Quick Install Guide

​Quick Install Guide - Text & Video Edition

​This video will guide you through the installation of Secure Disk for BitLocker. Please note:

Quick Install Guide - Text Version


Overview of CryptoPro Secure Disk

​CryptoPro Secure Disk includes 3 different MSI installation packages.

  • MSI package for the central administration component
  • MSI package client “Secure Disk for BitLocker” for customers using Secure Disk as a BitLocker add-on
  • MSI package client “Secure Disk Enterprise” for customers preferring a dedicated AES256 encryption or for clients that do not pass the BitLocker requirements

The central administration component of CryptoPro Secure Disk simultaneously serves both clients (BitLocker edition, Enterprise edition). Encryption of the client disk drive, when using Secure Disk for BitLocker, is done by the operating system built-in BitLocker encryption. When using Secure Disk Enterprise, a dedicated AES256 driver is used for encryption.

Figure 1: Overview components

Figure 1: Overview components

Before you start to install the CryptoPro Secure Disk software, please note the following system requirements.
Client requirements
Secure Disk Enterprise:

  • Operating system: Windows 7, Windows 8 / 8.1, Windows 10 (32 or 64 bit)

Secure Disk for BitLocker:

  • A BitLocker boot partition must already exist
  • Group Policy setting: Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives -> Request Additional Authentication at Startup -> Policy “Enabled”; “Allow BitLocker without compatible TPM”

Server requirements

  • Operating System: Windows Server 2008 R2 / 2012 R2 / 2016, incl. current updates
  • MS SQL Server 2005/2008/2010/2012/2016/2017, with database created for Secure Disk
  • Microsoft .NET Framework 4.6.1

Note: Windows SQL Server Express on the same server is possible, but not recommended for environments greater than 5000 clients

If all prerequisites are met on your system, you can begin installing CryptoPro Secure Disk.


Installation of CryptoPro Secure Disk central administration

​Start the file EDAAdmin.msi (32-bit server environments) or EDAAdmin_x64.msi (64-bit server environments). The following dialog appears.

Figure 2: Administration Setup Wizard

Figure 2: Administration Setup Wizard

Click "Next" to proceed with the installation.

Figure 3: License Agreement

Figure 3: License Agreement

Accept the license agreement to proceed.

Choose the program install path and press “Next” to continue.

Figure 4: Installation path

Figure 4: Installation path

Choose all components and press “Next”.

Figure 5: Components

Figure 5: Components

Click “Next” to proceed with the installation.

Figure 6: Start install process

Figure 6: Start install process

After few seconds you will see the final setup screen.

Figure 7: Setup completed

Figure 7: Setup completed

By pressing “Finish” you finalize the installation process.

After a few seconds, the initialization dialog starts automatically:

Figure 8: Initialization phase

Figure 8: Initialization phase

Press “Next” to continue.

Define the Windows account, under which the central "CryptoPro Secure Disk central service" should run.

Please note that the "CryptoPro Secure Disk Central Service" account mandatory requires read access to the Active Directory (AD).

Figure 9: Define service account

Figure 9: Define service account

Press “Next” to proceed.

Figure 10: Define secure server connection

Figure 10: Define secure server connection

Since the complete communication to the central admin service is protected by TLS, the server needs a corresponding SSL certificate. This required self-signed certificate is generated automatically in the background. A company server certificate can be used for productional environments, but typically not required in POC phase. In this dialog, you also may customize the communications port address.

Choose “Create a self-signed certificate” and press “Next” to proceed.

Select the already created SQL server instance and database for Secure Disk and check the corresponding login mechanism (Windows Credential or SQL Credentials)

Figure 11: Configure DB connection

Figure 11: Configure DB connection

When entering the SQL account data, there are different possibilities.

  • Windows permissions: The service account must have “Owner rights” in the database
  • Username / Password: Enter SQL user such as user SA and password
  • Attention! Do not enter a Windows account here

Next you need to define the helpdesk database settings.

Figure 12: Define helpdesk database

Figure 12: Define helpdesk database

The following screen asks for a previous installation key. For a new installation, this dialog can be skipped with “Next”.

Figure 13: Import server keypair

Figure 13: Import server keypair

Follow the wizard to complete the initialization.

Figure 14: Installation processes

Figure 14: Installation processes


Basic client configuration of CryptoPro Secure Disk

To configure the basic client settings, start the “Secure Disk Client Management” console from the Windows start menu.

In the following dialog please select the “Central Administration”:

Figure 15: CryptoPro Secure Disk administration methods

Figure 15: CryptoPro Secure Disk administration methods

This will start the management console for the first time. You will be asked to enter a server name and a communication port. Confirm the settings with “OK”.

After that, define your personal CryptoPro Secure Disk admin password. This password is requested each time the management console is started.

Figure 16: Administration logon

Figure 16: Administration logon

As up to now no license information has been imported, you will be informed and subsequently requested to specify an appropriate license file.

Figure 17: Import license file

Figure 17: Import license file

Note: To request an evaluation license file, write us with your full business contact details using our contact form​.

Now you are ready to make the configuration for your clients! For standard settings (user self-init mode), just press the “Apply” button.

Figure 18: Apply standard setting

Figure 18: Apply standard setting

The standard configuration covers:

  • After reboot the next Windows user (logon to Windows) will be captured as standard pre-boot-authentication user for Secure Disk.  (Secure Disk feature: “User Self-Init”)
  • Password changes in Windows will be synchronized with the credentials in pre-boot phase
  • Disk Drives are not encrypted with the standard configuration. Encryption will be activated at a later stage.

Server side installation and configuration is now finished – please continue with the client installation.


Secure Disk Client installation

On the client you want to install the Secure Disk client for disk encryption, start a command shell in the admin context and navigate to the directory in which the client installation package is located:

  • For 32-bit Windows OS
    • CryptoPro Secure Disk Enterprise: EDAClient.msi
    • CryptoPro Secure Disk for BitLocker: EDAClientForBitlocker.msi
  • For 64-bit Windows OS
    • CryptoPro Secure Disk Enterprise: EDAClient_x64.msi
    • CryptoPro Secure Disk for BitLocker: EDAClientForBitlocker_x64.msi

TPM is not required for Secure Disk and will be disabled by default. For this, change your Group Policy prior this installation to:

"Allow BitLocker without a compatible TPM" in Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup -> Enable

Start the installation with the following command, but first use PING.EXE to check whether the administration server can be pinged by its FQDN name (FQDN = fully qualified domain name).

Msiexec.exe /I EDAClientForBitlocker_x64.msi CA_SERVERNAME=<FQDN name of the administration server>

Setting

​Information

​Default Value

CA_SERVERNAME

​FQDN name of the server

​<none>

CA_PORT

​Communication Port

​8081

​USE_TPM

Use TPM fpr HD encryption (BitLocker)

​0

​DELETE_KEY_PROTECTION

Delete existing BitLocker key protection

1

INITIALIZE

​Create PBA partition

1

BITLOCKER_TO_GO_COMP

Enhanced BitLocker To Go compatibility

​0

INITIALIZE

​Hardware profiles hw_profiles.txt

<none>

Distribution examples for the BitLocker client

msiexec /i EDAClientForBitlocker.msi CA_SERVERNAME=Server.local CA_PORT=8081
msiexec /i EDAClientForBitlocker_x64.msi CA_SERVERNAME=Server1.microsoft.com CA_SERVERPORT=8081 BITLOCKER_TO_GO_COMP=1 HW_PROFILES=hw_profiles.txt /qn+ /log C:\TempSecureDisk_Installation.log

Note: For some antivirus systems, you should enter the "Secure Disk CryptoPro client LocalService" as a trusted program.

After successful installation, the client connects to the specified administration server and retrieves the previously made settings and applies them. The client settings can of course be changed centrally at any time and are synchronized within minutes to network connected clients.  After the first reboot, the system is in the so-called "SELFTEST mode". During the next system start the best possible configuration for your system (hardware and chipset support) is determined. This condition can cause the system to hang during the boot process and rarely a manual restart is required.

After finding the proper configuration this "SELFTEST mode" will be deactivated and the determined configuration can be used for further installations as part of a rollout parameter.

In addition, the system is also in "SELFINIT mode" for Windows credentials. This means that the next user who is logging on to Windows will be added as a pre-boot authentication (PBA) user. This user will after adding be able to log on into the Secure Disk PBA with his Windows credentials.

Follow the installation-wizard and press "Next".


Figure 19: Client setup start

Figure 19: Client setup start

Accept the license agreement and press “Next”.

Figure 20: Client end user license agreement

Figure 20: Client end user license agreement

Leave the installation features and press “Next”.

Figure 21: Client feature installation

Figure 21: Client feature installation

Define the CryptoPro Secure Disk central management server FQDN and the service port you defined during the configuration of the central service and press “Next”.

Figure 22: Central server configuration

Figure 22: Central server configuration

Leave the BitLocker support features as preconfigured and press “Next”. See our manual for more information on the BitLocker support features.

Figure 23: BitLocker support options

Figure 23: BitLocker support options

Press “Install” to start the client installation.

Figure 24: Client installation

Figure 24: Client installation

The installation progress will be shown in the progress bar.

Figure 25: Client installation progress

Figure 25: Client installation progress

After installation press “Finish” to complete the client setup.

Figure 26: Completed client setup

Figure 26: Completed client setup

To activate the pre-boot-authentication system of CryptoPro Secure Disk for BitLocker you need to reboot your client.

Figure 27: Mandatory client reboot

Figure 27: Mandatory client reboot

In the Windows notifications of the Secure Disk for BitLocker client you will see if the client receives its policy from the CryptoPro Secure Disk central administration service.

Figure 28: Client notifications

Figure 28: Client notifications

On the next reboot you see the CryptoPro Secure Disk pre-boot-authentication screen. The system will boot to Windows and capture the next user authentication for pre-boot-authentication.

Figure 29: Pre-boot-system with active self-init mode

Figure 29: Pre-boot-system with active self-init mode

Logon to Windows as you always do.

Figure 30: User capturing

Figure 30: User capturing

On the next reboot the captured user credentials will be used for CryptoPro Secure Disk pre-boot-authentication.

Figure 31: Pre-boot authentication with captured user credentials

Figure 31: Pre-boot authentication with captured user credentials

Activation of Secure Disk Drive Encryption

After complete installation and initialization of CryptoPro Secure Disk client and server, please activate the encryption of disk drive.

  • Therefor start the central administration console and press the “Encryption” button.
  • Switch from “all plain” to “encrypt all”
  • Press “Apply” button
Figure 32: Activate encryption in client setting

Figure 32: Activate encryption in client setting

After a few minutes your Secure Disk clients will receive the updated setting and will start encryption of the disk drives. Until the encryption is completed the color of the client node will change to red. Successful encrypted and compliant clients will me marked in green color.


Gratulation!

Your Secure Disk server and client installation should be up and running now. There are multiple options and feature you now can evaluate.

This include:

  • Smartphone authentication for iOS and Android
  • Smart card / X.509 authentication
  • Multi-user support
  • 802.1X authentication support in pre-boot phase
  • Online and offline helpdesk support
  • Our user convenient network-friendly-mode
  • Compliance reports

​Do you need help?

noticeable

That's what our customers encrypted for:

Compliance

​How will state-of-the-art security will help your GDPR compliance?

​Security

​If you skip encryption because of complexity, we have the best solution!

​Regain Control

​​See the top 5 actions how to regain control on your confidential data.