These best practices can help overcome issues with folders that fail to encrypt, become corrupted, or take long periods of time to finish re-encrypting.
- Reencryption when files are unencrypted
File Share Encryption always encrypts files when they are copied to a folder where protected files reside, as long as the files are created on these shares from a machine that has File Share Encryption installed. If others copy or create files in these protected folders and do not have File Share Encryption installed, you will need to reencrypt these files manually. You can do this through a regular reencryption routine.
Alternatively, a Feature Request to have these folders automatically encrypted has been logged. If you would like this automatic Reencryption functionality, please log a support ticket and we can add you to the list:
- Exclusions/Safe List
Add all the Symantec Encryption program binaries as discussed in the following article:
200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software
- Group Keys
Use a File Share Encryption Group Key, which makes managing File Share folders much faster, as it no longer has to modify all of the metadata for the encrypted files when users are added to or removed from a group.
In a Symantec Encryption Management Server managed environment, the use of Group Keys allows you to protect shared files and folders and to easily add or remove group members without affecting the File Encryption metadata associated with the protected files and folders.
- Filesystem Integrity
Before encrypting, make sure the file system is scanned and defragmented on the system hosting the encrypted folder.
- Where to run File Share Encryption operations?
Run the File Share encryption process from a computer other than the one used to store the encrypted folder.
- Avoid third-party application interference
Try to limit the programs running on the computer doing the encryption or the one hosting the files during the encryption process (e.g., backups, virus scans).
- Sufficient System Requirements
Ensure adequate resources on the server/computer hosting the Symantec File Share, as encryption may be an intensive process for a computer's CPU, memory, and hard disk.
- NTFS File Permissions
Make sure that the folder permissions are set correctly to allow editing by group members and also to inherit permissions from the parent folder.
- Allow Files to be Modified for Encryption
Make sure that the files to be encrypted are not in use (it may be best to wait until after normal business hours before encrypting).
- Folder Structures for Reencryption and User Access Lists with PGP Keys
If you have a root folder that has been encrypted to a specific list of keys, all the subfolders will be encrypted using the same keys. If you need subfolders encrypted to a different set of keys, such as different Group Keys, it is recommended to move these subfolders out of the root and designate them as their own root directories. This way, if any reencryption routines run, access does not get blocked, because a reencryption event can update the subfolders' ACLs to match that of the root. For this reason, it's best to organize the root directories in advance so that the proper keys are used and reencryption routines do not cause loss of access.
- Excel Shared Workbooks (Contact Support if you would like this feature)
Some of the shared features of Microsoft Office products may not work, so avoid using these features if you can. For example, the Shared Workbooks feature for Excel spreadsheets is not tested or supported:
150173 - File Share Encryption does not support the Excel Shared Workbook feature
- Legacy Filter Driver VS Minifilter
File Share Encryption automatically and seamlessly encrypts files and makes them easily accessible to authorized users. When an authorized user has the key needed to authenticate, the file opens automatically and does not behave any differently, so end users can work on documents without the inconvenience of having to reencrypt each time the file is modified. To do this, File Share Encryption uses a "Legacy Filter Driver" to encrypt/authenticate data in real time, and anything that is encrypted/authenticated goes through this filter driver to allow this seamless access. Contrary to some reports, Legacy Filter Drivers are still supported by Microsoft, although the recommendation is to move to a "minifilter" driver due to better system stability (not related to security). Symantec Enterprise Division conducts regular security reviews on all aspects of the software, and the Legacy Filter Driver used to encrypt data continues to be secure. All encryption algorithms being used by File Share Encryption are also the highest available. Although Symantec Enterprise Division has plans to move to a minifilter driver in a future release, using the filter driver in its current design is both secure and sanctioned to encrypt data.
The Group Key functionality began with version 3.2.0 of PGP Universal Server and continues with all versions of Symantec Encryption Management Server.
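
The "NTFS File Permissions" and "Allow Files to be Modified for Encryption" items above can be checked before an encryption or reencryption run. The following PowerShell pre-flight check is an added example, not Symantec tooling; the function name `Test-EncryptionReadiness` and the sample path are hypothetical, and it uses only built-in cmdlets and .NET file APIs.

```powershell
# Added example: pre-flight check for a folder before File Share Encryption runs.
# Reports folders that do not inherit permissions and files that cannot be opened
# exclusively (in use, or not writable by the account running the check).
function Test-EncryptionReadiness {
    param([Parameter(Mandatory)][string]$Path)

    # NTFS permissions: AreAccessRulesProtected is $true when inheritance from the
    # parent is disabled. The share root itself may be a deliberate exception.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Issue = 'InheritanceDisabled'; Path = $folder.FullName }
        }
    }

    # Files in use: request an exclusive read/write handle and release it at once.
    # The file contents are never read or changed.
    $files = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $stream = $null
        try {
            $stream = [System.IO.File]::Open(
                $file.FullName,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::ReadWrite,
                [System.IO.FileShare]::None)
        }
        catch [System.UnauthorizedAccessException] {
            # Read-only file or missing modify rights for the current account.
            [pscustomobject]@{ Issue = 'AccessDenied'; Path = $file.FullName }
        }
        catch [System.IO.IOException] {
            # Another process holds the file open (sharing violation).
            [pscustomobject]@{ Issue = 'InUse'; Path = $file.FullName }
        }
        finally {
            if ($stream) { $stream.Dispose() }
        }
    }
}

# Example invocation; the path is a constructed placeholder.
Test-EncryptionReadiness -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

An empty result means every folder inherits from its parent and every file could be opened exclusively at the time of the check; rerun it immediately before the encryption window, since file locks change.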