|Policy types and their fields of applications|
Policies of type Device Protection cover the settings for data encryption on different data storage devices. Encryption can be volume- or file-based with different keys and algorithms. Policies of type Device Protection also include settings for SafeGuard Data Exchange, SafeGuard Cloud Storage and SafeGuard Portable. For further information, see SafeGuard Data Exchange and Cloud Storage. For further details on SafeGuard Data Exchange, SafeGuard Cloud Storage and SafeGuard Portable on the endpoint, refer to the SafeGuard Enterprise user help.
When creating a policy for device protection, you first have to specify the target for device protection. Possible targets are:
For each target, create a separate policy.
|Media encryption mode||Used to protect devices (PCs, notebooks and so on) and all types of removable media.
Note: This setting is mandatory.
The primary objective is to encrypt all data stored on local or external storage devices. The transparent operating method enables users to continue to use their usual applications, for example Microsoft Office.
Transparent encryption means that all encrypted data (whether in encrypted directories or volumes) is automatically decrypted in the main memory as soon as it is opened in a program. A file is automatically re-encrypted when it is saved.
The following options are available:
Note: For policies with White Lists, only No encryption or File-based can be selected.
|Algorithm to be used for encryption||Sets the encryption algorithm.
Supported algorithms with their respective key lengths:
AES256: 32 bytes (256 bits)
AES128: 16 bytes (128 bits)
|Key to be used for encryption||Defines which key is used for encryption. You can define specific keys (for example the machine key or a defined key) or you can allow the user to select a key. You can also restrict the keys which a user is allowed to use.
The following options are available:
If the option Defined machine key is used:
If only SafeGuard Data Exchange is installed on an endpoint (no SafeGuard POA, no volume-based encryption), a policy defining the Defined machine key as the key to be used for file-based encryption will not become effective on this endpoint. The defined machine key is not available on an endpoint of this type. The data cannot be encrypted.
Policies for unmanaged endpoints protected by SafeGuard Enterprise (standalone):
Note: Only the Any key in user key ring option can be used when creating policies for unmanaged endpoint computers. In addition, creating local keys must be allowed for this type of endpoint computer.
If the media passphrase feature is activated for unmanaged endpoints, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoints. Selecting another key under Defined key for encryption when creating a removable media policy for unmanaged endpoints will have no effect.
|Defined key for encryption||This field only becomes active if you have selected the option Defined key on list in the Key to be used for encryption field. Click [...] to display the Find Keys dialog. Click Find now to search for keys and select a key from the list displayed.
For a policy of type Device Protection with target Removable Media, this key is used to encrypt the Media Encryption Key when the media passphrase functionality is enabled (User may define a passphrase for devices set to Yes).
For Device Protection policies for removable media the settings therefore must be specified independently from each other.
Policies for unmanaged endpoints protected by SafeGuard Enterprise (standalone):
If the media passphrase feature is activated for unmanaged endpoints, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoints.
|User is allowed to create a local key||This setting determines whether users can generate a local key on their computers or not. The default setting is Yes, users are allowed to create local
Note: A policy that forbids users to create local keys (User is allowed to create a local key set to No) will only be applied on Windows endpoints.
Local keys are generated on the endpoint based on a passphrase entered by the user. The passphrase requirements can be set in policies of the type Passphrase.
These keys are also saved in the database. The user can use them on any endpoint they are logged on to.
Local keys can be used for secure data exchange with SafeGuard Data Exchange (SG DX). For more information, see Local keys.
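The page states that local keys are generated on the endpoint from a passphrase the user enters, that the passphrase requirements come from a Passphrase policy, and that AES256 and AES128 need 32-byte and 16-byte keys respectively. The following is an added example, not SafeGuard Enterprise code: it models that flow with a salted PBKDF2-HMAC-SHA256 derivation (the KDF, iteration count and minimum passphrase length are assumptions chosen for illustration; the product's actual key-derivation scheme is not described on the page).

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Key lengths as listed on the page: AES256 needs 32 bytes, AES128 needs 16 bytes.
KEY_LENGTHS = {"AES256": 32, "AES128": 16}


def derive_local_key(passphrase: str,
                     algorithm: str,
                     salt: Optional[bytes] = None,
                     iterations: int = 600_000,
                     min_passphrase_len: int = 8) -> Tuple[bytes, bytes]:
    """Derive a local key of the correct size for `algorithm` from a user passphrase.

    Returns (salt, key). A fresh random salt is generated unless one is supplied,
    so the same passphrase yields the same key only when the same salt is stored
    alongside it. The minimum length stands in for the Passphrase policy on the page;
    PBKDF2-HMAC-SHA256 and the iteration count are illustrative assumptions.
    """
    if algorithm not in KEY_LENGTHS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if len(passphrase) < min_passphrase_len:
        # Reject before deriving anything: a weak passphrase gives a weak local key.
        raise ValueError("passphrase does not meet the passphrase policy")
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256",
                              passphrase.encode("utf-8"),
                              salt,
                              iterations,
                              dklen=KEY_LENGTHS[algorithm])
    return salt, key


if __name__ == "__main__":
    # Constructed sample passphrase for demonstration only.
    salt, key = derive_local_key("correct horse battery staple", "AES256")
    print(f"salt={salt.hex()} key_len={len(key)}")
    # Re-deriving with the stored salt reproduces the key on another endpoint.
    assert derive_local_key("correct horse battery staple", "AES256", salt=salt)[1] == key
```

The salt must be kept with the key's metadata (the page notes local keys are also stored in the database), since without it the passphrase alone cannot reproduce the key; the minimum length check is where a real Passphrase policy would be enforced.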
|Users may add or remove keys to or from encrypted volume||Yes: Endpoint users may add/remove keys to/from a key ring. The dialog is displayed from the context menu command Properties/Encryption
No: Endpoint users may not add additional keys.
|Reaction to unencrypted volumes||Defines how SafeGuard Enterprise handles unencrypted
The following options are available:
|User may decrypt volume||Allows the user to decrypt the volume with a context menu command in Windows Explorer.|
|Fast initial encryption||Select this setting to enable the fast initial encryption mode for volume-based encryption. This mode reduces the time needed for initial encryption on endpoints.
Note: This mode may lead to a less secure state. For further information, see Fast initial encryption.
|Proceed on bad sectors||Specifies whether encryption should proceed or be stopped if bad sectors are detected. The default setting is Yes.|
|Initial encryption of all files||Automatically starts initial encryption for a volume after user logon. The user may need to select a key from the key ring beforehand.|
|User may cancel initial encryption||Enables the user to cancel initial encryption.|
|User is allowed to access unencrypted files||Defines whether a user may access unencrypted data on a volume.|
|User may decrypt files||Enables the user to decrypt individual files or whole directories (with the Windows Explorer extension <right-click>).|
|User may define a media passphrase for devices||Enables the user to define a media passphrase on their computers. The media passphrase makes it possible to easily access all local keys used on computers without SafeGuard Data Exchange with SafeGuard Portable.|
|Copy SafeGuard Portable to target||If this option is selected, SafeGuard Portable is copied to any removable media connected to the endpoint and to any synchronization folder defined in a Cloud Storage Definition for SafeGuard Cloud Storage as soon as content is written to the encrypted media or folder.
SafeGuard Portable enables the exchange of encrypted data with removable media or cloud storage without the recipient having SafeGuard Enterprise installed.
The recipient can decrypt and re-encrypt the encrypted files using SafeGuard Portable and the corresponding passphrase. The recipient can re-encrypt files with SafeGuard Portable or use the original key for encryption.
SafeGuard Portable does not have to be installed or copied to the recipient's computer but can be used directly from the removable media or cloud storage synchronization folder.
|Default initial encryption key||This field offers a dialog for selecting a key which is used for file-based initial encryption. If you select a key here, the user cannot select a key when initial encryption starts. Initial encryption starts without user interaction.
The key selected will always be used for initial encryption.
Prerequisite: A default key for initial encryption has been set.
When the user connects a USB device to the computer, initial encryption automatically starts using the key defined here. The user does not have to intervene. If the user afterwards wants to re-encrypt files or save new files on the USB device, they can select any key (if allowed and available). If the user connects a different USB device, the key defined for initial encryption will be used again. This key will also be used for all encryption processes that follow until the user explicitly selects a different key.
Note: If the media passphrase feature is activated, this option will be deactivated. The Defined key for encryption will be used.
|Plaintext folder||The folder specified here will be created on all removable media, mass storage devices and cloud storage synchronization folders. Files that are copied to this folder will always stay in plaintext.|
|User is allowed to decide about encryption||You can allow the user to decide about encryption of files on removable media and mass storage devices: