SafeGuard Data Exchange / Best practice
Behavior on the computer
Bob plugs in the removable media for the first time. The Media Encryption Key, which is unique for each device, is created automatically.
Bob is prompted to enter the media passphrase for offline use.
The Media Encryption Key is used for data encryption without any user interaction, but…
Bob can now create or select a local key (for example JoeKey) for the encryption of specific files that shall be exchanged with Joe.
Bob and Alice within the same group or domain have transparent access since they share the same group/domain key.
If Bob wants to access encrypted files on a removable media device on a computer without SafeGuard Data Exchange, he can use the media passphrase within SafeGuard Portable.
Joe can access the specific files by entering the passphrase of the JoeKey without having access to the whole removable media.
You have to specify the settings in a policy of the type Device Protection\Removable Media:
Media encryption mode: File-based
Key to be used for encryption: Any key in user key ring
Allows the user to choose different keys for encrypting files on their removable media.
User may define a media passphrase for devices: Yes
The user defines one media passphrase on their computer which is valid for all their removable media.
Copy SG Portable to target: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by entering a single media passphrase on the system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted in any situation, add the following settings:
Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to the system for the first time.
User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.
User is allowed to access unencrypted files: No
If plaintext files on removable media are detected, access to them will be denied.
User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work, Bob and Alice have transparent access to encrypted files on removable media. At home, they can use SafeGuard Portable to open encrypted files by entering the media passphrase. If Bob or Alice wants to hand the removable media to a third party whose computer does not have SafeGuard Data Exchange installed, they can use local keys to ensure that the external party can access only some specific files. This is an advanced configuration: because users are allowed to create local keys on their computers, it requires more interaction from them.