Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information

Article ID: 222689


Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption Removable Media Encryption (RME) uses the highest levels of encryption algorithms available for encryption of removable devices such as USB drives, DVDs or Blu-ray disks.  The advantage of using this product is that you can copy data to devices and ensure the data is encrypted and secured.

Removable Media Encryption can be used with the current policies available on the SEE Management Server to cover just about any scenario and can even be integrated with Symantec Data Loss Prevention (DLP).

This article will go over some of the Frequently Asked Questions and General Information as it applies to RME.

Resolution

 

Section 1 of 3: General Functionality of SEE RME:



Section 1 Question 1: Can we use RME to prevent access to USB drives on systems?
Answer: Yes, RME can be used to block access to files when USB drives are plugged in.  Many policies exist to be able to cover just about any scenario needed.


Section 1 Question 2: We want to block all USB devices but allow specific devices. Does RME have the capability to allow this?
Answer: Yes, RME can block all devices while allowing, or “excluding”, some devices if the security policy allows. This can be done at a granular level.

Section 1 Question 3: How are files encrypted to USB devices, or other removable devices?
Answer: RME can use a regular password to encrypt files, as well as X.509 certificates. When using a password, there are many different types of passwords you can use, ranging from a session password, which applies to a particular Windows login session, to a “Default” password, or a combination of all these options. Password policies can also apply to these scenarios.

Section 1 Question 4: Can I copy data from one encrypted RME drive to another USB drive?
Answer: This is not allowed.


Section 1 Question 5: Can RME be used to enforce encryption of data copied to removable devices?
Answer: Yes, the built-in policies are flexible: they range from letting users determine whether data gets encrypted all the way to the most secure environments, where data must be encrypted when copied to devices. DLP integration can help with this enforcement. Refer to the Online Help for more information on this topic.


Section 1 Question 6: Where do I find information on how to integrate RME with DLP?
Answer: See the following article for more information on this.

213405 - Flex Response Plug-in for Symantec Endpoint Encryption Removable Media Encryption


Section 1 Question 7: I want to be able to encrypt some files with a password and allow someone else to decrypt the file with a password without installing any software, is this possible?
Answer: Yes, RME has the ability to encrypt individual files to a password. This is the “Self-Decrypting Archive” feature of SEE RME.

 

Section 1 Question 8: Can I copy/paste files from SEE RME and do they decrypt when I do so?
Answer: You can copy and paste files from SEE RME, and the files will remain encrypted.
To provide the most secure method of copying files, SEE RME does not use the Windows Clipboard functionality. Because of this, special steps must be taken.
See the following article for information on how these copy/paste methods work:

222692 - How can I Recover Files Encrypted with Symantec Removable Media Encryption (RME)?

See the following table for copy/paste functionality:

| Options | Removable Media Encryption | Other Drives |
| --- | --- | --- |
| Copy encrypted files | Yes | No |
| Paste encrypted files | No | Yes |
| Attach encrypted files to email | Yes | No |

 

ISFR-1600/EPG-22844

Section 1 Question 9: I want to have a group of users be able to share items through Removable Media Encryption, but I don't want them to have to exchange passwords.
Answer: The RME Workgroup Key is part of the policy (not the SEE RME installer). When a machine is in a particular policy group on the SEE Management Server, all data can be encrypted to this Workgroup Key, and anyone who is part of this key is automatically authenticated and can read the data.

For more information on this topic, see the following online help file:

Configuring the Removable Media Encryption - Workgroup Key policy options


Section 1 Question 10: Why are text files not getting encrypted when I edit them with Notepad.exe?
Answer: Notepad.exe uses basic text viewer logic which does not get captured by our filter driver. Use something like Notepad++ or WordPad instead.
For more information on this issue, see the following article:

236865 - Removable Media Encryption does not encrypt files modified by Windows Notepad

 

Section 1 Question 11: What is a "Default Password" and why does it prompt me to enter one when I plug in a USB Drive?
Answer: A default password is a password that is established for the removable media.  For example, plug in a USB drive, and it will set a "Default Password".
This same Default Password is used to encrypt any other files written to the removable media, such as the USB Drive.  This prompt is typically a one-time event per USB Device.
EPG-31089

Section 1 Question 12: Can I build a report for SEE RME that would list all the devices currently being managed by SEE RME that were plugged in to systems?
Answer: For guidance on this functionality, please reach out to Symantec Encryption Support and mention the following ID: EPG-25934.

 

Section 1 Question 13: Can SEE RME be used on macOS?
Answer: SEE RME is available for macOS.  For more information on this topic, see the following article:

273164 - Using Symantec Endpoint Encryption Removable Media Encryption on macOS to Open and Modify Encrypted Files


Section 1 Question 14: Which filesystems can SEE RME be used with?
Answer: SEE RME is able to work with many filesystems that are available for Windows or macOS. The RME client is fairly filesystem agnostic.
As a best practice, test the USB drives before deploying to all systems.

 

 

Section 2 of 3: Shared Workgroup Keys for SEE RME:

Section 2 Question 1: Can "shared" access be configured for SEE RME so that everything encrypted will be usable by other users without having to share a "password"?
Answer: Yes! SEE RME allows for the use of a collaborative feature called "Workgroup Keys". With it, all data written to removable devices by machines that are part of a group policy is accessible from any other device that is part of this group policy. For more information on this topic, see the following article:

252268 - Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption

 

 

Section 3 of 3: Recovery Options of SEE RME:

Section 3 Question 1: If files are encrypted, can my organization recover the files if the user forgets the password to open the files?
Answer: RME can allow you to use a recovery certificate that is based on the policy. If a recovery certificate is in use, it can be used to decrypt the files.

Refer to the Online Help for more information on this topic.


Section 3 Question 2: What sort of Certificate do I need to create for recovery?
Answer: The PKCS#7 (P7B) format should be used when you generate your certificate.

For more information on this topic, refer to the following KB article or the Online Help:

171224 - Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption

 

Section 3 Question 3: What are the Best Practices for RME when it comes to recovery?
Answer: When you generate your recovery certificate, make sure it won’t expire too quickly. For example, if you generate a certificate that expires in 1 year, then after this time users will not be able to encrypt to this certificate unless you allow encryption to expired certificates in policy, which is not generally recommended. It is recommended to create a certificate that is valid for as long as you think you’ll be using this version; starting with 5 years may be good. If you get a new recovery certificate, you can embed it into the client when you generate a new SEE RME Client, so keep track of when the certificate will expire.
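
One way to keep track of the expiry date, shown as an added example that is not part of the original article or of Symantec's tooling: a PowerShell function that lists every certificate in a P7B file with the days remaining. The file path and the 180-day warning window are assumptions.

```powershell
# Added example: report the expiry of each certificate in a recovery P7B file.
# The sample path and the 180-day warning window are assumptions, not product defaults.
function Get-RecoveryCertExpiry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WarnDays = 180
    )

    # .NET needs a full filesystem path, not a PowerShell-relative one.
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath

    # X509Certificate2Collection.Import() reads PKCS#7 (.p7b) containers,
    # which may hold more than one certificate (for example, a chain).
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $certs.Import($resolved)

    $now = Get-Date
    foreach ($c in $certs) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)

        if ($daysLeft -lt 0) {
            $status = 'EXPIRED'       # clients can no longer encrypt to it unless policy allows
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'RENEW SOON'    # leave time to build and deploy a new client
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Hypothetical location of the exported recovery certificate.
$sample = 'C:\Certs\rme-recovery.p7b'
if (Test-Path -LiteralPath $sample) {
    Get-RecoveryCertExpiry -Path $sample | Format-Table -AutoSize
}
```

Running this from a scheduled task and alerting on any status other than OK gives advance notice before a new client package is needed.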


Section 3 Question 4: If I need to use a recovery certificate, how can I do this?
Answer: The Encryption Administrator would have access to the recovery certificate.  If any files need to be decrypted, this recovery certificate can be used as long as the password for this certificate is known.

For more information on the actual recovery process, see the following article:

151432 - Using the SEE RME Recovery Certificate for recovery with Symantec Endpoint Encryption

Section 3 Question 5: If I forgot my password, how can my administrator help me recover my files?
Answer: In order to recover files, see the following article:

222692 - How can I Recover Files Encrypted with Symantec Removable Media Encryption (RME)?

 

Section 3 Question 6: How are certificates used for encryption with RME?
Answer: See the following article for more information on this topic:

203389 - How certificates are used for file encryption by Endpoint Encryption Removable Media Encryption

 

Section 3 Question 7: Can a user reset their password if they forget it for SEE RME?
Answer: This is not currently possible. The Recovery Certificate discussed in Question 1 above can be used, but Symantec Enterprise Division is currently looking to include this functionality.
If you would like to be added to the request for this functionality, log a support case and provide the following IDs, and Symantec Enterprise Support can assist with this.

ISFR-1600/EPG-22844

Additional Information

Check out the following article for some great information on other product features available to you:

205088 - What's New with Symantec Endpoint Encryption 11.3.1

See the Documentation portal to review further information including the following:

Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide

Symantec Endpoint Encryption Installation Guide

Symantec Endpoint Encryption Upgrade Guide

Symantec Removable Media Encryption Burner Application Command Line Guide

Symantec Endpoint Encryption Policy Administrator Guide