5.7 Using the ZENworks Storage Encryption Solution

The ZENworks Storage Encryption Solution provides complete, centralized security management of all mobile data by actively enforcing a corporate encryption policy on the endpoint itself.

The ZENworks Storage Encryption Solution lets you do the following:

The following sections contain additional information:

5.7.1 Understanding the ZENworks Storage Encryption Solution

Data encryption is enforced on fixed disk volumes and removable storage devices through the creation and distribution of data encryption security policies.

When a data encryption policy is activated on an endpoint device, an encrypted Safe Harbor folder is added to the root directory of any fixed disk volumes on the endpoint. Any data stored in a Safe Harbor folder is encrypted. Attempts to read the data by anyone who is not an authorized user for that endpoint device are unsuccessful.

Any removable storage device connected to the endpoint device is encrypted. Data placed on the removable storage device is immediately encrypted and can only be read on endpoint devices in the same policy group. If desired, you can configure the policy to provide a sharing folder (the default name is Password Encrypted Files) on the removable storage devices. This folder enables users to share the folder’s files with persons outside their policy group via a password (see Data Encryption).

5.7.2 Sharing Encrypted Files

Each Management Console contains its own encryption key. Users assigned policies created by the same Management Console can access encrypted files created by each other. For example, if User A and User B are assigned data encryption policies created with the same Management Console, User A can log in to User B’s machine (as User A) and access User B’s encrypted files. User A can also read any files on an encrypted removable storage device supplied by User B.

Users assigned policies created by different Management Consoles cannot access each other’s fixed disk encrypted files unless you share (export and import) encryption keys between consoles. The same is true of files on an encrypted removable storage device, with the exception of files located in the Password Encrypted Files (shared) folder. For files located in the shared folder, the user must provide the access password.

If an endpoint device does not have the Security client installed, users of the device can access shared folder files from an encrypted removable device if 1) they have the ZENworks File Decryption Utility and 2) they know the file access password. For information about the File Decryption Utility, see Section 9.1, Using the ZENworks File Decryption Utility.
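The sharing rules in this section can be checked as a small decision model. The following is an added example, not ZENworks code: the class names, key IDs and password are constructed, operating system login to the endpoint is not modeled, and it assumes that shared-folder access depends on the password alone, because the section describes no other route into that folder.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

FIXED, REMOVABLE, SHARED = "fixed", "removable", "removable_shared"

@dataclass(frozen=True)
class Reader:
    # Key IDs reachable through the reader's policy: the issuing console's key
    # plus any keys imported from other consoles (hypothetical representation).
    console_keys: FrozenSet[str] = frozenset()
    has_security_client: bool = True
    has_decryption_utility: bool = False
    password: Optional[str] = None          # password the reader can supply

@dataclass(frozen=True)
class EncryptedFile:
    console_key: str                        # console whose policy encrypted the file
    location: str                           # FIXED, REMOVABLE or SHARED
    share_password: Optional[str] = None    # set only for SHARED files

def can_read(reader: Reader, f: EncryptedFile) -> bool:
    """Apply the Section 5.7.2 sharing rules to one reader and one file."""
    holds_key = reader.has_security_client and f.console_key in reader.console_keys
    if f.location in (FIXED, REMOVABLE):
        # Safe Harbor and ordinary removable-device files: console key only.
        return holds_key
    if f.location == SHARED:
        # Password Encrypted Files folder: needs a tool that can decrypt
        # (Security client or File Decryption Utility) and the password.
        # Assumption: same-key readers also go through the password.
        has_tool = reader.has_security_client or reader.has_decryption_utility
        knows = f.share_password is not None and reader.password == f.share_password
        return has_tool and knows
    raise ValueError(f"unknown location: {f.location}")

# Constructed sample data.
user_a = Reader(frozenset({"console-1"}))
user_c = Reader(frozenset({"console-2"}))
user_c_imported = Reader(frozenset({"console-2", "console-1"}))  # after key import
unmanaged = Reader(has_security_client=False, has_decryption_utility=True,
                   password="constructed-pass")
b_fixed = EncryptedFile("console-1", FIXED)
b_usb = EncryptedFile("console-1", REMOVABLE)
b_shared = EncryptedFile("console-1", SHARED, share_password="constructed-pass")

if __name__ == "__main__":
    for name, r in [("A", user_a), ("C", user_c), ("C+import", user_c_imported),
                    ("unmanaged", unmanaged)]:
        print(name, [can_read(r, f) for f in (b_fixed, b_usb, b_shared)])
```

The model makes the trust boundary explicit: every user whose policy comes from a console holding a given key can read that key's fixed disk and removable device files, so exporting a key to another console extends that access to all of its users.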