Using the SEE RME Recovery Certificate with Symantec Endpoint Encryption


Article ID: 151432


Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Content that is encrypted to a user's removable devices is always accessible to that user, or to a user who knows the password.

In the unfortunate event that a user forgets their password, a recovery certificate can be used within the organization and can be assigned in individual policies on the SEE Management Server.

This article will cover how the Recovery Certificate is used for SEE Removable Media Encryption.

Resolution

 

When a SEE Client is created, a Recovery Certificate can be used and embedded into the configuration.  When this is done, even if a system does not communicate with the SEE Management Server, data encrypted to removable devices can be recovered.  When a SEE Client is configured, and the SEE Client does not have a chance to check in with a server, the "Local Policy" will be used.   Any files encrypted by SEE RME will be encrypted to the user's password or certificate, in addition to the Recovery Certificate. 

When a SEE Client checks in with the SEE Management Server, the Recovery Certificate associated to the machine's Group policy will then be used to encrypt any content going forward. 

In these scenarios, the Recovery Certificates are used whenever files are encrypted as they are copied to the device, and they provide another way to access the data should the certificate and/or password that the user used to encrypt the file be lost.


Caution: The holders of the Recovery Certificate should take great effort to safeguard these recovery files as they can be used to decrypt content associated to the SEE Client Local Policy or Server policies.
These Recovery Certificates should be stored in a physical location that is not generally accessible and should be carefully backed up.



Section 1 of 3: Copy the Recovery Certificate to the Machine you will Perform SEE RME Recovery on

Step 1: First, the recovery should be performed on a machine where the Recovery Certificate keypair/private key resides.


In this example, we have a Recovery Certificate that was placed on a USB drive and subsequently stored in a physical safe within the organization.  The digital file does not reside anywhere else.  Access to the safe is provided to only certain individuals and the password is recorded in a secure method that only authorized users have access to.

Due to these strict security protocols, access to the physical safe and physical USB drive needed to be provided.  


Step 2: The USB drive is then plugged in to the system where the recovery will be taking place.  The certificate should then be imported into the certificate store for the user performing the recovery.

In this example, we will use the Certificate Import Wizard:

Note the name of the file is "RME-Recovery-Cert-Primary-KEYPAIR.pfx" (the PFX extension denotes that this is a keypair):

Next, to use the Recovery Certificate, the password must be entered:

In this example, we will import to the "Personal" keystore:

Review the information and click Finish to import the Recovery Certificate:

The certificate should then import:


You can check your certificate store for the Recovery Certificate (certmgr.msc):

With the keypair in place, you can now start decrypting files as needed with the SEE RME Access Utility.

 



Section 2 of 3: Use the RemovableMediaAccessUtility or Full SEE RME Application and Recovery Certificate to recover data encrypted on removable devices

Step 1: Copy the files to be recovered to the workstation which also has the SEE Removable Storage Access utility

If the full SEE RME program is installed on the system to perform recovery, these steps will be very similar. 


Tip: You could protect your Recovery Certificate by placing it on a smart card, such as an Axalto smart card.  Smart cards are typically a very secure method of storing digital certificates because policies can be put in place that do not allow the keypair to be exported. This article will not use the smart card recovery method, but if you do, you will use the Recovery Certificate (including the associated private key) that is stored on the smart card, on a recovery workstation that has been configured with the Axalto software and a smart card reader.

Step 2: Launch the RemovableMediaAccessUtility application.  In this example, we have two files we will be decrypting (testingRMEPolicy.txt and testingRMEPolicy2.txt):

 

Step 3: We will highlight and right-click the two files we want to decrypt in this example, and choose "Decrypt to location...":

 

Step 4: Next, choose the location you want the decrypted files to be saved to.  In this example, the name of the Windows User is "RMERecover", so we will save to the user's home folder:

Step 5: Click OK to the above dialog and the following message will be displayed indicating the files have been decrypted:

As you can see, there was no need to enter a passphrase.  Because the Recovery Certificate has been imported, and these files were also encrypted to this recovery certificate, they are decrypted immediately and placed in the designated output location.

Now you should be able to access the decrypted content:

 

Tip: If you are using a smartcard, you will be prompted for your PIN.  Enter the PIN and then decryption should take place. 

 

Step 6: Now that we have decrypted the files needed, we will delete the Recovery Certificate keypair from the certificate store.  

In this example, we imported the Recovery Certificate into the "Personal" key store so we will browse to that location again in the certificate manager.

Right-click on the Recovery Certificate and select "Delete". The following message will appear:

The certificate should now be removed from the Personal keystore:

Note: It is okay to leave the Organization Root CA in the certificates as only the public portion exists here, but to be thorough, you can also delete this from your Personal Store.


Step 7: Now take the USB drive that has the Recovery Certificate and put it back in the organization's safe.
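
The import in Section 1, Step 2 and the cleanup in Section 2, Step 6 can also be scripted. The following is an added example, not part of the original article or of the SEE tooling. It assumes the USB drive is mounted as F: and that the built-in Windows PKI cmdlets are available:

```powershell
# Added example. F: is an assumed drive letter; the file name is the one
# used in this article.
$pfxPath = 'F:\RME-Recovery-Cert-Primary-KEYPAIR.pfx'
$store   = 'Cert:\CurrentUser\My'   # the current user's "Personal" store

# Prompt for the PFX password so it never appears in the script or history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import without -Exportable so the private key is marked non-exportable
# in this workstation's store.
$imported = @(Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation $store -Password $pfxPassword)

# Confirm the keypair, not just a public certificate, was imported.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was imported from $pfxPath."
}
'Imported {0} ({1}), expires {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Perform the recovery with the RemovableMediaAccessUtility, then continue.
Read-Host -Prompt 'Press Enter once decryption is finished' | Out-Null

# Remove the certificate together with its private key. -DeleteKey is a
# dynamic parameter added to Remove-Item by the certificate provider.
$certPath = "$store\$($cert.Thumbprint)"
Remove-Item -Path $certPath -DeleteKey

# Verify that nothing with that thumbprint remains in the Personal store.
if (Test-Path -Path $certPath) {
    throw "Certificate $($cert.Thumbprint) is still present in $store."
}
'Recovery Certificate and private key removed from the Personal store.'
```

Recording the thumbprint printed at import gives a value to check against the certificate store after the USB drive has been returned to the safe.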

 

Section 3 of 3: Use the RemovableMediaAccessUtility and Recovery Certificate to (Remotely) recover data encrypted from encrypted devices


In this scenario, the user has some data on a USB drive, but the administrator is not able to have the user provide the USB drive to them to decrypt.  In this case, you can do a "Remote" recovery in which the user copies the data needing to be decrypted to a location the administrator has access to, and the administrator then decrypts the content and provides it back to the user.


Step 1:
In this example, we have files on the user's USB drive "E:" that have been encrypted and the user is unable to decrypt.
On the user's machine where SEE RME is installed (Not just the Access utility), highlight all the data they wish to recover.
From the context menu select "Symantec Encryption", and "Copy encrypted files".

This special context menu is used because it performs the copy in a secure-copy method directly from the SEE RME application.


Step 2: Have the user then copy the data to a remote location the administrator will have access to. 

In this example, the admin has a folder designated "Remote RME Recovery" and the user has access to copy to this location. 

The user right-clicks in the "Remote RME Recovery" folder, and selects "Symantec Encryption", and then "Paste encrypted files":

Again, this will paste the encrypted files in a secure-paste method directly from the SEE RME Application.

 

Step 3: The SEE Administrator then locates the folder "Remote RME Recovery".


In this case, the admin decided to make a copy of all the data before attempting to decrypt, and the decryption will be performed on the "copy" of the data.

Step 4: Now with the copy, open the RemovableMediaAccessUtility application and then drag-and-drop the folder into the left pane:

If the administrator has not yet set up a Default password, this may prompt to enter one.  Once entered, the copy will take place with the access utility.
Once this is finished, the folder will appear in the RemovableMediaAccessUtility shelf as shown in the screenshot above.

Step 5: Now the administrator can right-click all the files needing to be decrypted, and select the option to "Decrypt to location...":

In this case, we'll decrypt to the "DecryptHere" folder:

Once finished, the administrator can then provide the decrypted files to the user.

 

For additional information, see the following RME FAQs article:

222689 - Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information