3.3 Data Encryption

When activated by policy, the Endpoint Security Client 4.0 manages the encryption of files placed in a specific directory on the endpoint and placed in removable storage devices.

The following instructions will assist you in using ZENworks Endpoint Security on the endpoint.

3.3.1 Managing Files on Non-System Volumes

Fixed disks are defined as all non-system volume drives installed on the computer, as well as any partitions of a hard-disk drive. Each fixed disk on the endpoint has a “Safe Harbor” folder (called Encrypted Files by default), located off the root directory of each non-system volume or drive. All files placed in this folder are encrypted using the current encryption key. Only authorized users on the computer can decrypt these files.

When saving a file, select the Safe Harbor folder from the available folders on the desired drive.

3.3.2 Managing Files on Removable Storage

Removable storage is defined as any storage device that is “connected” to a computer. This includes (but is not limited to) USB thumb drives, flash memory cards, and PCMCIA memory cards, along with traditional Zip, floppy, and external CD-R drives, digital cameras with storage capacity, and MP3 players.

When you are running ZENworks Endpoint Security, files stored on these devices are encrypted as they are accessed by the operating system or the user. Files copied to the device are immediately encrypted. When the removable storage device is connected to a computer not managed by the ZENworks Endpoint Security system, the files remain encrypted and cannot be decrypted.

Encryption of removable storage occurs at the insertion of the device (see What If I Don’t Want the Device Encrypted?). However, files added to an encrypted removable storage device on another machine are not encrypted, and must be encrypted manually.

The following sections contain more information.

Encrypting Files

To encrypt added files on a removable storage device:

  1. Plug the storage device into the appropriate port on your computer.

  2. Right-click the Endpoint Security Client icon in the taskbar.

  3. Select Encryption from the menu.

  4. Click Encrypt RSD. This encrypts all files on the removable storage device with the current encryption key.

    The amount of time needed to encrypt the files depends upon the amount of data stored on the device.

What If I Don’t Want the Device Encrypted?

When you insert a removable storage device, the Endpoint Security Client prompts you to choose whether to encrypt the drive or to remove it so that its files are not encrypted.

Figure 3-1 Encryption Warning when a New Device is Inserted

WARNING: To prevent encryption, remove the drive before clicking Continue. Click Continue either to encrypt the drive or to close the window after removing the device.

Password Encrypting Files

Your administrator can enable the Security client to create a Password Encrypted Files folder on any removable device that connects to your computer. This folder is named by your administrator; therefore, it might be named Password Encrypted Files or some other name.

When you add files to this folder, they are encrypted with a password that you supply. You can then access the files from any device that is not running the Security client. To decrypt the files, you need the ZENworks File Decryption utility and the encryption password. You must get the utility from your administrator.

For example, assume that you are working on encrypted files at work. You want to take the files home to work on them, but your home computer does not have the Security client installed. You copy the files to the Password Encrypted Files folder on your USB thumb drive, take the files home, then access them using the ZENworks File Decryption utility you got from your administrator.

To use the Password Encrypted Files folder:

  1. Move or save a file to the folder.

  2. At the password prompt, enter a password and confirmation password.

  3. Enter a hint for the password.

The Security client remembers the password and applies it to any new files that you add to the folder until you reboot your computer. Any time your computer reboots, the first time you add a file to the folder you are again prompted to supply a password.

Changing the Password to Files in the Shared Files Folder

You can use the Encryption control to change the password for files added to the Password Encrypted Files folder. This does not change the password of files already in the folder; it applies only to files added afterward.

To change the password:

  1. Plug the storage device into the appropriate port on your computer.

  2. Right-click the Endpoint Security Client icon in the taskbar.

  3. Select Encryption from the menu.

  4. Click Clear Password.

  5. Drag a file to the Shared Files folder and enter the new password and hint.

All new files added to the folder now require the new password for access.

Using the File Decryption Utility

To use the File Decryption utility:

  1. Plug the storage device into the appropriate port on your computer.

  2. Open the File Decryption Utility (stdecrypt.exe).

  3. Click the Advanced button.

  4. In the Source panel, select Password Protected Only.

  5. In the Source panel, click Browse, navigate to the storage device’s Password Encrypted Files directory, select the desired file, then click Save.

    or

    To decrypt the entire Password Encrypted Files directory rather than a single file, select Directories, then browse to and select the appropriate directory.

  6. In the Destination panel, click Browse to select the folder on the local machine where the decrypted files will be stored.

  7. Click Decrypt.

  8. Enter the password to decrypt the file.

    If you selected the entire directory, the files may not all have the same password. You are prompted each time the utility attempts to open a file that has a different password.

You can monitor the progress of the decryption by clicking the Show Progress button.