Creating a multi-key file encryption policy

  1. In the Management Center, select the (Default) File Encryption policy and select Application-based (Synchronized Encryption) under Encryption type.
  2. Under Application list, select Template.
    The default application list is called Template. It contains the most commonly used applications.
  3. Under Encryption scope, select Everywhere. This is the most secure option, generally used for Windows endpoints.
    This creates a rule to encrypt files in all locations with the Synchronized Encryption key. The rule is added to the list of locations where application-based encryption is applied.

    You can now add specific rules for locations that you want to be encrypted with different encryption keys. These locations can be local or on the network. You can use predefined placeholders (for example <Documents>) to specify them.

    In our example, we want to encrypt the users' Documents folder.

  4. To add a rule click in the Path edit field and select <Documents> from the drop-down menu.
    Note You cannot change the encryption scope of this location rule.

    The default key is the Synchronized Encryption Key, but you can choose any other encryption key, for example the domain key or the key of an organizational unit. You can also select the Personal Key, which is unique to each user.

  5. Click the Personal Key symbol in the Key edit field so that each user's Documents folder is encrypted with that user's Personal Key. You can hover over the key symbols to display their function.

    To leave a folder unencrypted, define an exception rule for that specific folder.

  6. Click in the Path edit field, select <Documents> from the drop-down menu and enter \unencrypted after the <Documents> placeholder.
  7. In the Mode column, select Exclude from the drop-down menu.
  8. To turn on initial encryption on the endpoints, so that files that already exist there are encrypted as well, set the Stored on local disks option under Initial encryption: Automatically encrypt existing files to Yes.
  9. Save the policy and deploy it.
Note When you assign a policy that contains only rules for specific locations with different keys to endpoints that have SafeGuard Enterprise 8.0 installed, these rules are applied correctly: all specified locations are encrypted with the selected keys. However, if a rule with Encryption scope set to Everywhere is part of the policy, 8.0 endpoints use only the Synchronized Encryption Key, and files in all specific locations are encrypted with the Synchronized Encryption Key as well. For the policy in this example, that means 8.0 endpoints encrypt the Documents folder with the Synchronized Encryption Key rather than with the users' Personal Keys. Check the endpoint versions in your environment before relying on per-location keys.
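The following Python model of the three rules built above is an added example, not Sophos code or the Management Center's own logic. It lets you check, for a few sample paths, which key the policy is expected to apply and whether the exception folder is really left unencrypted, including the SafeGuard Enterprise 8.0 behaviour from the note. The page does not state how overlapping rules are resolved, so the model assumes that the most specific matching path wins, that <Documents> expands to C:\Users\<user>\Documents, that matching is case-insensitive as on Windows, and that Exclude rules still apply on 8.0 endpoints; these are assumptions, not documented behaviour.

```python
"""Model of the multi-key file encryption policy from the steps above.

Added example (not Sophos code). Assumptions not stated on the page:
  * the most specific matching rule path wins over less specific ones,
  * <Documents> expands to C:\\Users\\<user>\\Documents,
  * path matching is case-insensitive (Windows semantics),
  * Exclude rules are still honoured on SafeGuard Enterprise 8.0 endpoints.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

SYNC_KEY = "Synchronized Encryption Key"
PERSONAL_KEY = "Personal Key"
EVERYWHERE = "*"  # stands for the Everywhere encryption scope


@dataclass(frozen=True)
class Rule:
    path: str             # EVERYWHERE, or a location that may use the <Documents> placeholder
    key: Optional[str]    # None for Exclude rules
    mode: str = "Encrypt"  # "Encrypt" or "Exclude"


# The policy as built in steps 3 to 7 (constructed to mirror the procedure).
POLICY: List[Rule] = [
    Rule(EVERYWHERE, SYNC_KEY),                         # step 3
    Rule("<Documents>", PERSONAL_KEY),                  # steps 4-5
    Rule("<Documents>\\unencrypted", None, "Exclude"),  # steps 6-7
]


def expand(rule_path: str, user: str) -> PureWindowsPath:
    """Replace the <Documents> placeholder with the user's Documents folder (assumed layout)."""
    return PureWindowsPath(rule_path.replace("<Documents>", "C:\\Users\\" + user + "\\Documents"))


def resolve(file_path: str, user: str, policy: List[Rule] = POLICY,
            legacy_8_0: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (encrypted, key) for file_path under the policy.

    legacy_8_0=True models SafeGuard Enterprise 8.0 endpoints, which use only the
    Synchronized Encryption Key as soon as an Everywhere rule is present.
    """
    target = PureWindowsPath(file_path)
    best: Optional[Rule] = None
    best_depth = -1
    for rule in policy:
        if rule.path == EVERYWHERE:
            depth = 0  # matches everything, least specific
        else:
            location = expand(rule.path, user)
            # PureWindowsPath compares case-insensitively, so no lowercasing needed
            if location != target and location not in target.parents:
                continue
            depth = len(location.parts)  # deeper location = more specific rule
        if depth > best_depth:
            best, best_depth = rule, depth

    if best is None or best.mode == "Exclude":
        return False, None
    key = best.key
    if legacy_8_0 and any(r.path == EVERYWHERE for r in policy):
        key = SYNC_KEY  # 8.0 endpoints ignore per-location keys when Everywhere is present
    return True, key


def check_policy(user: str, samples: List[str], legacy_8_0: bool = False) -> List[Tuple[str, bool, Optional[str]]]:
    """Evaluate a list of sample paths and return (path, encrypted, key) rows."""
    return [(p,) + resolve(p, user, legacy_8_0=legacy_8_0) for p in samples]


if __name__ == "__main__":
    # Constructed sample paths for a user "alice".
    samples = [
        "C:\\Users\\alice\\Documents\\report.docx",
        "C:\\Users\\alice\\Documents\\unencrypted\\scratch.txt",
        "C:\\Temp\\notes.txt",
    ]
    for legacy in (False, True):
        print("SafeGuard Enterprise 8.0 endpoint" if legacy else "Current endpoint")
        for path, enc, key in check_policy("alice", samples, legacy_8_0=legacy):
            print(f"  {path}: {'encrypted with ' + key if enc else 'not encrypted'}")
```

Run it before deploying a policy that mixes keys: the second block of output shows that on 8.0 endpoints the Documents folder falls back to the Synchronized Encryption Key, which is exactly the situation the note above warns about.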