Application-based encryption with multiple keys on endpoints

The endpoint has the SafeGuard Enterprise Encryption software installed, but no policy applied.

When you click Synchronize on the SafeGuard Enterprise system tray, the endpoint receives the updated policies. The policy changes include the list of applications for which all new files must be encrypted. This list includes Microsoft Office, so all new Microsoft Office files are encrypted.

As you turn on initial encryption for all local drives, all files that are already on the computer are encrypted as well.

Note: When you create an application list, you must explicitly specify the file extensions of the files to be processed by initial encryption. The Template application list includes the most common extensions for each application.
  • Files in the Documents folder are encrypted with the users' Personal Key.
  • All other files that need to be encrypted according to the application list are encrypted with the Synchronized Encryption key.

Encryption scope Everywhere vs. Defined Locations

You chose to use the Synchronized Encryption key everywhere and made an exception for the <Documents> folder where the users' Personal Key should be used.

Moving or copying a file changes the encryption key. The new location is part of the Everywhere rule and therefore the Synchronized Encryption key is used.

Moving a plain or already encrypted file to the <Documents> folder encrypts the file with the user's Personal Key.

Folder without encryption

In the policy, you set the <Documents>\unencrypted folder as a location where you do not want to have files encrypted.

When you move a file to the unencrypted folder, it is decrypted.

SafeGuard Enterprise automatically decrypts files only if you put one or more individual files in a location without encryption. If you move a folder to an exclude folder, or rename a folder to the name of an exclude folder, its files are not decrypted automatically; this avoids accidental decryption. You can then decrypt the files manually or use the Encrypt according to policy option from the folder's SafeGuard Enterprise context menu.
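The location rules above can be modelled to predict which key should protect a file and to find files left encrypted after a folder move into the exclude folder. This is an added example, not Sophos code. It assumes that the most specific matching location wins, and the user path, function names and sample files are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed policy mirroring the rules on this page; the user path is a sample value.
DOCS = PureWindowsPath(r"C:\Users\alice\Documents")
RULES = [  # (location, key); location None = Everywhere, key None = no encryption
    (None, "Synchronized Encryption key"),
    (DOCS, "Personal Key"),
    (DOCS / "unencrypted", None),
]

def key_for(path):
    """Key the policy assigns to a location (None = plaintext).
    Assumption of this model: the longest matching location wins."""
    p = PureWindowsPath(path)  # Windows paths compare case-insensitively
    best_depth, best_key = -1, None
    for loc, key in RULES:
        if loc is None:
            depth = 0
        elif p == loc or loc in p.parents:
            depth = len(loc.parts)
        else:
            continue
        if depth > best_depth:
            best_depth, best_key = depth, key
    return best_key

def after_move(current_key, dest, moved_as_folder=False):
    """Key on a file once it arrives at dest.
    Individual files follow the destination rule. Files that arrive inside a
    moved or renamed folder are not decrypted automatically, so they keep
    their key when the destination is a location without encryption.
    Other folder moves are treated like file moves (assumption)."""
    target = key_for(dest)
    if target is None and moved_as_folder:
        return current_key
    return target

def needs_manual_decrypt(files):
    """files: iterable of (path, current_key). Returns the paths that are still
    encrypted although policy expects plaintext at that location."""
    return [p for p, key in files if key is not None and key_for(p) is None]
```

Files reported by `needs_manual_decrypt` are the ones to decrypt manually or with the Encrypt according to policy option.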