I am setting up content encryption and I am wondering exactly how to set this up.
Here is the effect I want:
** When a flash drive is plugged into the USB port, I want it to encrypt any files on the drive as well as encrypt any files that are written to the drive.
** I also want the user to be able to right-click the removable drive or any files on the drive and 'decrypt' or 'encrypt' them manually.
The problem I am having is this. In my policy settings, under Removable Media, if I choose to "Enable Removable Media Encryption Controls" it takes away the ability to manually decrypt these drives.
I assume these options are taken away because it is set by policy somewhere else to already encrypt these drives, but I can't find where. If I leave this option unchecked, it gives my users the ability to manually decrypt. To me this just seems contradictory, but I am sure there is a good explanation for it that I just can't seem to find, lol.
Your policy is set to encrypt removable media, and make sure you don't have "Ignore existing content" checked. You will also need to check the boxes "Explicit Encrypt" and "Explicit Decrypt", but keep in mind that when you explicitly decrypt ON the removable media, it will just be re-encrypted by policy. To decrypt something that was encrypted by way of moving it to removable media, you have to move the file off the removable media and then do a decrypt.
This is by design as we want to be policy driven, not user driven.
Where is my policy set to encrypt removable media? Are you referring to my CE policy or my DE policy? The only places in MEE that mention removable media at all are the machine properties and the option I talked about in the original post.
I have the machine properties set to never encrypt removable media, and all the options you mentioned are set properly too. It just greys out the option to manually decrypt the drive unless I uncheck the option to "enable" removable media controls.
I guess the wording of the option is just a little tricky to me, lol.
Sorry, I had the wording wrong. I am referring to the CE policy. You will not use the Devices tab for CE, only the Policies tab. You can't actually decrypt the "drive" under this CE policy, just the files on the drive, and yes, this will be greyed out. You need to move the file to your local disk and right-click / Decrypt.
I would set CE to encrypt new files pushed to the media, but ignore existing content. Any data they are taking off your corporate computers should therefore be considered company property. If they copy their kids' pictures to the USB while at home, then bring them into work, fine. If they start their college paper at home, then try to edit it at work, it should encrypt it. Any data created or edited from a corporate asset should then become property of the company.
At some point you have to tell your users to do their home stuff at home, because work time and resources are for cranking out work for the company. Once you get your upper management to agree to it and it is part of company policy, just forward that segment to anyone who cries about their encrypted homework or kids' pictures.
If the company or organization has a mandate to encrypt and protect all data on removable media, and EE Files and Folders policies are implemented, I would set it up like this:
1. Set "Never encrypt" for Removable Devices under the Machine Group Properties.
2. Check "Allow creation of Self-Extractor" in the General properties of the EE Files and Folders Policy. No need to check "Allow explicit Encrypt (and Decrypt)".
3. In Removable Media properties, check "Enable removable media encryption controls" and also check "Auto Create Self-Extractors of files put on media through the Explorer".
4. Leave "Ignore Existing content on media" unchecked. The user will still have the option to make the existing files Self-Extracting.
Now you are faced with everything that is put on the removable media becoming a Self-Extractor. I suggest checking "Ask user if files put on media shall become Self-Extractors". This will give the user the option to create and set a password for the file to be shared on another PC, or the user can choose "No" and the file is put on the thumb drive encrypted.
Now the biggest problem I see is user error. They will forget the passwords they set on the files they wish to share. As stated in previous posts, users should just leave their personal stuff at home if possible. I agree with the statement that you cannot have your cake and eat it too.
I think it depends on whether the policy is "encrypt all stuff on removable media (for legal reasons)" or "give the user the choice to store stuff on removable media protected or unprotected, depending on how they are feeling".