Full disk encryption software protects the contents of laptops and other computers by requiring password or multi-factor authentication to be successfully completed before the system can boot, as noted in our full disk encryption guide.

To use full disk encryption software in a business context, you need a solution that can manage encrypted devices and provide key recovery and other enterprise-friendly features.

Read on for details on these seven full disk encryption solutions worthy of making a short list for consideration:

  • Microsoft BitLocker Administration and Monitoring (MBAM)
  • Check Point Full Disk Encryption Software Blade
  • Dell Data Protection|Encryption Enterprise Edition
  • McAfee Complete Data Protection Advanced
  • Sophos SafeGuard Encryption
  • Symantec Endpoint Encryption
  • WinMagic SecureDoc Enterprise

Microsoft BitLocker Administration and Monitoring (MBAM)

Microsoft's BitLocker full disk encryption software is the native encryption system that is supplied with the Ultimate, Enterprise and Pro versions of Microsoft's Windows Vista and later. It can be used as a full disk encryption system for personal use, but for enterprise deployment centralized management is provided by Microsoft BitLocker Administration and Monitoring (MBAM). BitLocker can also be managed by third-party full disk encryption systems such as Symantec Endpoint Encryption and Sophos SafeGuard Enterprise.

MBAM allows security officers to quickly determine the compliance state of individual computers and enables administrators to automate the process of encrypting volumes on client computers.

Microsoft's System Center Configuration Manager facilitates centralized management and reporting. MBAM enforces the BitLocker encryption policy options, monitors the compliance of client computers with those policies and reports on the encryption status of enterprise and individuals' computers.

MBAM also allows end users to recover encrypted devices independently by using the self-service portal, or through a help desk.

Check Point Full Disk Encryption Software Blade

Check Point offers centrally managed full disk encryption software for endpoints as a security "blade," a module that is part of its overall security suite.

Users can only boot and access an encrypted laptop or other endpoint after authentication, and multi-factor authentication options include certificate-based smartcards and dynamic tokens. The full disk encryption solution supports multiple pre-boot authentication languages for global deployments.

The Full Disk Encryption Software Blade is centrally managed by Check Point's Endpoint Policy Management Software Blade, enabling central policy administration, enforcement and logging from a single console. Centralized management provides control of security policies and multiple deployment options.

Remote Password Change and One-Time Login remote help options are available for users who may have forgotten their passwords or lost access tokens. Web-based remote help options are available.

Supported client operating systems:

  • Microsoft Windows 8.1 32/64-bit, with or without Update 1
  • Microsoft Windows 8 32/64-bit
  • Microsoft Windows 7 Enterprise, Professional, Ultimate editions 32/64-bit, with or without SP1
  • Microsoft Windows XP Professional 32-bit, SP3
  • Mac OS X 10.8, 10.9, and 10.10

Certifications: Common Criteria EAL4, FIPS 140-2

Dell Data Protection|Encryption Enterprise Edition

Dell Data Protection|Encryption offers full disk encryption software for both Dell and non-Dell endpoints. Selected Dell hardware can make use of built-in "Hardware Crypto Accelerators."

The Dell solution can be run via the Enterprise Edition Server for large deployments or the Virtual Edition Server for simpler deployments. It integrates with existing authentication processes including Windows password, RSA, fingerprint and smartcard.

A centralized console allows for encryption management including encryption based on end user profiles and groups, and also provides for management of Microsoft BitLocker encryption and self-encrypting drives (SEDs).

Dell Data Protection|Encryption comes with pre-set policy templates to help address compliance regulations such as PCI DSS, Sarbanes-Oxley, HIPAA and EU Data Protection Directive 95/46/EC.

Supported client operating systems:

  • Microsoft Windows 7 Ultimate, Enterprise and Professional
  • Microsoft Windows 8 and 8.1, Enterprise and Professional
  • Microsoft Windows 10 Enterprise, Professional and Education
  • Microsoft Windows XP Professional
  • Mac OS X Lion, Mountain Lion, Mavericks and Yosemite on Intel-based hardware

Certifications: FIPS 140-2 validated for AES 128, AES 256, 3DES, Rijndael 128, Rijndael 256, Blowfish

McAfee Complete Data Protection Advanced

McAfee Complete Data Protection Advanced provides a full disk encryption solution with pre-boot two-factor authentication using McAfee-implemented encryption or through Microsoft's BitLocker and Apple's FileVault native encryption systems. The software makes use of Intel's AES-NI instruction set for faster encryption operations.

Encryption can be managed centrally via McAfee's ePolicy Orchestrator (ePO) management suite, which also manages other McAfee endpoint products.

ePO can also control policy and patch management, recover lost passwords and demonstrate regulatory compliance. It can also synchronize security policies with Microsoft Active Directory, Novell NDS, PKI, and other systems.

Supported client operating systems:

  • Microsoft Windows 7, 8 and 10 (32/64-bit versions)
  • Microsoft Windows Vista (32/64-bit versions)
  • Microsoft Windows XP (32-bit version only)
  • Microsoft Windows Server 2008
  • Apple Mac operating systems
  • Mac OS X El Capitan, Yosemite, Mountain Lion and Mavericks

Certifications: FIPS 140-2 and Common Criteria EAL2+

Sophos SafeGuard Encryption

Sophos SafeGuard Encryption can be deployed onto endpoints centrally without any end user involvement, and encryption can be accelerated using Intel's AES-NI instruction set.

A single console provides management for all enterprise devices, including hard disks encrypted with Microsoft's BitLocker, Apple's FileVault 2 and Opal self-encrypting drives. This includes encryption status and reporting and auditing to ensure compliance with internal policies and external regulations.

The software's authentication system supports biometrics and cryptographic tokens, and multiple users can share encrypted computers without sharing passwords. If a user forgets a password, it can be recovered quickly using a challenge/response system accessed over the phone or via a web portal.

Supported client operating systems:

  • Windows XP SP3 Professional
  • Windows Vista SP2 Business, Enterprise, Ultimate Edition
  • Windows 7 SP1 Home Premium, Professional, Enterprise, Ultimate Edition
  • Windows 8, 8.1 Pro, Enterprise Edition
  • Windows 10 Pro, Enterprise Edition

Certifications: Common Criteria EAL 3+, Common Criteria EAL 4, uses FIPS 140-2 validated cryptography

Symantec Endpoint Encryption

Symantec Endpoint Encryption software can be deployed and managed centrally from a single console, offering full disk encryption for Windows and OS X-based devices.

As well as managing its own endpoint encryption, the console can also be used to manage systems encrypted with Microsoft BitLocker and Apple FileVault, as well as Opal-compliant self-encrypting drives.

The solution provides a choice of self-recovery and help-desk support for employees who forget their passwords and cannot access their systems.

For ease of use, authentication can be integrated with Microsoft's Active Directory. The full disk encryption solution also offers automated policy controls and compliance-based reporting. It can be integrated with Symantec Data Loss Prevention for additional security and consistency.

Supported client operating systems:

  • Microsoft Windows 7, 8, 8.1, 10

Certification: FIPS 140-2 validated

WinMagic SecureDoc Enterprise

SecureDoc Enterprise Server (SES) places all security-related management under one centralized enterprise server. This includes policies, key management and recovery, password rules and the management of encryption. Administrators can also manage encrypted systems from a web console.

Supported encryption ranges from SecureDoc's full disk encryption for PC, Mac or Linux, to native OS encryption for Windows (BitLocker) and OS X (FileVault 2) to the management of hardware-based encryption with SEDs.

SES offers pre-boot authentication (including network-based authentication) using smartcards, readers, tokens or LDAP/Active Directory integration.

Supported client operating systems:

  • Windows XP and later
  • OS X
  • Linux

Certification: FIPS 140-2 compliant

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.