10.7 Data Encryption

The Data Encryption settings determine whether file encryption is enforced on the endpoint device and what type of encryption is available. Data can be encrypted to permit file sharing (with password protection), or encrypted data can be restricted so that it is readable only on computers running the Storage Encryption Solution.

Encryption is available only on supported releases of Windows XP, Windows Vista, and Windows 7 (see Client Requirements in the ZENworks Endpoint Security Management 4.1 Installation Guide). The encryption portion of the security policy is ignored on devices that do not meet the requirement.

WARNING: If you enable encryption on an endpoint device and subsequently want to disable it, make sure that all data stored in encrypted folders is extracted by the user and stored in another location before you disable encryption. In addition, you should export the encryption keys in case any orphaned encrypted files remain; the encryption keys can be used with the decryption utility to decrypt the files. For help exporting the encryption keys, see Section 7.1, Exporting Encryption Keys. For help using the decryption utility, see Section 24.0, ZENworks File Decryption Utility.

10.7.1 Configuring the Data Encryption Settings

  1. Make sure the policy you want to configure is open in the Management Console (see Section 10.1, Accessing the Global Settings).

  2. On the Global Policy Settings tab, click Data Encryption.

  3. Configure the settings as desired:

    • Enable Data Encryption: Select this option to enable data encryption on a device.

      Encryption keys are distributed to all machines that receive security policies regardless of whether data encryption is enabled or not. However, this option instructs the Security Client to activate its encryption drivers, which allows users to read files sent to them without requiring the File Decryption utility. See Section 24.0, ZENworks File Decryption Utility for more details.

      • Policy password to allow decryption: Specify a password if you want to require users to enter the password prior to decrypting any encrypted files stored in their Safe Harbor folders. This is an optional setting. Leave it blank to not require the password.

    • Enable “Safe Harbor” encrypted folder for fixed disks: Generates a folder, named Encryption Protected Files, at the root of all volumes on the endpoint. All files placed in this folder are encrypted and managed by the Security Client. Data placed in this folder is automatically encrypted and can only be accessed by authorized users on this machine.

      The folder name can be changed by clicking in the Folder Name field, selecting the current text, and specifying the name you want.

      • Encrypt User’s “My Documents” Folder: Select this option to encrypt all files in the user’s My Documents folder. As with the Safe Harbor folder, data placed in this folder is automatically encrypted and can only be accessed by the authorized user on the machine. If multiple users share the same machine, only the owner of the My Documents folder can access the folder’s documents.

      • Allow user specified folders: Select this option to allow users to select which folders on their computer are encrypted. This is for local folders only; no removable storage devices or network drives can be encrypted.

    • Enable encryption for removable storage devices: All data written to removable storage devices from an endpoint protected by this policy is encrypted. Users with this policy on their machines are able to read the data; therefore, file sharing via removable storage device within a policy group is available. Users outside this policy group cannot read the files encrypted on the drive, and can only access files within the Password Encrypted Files folder (if activated) with a provided password.

      • Enable encryption via user-defined password: This setting gives the user the ability to store files in a Password Encrypted Files folder on the removable storage device (this folder is generated automatically when this setting is applied).

        When a user adds files to this folder, the files are encrypted with a password that the user supplies. The user can then access the files from any device that is not running the Security Client. To decrypt the files, the user needs the File Decryption utility and the encryption password. You must supply this utility to the user; it is not part of the Security Client. See Section 24.0, ZENworks File Decryption Utility.

        For example, assume that John is working on encrypted files at work. He wants to take the files home to work on them, but the home computer does not have the Security Client installed. John copies the files to the Password Encrypted Files folder on a USB thumb drive, takes the files home, then accesses them through the ZENworks File Decryption utility you provided.

        If desired, you can change the default folder name (Password Encrypted Files) to another name.

      • Require strong password: This setting forces the user to set a strong password for the Password Encrypted Files folder. A strong password requires the following:

        • Seven or more characters

        • At least one of each of the four types of characters:

          • Uppercase letters from A to Z

          • Lowercase letters from a to z

          • Numbers from 0 to 9

          • Special characters from the set ~!@#$%^&*()+{}[]:;<>?,./

        For example: y9G@wb?

    • Force client reboot when required: On Windows XP, the endpoint must reboot to enable encryption and then reboot a second time to place designated safe harbors into encryption. Any subsequent changes to the safe harbors (adding or removing) also require a reboot. On Windows Vista and Windows 7, no reboots are required.

      Select this option to force the required reboots by displaying a countdown timer, warning the user that the machine will reboot in the specified number of seconds. The user has that amount of time to save work before the machine reboots.

  4. Click Save Policy to save your changes.
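The strong-password rule described under Require strong password in step 3, as an added example that is not part of the original guide or of the ZENworks product: a Python check applying the seven-character minimum and the four character classes, using exactly the special-character set listed above. The sample passwords are constructed; the product's own validator is not shown here.

```python
import string

# Special characters accepted by the "Require strong password" rule, copied
# from the policy description; note that '-' and '_' are NOT in the set.
SPECIAL_CHARS = frozenset("~!@#$%^&*()+{}[]:;<>?,./")
MIN_LENGTH = 7


def check_strong_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password
    meets the guide's definition of a strong password."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("no uppercase letter A-Z")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("no lowercase letter a-z")
    if not any(c in string.digits for c in password):
        failures.append("no digit 0-9")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from the allowed set")
    return failures


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not check_strong_password(password)


if __name__ == "__main__":
    # Constructed samples: the guide's own example plus common near-misses
    # (too short, no uppercase, and a '-' that does not count as special).
    for pw in ["y9G@wb?", "y9G@wb", "passw0rd!", "Abcdef1-"]:
        problems = check_strong_password(pw)
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{pw!r:12} {verdict}")
```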

10.7.2 Data Encryption Performance Impact

Encrypting and decrypting data on a fixed disk or removable storage device adds time to standard file operations such as saving and copying. For example, users can expect the following operations to require more time with encryption enabled:

  • Copying files or folders to an encrypted removable storage device.

  • Saving files from an application to an encrypted removable storage device.

  • Copying files or folders from an encrypted removable storage device to a safe harbor on a fixed disk (and vice-versa).