Endpoint Encryption Removable Media Access Utility does not encrypt to the recovery certificate

Article ID: 172509

Products

Endpoint Encryption

Issue/Introduction

The primary purpose of the Endpoint Encryption Removable Media Access Utility is to let you share USB flash drives and other removable media with third parties and colleagues who do not have Endpoint Encryption RME (Removable Media Encryption) installed.

Depending on the Endpoint Encryption RME policy, the Access Utility is automatically copied to removable media attached to a Windows machine as RemovableMediaAccessUtility.exe.

The Access Utility will prompt for the password to decrypt the files on the USB drive. If the files were encrypted to a personal certificate, the Access Utility user will need the RME user's private certificate. However, it is not advisable to provide third parties with your personal private certificate.

If the files were encrypted to an organization's recovery certificate, the Access Utility user will need the organization's recovery certificate. Sharing that certificate would be highly inadvisable unless an administrator were decrypting files on behalf of RME users who had lost their passwords.

The Access Utility can store a default password, but this default password is session-based: it is cleared when the Access Utility is closed.

You can also use the Access Utility to encrypt files stored on your hard drive or network share and add them to the removable media. Simply open the Access Utility and drag and drop files to it. If no default session password has been set, you will be prompted for the password to use for encryption.

However, in organizations that use a recovery certificate, when a user who does not have RME installed uses the Access Utility to encrypt files, the files are encrypted only to the password and not to the recovery certificate.

This means that if a user forgets their password for files encrypted with the Access Utility, the administrator will not be able to decrypt them using the private recovery certificate.

Cause

This is by design. The recovery certificate is configured as part of the Endpoint Encryption RME policy. The Access Utility is standalone and is not configured by the Endpoint Encryption RME policy.
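The following Python model is an added illustration of the behaviour described above; it is not the product's code or file format. It assumes a simplified container header with per-file key slots, and it stands in for the recovery certificate's key pair with a single symmetric recovery key. The policy-driven RME client writes a password slot and a recovery slot; the standalone Access Utility writes only the password slot, so administrator recovery has nothing to unwrap.

```python
import hashlib
import hmac
import secrets

# Modelling assumption: the recovery certificate's key pair is represented
# by one 32-byte symmetric key. Constructed for this example only.
RECOVERY_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000


def _wrap(key: bytes, kek: bytes, nonce: bytes) -> bytes:
    """Wrap/unwrap a 32-byte key by XOR with a PRF stream (XOR is self-inverse)."""
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


def _check_tag(file_key: bytes) -> bytes:
    # Lets a decryptor detect a wrong password instead of returning garbage.
    return hmac.new(file_key, b"key-check", hashlib.sha256).digest()[:16]


def _password_slot(file_key: bytes, password: str) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "nonce": nonce, "wrapped": _wrap(file_key, kek, nonce)}


def rme_client_encrypt(password: str, recovery_key: bytes) -> dict:
    """RME client with a recovery certificate in policy: two key slots."""
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"check": _check_tag(file_key),
            "password_slot": _password_slot(file_key, password),
            "recovery_slot": {"nonce": nonce,
                              "wrapped": _wrap(file_key, recovery_key, nonce)}}


def access_utility_encrypt(password: str) -> dict:
    """Standalone Access Utility: no policy, so no recovery slot is written."""
    file_key = secrets.token_bytes(32)
    return {"check": _check_tag(file_key),
            "password_slot": _password_slot(file_key, password),
            "recovery_slot": None}


def user_decrypt(header: dict, password: str):
    """Return the file key if the password is right, otherwise None."""
    slot = header["password_slot"]
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), slot["salt"], PBKDF2_ROUNDS)
    file_key = _wrap(slot["wrapped"], kek, slot["nonce"])
    return file_key if hmac.compare_digest(_check_tag(file_key), header["check"]) else None


def admin_recover(header: dict, recovery_key: bytes):
    """Administrator recovery: only possible when a recovery slot exists."""
    slot = header["recovery_slot"]
    if slot is None:
        return None  # Access Utility output: a forgotten password is unrecoverable
    file_key = _wrap(slot["wrapped"], recovery_key, slot["nonce"])
    return file_key if hmac.compare_digest(_check_tag(file_key), header["check"]) else None
```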

Environment

  • Windows 7 and above.
  • Endpoint Encryption 11.0 and above.
  • Removable Media Access Utility 11.0 and above.

Resolution

When a recovery certificate is configured in policy, provide users who need to encrypt files to removable media with the Endpoint Encryption RME (Removable Media Encryption) client rather than having them use only the Removable Media Access Utility.