Symantec Endpoint Encryption Removable Media Encryption Policies and Passwords

Article ID: 220843

Products

Endpoint Encryption, PGP Encryption Suite, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption

Issue/Introduction

Symantec Endpoint Encryption Removable Media Encryption (SEE RME) allows users to encrypt files on removable media so that nobody else can view the files without proper access.

Policies can be configured on the SEE Management Server so that every file is encrypted when it is copied to the drive, or so that users decide for themselves whether to encrypt. There are many scenarios to offer flexibility for any environment.

Resolution


SEE RME Policies

Symantec Endpoint Encryption is quite granular in what can be encrypted on removable media, and its policies enable many possibilities.

For example, consider the policies shown in the following screenshot:

Read Only Access:
The top option "Read Only Access" simply locks the device against writing data. You are able to read the data, but you are not able to write to any removable devices, such as USB devices.

Encrypt files as per Symantec Data Loss Prevention:
The next option "Encrypt files as per Symantec Data Loss Prevention" makes encryption happen based on DLP policies.
DLP could be configured, for example, to look for files containing keyword data and ensure they are encrypted, while leaving other files unencrypted.

User Driven Encryption:
The last option "User Driven Encryption", when selected, opens up two encryption options:
"Default to encrypt new files" - This option always encrypts new files copied to removable media.
"Default to do not encrypt" - This option does not encrypt files written to USB drives, but "On-Demand Encryption" gives end users the ability to choose.

Note: It is recommended to use "Automatic Encryption" or "User Driven Encryption" so that encryption can take place, and to select the "...encrypt new files" default.
Special care should be taken to ensure files are not being copied to devices in unencrypted form.


Session Passwords

SEE RME by default encrypts to a "Default" password, that is, a password the user configures one time; that same password then works for every file on that USB device.

SEE RME also has the ability to encrypt files to a "Session Password". A Session Password works only for a specific session.
Session passwords are well suited to "one-time-use" files, meaning the user will use the file one time and delete it afterwards.
There are two types of sessions:

1. Windows Session password
When using the Windows Session password, users can copy files to the USB drive, and all of those files use a single password for the duration of that Windows session.
Once the user logs off the system, the next time they log in they establish a new Windows session password.

2. Device Session password
Like the Windows Session password, the Device Session password allows the user to copy files to a USB device and uses the same password for all of those files while the USB device remains plugged in.

Once the user removes the USB drive, even within the same Windows session, a new "device" session password is established when the drive is re-inserted.
This means that if you have a single USB device and remove it, each time you plug it back in a new password will be used.
The scenario this is best suited for is "one-time-use" files: files that you would use only one time and then delete/shred.
Because this option produces the most passwords, choose it wisely.
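To make the difference between the three password scopes concrete, here is a small simulation (added here for illustration; it is not Symantec code and does not model the product's real key handling). It replays one identical workflow of logons, device insertions and file copies under each scope and counts how many distinct passwords the files end up bound to, which is the number a user would have to remember or recover.

```python
"""Simulation of SEE RME password scoping (illustrative, not product code).

Scopes described in the article:
  DEFAULT         one user-chosen password, reused for every file on the device
  WINDOWS_SESSION one password per Windows logon session
  DEVICE_SESSION  one password per insertion of the device
Password values are deterministic labels, not real secrets.
"""
from enum import Enum
from itertools import count


class Scope(Enum):
    DEFAULT = "default"
    WINDOWS_SESSION = "windows_session"
    DEVICE_SESSION = "device_session"


class RmeEndpoint:
    def __init__(self, scope):
        self.scope = scope
        self._labels = count(1)          # hands out "pw-1", "pw-2", ...
        self._default = None             # set once, survives logoff and removal
        self._windows = None             # rotated on every logon
        self._device = None              # rotated on every insertion
        self.files = {}                  # file name -> password it is bound to

    def _new_password(self):
        return f"pw-{next(self._labels)}"

    # Session events that the article says drive password rotation
    def logon(self):   self._windows = self._new_password()
    def logoff(self):  self._windows = None
    def insert(self):  self._device = self._new_password()
    def remove(self):  self._device = None

    def copy_file(self, name):
        """Bind a newly copied file to whichever password the scope dictates."""
        if self._device is None:
            raise RuntimeError("no removable device inserted")
        if self.scope is Scope.DEFAULT:
            if self._default is None:
                self._default = self._new_password()   # user configures it once
            pw = self._default
        elif self.scope is Scope.WINDOWS_SESSION:
            if self._windows is None:
                raise RuntimeError("no Windows session")
            pw = self._windows
        else:
            pw = self._device
        self.files[name] = pw
        return pw

    def distinct_passwords(self):
        return len(set(self.files.values()))


def simulate(scope):
    """One workflow: logon, insert, copy; remove, re-insert, copy; logoff, logon, insert, copy."""
    ep = RmeEndpoint(scope)
    ep.logon(); ep.insert(); ep.copy_file("a.docx")
    ep.remove(); ep.insert(); ep.copy_file("b.docx")
    ep.logoff(); ep.logon(); ep.insert(); ep.copy_file("c.docx")
    return ep.distinct_passwords()
```

Running simulate() for each scope gives 1, 2 and 3 distinct passwords respectively, which is why the article warns that the Device Session option produces the most passwords.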

Server Commands:

If you try to decrypt via server commands, you may encounter the following.

Step 1: Right-click the machine you want to decrypt.

Step 2: Select Decrypt All Drives; the following screen pops up.

If the following error message pops up, it means you are attempting to decrypt a machine that does not have SEE Drive Encryption (SEE Native Drive Encryption) installed:


As mentioned, the above error message appears if "SEE RME Only" is installed, if "SEE RME + SEE BitLocker" is installed, or if a machine has only "SEE BitLocker" installed. The remote decryption command works only for Drive Encryption, so when it is issued on the server for a machine with SEE Drive Encryption, only DE decrypts the drive; RME devices are not decrypted.

Because USB drives move fluidly from one machine to another and are not always plugged in, it is not possible to decrypt RME drives from the server. As a result, decrypting data on RME drives is done manually.


To decrypt USB drives that are encrypted with SEE RME, perform the following:


Step 1: First make sure the policy on SEE Management Server allows users to decrypt their data:


Step 2: Once the policy has been updated, the user can right-click the content they wish to decrypt on the USB device and decrypt it.

Step 3: The user may be prompted to enter a password.

Enter the passphrase and the files will decrypt.


If the user is not sure about the passphrase, decrypting with a recovery certificate is available.

See our Help File for more information on Server Commands.

See our Help File for more information on the Recovery Certificate.

222689 - Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information