Initial encryption on network shares

On network shares initial encryption cannot be automatically triggered by means of a policy setting. As a security officer you can run initial encryption for network shares from a computer that has the SafeGuard Enterprise endpoint software installed and has access to these shares using the SGFileEncWizard.exe command line tool.

On a computer with SafeGuard Enterprise you can find the tool in <SYSTEM>:\Program Files (x86)\Sophos\SafeGuard Enterprise\Client\

Before you start initial encryption on network shares consider what follows:

Requirements for performing initial encryption on network shares

Perform initial encryption with SGFileEncWizard

You can call SGFileEncWizard.exe with the following parameters:

SGFileEncWizard.exe [<startpath>] [%POLICY] [/V0 | /V1 | /V2 | /V3] [/X] [/L<logfile>]

  • <startpath>: Process the specified paths and their subfolders. Several paths must be separated by blanks.

For initial encryption on network shares, you must explicitly specify every network share to be encrypted. Only these paths will be processed. Specify the paths in UNC notation to avoid issues with different drive letters for mapped network shares. Only absolute paths are allowed.

  • Parameter /V0: Do not report any messages.

  • Parameter /V1: Log errors only.

  • Parameter /V2: Log modified files.

  • Parameter /V3: Log all processed files.

  • Parameter /L<path+logfile name>: Write the output to the specified log file.

  • Parameter /X: Hide the wizard's window.


SGFileEncWizard.exe \\my-filer-1\data1\users \\my-filer-1\data2 %POLICY /V3 /X /LC:\Logging\mylogfile.xml

Initial encryption is performed for files in \\my-filer-1\data1\users and \\my-filer-1\data2. The wizard will not be displayed and information on all processed files is written to mylogfile.xml.