Is it possible to change the encryption algorithm on a fully encrypted disk without needing to decrypt it first? Is it possible to re-encrypt the disk on-the-fly?
A. Changing the encryption algorithm is only supported on machines with legacy BIOS firmware. EFI or UEFI Firmware is not supported.
B. Changing the encryption algorithm is supported on all machines, but you must first decrypt it, change encryption algorithm, and encrypt it again with new encryption algorithm.
C. Changing the encryption algorithm is supported on all machines, no matter which firmware they have.
D. Changing the encryption algorithm is only supported on machines that have EFI or UEFI firmware. BIOS Firmware is not supported.
Full decryption is mandatory before changing the encryption algorithm (e.g., switching from AES-128 to AES-256).
Re-encryption occurs after algorithm selection, with no on-the-fly conversion supported.
Firmware Agnostic:
Applies uniformly to BIOS, UEFI, and legacy systems (no firmware-based exceptions).
Documentation Source:
*Check Point Full Disk Encryption Administration Guide R81.10+*:
"To modify the encryption algorithm, the disk must be fully decrypted first. After decryption, deploy a new policy with the updated algorithm to trigger re-encryption."
⚠️ Critical Note:
Attempting to change algorithms without decryption corrupts data and requires recovery tools.
Why Other Options Fail:
A/D: Incorrectly link algorithm changes to firmware (BIOS/UEFI), which is unsupported.
C: On-the-fly re-encryption is technologically infeasible for FDE solutions due to cryptographic key hierarchy constraints.
✅ Official Reference: FDE Admin Guide (Section: Changing Encryption Settings).