If you want to strengthen the security of your endpoint device, you can deploy strong device encryption that is derived from a user password. The encryption is applied to all partitions that can contain user data, e.g. browser history or Custom Partitions.



Menu path: Security > Device Encryption

Device encryption mode

Possible options:

  • Keep: The default encryption scheme is maintained. If a password has been set, it will remain unchanged.
  • Activate: The device will be re-encrypted using strong encryption methods when the user enters the password for the first time. It is strongly recommended to enforce the use of a strong password; see Minimum Password Length and the subsequent password settings. The re-encryption may take about 10 to 60 seconds; the duration depends on the hardware performance and the size of the Custom Partition.
  • Deactivate: The device will be re-encrypted back to the default device encryption scheme on the next boot. The re-encryption may take about 10 to 60 seconds.

    If you want to switch back to the default device encryption, you must have the password. If the password gets lost, you must reinstall IGEL OS 11 on the device, e. g. via OSC (see Installation).

Change password

Only applicable if device encryption is enabled. The user can change the password for device encryption.

Authentication type

Possible options:

  • PW: Password authentication. In this version of IGEL OS, this is the only available authentication type.

Security level

Possible options:

  • Auto, constant-time: The password aggregation function that fits best with the defined Target time delay (ms) is selected.
  • Auto, at least level: The security level will be at least as high as the value selected by Password aggregation function; if the Target time delay (ms) allows for a higher security level, the higher security level will be used.
  • Manual: The Password aggregation function can be set manually, irrespective of the delay time specified by Target time delay (ms).

Target time delay (ms)

Maximum time that should be consumed by the password aggregation function. This delay is effective when the user enters the device encryption password on boot or changes the device encryption password.

Password aggregation function

Security level of the encryption. 

Possible options:

  • I: Argon2id, 8M/7 ops
  • II: Argon2id, 128M/3 ops
  • III: Argon2id, 256M/3 ops
  • IV: Argon2id, 512M/3 ops
  • V: Argon2id, 1024M/4 ops
  • VI: Argon2id, 128M/4 ops

Minimum password length

Minimum number of characters the password must be composed of

Unwanted strings in password (comma separated)

Comma-separated list of strings that must not be contained in the password

The password must contain

Defines whether all of the subsequent minimum requirements (minimum amount of lower case letters etc.) must be fulfilled, or 2, or 3 of them.

  • all
  • 2 of
  • 3 of

Minimum amount of lower case letters

The minimum amount of lower case letters

Minimum amount of upper case letters

The minimum amount of upper case letters

Minimum amount of numbers

The minimum amount of numbers

Minimum amount of special characters

The Minimum amount of special characters

Special characters allowed

List of all non-alphanumerical characters that are allowed in the password, without separators