PGP File Share enables specific users to share protected files in a shared space, such as on a corporate file server, in a shared folder, or on removable media such as a USB drive.
File Protection Rules
Question 1: When do my files retain protection?
Answer: Whenever you work within a protected folder, your files retain their protection. If you wish to move or copy a protected folder to a new area, you must first protect the destination folder to ensure continued folder protection. Even though all the files are protected individually, you will also want the folder itself to be protected. If you move a file to a non-protected folder, the file retains its protection on copy, but some applications will decrypt the file after you make modifications (examples are Word, Excel and PowerPoint; these applications work with a temporary file, which results in the final save being unencrypted). Thus it is a best practice to work within protected folders.
When you copy a protected folder, all the files in the folder will retain their protection. Under certain conditions the folder may not retain its encryption policy file. Thus, when copying folders, it's best to always check that the folder copy resulted in the new folder having the visual lock icon. One way to always ensure this is to first create a folder with your appropriate PGP File Share access list, then copy the folder or its contents to that folder. If you already copied the folder and notice the icon is missing, either drag the relevant folder (and its contents) to a new parent folder with the appropriate PGP File Share access or run the PGP File Share create folder function from the PGP Desktop and encrypt the folder.
As stated above, while the copied files are encrypted, it is best to keep them in a protected folder environment. If you change a file's name outside of a protected folder (for example, copying to new_name, saving as new_name, or copying a file/folder into the same folder, which forces the file to change names), you will need to re-encrypt the file to ensure future updates remain encrypted.
Question 2: When I copy files, what permissions will they have?
Answer: If you copy a file from a folder that is protected to group finance_group_A into a folder that is protected to group finance_full_group, the file inherits the new folder's protection policy and becomes encrypted to finance_full_group. This assumes you had file access to both folders and are a member of both groups.
Question 3: What happens when a file server user (without any PGP File Share software) accesses a PGP File Share file?
Answer: Because that user has no access to PGP File Share's ability to transparently decrypt, the file remains encrypted through all actions. Thus the file server administrator can back up and move files around without affecting file contents and without the ability to view the unencrypted contents. Only users with the PGP File Share client software and the appropriate keys needed to access a given file will have access to the decrypted contents.
Question 4: When a file is opened directly from a File Share folder, is there any instance of that file saved in the temporary folder or cached? Example: A Microsoft Word document opened directly from File Share folder - apart from the instance in the shared folder and the opened document, is there any other instance of the file stored on the workstation?
Answer: Each application varies: Word saves its temporary file in the working folder. When working in a PGP File Share folder, the temp file is encrypted. If the application stores it in a non-File Share area, then it will be clear text. Best practice is to: 1) Use PGP File Share together with PGP WDE for full laptop protection. 2) Work within a File Share folder for consistent protection of temp files.
Question 5: Is there any auditing capability in PGP File Share to monitor who accessed which File Share folder/file and when? Is there an Activity Log? Isn't there a feature in Windows Server that audits such information? If so, what is it and is it fully compatible with File Share?
Answer: Symantec Encryption Management Server tracks who has the ability to update membership. When a folder's membership is updated, the config file for that folder is signed by the last updating user's key. Only those who have the ability to update folders are audited in Symantec Encryption Management Server. When a user unlocks (enters a folder for the first time) a message is sent to the PGP DT messaging log signifying that the folder was entered, not that a file was modified.
For file access, it's best to utilize existing Windows file auditing. You can set up the file system to audit read/write access. You will need to know which folders you wish to track.
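The Windows file auditing recommended above, as an added PowerShell example that is not part of the Symantec KB: it enables the File System audit subcategory, puts a SACL on the folder so reads, writes and deletes are recorded, and then lists the resulting 4663 events. The folder path is an assumption; run it from an elevated prompt on the file server.

```powershell
# Added example (not from the Symantec KB). Folder path is assumed; adjust it.
param(
    [string]$Folder = 'D:\Shares\Finance'   # assumed File Share Encryption folder
)

# 1) Enable the "File System" object-access audit subcategory (success + failure).
#    auditpol ships with Windows; this needs an elevated session.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2) Add an audit ACE (SACL entry) so read/write/delete by any user is logged,
#    inherited by all files and subfolders under the protected folder.
$acl       = Get-Acl -Path $Folder -Audit
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3) Report who accessed which file and when. Event 4663 = "An attempt was made
#    to access an object"; property indexes follow the 4663 event template
#    (1 = SubjectUserName, 6 = ObjectName, 9 = AccessMask).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Properties[6].Value -like "$Folder*" } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.Properties[1].Value
            Object     = $_.Properties[6].Value
            AccessMask = $_.Properties[9].Value
        }
    } | Format-Table -AutoSize
```

Because the folder contents stay encrypted for anyone without the File Share client and keys, these events tell you who touched a file, not what they could read from it.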
Question 6: Can I use a "shared" key when using Symantec File Share Encryption so that files encrypted to a folder can be accessed easily by other File Share Encryption users in my environment?
Answer: This is possible by using Group Keys. For more information, see the following KB:
180791 - Symantec File Share Encryption Group Key FAQ's.
Question 7: How can I encrypt individual files with Symantec File Share Encryption, rather than entire folders?
Answer: For more information on this topic, see the following KB:
252240 - Unable to encrypt files with Symantec File Share Encryption with error "Protect individual files"