SafeGuard Data Exchange / Best practice
Bob wants to use his encrypted removable media on his home computer, where SafeGuard Enterprise is not installed. On his home computer, Bob decrypts files using SafeGuard Portable. By defining one media passphrase for all of Bob's removable media, he only has to open SafeGuard Portable and enter the media passphrase. Afterwards, Bob has transparent access to all encrypted files regardless of the local key used to encrypt them.
Personal use on 3rd party computers
Bob plugs in the removable media on the computer of Joe, an external partner, and enters the media passphrase to get access to the encrypted files stored on the device. Bob can now copy the files, either encrypted or unencrypted, to Joe's computer.
Behavior on endpoint:
Bob plugs in the removable media for the first time.
The Media Encryption Key, which is unique for each device, is created automatically.
Bob is prompted to enter the media passphrase for offline use with SafeGuard Portable.
There is no need to bother the user with knowledge about the keys to be used or the key ring. The Media Encryption Key will always be used for data encryption without any user interaction. The Media Encryption Key is not even visible to the user; only the centrally defined group/domain key is visible.
Bob and Alice within the same group or domain have transparent access since they share the same group/domain key.
If Bob wants to access encrypted files on a removable media device on a computer without SafeGuard Data Exchange, he can use the media passphrase within SafeGuard Portable.
You have to specify the settings in a policy of the type Device Protection\Removable media:
Media encryption mode: File-based
Key to be used for encryption: Defined key on list
User may define a media passphrase for devices: Yes
The user defines one media passphrase on their computer which is valid for all their removable media.
Copy SG Portable to target: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by entering a single media passphrase on a system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted in any situation, add the following settings:
Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to the system for the first time.
User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.
User is allowed to access unencrypted files: No
If plaintext files on removable media are detected, access to them will be denied.
User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work, Bob and Alice have transparent access to encrypted files on removable media. At home or on 3rd party computers, they can use SafeGuard Portable to open encrypted files. The users only have to enter the media passphrase to access all encrypted files. This is a simple but effective way to encrypt data on all removable media. The goal of this configuration is to reduce user interaction to a minimum while encrypting each and every file on removable media and giving the user access to the encrypted files in offline mode. The user is not permitted to decrypt files on removable media.
Copy SG Portable to removable media: No.
As long as data on removable media are shared in the workgroup, SafeGuard Portable is not necessary. Also, SafeGuard Portable would allow users to decrypt files without SafeGuard Enterprise.
At work, the user has transparent access to encrypted files on removable media. At home, they use SafeGuard Portable to open encrypted files. The user only has to enter the media passphrase to access all encrypted files, regardless of the key used for encrypting them.