1 2 Previous Next 11 Replies Latest reply on Sep 15, 2009 9:56 AM by SafeBoot

    Removable Media and Content Encryption

    mwilke
      I am running the newest build 5500

      I am setting up content encryption and i am wondering exactly how to set this up.

      Here is the effect i want:

      ** When a flash drive is plugged into the USB port, i want it to encrypt any files on the drive as well as encrypt any files that are written to the drive.

      ** I also want the user to be able to right click the removable drive or any files on the drive and 'decrypt' or 'encrypt' them manually.

      The problem i am having is this. In my policy settings, under Removable Media, if i chose to "Enable Removable Media Encryption Controls" it takes away the ability to manually decrypt these drives.

      I assume these options are taken away because it is set by policy somewhere else to already encrypt these drives but i cant find where. If i leave this option unchecked, it gives my users the ability to manually decrypt. I guess to me this just seems contradictory but i am sure there is a good explanation for this but i just cant seem to find it lol.

      Any ideas?
        • 1. RE: Removable Media and Content Encryption
          Your policy is set to encrypt removable media and make sure you don't have the "ignore existing content" checked. You will also need to check the boxes "explicit encrypt" and "explicit decrypt" but keep in mind, when you explicitly decrypt ON the removable media, it will just re-encrypt it by policy. to decrypt something that was encrypted by way of moving to removable, you have to move the file off removable and then do a decrypt.

          This is by design as we want to be policy driven, not user driven.
          • 2. RE: Removable Media and Content Encryption
            mwilke
            Where is my policy set to encrypt removable media? Are you refering to my CE policy or my DE policy? The only places in MEE at all that it mentions removable media is on the machine properties and the option i talked about in the original post.

            I have the machine properties set to never encrypt removable media and then all the options you mentioned are set properly too. It just grays out the option to manually decrypt the drive unless i uncheck the option to "enable" removable media controls.

            I guess the wording of the option is just a little tricky to me lol
            • 3. RE: Removable Media and Content Encryption
              Sorry, I had the wording wrong. I am refering to CE policy. You will not use the devices tab for CE, only the policies tab. you can't actually decrypt the "drive" under this CE policy, just the files on the drive. and yes, this will be grey'd out. You need to move the file to your local disk and right click / decrypt

              • 4. RE: Removable Media and Content Encryption
                I don't think what you want is permitted - if you set removable media encrypt on, it encrypts the removable media (thus giving you safe harbor protection).

                if the user had the chance to store stuff on the stick unprotected, you wouldn't be able to claim safe harbor any more as you wouldn't know if the data was protected or not?

                If you need to be able to share secret data with third parties, why not use the option to create self-decrypting files instead?
                • 5. RE: Removable Media and Content Encryption
                  mwilke
                  I can see where you are coming from on this one SafeBoot.

                  In the past, we have had people who plug in their thumb drives and then it encrypts the files on the thumbdrive and then they would raise all kinds of havoc saying they needed their files bla bla bla.

                  managment wouldnt let us disable the usb ports because people needed to use them but at the same time wanted us to encrypt files that went off the laptop onto said thumb drives.

                  I guess managment needs to understand that they cant have their cake and eat it too huh? lol
                  • 6. RE: Removable Media and Content Encryption
                    I would set CE to encrypt new files pushed to the media, but ignore existing content. Any data they are taking off your corporate computers should therefore be considered company property. If they copy their kids pictures to the USB while at home, then bring them into work, fine. If they start their college paper at home, then try to edit it at work, it should encrypt it. Any data created or edited from a corporate asset, should then become property of the company.

                    At some point you have to tell your users to do their home stuff at home, because work time and resources is for cranking out work for the company. Once you get your upper management to agree to it and it is part of company policy, just forward that segment to anyone who cries about their encrypted homework or kids pictures.
                    • 7. RE: Removable Media and Content Encryption


                      Don't forget there's a policy option to only encrypt new files, leaving existing stuff unprotected. You can also make the sticks read only if that helps.
                      • 8. RE: Removable Media and Content Encryption
                        If the company or organization has a mandate to encrypt and protect all data on removable media and EE Files and Folders policies are implemented I would set it up like this:

                        1. Set "Never encrypt" for Removable Devices under the Machine Group Properties.
                        2. Check "Allow creation of Self-Extractor" in the General properties of the EE Files and Folders Policy. No need to check "Allow explicit Encrypt (and Decrypt)"
                        3. In Removable Media properties check "Enable removable media encryption controls" and also check "Auto Create Self-Extractors of files put on media through the Explorer"
                        4. Leave the "Ignore Existing content on media" unchecked. The user will still have the option to make the existing files Self-Extracting.

                        Now you are faced with everything that is put on the removable media becoming a Self- Extractor. I suggest checking "Ask user if files put on media shall become Self-Extractors". This will give the user the option to create and set a password for the file to be shared on another pc or the user can choose "No" and the file is put on the thumb drive encrypted.

                        Now the biggest problem I see is user error. They will forget the passwords they set on the files they wish to share. As stated on previous posts that the users should just leave their personal stuff at home if possible. I agree with the statement you cannot have the cake and it too.
                        • 9. RE: Removable Media and Content Encryption
                          I think it depends on whether the policy is "encrypt all stuff on removable media (for legal reasons)", or "give the user the choice to store stuff on removable media protected or unprotected, depending on how they are feeling".
                          1 2 Previous Next