Best Practices for Creating and Managing Symantec FileShare Encrypted Folders


Article ID: 155519


Products

Encryption Management Server File Share Encryption

Issue/Introduction

This article provides suggested best practices for Symantec File Share Encryption (formerly PGP NetShare).

For information on other topics for File Share Encryption, see the following articles:
180791 - Symantec File Share Encryption Group Key FAQ's.
180789 - How do I create a new Group with a File Share Encryption Group Key on Symantec Encryption Management Server?
155582 - Adding a Group Key to an Existing Group on the Symantec Encryption Management Server
161242 - Encrypting network file shares to Group Keys with Symantec File Share Encryption

Resolution

These best practices can help overcome issues with folders that fail to encrypt, become corrupted, or take long periods of time to finish re-encrypting.

  1. Reencryption when files are unencrypted
    File Share Encryption always encrypts files copied to a folder where protected files reside, as long as the files are created on a machine that has File Share Encryption installed.  If other users copy or create files in these protected folders from machines that do not have File Share Encryption installed, you will need to reencrypt these files manually.  You can do this through a regular reencryption routine.

    Alternatively, a Feature Request to have these folders automatically encrypted has been logged.  If you would like this automatic Reencryption functionality, please log a support ticket and we can add you to the list:

    ISFR-1908

  2. Exclusions/Safe List
    Add all the Symantec Encryption program binaries to the safe list or exclusions in your security software, as discussed in the following article:

    200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

  3. Group Keys
    Use a File Share Encryption Group Key, which makes managing File Share folders much faster, because the metadata for all of the encrypted files no longer has to be modified when adding users to or removing users from a group.

    In a Symantec Encryption Management Server managed environment, the use of Group Keys allows you to protect shared files and folders and to easily add or remove group members without affecting the File Encryption metadata associated with the protected files and folders.

  4. Filesystem Integrity
    Before encrypting, make sure the file system is scanned and defragmented on the system hosting the encrypted folder.

  5. Where to run File Share Encryption operations?
    Run the File Share encryption process from a computer other than the one used to store the encrypted folder.

  6. Avoid third-party application interference
    Try to limit the programs running on the computer doing the encryption or the one hosting the files during the encryption process (e.g., backups, virus scans).

  7. Sufficient System Requirements
    Ensure adequate resources on the server/computer hosting the Symantec File Share, as encryption may be an intensive process for a computer's CPU, memory, and hard disk.

  8. NTFS File Permissions
    Make sure that the folder permissions are set correctly to allow editing by group members and also to inherit permissions from the parent folder.

  9. Allow Files to be Modified for Encryption
    Make sure that the files to be encrypted are not in use (it may be best to wait until after normal business hours before encrypting).

  10. Folder Structures for Reencryption and User Access Lists with PGP Keys
    If you have a root folder that has been encrypted to a specific list of keys, all the subfolders will be encrypted using the same keys.  If you need subfolders encrypted to a different set of keys, such as different Group Keys, it is recommended to move these subfolders out of the root and designate them as their own root directories.  Otherwise, when a reencryption routine runs, access can be blocked, because a reencryption event can update the subfolders' ACLs to match that of the root.  For this reason, it's best to organize the root directories in advance with the proper keys, so that reencryption routines will not cause loss of access.

  11. Excel Shared Workbooks (Contact Support if you would like this feature)
    Some of the shared features of Microsoft Office products may not work, so avoid using these features if you can.  For example, the Shared Workbooks feature for Excel spreadsheets is not tested or supported:

    150173 - File Share Encryption does not support the Excel Shared Workbook feature

  12. Legacy Filter Driver VS Minifilter
    File Share Encryption offers a unique way to automatically and seamlessly encrypt files and make them easily accessible to authorized users.  When an authorized user has the key needed to authenticate, the file opens automatically and does not behave any differently, so end users can work on documents without the inconvenience of having to reencrypt each time the file is modified.  To do this, File Share Encryption uses a "Legacy Filter Driver" to encrypt/authenticate data in real time, and anything that is encrypted/authenticated goes through this filter driver to allow this seamless access.  Contrary to some reports, Legacy Filter Drivers are still supported by Microsoft, although the recommendation is to move to a "minifilter" driver due to better system stability (not related to security).  Symantec Enterprise Division conducts regular security reviews on all aspects of the software, and the Legacy Filter Driver used to encrypt data continues to be secure.  All encryption algorithms being used by File Share Encryption are also the highest available.  Although Symantec Enterprise Division has plans to move to a minifilter driver in a future release, using the filter driver in its current design is both secure and sanctioned to encrypt data.




The Group Key functionality began with version 3.2.0 of PGP Universal Server and continues in all versions of Symantec Encryption Management Server.
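
The checks in items 8 and 9 can be scripted before starting an encryption or reencryption run. The following PowerShell function is an added example, not part of the original article or of any Symantec tooling; it assumes it is run with administrative rights on the Windows server hosting the share, and the function name, folder path and group name are hypothetical placeholders.

```powershell
# Added example: pre-encryption check for one folder, run on the file server that hosts it.
# Test-FolderReadyForEncryption, the path and the group name are hypothetical.
function Test-FolderReadyForEncryption {
    param(
        [Parameter(Mandatory)] [string] $Path,       # local path of the folder on the host
        [Parameter(Mandatory)] [string] $GroupName   # e.g. 'EXAMPLE\Finance-Users' (constructed)
    )

    $findings = @()
    $acl = Get-Acl -LiteralPath $Path

    # Item 8: the folder should inherit permissions from its parent.
    if ($acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent folder is disabled'
    }

    # Item 8: group members need an Allow rule that includes Modify.
    # Only rules naming the group directly are checked; nested groups and
    # Deny rules are not evaluated here.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $allowsEdit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if (-not $allowsEdit) {
        $findings += "No Allow rule granting Modify to $GroupName"
    }

    # Item 9: list files under the folder that clients currently hold open over SMB.
    # Files opened locally on the server are not reported by Get-SmbOpenFile.
    $prefix = $Path.TrimEnd('\') + '\'
    $open = Get-SmbOpenFile | Where-Object {
        $_.Path -and
        $_.Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    foreach ($f in $open) {
        $findings += "In use by $($f.ClientUserName): $($f.Path)"
    }

    [pscustomobject]@{
        Path     = $Path
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample call:
# Test-FolderReadyForEncryption -Path 'D:\Shares\Finance' -GroupName 'EXAMPLE\Finance-Users'
```

A result with `Ready` set to `$false` lists each condition to resolve before the folder is encrypted.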

Additional Information

EPG-24297
