Keys for data encryption

Users are assigned keys for the encryption of specific volumes when defining policies of the type Device Protection.

In a policy of the type Device Protection, you can specify the setting Key to be used for encryption for each medium.

Here you decide which keys a user can or must use for encryption:

  • Any key in user key ring

    After users have logged on to Windows, they can select the keys they would like to use to encrypt a particular volume. A dialog is displayed in which users can select the required key.

  • Any key in user key ring, except user key

    Users may not use their own personal key to encrypt data.

  • Any group key in user key ring

    Users may only select one of the group keys in their user key ring.

  • Defined machine key

    The defined machine key is the unique key generated exclusively for this computer by SafeGuard Enterprise during the first startup. The user has no other options. A defined machine key is typically used for the boot and system partition and for drives on which Documents and Settings are located.

  • Defined key on list

    This option allows you to define a specific key which the user must use for encryption. To specify a key for a user in this way, you must define a key under Defined key for encryption. The Defined key for encryption setting is displayed once you select Defined key on list.

    Click the [...] button next to Defined key for encryption to display a dialog in which you can specify a key. Make sure that the user also has the corresponding key.

    Mark the selected key and click OK. The selected key will be used for encryption on the endpoint computer.