Device Protection

Policies of type Device Protection cover the settings for data encryption on different data storage devices. Encryption can be volume- or file-based with different keys and algorithms. Policies of type Device Protection also include settings for SafeGuard Data Exchange, SafeGuard Cloud Storage and SafeGuard Portable. For further information, see SafeGuard Data Exchange and Cloud Storage. For further details on SafeGuard Data Exchange, SafeGuard Cloud Storage and SafeGuard Portable on the endpoint, refer to the SafeGuard Enterprise user help.

When creating a policy for device protection, you first have to specify the target for device protection. Possible targets are:

For each target, create a separate policy.

Note: Removable media: A policy that specifies volume-based encryption of removable drives and allows the user to choose a key from a list (for example Any key in user key ring) can be circumvented by the user by not choosing a key. To make sure that removable drives are always encrypted, either use a file-based encryption policy, or explicitly set a key in the volume-based encryption policy.
Policy settings (each setting name is followed by its explanation):

Media encryption mode
Used to protect devices (PCs, notebooks and so on) and all types of removable media.
Note: This setting is mandatory.

The primary objective is to encrypt all data stored on local or external storage devices. The transparent operating method enables users to continue to use their usual applications, for example Microsoft Office.

Transparent encryption means that all encrypted data (whether in encrypted directories or volumes) is automatically decrypted in the main memory as soon as it is opened in a program. A file is automatically re-encrypted when it is saved.

The following options are available:

  • No encryption

  • Volume-based (= transparent, sector-based encryption)

    Ensures that all data is encrypted (incl. boot files, swapfiles, idle files/hibernation files, temporary files, directory information etc.) without the user having to change normal operating procedures or consider security.

  • File-based (= transparent, file-based encryption, Smart Media Encryption)

    Ensures that all data is encrypted (apart from Boot Medium and directory information) with the benefit that even optical media such as CD/DVD can be encrypted or data can be swapped with external computers on which SafeGuard Enterprise is not installed (provided policies permit).

Note: For policies with White Lists, only No encryption or File-based can be selected.
General Settings
Algorithm to be used for encryption
Sets the encryption algorithm.

List of all usable algorithms with respective standards:

AES256: 32 bytes (256 bits)

AES128: 16 bytes (128 bits)

Key to be used for encryption
Defines which key is used for encryption. You can define specific keys (for example machine key or a defined key) or you can allow the user to select a key. You can also restrict the keys which a user is allowed to use.

The following options are available:

  • Any key in user key ring

    All keys from a user's key ring are displayed and the user can select any one of them.

    Note: This option has to be selected if you define a policy for file-based encryption for an unmanaged endpoint protected by SafeGuard Enterprise (standalone).
  • Any key in user key ring, except user key

    All except user keys from a user's key ring are displayed and the user can select any one of them.

  • Any group key in user key ring

    All group keys from a user's key ring are displayed and the user can select any one of them.

  • Defined machine key

    The machine key is used; the user CANNOT select a key.

    Note: This option has to be selected if you define a policy for volume-based encryption for an unmanaged endpoint protected by SafeGuard Enterprise (standalone mode). If you nevertheless select Any key in user key ring and the user selects a locally created key for volume-based encryption, access to this volume will be denied.
  • Any key in key ring, except locally created keys

    All except locally generated keys from a key ring are displayed and the user can select any one of them.

  • Defined key on list

    The administrator can select any available key when setting policies in the Management Center.

The key has to be selected under Defined key for encryption.

If the option Defined machine key is used:

If only SafeGuard Data Exchange is installed on an endpoint (no SafeGuard POA, no volume-based encryption), a policy defining the Defined machine key as the key to be used for file-based encryption will not become effective on this endpoint. The defined machine key is not available on an endpoint of this type. The data cannot be encrypted.

Policies for unmanaged endpoint protected by SafeGuard Enterprise (standalone):

Note: Only the Any key in user key ring option can be used when creating policies for unmanaged endpoint computers. In addition, creating local keys must be allowed for this type of endpoint computer.

If the media passphrase feature is activated for unmanaged endpoints, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoints. Selecting another key under Defined key for encryption when creating a removable media policy for unmanaged endpoints will have no effect.

Defined key for encryption
This field only becomes active if you have selected the option Defined key on list in the Key to be used for encryption field. Click [...] to display the Find Keys dialog. Click Find now to search for keys, then select a key from the list displayed.

For a policy of type Device Protection with target Removable Media, this key is used to encrypt the Media Encryption Key when the media passphrase functionality is enabled (User may define a passphrase for devices set to Yes).

For Device Protection policies for removable media, the settings

  • Key to be used for encryption

  • Defined key for encryption

therefore must be specified independently of each other.

Policies for unmanaged endpoints protected by SafeGuard Enterprise (standalone):

If the media passphrase feature is activated for unmanaged endpoints, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoints.

User is allowed to create a local key
This setting determines whether users can generate a local key on their computers. The default setting is Yes, users are allowed to create local keys.
Note: A policy that forbids users to create local keys (User is allowed to create a local key set to No) will only be applied on Windows endpoints.

Local keys are generated on the endpoint based on a passphrase entered by the user. The passphrase requirements can be set in policies of the type Passphrase.

These keys are also saved in the database. The user can use them on any endpoint they are logged on to.

Local keys can be used for secure data exchange with SafeGuard Data Exchange (SG DX). For more information, see Local keys.

Volume-Based Settings
Users may add or remove keys to or from encrypted volume
Yes: Endpoint users may add/remove keys to/from a key ring. The dialog is displayed from the context menu command Properties/Encryption tab.

No: Endpoint users may not add additional keys.

Reaction to unencrypted volumes
Defines how SafeGuard Enterprise handles unencrypted media.

The following options are available:

  • Reject (= the medium is not encrypted)

  • Accept only blank media and encrypt

  • Accept all media and encrypt

User may decrypt volume
Allows the user to decrypt the volume with a context menu command in Windows Explorer.

Fast initial encryption
Select this setting to enable the fast initial encryption mode for volume-based encryption. This mode reduces the time needed for initial encryption on endpoints.
Note: This mode may lead to a less secure state. For further information, see Fast initial encryption.

Proceed on bad sectors
Specifies whether encryption should proceed or be stopped if bad sectors are detected. The default setting is Yes.
File-Based Settings
Initial encryption of all files
Automatically starts initial encryption for a volume after user logon. The user may need to select a key from the key ring beforehand.

User may cancel initial encryption
Enables the user to cancel initial encryption.

User is allowed to access unencrypted files
Defines whether a user may access unencrypted data on a volume.

User may decrypt files
Enables the user to decrypt individual files or whole directories (with the Windows Explorer extension <right-click>).

User may define a media passphrase for devices
Enables the user to define a media passphrase on their computers. The media passphrase makes it possible to easily access, with SafeGuard Portable, all local keys used on computers that do not have SafeGuard Data Exchange installed.

Copy SafeGuard Portable to target

If this option is selected, SafeGuard Portable is copied to any removable media connected to the endpoint and any synchronization folder defined in a Cloud Storage Definition for SafeGuard Cloud Storage as soon as content is written to the encrypted media or folder.

SafeGuard Portable enables the exchange of encrypted data with removable media or cloud storage without the recipient having SafeGuard Enterprise installed.

The recipient can decrypt and re-encrypt the encrypted files using SafeGuard Portable and the corresponding passphrase. The recipient can re-encrypt files with SafeGuard Portable or use the original key for encryption.

SafeGuard Portable does not have to be installed or copied to the recipient's computer but can be used directly from the removable media or cloud storage synchronization folder.

Default initial encryption key
This field offers a dialog for selecting a key which is used for file-based initial encryption. If you select a key here, the user cannot select a key when initial encryption starts. Initial encryption starts without user interaction.

The key selected will always be used for initial encryption.

Example:

Prerequisite: A default key for initial encryption has been set.

When the user connects a USB device to the computer, initial encryption automatically starts. The key defined is used. The user does not have to intervene. If the user afterwards wants to re-encrypt files or save new files on the USB device, they can select any key (if allowed and available). If the user connects a different USB device, the key defined for initial encryption will be used again. This key will also be used for all encryption processes that follow until the user explicitly selects a different key.

Note: If the media passphrase feature is activated, this option will be deactivated. The Defined key for encryption will be used.
Plaintext folder
The folder specified here will be created on all removable media, mass storage devices and cloud storage synchronization folders. Files that are copied to this folder will always stay plaintext.

User is allowed to decide about encryption
You can allow the user to decide about encryption of files on removable media and mass storage devices:
  • If you set this option to Yes, users are prompted to decide whether data should be encrypted. For mass storage devices, the prompt is displayed after each logon, for removable media the prompt is displayed when they plug in removable media.
  • If you set this option to Yes, remember user settings, users can select the option Remember this setting and do not show this dialog again to have their choice remembered for the relevant device. In this case, the dialog will not be displayed for the relevant device again.
If the user selects No in the dialog displayed on the endpoint, neither initial nor transparent encryption occurs.