How To Disable HP Drive Encryption?


Introduction

HP ProtectTools Security Manager (PT SMS) ships with the ability to encrypt partitions on your hard drive. The encryption is done using XTS-AES-128 encryption (XEX-based tweaked Cipher Feedback Mode (CFB8), as standardized by NIST).

This “feature” of HP ProtectTools is enabled by default, but it can pose problems for many users. Not only is it an additional hassle during deployment and ongoing management of systems, it also has compatibility limitations with some system images and tools that cause boot failures if the encrypted volume is attached (known issues include VMware View Client USB passthrough). Further, this additional security feature can be considered somewhat obsolete given how easy full disk encryption is to implement using readily available open source tools on several platforms.

Benefits of HP Drive Encryption:

a) Secure boot support.

b) Less administrative overhead (no need to enter passwords or handle/store/backup encryption keys).

c) Support for pre-boot authentication (PBA) via TPM 2.0.

d) Improved security. Full volume encryption prevents access to unencrypted data if the computer is lost or stolen, and it provides more secure methods for storing and erasing data, which could otherwise be recoverable using freely available tools. HP Drive Encryption protects against unauthorized access – so your data is protected from hackers and thieves – even when a laptop or other mobile device is left unattended or physically seized by an attacker.

Limitations of HP Drive Encryption:

a) New encryption standard not widely supported yet (e.g.: Linux). If the system is encrypted, full disk encryption on boot might be tricky if you want to use Linux during deployment or for ongoing management tasks. Also, depending on your chosen passphrase length/complexity, it can take some time to decrypt the hard drive during boot.

b) Requires USB key / smartcard / TPM support in the BIOS. Some BIOS implementations do not support all of these options out of the box – so enabling BitLocker on these systems will fail due to lack of TPM support, but one could still try enabling eDrive instead if the hardware supports it. It is also more difficult to enable eDrive support in the BIOS without a TPM if the system is UEFI-based.

c) HP ProtectTools must be installed and configured before you can enable Drive Encryption. This means that the administrator needs to enter a boot PIN during Windows OS installation, or at any other time when an OS cannot boot due to missing encryption keys or USB/TPM configuration – making deployment of Windows 7 images somewhat more difficult.

d) BitLocker is more widely supported than HP Drive Encryption (eDrive). For example, Microsoft BitLocker requires only TPM 1.2 for pre-boot authentication – while HP Drive Encryption requires both TPM 2.0 and a USB key / smartcard together for this purpose. If your hardware does not support TPM 2.0 (and is not upgradable), you cannot use HP Drive Encryption to protect the system partition, and hence would have to fall back to Microsoft BitLocker with TPM 1.2.

Disable HP Drive Encryption

Method 1: Using BIOS And HP ProtectTools Security Manager

If you do not use Drive Encryption, you can disable it completely in the BIOS. This is a good option if you insist on having a system that does not encrypt anything at all. If you want to selectively encrypt certain partitions while using unencrypted volumes for other purposes, please continue with method 2 below.

Enter the BIOS, go to Startup > Boot and set “HP Drive Key Setting” to Disabled or Removable device (Removable device may be available only on some models). Here is an example of what this setting looks like:

Method 2: Only Un-Encrypted Volumes Without Disabling The Entire Drive Encryption Capability In The Software

If you want to stop Drive Encryption from encrypting the volumes you use, but keep the ability to selectively encrypt certain partitions, follow these steps:

Go to C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager and delete all files in this folder. Also delete the following Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Protect

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPROEvent

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\services\WPROEvent

This should (at least partially) disable the drive encryption capability, and the Drive Key icon should disappear from Security Manager:
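The following PowerShell script is an added example for the steps above; it is not part of the original article and not an HP tool. It uses the folder and registry keys exactly as the article lists them (the fourth key is reproduced as written, so verify it on your own system), audits which of them are present, and only deletes when run with -Remove, after exporting each key and copying the folder to a backup location (the backup folder name is an assumption). Because the script only removes the management software, decrypt any HP-encrypted volumes before running it; removing the software does not decrypt data.

```powershell
# Added example, not from the original article or from HP.
# Audits and (optionally) removes the files and registry keys listed in Method 2.
# Default is report-only; pass -Remove (and optionally -WhatIf) to delete.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:SystemDrive\PTSM-Backup"   # assumed backup location
)

$ProgramDir = 'C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager'

# Registry keys as listed in the article, in PowerShell HKLM: drive notation.
# The last entry is reproduced as the article gives it; check it before relying on it.
$RegistryKeys = @(
    'HKLM:\SOFTWARE\DigitalPersona',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Protect',
    'HKLM:\SYSTEM\ControlSet001\services\WPROEvent',
    'HKLM:\SYSTEM\ControlSet\services\WPROEvent'
)

function Test-IsElevated {
    # Registry keys under HKLM\SYSTEM and the Program Files folder need an elevated session.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HpDriveEncryptionFootprint {
    # Report which listed artefacts exist so the before/after state is visible
    # and nothing is removed blindly.
    $items = @()
    $items += [pscustomobject]@{ Kind = 'Folder'; Path = $ProgramDir; Present = (Test-Path -LiteralPath $ProgramDir) }
    foreach ($key in $RegistryKeys) {
        $items += [pscustomobject]@{ Kind = 'RegKey'; Path = $key; Present = (Test-Path -LiteralPath $key) }
    }
    return $items
}

function Backup-RegistryKey {
    param([string]$KeyPath)
    # reg.exe expects HKLM\... rather than the HKLM:\ drive form.
    $native = $KeyPath -replace '^HKLM:\\', 'HKLM\'
    $file   = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $native" }
    return $file
}

$footprint = Get-HpDriveEncryptionFootprint
$footprint | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove to delete the items marked Present.'
    return
}
if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

foreach ($item in $footprint | Where-Object Present) {
    if ($item.Kind -eq 'RegKey') {
        $saved = Backup-RegistryKey -KeyPath $item.Path
        Write-Host "Exported $($item.Path) to $saved"
        if ($PSCmdlet.ShouldProcess($item.Path, 'Remove registry key')) {
            Remove-Item -LiteralPath $item.Path -Recurse -Force
        }
    }
    else {
        # The article says to delete the files in the folder, so keep the folder itself.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Copy-Item -LiteralPath $item.Path -Destination (Join-Path $BackupDir 'ProgramFiles') -Recurse -Force
        if ($PSCmdlet.ShouldProcess($item.Path, 'Delete folder contents')) {
            Get-ChildItem -LiteralPath $item.Path -Force | Remove-Item -Recurse -Force
        }
    }
}
Write-Host 'Done. Reboot and confirm the Drive Key icon is gone from Security Manager.'
```

Run it once without arguments to see the audit table, then again with `-Remove -WhatIf` to preview the deletions, and finally with `-Remove`. The exported .reg files in the backup folder can be re-imported with `reg.exe import` if the Security Manager needs to be restored.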

Please note: HP strongly discourages users from disabling or uninstalling any of its security products. If you do not use Drive Encryption, we suggest either switching off your system or enabling HP ProtectTools Security Manager (Ctrl-Esc). With Security Manager enabled, all access to encrypted drives will be blocked. This ensures that no data can be cryptographically accessed by attackers using compromised pre-boot environments after bypassing other security mechanisms such as BIOS passwords, BitLocker PINs etc.

Conclusion

HP Drive Encryption seems to be the only software component which is not compatible with UEFI-based systems. For this reason, HP does not support booting Windows 7 on UEFI-based hardware with BitLocker enabled. This means that Windows 7 installations protected by HP Drive Encryption will fail in most cases when installing or upgrading onto UEFI-based hardware. If you need to encrypt your system partition using tools other than HP ProtectTools, eDrive might be an option for you if your hardware already supports TPM 2.0 and a USB key / smartcard together (or just a USB key if you do not need pre-boot protection). Please note that Microsoft BitLocker works perfectly fine even without these additional requirements, but Microsoft’s implementation is also more susceptible to some forms of hacking attacks.

To avoid compatibility issues, you can disable HP Drive Encryption completely using the Security Manager or uninstall it completely. If you want to switch off HP Drive Encryption while retaining its capability on a system which does not support TPM 2.0, please contact your local reseller for further assistance.
