Information Centric Security Module (ICSM) | End of Life (EOL) Notification and Instructions

Article ID: 189357

Products

Information Centric Encryption, Information Centric Tagging, Information Centric Security

Issue/Introduction

What’s Happening?

On May 3, 2021, Symantec will end of life the following Information Centric Security Module (ICSM) products:

  • Information Centric Encryption Service 
  • Information Centric Encryption Key Store Virtual Appliance
  • Information Centric Tagging

This also impacts customers using the Data Loss Prevention Plus Suite, as Information Centric Encryption (ICE) is part of this product bundle.

Resolution

What does it mean for you?

  • All ICE-encrypted files will continue to be accessible until May 3, 2021. Additionally, ICE will continue to encrypt new files through this period if you allow it to do so.
  • You should begin planning to move to a new security solution immediately so that the transition will be smooth when ICE is no longer available.
  • Any files still encrypted by ICE remain encrypted and access restricted, and cannot be opened once ICE is no longer available. You can provide access to individual files after this date using the ICE Offline Decryption Utility. 
  • While Information Centric Tagging (ICT) will continue to work beyond May 3, 2021, its use is at your own discretion and risk. As of the EOL date, Symantec will no longer be able to provide Technical Support, defect fixes, product updates, or any other product assistance.
  • Symantec recommends that customers discontinue the use of the ICT product on or before the EOL date. After the EOL date is reached:
    • Perpetual license holders may find the product working for some time but with no new platform support. The product may stop functioning at some point in time.
    • Subscription license holders will find that the ICT console UI elements are not visible upon reaching the license expiry date.

What do you need to do?

You have multiple options, based on the level of security you wish to maintain over sensitive or confidential files currently encrypted with ICE. You can use different options for different groups of users. For example, you might provide access to all files for some users, but restrict access to all files for other users. For Information Centric Tagging, customers should seek an alternate tagging solution.

Option 1: Provide access to all files

  1. Reset your policies so that any file opened with the ICE Reader or the VIP Access app automatically removes any encryption and access restrictions.
  2. Notify your users to access any previously encrypted files that they need to keep. ICE decrypts the files, removes any access restrictions, and stores them on the user’s local device.
  3. After you have implemented a replacement solution, have your users open any confidential or sensitive files in the new system to protect them.
  4. If your users still have individual files that are ICE-encrypted after May 3, 2021, use the ICE Offline Decryption Utility to decrypt them.

Option 2: Restrict access to all files

  1. Reset your policies to restrict access to all files for your users. All ICE-encrypted files remain encrypted and access restricted, and cannot be opened once ICE is no longer available. 
  2. If your users have individual, ICE-encrypted files that they must access, use the ICE Offline Decryption Utility to decrypt them.

ICE Offline Decryption Utility

If your users still have files that are ICE-encrypted after May 3, 2021, you can use the ICE Offline Decryption Utility to decrypt them. Download the ICE Offline Decryption Utility from the Downloads page of the ICE Cloud Console. You will also need to download the private key that your version of ICE originally used to encrypt the files. Refer to the instructions included in the download package for details on how to run the utility.

Important: The download links for the ICE Offline Decryption Utility and the private key will not be available after the ICE EOL date. In order to use this utility, you must download the ICE Offline Decryption Utility and the private key before May 3, 2021.

Important: This private key can decrypt any files that your ICE account originally encrypted. Store this private key in a secure place. You have the option of setting a password for this private key when you download it from the ICE Cloud Console. If you set a password, store it in a safe place separate from the private key. You will need the password to decrypt any ICE-encrypted file with the ICE Offline Decryption Tool and the private key.

Decrypting files with the ICE Offline Decryption Utility

The ICE Offline Decryption Utility lets you decrypt any files originally encrypted by your implementation of ICE. To decrypt a file that your implementation of ICE encrypted, you need the following:

  • ICE-encrypted file
  • ICE Offline Decryption Tool
  • The private key for your implementation of ICE.

The ICE Offline Decryption Tool and your ICE private key are available from the Downloads page of your ICE Cloud Console.

The ICE Offline Decryption Utility is a Windows-based, command line utility. Complete the following steps to decrypt an ICE-encrypted file:

  1. Place the ICE-encrypted file in the same physical directory as the ICE Offline Decryption Utility and your private key.
  2. Run the following command:

icedecryptor.exe --decrypt <input-file> --output <output-file> --key <private-key-file> --password <password>

Where:

  • <input-file> is the name of the ICE-encrypted file to decrypt.
  • <output-file> is the name to assign to the decrypted file. If left blank, the utility defaults to the name of the original file before it was encrypted by ICE.
  • <private-key-file> is the PEM-encoded private key that ICE originally used to encrypt the input file.
  • <password> is the password for the private key file, if any was set. If no password is set, do not include this flag.

For example: 

icedecryptor.exe --decrypt 2019_marketing_press_release.html --output 2019_marketing_press_release.txt --key colossal_corp_key.pem --password W34R!t88g

The utility decrypts the file and writes it to the same directory, using the file name that you provided.
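
The following PowerShell wrapper is an added example, not part of the vendor's download package. It runs the documented --decrypt command over a list of files, prompts for the key password instead of storing it in a script, and logs hashes for each result. Assumptions: the key file and log file names are hypothetical, omitting --output gives the documented default name, and the utility returns a non-zero exit code on failure.

```powershell
# Added example: batch wrapper for the documented icedecryptor.exe --decrypt command.
# Run from the directory that holds icedecryptor.exe, the private key and the
# ICE-encrypted files, as the steps above require.
param(
    [Parameter(Mandatory)][string[]]$Files,       # names of ICE-encrypted files in this directory
    [string]$KeyFile = 'ice_private_key.pem',     # hypothetical key file name
    [string]$LogFile = 'ice_decrypt_log.csv'      # hypothetical log file name
)

# The key can decrypt every file the ICE account encrypted: remove inherited
# permissions and grant the current user read access.
icacls $KeyFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# Prompt for the password rather than hard-coding it in a script or shell history.
$secure = Read-Host -AsSecureString 'Private key password (leave blank if none was set)'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$results = foreach ($name in $Files) {
    $before   = @((Get-ChildItem -File).Name)
    $toolArgs = @('--decrypt', $name, '--key', $KeyFile)
    # Per the page, leave the --password flag out when the key has no password.
    if ($plain) { $toolArgs += @('--password', $plain) }

    # The page documents the password only as a command-line argument; command
    # lines can be captured by process-creation logging, so use a trusted workstation.
    & .\icedecryptor.exe @toolArgs
    $code = $LASTEXITCODE   # assumption: non-zero means the utility failed

    # --output is omitted, so find the file the utility created by comparing listings.
    $new = @(Get-ChildItem -File | Where-Object { $_.Name -notin $before })

    [pscustomobject]@{
        Input        = $name
        InputSha256  = (Get-FileHash -LiteralPath $name -Algorithm SHA256).Hash
        ExitCode     = $code
        Output       = $new.Name -join ';'
        OutputSha256 = ($new | Get-FileHash -Algorithm SHA256).Hash -join ';'
    }
}

$results | Export-Csv -NoTypeInformation -Path $LogFile
$plain = $null
```

Rows with a non-zero ExitCode or an empty Output column identify files that still need attention.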

Viewing file details with the ICE Offline Decryption Utility

The ICE Offline Decryption Utility can provide details about an ICE-encrypted file without decrypting it. Complete the following steps to use the utility to view file details:

  1. Place the ICE-encrypted file in the same physical directory as the ICE Offline Decryption Utility and your private key.
  2. Run the following command:

icedecryptor.exe --show-info <input-file>

Where <input-file> is the name of the ICE-encrypted file. For example:

icedecryptor.exe --show-info 2019_marketing_press_release.html

The utility displays the following information about the file:

  • Version of ICE used to encrypt the file 
  • Original file name
  • File creation date
  • File encryption date
  • Encryption algorithm
  • Customer ID and domain ID
  • Authentication and KMS server address (if any)
  • ID of the ICE private key