Symantec Endpoint Encryption Removable Media Encryption (RME) uses the highest levels of encryption algorithms available for encryption of removable devices such as USB drives, DVDs or Blu-ray disks. The advantage of using this product is that you can copy data to devices and ensure the data is encrypted and secured.
Removable Media Encryption can be used with the current policies available on the SEE Management Server to cover just about any scenario and can even be integrated with Symantec Data Loss Prevention (DLP).
This article will go over some of the Frequently Asked Questions and General Information as it applies to RME.
Question 1: Can we use RME to prevent access to USB drives on systems?
Answer: Yes, RME can be used to block access to files when USB drives are plugged in. Policies exist to cover just about any scenario needed.
Question 2: We want to block all USB devices but allow specific devices. Does RME have the capability to allow this?
Answer: Yes, RME has the ability to block all devices but allow or “exclude” some devices if the security policy allows it, and this can be done on a granular level.
Question 3: How are files encrypted to USB devices, or other removable devices?
Answer: RME can use a regular password to encrypt files, as well as X.509 certificates. When using a password, there are many different types of passwords you can use, from a session password, applicable to a particular Windows login session, to a “Default” password, or a combination of all these options. Password policies can even apply to these scenarios.
Question 4: Can I copy data from one encrypted RME drive to another USB drive?
Answer: This is not allowed.
Question 5: Can RME be used to enforce encryption of data copied to removable devices?
Answer: Yes, the built-in policies are flexible: they range from letting users determine whether data gets encrypted all the way to the most secure environments, where data must be encrypted when copied to devices. DLP integration can help with this enforcement. Refer to the Online Help for more information on this topic.
Question 6: Where do I find information on how to integrate RME with DLP?
Answer: See the following article for more information on this.
213405 - Flex Response Plug-in for Symantec Endpoint Encryption Removable Media Encryption
Question 7: I want to be able to encrypt some files with a password and allow someone else to decrypt the file with a password without installing any software, is this possible?
Answer: Yes, RME has the ability to encrypt individual files to a password. This feature is called the “Self-Decrypting Archive” part of SEE RME.
Question 8: Can I copy/paste files from SEE RME and do they decrypt when I do so?
Answer: You can copy and paste files from SEE RME, and the end result is that the files remain encrypted.
To provide the most secure method of copying files, SEE RME does not use the Windows Clipboard functionality. Because of this, special steps must be taken.
See the following article for information on how these copy/paste methods work:
See the following table for copy/paste functionality:
|Options|Removable Media Encryption|Other Drives|
|---|---|---|
|Copy encrypted files|Yes|No|
|Paste encrypted files|No|Yes|
|Attach encrypted files to email|Yes|No|
Question 9: I want to have a group of users be able to share items through Removable Media Encryption, but I don't want them to have to exchange passwords.
Answer: The RME Workgroup Key is part of the policy (not the SEE RME installer). When a machine is in a particular policy group on the SEE Management Server, all data can be encrypted to this Workgroup Key, and anyone who is part of this key is automatically authenticated and can read the data.
For more information on this topic, see the following online help file:
Question 1: If files are encrypted, can my organization recover the files if the user forgets the password to open the files?
Answer: RME can allow you to use a recovery certificate that is based on the policy. If the recovery certificate is used, it can be used to decrypt the files.
Refer to the Online Help for more information on this topic.
Question 2: What sort of Certificate do I need to create for recovery?
Answer: A PKCS#7 (P7B) format should be used when you generate your certificate.
For more information on this topic, refer to the Online Help.
Question 3: What are the Best Practices for RME when it comes to recovery?
Answer: When you generate your recovery certificate, make sure it won’t expire too quickly. For example, if you generate a certificate that expires in 1 year, after this time, users will not be able to encrypt to this certificate unless you allow encryption to expired certificates in policy, which is not generally recommended. Creating a certificate for as long as you think you’ll be using this version is recommended. Starting with 5 years may be good. If you get a new recovery certificate, you can embed this into the client when you generate a new SEE RME Client. So keep track of when the certificate will expire.
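One way to keep track of the expiry described above is to read the validity dates from the P7B file on a schedule. This is an added example, not part of the original article or of SEE RME; the function name `Get-P7bCertificateExpiry`, the 180-day warning window, and the sample file name are assumptions, and the sample certificate is constructed for the demonstration.

```powershell
# Added example: report how long each certificate in a PKCS#7 (P7B) bundle stays valid.
# Get-P7bCertificateExpiry and the 180-day default are hypothetical, not SEE RME settings.
function Get-P7bCertificateExpiry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WarnDays = 180
    )
    # X509Certificate2Collection.Import reads every certificate in a PKCS#7 file.
    $bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $bundle.Import((Resolve-Path -LiteralPath $Path).ProviderPath)

    $now = Get-Date
    foreach ($cert in $bundle) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($daysLeft -lt 0) {
            $status = 'Expired'      # users can no longer encrypt to it unless policy allows
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'RenewSoon'    # time to issue a new recovery certificate
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Constructed sample input (Windows only): a throwaway self-signed certificate
# valid for 5 years, exported in P7B format, checked, then removed again.
$sample = New-SelfSignedCertificate -Subject 'CN=Example Recovery Certificate (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(5)
$p7b = Join-Path $env:TEMP 'example-recovery.p7b'
Export-Certificate -Cert $sample -FilePath $p7b -Type P7B | Out-Null

Get-P7bCertificateExpiry -Path $p7b | Format-Table Subject, NotAfter, DaysLeft, Status

Remove-Item -LiteralPath $p7b
Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($sample.Thumbprint)"
```

Point `-Path` at your own exported recovery certificate and alert on any row whose `Status` is not `OK`.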
Question 4: If I need to use a recovery certificate, how can I do this?
Answer: The Encryption Administrator would have access to the recovery certificate. If any files need to be decrypted, this recovery certificate can be used as long as the password for this certificate is known.
Question 5: If I forgot my password, how can my administrator help me recover my files?
Answer: In order to recover files, see the following article:
Question 6: How are certificates used for encryption with RME?
Answer: See the following article for more information on this topic:
Question 7: Can a user reset their password if they forget it for SEE RME?
Answer: This is not currently possible. The Recovery Certificate discussed in Question 1 above can be used, but Symantec Enterprise Division is currently looking to include this functionality.
If you would like to be added to the request for this functionality, log a support case and provide the following IDs, and Symantec Enterprise Support can assist with this.
Check out the following article for some great information on other product features available to you:
See the Documentation portal to review further information including the following: