. For details, see Disk Size Management in Windows.
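The following pre-flight script is an added example for this page, not part of Entrust's Policy Agent or its documentation. It checks the requirements listed above that can be verified from Windows itself before the Policy Agent is installed: the boot volume is C:, the boot partition (and any system partition) is on disk 0, there is at least 1 MB of unpartitioned space at the start of the disk, the boot volume has room for the shrink, the boot partition is among the first four on a GPT disk, the defragmentation service is not disabled, and the current account holds SeRestorePrivilege and SeTakeOwnershipPrivilege. It uses only standard Windows cmdlets (Get-Disk, Get-Partition, Get-Volume, Get-Service, Get-CimInstance) and whoami; the 350 MB shrink threshold and the "first partition offset" reading of the 1 MB rule are assumptions taken from the wording on this page, and the supported-OS check only prints the OS caption for comparison with the Supported Platforms list. Run it from an elevated PowerShell session.

```powershell
# Pre-flight check for Windows boot drive encryption prerequisites.
# Added example, not Entrust tooling. Assumes the boot disk is disk 0
# (Harddisk0) and that the space the shrink needs is roughly the 350 MB
# Bootloader SRP figure quoted on this page.

function Test-BootEncryptionPrereqs {
    $r = [ordered]@{}

    # Report the OS so the operator can compare it with Supported Platforms.
    $r.OSCaption = (Get-CimInstance Win32_OperatingSystem).Caption

    # Requirement: the encrypted boot partition must be the C: drive.
    $bootVol  = Get-Volume -DriveLetter C -ErrorAction SilentlyContinue
    $bootPart = Get-Partition -DriveLetter C -ErrorAction SilentlyContinue
    $r.BootVolumeIsC = ($null -ne $bootVol -and $null -ne $bootPart)

    # Requirement: boot partition must reside on Harddisk0.
    $r.BootPartitionOnDisk0 = ($bootPart -and $bootPart.DiskNumber -eq 0)

    $disk0 = Get-Disk -Number 0
    $r.PartitionStyle = $disk0.PartitionStyle     # 'MBR' or 'GPT'

    # Requirement: an SRP (IsSystem partition) must exist on disk 0 too.
    # If none exists the installer creates one, so this is informational.
    $sysPart = Get-Partition -DiskNumber 0 | Where-Object { $_.IsSystem }
    $r.SystemPartitionOnDisk0 = ($null -ne $sysPart)
    if ($sysPart) {
        $sysVol = $sysPart | Get-Volume -ErrorAction SilentlyContinue | Select-Object -First 1
        # KeyControl alerts when the Bootloader SRP drops below 50 MB free.
        $r.SystemPartitionFreeMB = if ($sysVol) { [math]::Round($sysVol.SizeRemaining / 1MB) } else { $null }
    }

    # Requirement: at least 1 MB of free space at the beginning of the disk.
    # Assumption: read as "first partition starts at offset >= 1 MB".
    $firstOffset = (Get-Partition -DiskNumber 0 | Sort-Object Offset | Select-Object -First 1).Offset
    $r.FirstPartitionOffsetMB = [math]::Round($firstOffset / 1MB, 2)
    $r.LeadingFreeSpaceOK = ($firstOffset -ge 1MB)

    # Requirement: the boot drive is shrunk to make room for the Bootloader SRP.
    # Assumption: ~350 MB free on C: is the minimum needed for that shrink.
    $r.BootVolumeFreeMB = if ($bootVol) { [math]::Round($bootVol.SizeRemaining / 1MB) } else { $null }
    $r.BootVolumeHasShrinkRoom = ($bootVol -and $bootVol.SizeRemaining -ge 350MB)

    # GPT-only requirement: boot partition must be one of the first four.
    if ($disk0.PartitionStyle -eq 'GPT') {
        $r.BootPartitionNumber = $bootPart.PartitionNumber
        $r.BootPartitionInFirstFour = ($bootPart -and $bootPart.PartitionNumber -le 4)
    }

    # Requirement: Disk Defragmenter service (defragsvc) must not be disabled.
    $defrag = Get-Service -Name defragsvc -ErrorAction SilentlyContinue
    $r.DefragServiceEnabled = ($defrag -and $defrag.StartType -ne 'Disabled')

    # Requirement: installing account needs SeRestorePrivilege and
    # SeTakeOwnershipPrivilege. whoami lists privileges present in the token
    # (enabled or not); an elevated admin token normally carries both.
    $privs = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
    $r.HasSeRestorePrivilege       = ($privs -contains 'SeRestorePrivilege')
    $r.HasSeTakeOwnershipPrivilege = ($privs -contains 'SeTakeOwnershipPrivilege')

    # Collect the boolean checks that failed so the operator sees them at once.
    $r.FailedChecks = @($r.GetEnumerator() |
        Where-Object { $_.Value -is [bool] -and -not $_.Value } |
        ForEach-Object { $_.Key })

    [pscustomobject]$r
}

$report = Test-BootEncryptionPrereqs
$report | Format-List
if ($report.FailedChecks.Count -gt 0) {
    Write-Warning ("Prerequisites not met: " + ($report.FailedChecks -join ', '))
}
```

The script reports rather than remediates: a failed DefragServiceEnabled check is fixed with Set-Service defragsvc -StartupType Manual, a boot partition on another disk or beyond the fourth GPT slot cannot be fixed in place, and the KEK/HSM availability requirement for Cloud VM Sets is a KeyControl-side condition that a local script cannot observe.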

For details on installing the Policy Agent, see Windows Policy Agent Installation. If the Policy Agent is already installed but the Bootloader component is not, see Installing the Bootloader After the Policy Agent Is Installed.