A.3 Data Encryption Policy

The following instructions assume that you are on the Configure Data Encryption Settings page in the Create New Data Encryption Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing Data Encryption policy (see Section 13.0, Editing a Policy’s Details).

The Data Encryption policy lets you configure the data encryption settings applied to a device. You can enable encryption for one or more locations on the device’s fixed disk, enable encryption of removable storage devices (RSDs) attached to the device, and provide additional security through passwords.

Refer to the following sections for policy details:


A.3.1 General Information

As you configure Data Encryption policies and apply them to devices, be aware of the following:

  • The Data Encryption policy is a device-only policy. It cannot be assigned to users.

  • The Data Encryption policy does not support inheritance. The Data Encryption policy that is assigned closest to the device becomes the effective policy for the device. For example, if a Data Encryption policy is assigned to a device and to a group in which the device is a member, the device-assigned policy becomes the effective policy and the policy assigned to the device group is ignored.

  • The first time a Data Encryption policy is applied to a device, the device must be rebooted to enable the encryption drivers. Data encryption does not occur until after this reboot. Subsequent updates to the same policy do not require a reboot. In addition, if you remove the policy from a device and apply a new (different) Data Encryption policy before the device reboots, no reboot is required because the encryption drivers are still loaded. However, if a reboot occurs between removal of the first policy and application of the second policy, the encryption drivers are disabled and a reboot is required to enable the drivers again.

    When facilitating the reboot, the Endpoint Security Agent applies the reboot behavior defined for the ZENworks Adaptive Agent feature installation (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent > Reboot Behavior). The one difference is that the forced reboot for a Data Encryption policy occurs after 2 minutes rather than after the 5 minutes stated for agent feature installation.

  • If you decide to remove a Data Encryption policy from a device, it is strongly recommended that the device’s user decrypt files prior to removal of the policy. For more information, see Section 21.0, Removal Best Practices.

  • If the policy is removed from a device, the device must be rebooted to disable the encryption drivers. The reboot behavior is determined the same way as stated in list item 3 above.

A.3.2 Enable Policy Password to Allow Decryption

By default, any user who successfully logs in to Windows on a device can access the encrypted files on the device. Select this option to require users to also enter a decryption password when the Endpoint Security Agent starts (typically at Windows startup). This password provides an extra layer of security that applies to encrypted files both in fixed disk locations and on removable storage devices.

After you enable the option, the following settings are available:

  • Administrative Decryption Password: Click Change to specify the decryption password. This password enables users to decrypt files on any device to which the policy is applied. You should use a strong password that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • Uppercase letters from A to Z

      • Lowercase letters from a to z

      • Numbers from 0 to 9

      • Special characters from this set: ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: y9G@wb?

  • Allow User Defined Secondary Decryption Passwords: Select this option to allow a user to specify a personal decryption password for the device. This password supplements the administrative password. When prompted for the decryption password, a user can enter his or her personal password or the administrative password.

    For best security practices, we recommend that you enable the secondary decryption password. The administrative decryption password can be used on all devices to which this policy is applied. If you distribute it to users, they can decrypt files on their own device and on any other devices covered by this policy. A user’s personal (secondary) decryption password can only be used on his or her device.

    IMPORTANT: If you change a published Data Encryption policy and republish it, the user’s secondary decryption password is reset and the user is prompted to define the password again.

  • Require strong password: Select this option to force users to define a password that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • Uppercase letters from A to Z

      • Lowercase letters from a to z

      • Numbers from 0 to 9

      • Special characters from this set: ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: qZG@3b!

A.3.3 Enable “Safe Harbor” Encryption for Fixed Disks

Select this option to enable encryption of data on a device’s fixed disks. A fixed disk is any hard disk installed on the device. If a hard disk is partitioned, each partition is considered a fixed disk.

The Endpoint Security Agent does not encrypt entire fixed disks. Instead, it encrypts files that are stored in designated folders on the fixed disks. These folders are called Safe Harbor folders, or Safe Harbors.

  • Safe Harbor Locations: Specify the fixed disk locations (folders) that you want encrypted. The Endpoint Security Agent encrypts all files stored in a Safe Harbor folder. If the folder already exists, the Endpoint Security Agent turns it into a Safe Harbor folder and encrypts any files that already reside in the folder. If the folder doesn’t exist, the agent creates the folder.

    Be aware of the following when designating Safe Harbors:

    • It is strongly recommended that you do not define folders such as My Documents, My Music, My Pictures, and My Videos as Safe Harbor folders. These folders are the default folders for many applications. Making them Safe Harbors could result in the encryption of many files that you don’t want encrypted, negatively impacting the overall performance of your applications and computer.

    • The Windows and Program Files folders (and subfolders) are blocked by the Endpoint Security Agent from being included as Safe Harbors. If you specify them in the policy, they are not added as Safe Harbors on the device.

    • If you specify a folder path that contains an invalid directory name, the Safe Harbor folder is not created. For example, con is a reserved directory name in Windows and is therefore invalid. If you specify encrypted_files\con\documents, the Safe Harbor folder is not created.

    To specify a location, click Add, specify the location in the Folder Location field, then click OK. The path is relative to the root of each fixed disk partition; do not include a drive letter.

    For example, if you specify Encryption Protected Files as a Safe Harbor folder, the Endpoint Security Agent creates the folder on each fixed disk (C, D, and so forth) on the device.

  • Allow users to specify Safe Harbor locations: Select this option to allow users to specify folders that they want to use as Safe Harbor locations. This applies to folders on the local fixed disk only, not removable devices or network drives.

  • Integrate Safe Harbor locations with Windows Explorer: Select this option to provide users with better access to their Safe Harbors by exposing the Safe Harbor locations in Windows Explorer. The locations appear in the Favorites list and in the Send to list.

    In the Favorites list, all Safe Harbor locations are displayed under a single ZENworks Encrypted Folders entry in the list; users click the ZENworks Encrypted Folders link to access the Safe Harbor locations.

    In the Send to list, each Safe Harbor location is displayed in the list.
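The constraints on Safe Harbor paths above (root-relative, no reserved directory names, Windows and Program Files trees refused, default document folders discouraged) are easy to get wrong when typing into the Folder Location field. The following Python function is an added example, not ZENworks code, that pre-checks a candidate path against those rules. The page names only con as a reserved name; the check uses the full Windows reserved device-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and also treats a reserved name with an extension, such as con.txt, as invalid, which is how Windows has traditionally handled it.

```python
import re

# Windows reserved device names; a path component with one of these names
# (with or without an extension) cannot be created as a directory.
# The page's own example of an invalid component is "con".
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

# Trees the Endpoint Security Agent refuses to turn into Safe Harbors (from the page).
BLOCKED_ROOTS = {"windows", "program files"}

# Default application folders the page recommends against using as Safe Harbors.
DISCOURAGED = {"my documents", "my music", "my pictures", "my videos"}


def check_safe_harbor(path: str):
    """Validate a candidate Safe Harbor folder path.

    Returns (ok, errors, warnings). An error means the agent would not create
    the folder or would ignore it; a warning is the page's performance advice.
    """
    errors, warnings = [], []
    p = path.strip().replace("/", "\\")
    if not p:
        return False, ["empty path"], warnings

    # The path is relative to the root of every fixed disk partition, so a
    # drive letter or UNC prefix has no meaning in the policy.
    if re.match(r"^[A-Za-z]:", p) or p.startswith("\\\\"):
        errors.append("path must not start with a drive letter or UNC prefix; "
                      "it is relative to the root of each partition")
        p = re.sub(r"^[A-Za-z]:", "", p)

    parts = p.strip("\\").split("\\")
    if any(c in ("", ".", "..") for c in parts):
        errors.append("path contains an empty, '.' or '..' component")

    for component in parts:
        # 'con' and 'con.txt' are both reserved: compare the stem, case-insensitively.
        stem = component.split(".")[0].strip().upper()
        if stem in RESERVED_NAMES:
            errors.append(f"reserved directory name {component!r}: folder would not be created")

    if parts and parts[0].lower() in BLOCKED_ROOTS:
        errors.append(f"{parts[0]!r} tree is blocked by the agent and is ignored in the policy")

    for component in parts:
        if component.lower() in DISCOURAGED:
            warnings.append(f"{component!r} is a default application folder; "
                            "encrypting it may hurt application performance")

    return not errors, errors, warnings


if __name__ == "__main__":
    # Constructed sample inputs, including the page's own examples.
    for candidate in ["Encryption Protected Files", r"encrypted_files\con\documents",
                      r"Windows\Temp", r"C:\Secure", "My Documents"]:
        print(f"{candidate!r} -> {check_safe_harbor(candidate)}")
```

Run the check over a policy's intended folder list before publishing it; an entry that fails silently on the device (blocked tree, reserved name) otherwise leaves files unencrypted with no visible error in the policy editor.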

A.3.4 Enable Encryption for Removable Storage Devices

Select this option to enable data encryption on removable storage devices (RSDs). When the policy is applied to a device, the Endpoint Security Agent encrypts all data stored on any removable storage device connected to the device.

Removable storage devices include, but are not limited to, USB thumb drives, flash and PCMCIA memory cards, ZIP drives, floppy drives, external CD-R drives, digital cameras, and MP3 players.

A device can access encrypted files on any removable storage devices encrypted by other devices in the same ZENworks Management Zone. This is because all devices within a zone receive all encryption keys for the zone. For example, if Laptop1 and Laptop2 are in the same zone, any files encrypted to a removable storage device on Laptop1 can be accessed on Laptop2.

After you enable encryption for removable storage devices, the following options are available:

  • Enable encryption via user-defined password: Files are always key-encrypted; key encryption enables them to be read on any managed device within your ZENworks Management Zone. You can select this option to enable password encryption of the files as well. Each user supplies their own password to use for the encryption.

    The advantage to password-encrypted files is that they can be read on non-managed devices (no Endpoint Security Agent installed) by using the ZENworks File Decryption utility and supplying the encryption password. To distribute the ZENworks File Decryption utility, you can have it automatically added to each removable storage device (see Copy standalone decryption tool to removable storage devices below).

    You can enable password encryption of all files added to a removable storage device, or you can specify that only files added to a specific folder are password encrypted. Select one of the following options:

    • Apply password encryption to the entire device: All files saved to the removable storage device are password encrypted.

    • Apply password encryption to this folder only: Only files saved to the specified folder are password encrypted. Specify the folder name without a drive letter (for example, EncryptedFiles). The specified folder is created on the root of the removable storage device. Folder paths are not supported (for example, documents\EncryptedFiles).

  • Require strong password: Select this option to force users to define a password that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • Uppercase letters from A to Z

      • Lowercase letters from a to z

      • Numbers from 0 to 9

      • Special characters from this set: ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: y9G@wb?

  • Copy standalone decryption tool to removable storage devices: The ZENworks File Decryption utility is required to decrypt the password-encrypted files on non-managed devices. Select this option to have the decryption utility copied to removable storage devices so that it is readily available to users.
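The same seven-character, four-class password rule appears three times on this page: for the Administrative Decryption Password and the Require strong password option in A.3.2, and for the Require strong password option in A.3.4. The following Python functions are an added example, not part of the ZENworks product or this documentation; they check a candidate password against that rule exactly as stated, using the page's special-character list (the trailing quotation mark in that list is taken to be the straight double quote, which is an assumption). The check makes one consequence of the rule visible: characters outside the four classes, such as the underscore or a space, are not forbidden but count toward none of them, so Passw0rd_ fails.

```python
# Special characters accepted by the policy, exactly as listed on this page.
# The final character is assumed to be the straight double quote.
SPECIAL_CHARS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')
MIN_LENGTH = 7


def character_classes(password: str) -> dict:
    """Report which of the four required character classes are present.

    The page defines the classes as A-Z, a-z, 0-9 and its special-character
    list, so explicit range checks are used rather than str.isupper()/isdigit(),
    which would also accept non-ASCII letters and digits.
    """
    return {
        "uppercase": any("A" <= c <= "Z" for c in password),
        "lowercase": any("a" <= c <= "z" for c in password),
        "digit": any("0" <= c <= "9" for c in password),
        "special": any(c in SPECIAL_CHARS for c in password),
    }


def unmet_requirements(password: str) -> list:
    """List the requirements the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters (got {len(password)})")
    for name, present in character_classes(password).items():
        if not present:
            problems.append(f"at least one {name} character")
    # Characters belonging to no class do not help satisfy the rule; name them
    # so that a rejection such as Passw0rd_ is understandable to the user.
    uncounted = sorted({c for c in password
                        if not ("A" <= c <= "Z" or "a" <= c <= "z"
                                or "0" <= c <= "9" or c in SPECIAL_CHARS)})
    if problems and uncounted:
        problems.append("characters counting toward no class: "
                        + " ".join(repr(c) for c in uncounted))
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies the page's strong-password rule."""
    return not unmet_requirements(password)


if __name__ == "__main__":
    # Constructed samples: the page's two examples plus three near misses.
    for pw in ["y9G@wb?", "qZG@3b!", "y9G@wb", "Passw0rd_", "y9g@wb?!"]:
        print(f"{pw!r:14} -> {unmet_requirements(pw) or 'OK'}")
```

Note that the rule is a minimum complexity bar, not a measure of strength: a seven-character password drawn from these classes is well within reach of an offline guessing attack if an attacker obtains the encrypted material, so treat the administrative decryption password as a high-value shared secret and prefer longer passwords than the minimum.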