Call a Specialist Today! 833-335-0426

Symantec Drive Encryption
Easy Passphrase and Machine Recovery


Due to Broadcom acquisition of Symantec, orders may be delayed. Please contact us for details.

Sorry, this product is no longer available, please contact us for a replacement.

Click here to jump to more pricing!


Full disk encryption software

Symantec Drive Encryption provides organizations with comprehensive, high performance full disk encryption for all data (user files, swap files, system files, hidden files, etc.) on desktops, laptops, and removable media. This full disk encryption software protects data from unauthorized access, providing strong security for intellectual property, customer, and partner data. Protected systems can be centrally managed by Symantec Encryption Management Server simplifying deployment, policy creation, distribution, and reporting.

Introduction to Drive Encryption

If you're using a computer or a removable USB drive, chances are that you have sensitive data on these devices. Whether it's a home computer with family finances, a work computer with sensitive corporate information, or a thumb drive with government secrets, you need to ensure that there is no unauthorized access to that data should the device be lost or stolen.

Drive encryption, also known as disk encryption, protects this data, rendering it unreadable to unauthorized users. This paper describes the differences between drive and file encryption, details how drive encryption works, and addresses recovery mechanisms.

Key Features

  • Easy Passphrase and Machine Recovery - Local self-recovery, one-time-use token and other recovery options.
  • Built PGP Strong - High performance, optimized, and strong encryption, built with PGP Hybrid Cryptographic Optimizer (HCO) technology. FIPS 140-2 validated, CAPS-approved, DIPCOG-approved, CC EAL 4+ certification.
  • User-Friendly - Background encryption with throttle capabilities. Fewer passwords to remember with support for Windows single sign-on.

Key Benefits

  • Comprehensive Multi-Platform Coverage - Symantec Drive Encryption provides constant protection across laptops, desktops, and removable media. Compatible with PC, Mac, and Linux environments, Drive Encryption encrypts and decrypts data instantaneously with no disruption to an end-user’s normal workflows.
  • Optional Silent Deployment - To ease rollouts, Drive Encryption can be pushed down by administration with no need for end-user involvement.
  • High Performance - Utilizes AES-NI hardware in Windows, Mac OS X, and Linux operating systems for greater performance.
  • Part of a Long-Term Enterprise Security Strategy - Drive Encryption is a key component and building block for many security implementations, providing organizations Safe Harbor should a device be lost or stolen and protection against unauthorized access.

What is Drive Encryption:

Drive Encryption versus File Encryption

When it comes to encrypting data, there are various encryption strategies.

Drive encryption protects a disk in the event of theft or accidental loss by encrypting the entire disk including swap files, system files, and hibernation files. If an encrypted disk is lost, stolen, or placed into another computer, the encrypted state of the drive remains unchanged, ensuring only an authorized user can access its contents.

Drive encryption cannot however, protect your data when you have logged into the system during startup and leave your computer unattended. In this case, your system has been unlocked, and unauthorized users can access your system just as an authorized user could. This is where file encryption comes in.

Just like an alarm system protects an entire home and a safe provides additional security, drive encryption protects the entire system, and file encryption provides an additional layer of security.

File encryption encrypts specific files so that when a user successfully authorizes to an operating system, the contents of the file still remain encrypted. An application such as Symantec™ File Share Encryption can protect individual files and folders, prompting the user for a passphrase to permit access. File encryption requires user action while drive encryption automatically encrypts everything you or the operating system creates. File encryption can also be paired with an encryption policy server which allows IT administrators to create and deliver encryption rules across an organization, including automatically encrypting files from various applications and/or folders.

How it Works:

During the startup process of Microsoft Windows, Apple OS X, or Linux operating systems a boot sequence is executed. The boot system is the initial set of operations that the computer performs when it is switched on. A boot loader (or a bootstrap loader) is a short computer program that loads the main operating system for the computer. The boot loader first looks at a boot record or partition table, which is the logical area “zero” (or starting point) of the disk drive.

During the startup process of Microsoft Windows, Apple OS X, or Linux operating systems a boot sequence is executed. The boot system is the initial set of operations that the computer performs when it is switched on. A boot loader (or a bootstrap loader) is a short computer program that loads the main operating system for the computer. The boot loader first looks at a boot record or partition table, which is the logical area “zero” (or starting point) of the disk drive.

This modified pre-boot screen prompts the user for authentication credentials in the form of a passphrase (typically a longer password, often resembling a sentence). At this point, the computer may ask for additional credentials such as a smart card, token, or other two-factor authentication. After the user enters valid authentication credentials, the operating system continues to load as normal and the user can access the computer

Drive encryption software also provides the ability to encrypt removable storage media such as USB drives. When you insert an encrypted USB drive into a computer system, it prompts for passphrase, and upon successful authentication, you can use the USB drive.

Drive Encryption: Behind the Scenes

File System Basics

During the boot process, the system initializes the computer's file systems.

When a user requests access to a file (i.e., creates, opens, or deletes a file), the request is sent to the operating system input/output (I/O) manager, which forwards the request to the file system manager. The file system manager processes data in blocks.

Life with Encryption: Business as Usual

Most drive encryption software operates in conjunction with the file system architecture. It filters I/O operations for one or more file systems or file system volumes.

When a drive is encrypted with drive encryption for the first time, it converts unencrypted drive blocks into encrypted blocks one at a time. Drive Encryption allows users to continue working as normal during this initial encryption process by varying the amount CPU power assigned to the initial encryption process.

When a user accesses a file, Drive Encryption decrypts the data in memory before it is presented for viewing. If the user makes any changes to the file, the data is encrypted in memory and written back to the relevant disk drive block just as it would be without encryption. Decrypted data is never available on the disk.

The encryption/decryption process happens at such a speed that it appears completely transparent to the user

Drive Encryption: Recovery

Whole Disk Encryption: Recovery

The most common cause for data recovery is a lost or forgotten passphrase. Therefore, drive encryption software must include a recovery function. There are several ways to access an encrypted system in case of a forgotten passphrase with Symantec Drive Encryption including local self-recovery, a recovery token, and an administrator key among others.

Local self-recovery enables users to answer pre-defined and customizable questions at boot time to gain access to an encrypted system and reset the boot passphrase without ever calling IT.

The Drive Recovery Token (DRT) is a one-time, per-device, per-user temporary recovery set of alphanumeric characters to reset a passphrase.

The administrator key, held by administration, is stored on a tamper-proof smart card or token.

Another cause for data recovery, although rare, may be data corruption resulting from hardware failure or other factors such as a data virus. Corruption of a master boot record on a boot disk or partition protected by drive encryption can prevent a system from booting. To avoid these kinds of errors, it is best practice to create a recovery CD and then backup a drive before encrypting it with drive encryption. Drive encryption provides recovery options and does interoperate with popular backup tools. Ask your Symantec representative for more information about compatibility with existing backup systems.

System Requirments:

Supported Operating Systems


  • Microsoft Windows 8, 8.1 Enterprise (32- and 64-bit versions)
  • Microsoft Windows 8, 8.1 Pro (32- and 64-bit editions)
  • Microsoft Windows 7 (all 32- and 64-bit editions, including Service Pack 1)
  • Microsoft Windows Vista (all 32- and 64-bit editions, including Service Pack 2)
  • Microsoft Windows XP Home Edition (Service Pack 2 or 3)
  • Microsoft Windows XP Professional 64-bit (Service Pack 2)
  • Microsoft Windows XP Professional 32-bit (Service Pack 2 or 3)

Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.

Windows Server

  • Windows Server 2012 R2 64-bit Edition with internal RAID 1 and RAID 5
  • Windows Server 2012 64-bit Edition with internal RAID 1 and RAID 5
  • Microsoft Windows Server 2008 Service Pack 1 and 2 (64-bit edition) with internal system RAID 1 and RAID 5
  • Microsoft Windows Server 2008 R2 (64-bit edition) with internal system RAID 1 and RAID 5

Mac OS X

  • Apple Mac OS X 10.8.4, 10.8.5, 10.9


  • Ubuntu 10.04 LTS, 12.04, 12.04.1, 12.04.2, 12.04.3 (32- and 64-bit versions)
  • Red Hat Linux 5.7-6.4 (32- and 64-bit versions)

Note: Symantec Drive Encryption for Linux is command line only.

Supported Keyboard Languages

Symantec Drive Encryption for Windows

  • English (United States, United Kingdom,US-International)
  • Belgian (Belgium; Comma), Belgian (Belgium; Period)
  • Bosnian (Bosnia),Bosnian (Bosnia; Cyrillic)
  • Bulgarian (Bulgaria), Bulgarian (Bulgaria; Latin) , Bulgarian (Bulgaria; Typewriter)
  • Canadian Multilingual Standard (Canada)
  • Chinese Simplified (China, Singapore), Chinese Traditional (Hong Kong, Taiwan)
  • Croatian (Croatia)
  • Czech (Czech Republic; QWERTY)
  • Danish (Denmark)
  • Dutch (The Netherlands)
  • Estonian (Estonia)
  • Finnish (Finland)
  • French (Belgium), French (Canada) , French (France) , French (Switzerland)
  • German (Germany/Austria) , German (IBM) , German (Switzerland)
  • Hebrew (Israel)
  • Hungarian (Hungary) , Hungarian (Hungary; 101 keys)
  • Icelandic (Iceland)
  • Irish (Ireland)
  • Italian (Italy), Italian (Italy; 142 keys)
  • Japanese (Japan)
  • Korean (Korea)
  • Norwegian (Norway)
  • Polish (Poland; Programmers), Polish (Poland; 214 keyboard)
  • Portuguese (Brazil; ABNT keyboards), Portuguese (Brazil; ABNT2 keyboards)
  • Portuguese (Portugal)
  • Romanian (Romania)
  • Russian (Russia; Cyrillic)
  • Serbian (Serbia and Montenegro; Cyrillic), Serbian (Serbia and Montenegro; Latin)
  • Slovak (Slovakia)
  • Slovenian (Slovenia)
  • Spanish (Spain), Spanish (Latin America) , Spanish Variation
  • Swedish (Sweden)
  • Turkish (Turkey; F), Turkish (Turkey; Q)
  • Ukrainian (Ukraine)

Symantec Drive Encryption for Mac OS X

  • English (US-International)
  • Japanese (Japan)
  • German (Germany); German (Switzerland)
  • French (France); French (Switzerland)
  • Spanish (Latin America), Spanish (Spain; ISO)

Supported Disks

  • Desktop or laptop disks (partitions in the case of Windows, or the entire disk for Windows and Mac OS X)
  • External disks, excluding music devices and digital cameras
  • USB flash disks
  • Solid-state drives

Unsupported Disks


  • Dynamic disks
  • SCSI drives/controllers
  • Software RAID disks
  • Diskettes and CD-RW/DVD-RWs

Mac OS X

  • Disks formatted using the APM partition scheme
  • Any type of server hardware, including RAID disk drives and software RAID drives
  • Diskettes and CD-RW/DVD-RWs
  • exFAT formatted disks
  • Any configuration where the system partition is not on the same disk as boot partition

Authentication Options

  • OpenPGP RFC 4880 keys
  • X.509 keys

Symmetric Key Algorithms

  • AES 256-bit keys
  • AES 128-bit keys (enabled on Symantec Encryption Management Server)

Centralized Management Requirements

Symantec Drive Encryption is centrally managed by Symantec™ Encryption Management Server, Powered by PGP Technology, which requires a dedicated hardware server. For supported hardware and other information, please refer to the Symantec Encryption Management Server technical specifications.

Two-Factor Authentication (Windows Only)

Generic Smart Card Readers

Most CCID smart card readers are compatible. The following readers have been tested by Symantec Corporation:

  • OMNIKEY CardMan 3121 USB for desktop systems (076b:3021)
  • OMNIKEY CardMan 6121 USB for mobile systems (076b:6622)
  • ActiveIdentity USB 2.0 reader (09c3:0008)
  • SCM Microsystem Smart Card Reader model SCR3311
  • CyberJack smart card readers - Reiner SCT CyberJack pinpad (0c4b:0100).
  • ASE smart card readers - Athena ASEDrive IIIe USB reader (0dc3:0802)
  • Embedded smart card readers - Dell D430, D630, and D830
  • Embedded smart card readers - Dell E6410 and E6510 (Broadcom)

Compatible Smart Cards or Tokens for Symantec/Drive Encryption Authentication (Windows Only)

Symantec Drive Encryption is compatible with the following smart cards for pre-boot authentication:

  • ActiveIdentity ActivClientCAC cards, 2005 model
  • Aladdin eToken PRO 64K, 2048 bit RSA capable
  • Aladdin eToken PRO USB Key 32K, 2048 bit RSA capable
  • Aladdin eToken PRO without 2048 bit capability (older smart cards)
  • Aladdin eToken PRO Java 72K
  • Aladdin eToken NG-OTP 32K - Note: Other Aladdin eTokens, such as tokens with flash, should work provided they are APDU compatible with the compatible tokens. OEM versions of Aladdin eTokens, such as those issued by VeriSign, should work provided they are APDU compatible with the compatible tokens.
  • Athena ASEKey Crypto USB Token
  • Athena ASECard Crypto Smart Card - Note: The Athena tokens are compatible only for credential storage.
  • Axalto Cyberflex Access 32K V2
  • Charismathics CryptoIdentity plug 'n' crypt Smart Card only stick
  • EMC RSA SecurID SID800 Token (v1 and 2) - Note: This token is compatible only for key storage. SecurID is not compatible.
  • EMC RSA Smart Card 5200
  • Marx CrypToken USB token
  • Rainbow iKey 3000
  • S-Trust StarCOS smart card - Note: S-Trust SECCOS cards are not compatible.
  • SafeNet iKey 2032 USB token
  • SafeNet 330 smart card
  • T-Systems Telesec NetKey 3.0 smart card
  • T-Systems TCOS 3.0 IEI smart card
  • Personal Identity Verification (PIV) cards: - Oberthur ID-One Cosmo V5.2D PIV cards using ActivClient version 6.1 client software. - Giesecke and Devrient Sm@rtCafe Expert 3.2 PIV cards using ActivClient version 6.1 client software.

Symantec Drive Encryption for Windows also recognizes and works with smart cards from other vendors if the vendor includes a standards-based PKCS-11 library in its software drivers.


Symantec Drive Encryption on Windows Servers

Symantec Drive Encryption on Windows Servers is supported on:

  • Windows Server 2003 SP 2 (32- and 64-bit editions); Windows Server 2008 64-bit SP 1 and 2; Windows Server 2008 R2 64-bit
  • VMWare ESXi4 (supported Microsoft Windows Servers operating in a virtual environment)

For additional system requirements and best practices information, go to the Symantec Knowledgebase and search for TECH149613, "PGP Whole Disk Encryption on Windows Servers."

Symantec Endpoint Encryption Removable Storage Edition

Symantec Endpoint Encryption Removable Storage Edition provides policy-controlled encryption of data on removable media and provides organizations with a safe harbor from data breach notification if removable media is lost or stolen. This industry-leading laptop security software allows users to encrypt data according to policy on most any form of removable storage ensuring that users can safely transport and use sensitive data on portable media.

Note: Removable Storage Edition requires Symantec Endpoint Encryption Management Server for policy control and management.

Symantec Endpoint Encryption Device Control

Symantec Endpoint Encryption Device Control software enables organizations to monitor device usage and file transfer activity, control access to ports, devices, and wireless networks, as well as to restrict user’s ability to copy protected information to removable media. When implemented with Symantec Endpoint Encryption Removable Storage Edition, the combination provides protection for enterprise data on endpoints from the risks associated with USB security, as well as other portable devices and media.

Note: Device Control requires Symantec Endpoint Encryption Management Server for policy control and management.

Pricing Notes: