Configuring encryption rules in location-based File Encryption policies

You define the rules for file-based encryption on network locations in a policy of the type File Encryption.

Note Certain folders (for example C:\Program Files) may prevent the operating system or applications from running when encrypted. When you define encryption rules, make sure that these folders are not encrypted.
  1. In the Policies navigation area, create a new policy of the type File Encryption or select an existing one.
    The File Encryption tab is displayed.
  2. Select Location-based from the Encryption type drop-down list.
    The table to specify locations where location-based file encryption is applied on the endpoint computer is displayed.
    Note SafeGuard Enterprise did not have the Encryption type setting until version 8.0. If you updated your Management Center, already existing File Encryption policies will be converted to File Encryption policies of type Location-based. For Encryption type > No encryption, see Policies of type No encryption.
  3. In the Path column, set the path (that is, the folder) to be handled by File Encryption:
    • Click the drop-down button and select a folder name placeholder from the list of available placeholders.

      By hovering your cursor over the list entries, you can display tooltips telling you how a placeholder is typically presented on an endpoint. You can only enter valid placeholders. For a description of all available placeholders, see Placeholders for paths in location-based File Encryption rules.

      Important Encrypting the whole user profile with the placeholder <User Profile> may result in an unstable Windows desktop on the endpoint.
    • Click the Browse button to browse the file system and select the required folder.
    • Alternatively, just enter a path name.

    For useful information on configuring paths in File Encryption rules, see Additional information for configuring paths in location-based File Encryption rules.

  4. In the Scope column, select one of the following:
    • Only this folder to apply the rule only to the folder indicated by the Path column.
    • Include subfolders to also apply the rule to all its subfolders.
  5. In the Mode column, define how File Encryption should handle the folder indicated in the Path column:
    • Select Encrypt to encrypt new files in the folder. The contents of the existing encrypted files are decrypted transparently when a user with the required key accesses them. If the user does not have the required key, access is denied.
    • If you select Exclude, new files in the folder are not encrypted. You might use this option to exclude a subfolder from encryption if the parent folder is already covered by a rule with the Encrypt option.
    • If you select Ignore, files in the folder are not handled by File Encryption at all. New files are saved in plaintext. If a user accesses already encrypted files in this folder, the encrypted content is displayed, regardless of whether the user has the required key or not.
  6. In the Key column, select the key to be used for the Encrypt mode. You can use keys created and applied in Users and Computers:
    • Click the Browse button to open the Find Keys dialog. Click Find now to display a list of all available keys and select the required key.
      Note Machine keys are not shown in the list. They cannot be used by File Encryption as they are only available on a single computer and can therefore not be used to enable groups of users to access the same data.
    • Click the Personal Key button with the key icon to insert the Personal Key placeholder in the Key column. On the endpoint, this placeholder will be resolved to the active Personal Key of the logged-on SafeGuard Enterprise user. If the relevant users do not have active Personal Keys yet, they are created automatically. You can create Personal Keys for single or multiple users in Users and Computers. For further information, see Personal Keys for file-based encryption by File Encryption.
  7. The System type (Windows, macOS, or All systems for Windows and macOS systems) will be assigned automatically.
  8. Add further encryption rules as required and save your changes.
    Note All File Encryption rules that are assigned by policies and activated for users/computers at different nodes in Users and Computers are cumulated. The order of encryption rules within a File Encryption policy is not relevant for their evaluation on the endpoint. Within a File Encryption policy, you can drag the rules into order to gain a better overview.
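
A planned rule set can be checked against the warnings in this procedure before it is entered in the Management Center. The following Python sketch is an added example, not SafeGuard Enterprise code or an export format: the rule dictionaries, key names and the lint function are hypothetical, and it assumes that an Exclude rule on a subfolder takes that subfolder out of a parent Encrypt rule, as the Exclude description in step 5 suggests.

```python
import ntpath

PROTECTED = (r"C:\Program Files",)  # the page's example; extend per site

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def _under(child, parent):
    """True if folder `child` is `parent` itself or lies below it."""
    c, p = _norm(child), _norm(parent)
    return c == p or c.startswith(p + "\\")

def _covers(rule, folder):
    """True if the rule's Path and Scope apply to `folder`."""
    if rule["scope"] == "Include subfolders":
        return _under(folder, rule["path"])
    return _norm(folder) == _norm(rule["path"])

def lint(rules, protected=PROTECTED):
    """Return (path, finding) pairs for Encrypt rules the page warns about."""
    findings = []
    for r in (x for x in rules if x["mode"] == "Encrypt"):
        if not r.get("key"):
            findings.append((r["path"], "Encrypt rule has no key"))
        if _norm(r["path"]) == _norm("<User Profile>"):
            findings.append((r["path"], "encrypts the whole user profile"))
        for folder in protected:
            # Assumption: only an Exclude rule that sits inside this Encrypt
            # rule and includes subfolders exempts the protected folder.
            excluded = any(x["mode"] == "Exclude" and _covers(x, folder)
                           and x["scope"] == "Include subfolders"
                           and _under(x["path"], r["path"]) for x in rules)
            if (_covers(r, folder) or _under(r["path"], folder)) and not excluded:
                findings.append((r["path"], "encrypts " + folder))
    return findings

# Constructed rule set; key names are hypothetical.
SAMPLE_RULES = [
    {"path": "C:\\", "scope": "Include subfolders", "mode": "Encrypt", "key": "KEY_Finance"},
    {"path": r"C:\Program Files", "scope": "Only this folder", "mode": "Exclude", "key": None},
    {"path": "<User Profile>", "scope": "Include subfolders", "mode": "Encrypt", "key": "Personal Key"},
    {"path": r"D:\Shares\HR", "scope": "Include subfolders", "mode": "Encrypt", "key": ""},
]

if __name__ == "__main__":
    for path, finding in lint(SAMPLE_RULES):
        print(f"{path}: {finding}")
```

Because rule order is not relevant and rules from several policies are cumulated, run the check over the combined set of rules that will reach an endpoint, not over one policy at a time.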