1213 Device Integrity Protection - How to handle the loss or theft of an encrypted device

SecureDoc performs an invaluable service by ensuring that data at rest is protected by encryption and that access to SecureDoc-protected devices is locked down, so that only specifically permitted users can authenticate at Pre-Boot. There are, however, other risks that any security-conscious organization should be aware of and include in its overall security design.

How to handle the loss or theft of an encrypted device.

If a device is lost or stolen, WinMagic recommends the following procedural steps as a starting point for mitigating the risks that accompany such a loss.

The user who notices the loss or theft of the device must:

a) Notify his or her manager and the head of the IT department immediately. With the assistance of the SES Administrator, they should determine which other users had credentials-based access to the device through a local key file on the device. This list of users feeds into step b) below.

b) Change his or her own password on the domain; if necessary, this can be done from another user's computer by logging on to the domain and then changing the password. (NOTE: this applies to every user of the lost or stolen device, as determined in step a), since each of them will have cached credentials on that device.) This ensures that if the stolen computer is used to attack other equipment on the domain, the cached credentials for the user(s) on that laptop can no longer be used to gain access to the domain. Note that the password change invalidates those credentials against the domain; it does not remove the cached logon verifier from the stolen disk, which is why the Pre-Boot encryption remains the control that protects the data itself.

c) Notify the Domain Administrator of the loss or theft. The Domain Administrator should disable the device's computer account (its record in the Computers list) so that the machine can no longer authenticate to the domain.

d) Notify the SES Administrator of the loss or theft. The SES Administrator should:

   i) immediately issue a Crypto-Erase command against the device, so that the next time the device is able to communicate with the SES server it locks itself against any possible future authentication;

   ii) mark the device as lost or stolen in the SES console;

   iii) remove it from any device group relationships that could grant access through PBConnex;

   iv) create a relationship in the GROUPs tab that denies ALL users access to this one device. The simplest way is to create a device group called "Lost/Stolen devices", add this device to that group, associate the group with the All Users group, and set a DENY access policy.

e) If the device has been stolen, or must be presumed to have been, the organization should follow its standard procedures for notifying and cooperating with the police over the theft of any company asset. It should also contact the management of any locations where the device may have been lost, so that it can be returned once located if a Good Samaritan has handed it in to a lost-and-found department.

f) When the device is retrieved, check it for signs of physical access violation (see the article on Tamper Labels). If it has not been tampered with, WinMagic recommends creating a Key File for the device on a USB stick, booting the device from a WinPE disk (with the SecureDoc kernel injected into it), and then authenticating with the Key File on the USB stick. This should ONLY be done in an isolated area: disconnected from the company LAN, and ideally shielded from, or far enough from, the company Wi-Fi that any malware or additional hardware that may have been installed has no vector to attack other company assets. The WinPE boot environment is very restricted, so these precautions are extremely conservative, but they allow the computer's disk to be examined through the WinPE environment with no risk of infection or broadcast of information. If desired, pertinent information can be copied off the computer to USB-connected media, such as an external hard drive, for further examination.

g) The computer itself should also be checked for add-on risks, such as additional hardware inserted inside the case or devices connected to its ports.

h) If the device is judged to have a clean bill of health, it is wise, once any vital documents have been sequestered, to crypto-erase the disk, reformat it, and re-image it with a fresh operating system, after which SecureDoc should be installed again to provide cryptographic protection of data at rest.
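As an added example (not WinMagic's or SecureDoc's own code), the PowerShell script below carries out steps b) and c) above against Active Directory using the RSAT ActiveDirectory module: it resets the domain password of every user identified in step a), forces a change at next logon, and disables the lost device's computer account with an audit note. The computer name LAPTOP-1213, the user accounts jdoe and asmith and the incident reference IR-0042 are hypothetical. The SES console actions of step d) are not scripted here.

```powershell
# Added example, not WinMagic/SecureDoc code. Carries out steps b) and c) for a
# lost or stolen domain-joined device using the RSAT ActiveDirectory module.
# Hypothetical names: computer LAPTOP-1213, users jdoe and asmith, ticket IR-0042.
# Run as an account with password-reset and account-disable rights in the domain.

Import-Module ActiveDirectory

$LostComputer  = 'LAPTOP-1213'          # sAMAccountName without the trailing '$'
$AffectedUsers = @('jdoe', 'asmith')    # result of step a): everyone with a key file / cached logon on the device
$Ticket        = 'IR-0042'              # incident reference written into the AD description

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded: 32 characters of upper case,
    # lower case, digits and '+'/'/', which meets the default domain complexity rules.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Step b): reset every affected user's domain password and force a change at next logon.
# -Reset does not need the old password, so it works even when the user cannot be reached.
# The reset invalidates the credentials against the domain; it does not remove the cached
# logon verifier on the stolen disk, which only the Pre-Boot encryption protects.
$IssuedPasswords = @{}
foreach ($sam in $AffectedUsers) {
    $user   = Get-ADUser -Identity $sam -Properties PasswordLastSet
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    $IssuedPasswords[$sam] = $plain     # delivered to the user out of band; never written to a log file
    Write-Host ("Reset {0} (previous PasswordLastSet: {1})" -f $sam, $user.PasswordLastSet)
}

# Step c): disable the device's computer account so the machine's own credentials can
# no longer authenticate to the domain, and leave an audit trail in the description.
$computer = Get-ADComputer -Identity $LostComputer -Properties Description
Disable-ADAccount -Identity $computer
$note = 'LOST/STOLEN {0} {1}. Previous description: {2}' -f (Get-Date -Format 'yyyy-MM-dd'), $Ticket, $computer.Description
Set-ADComputer -Identity $computer -Description $note

# Verification: the computer account must show Enabled = False, and every affected
# user's PasswordLastSet must be within the last few minutes.
Get-ADComputer -Identity $LostComputer -Properties Description |
    Select-Object Name, Enabled, Description
foreach ($sam in $AffectedUsers) {
    Get-ADUser -Identity $sam -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# Temporary passwords for out-of-band delivery (e.g. read to the user by phone after
# verifying identity), then discarded from the session.
$IssuedPasswords
Clear-Variable IssuedPasswords
```

Two caveats worth knowing when running this: Kerberos tickets already issued to the affected users or to the machine remain valid until they expire (ten hours by default), so the reset and the account disable stop new authentications rather than terminating sessions the device may already hold; and `-ChangePasswordAtLogon $true` fails for accounts flagged with PasswordNeverExpires, so clear that flag first for any such account.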