Using File Share Encryption to send encrypted files to Group Keys (Shared Key Method)

Article ID: 225452

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

In some scenarios, encrypted files must be sent so that recipients decrypt them with a "shared key" rather than with their individual keys. Symantec File Share Encryption can achieve this through its Group Key logic, encrypting seamlessly to those recipients.

The goal is to encrypt a file to a recipient so that the recipient can access the encrypted content without needing a private key of their own to decrypt it. A second goal is to use a key that grants access, but whose access can be revoked easily, and that is never present on the local machine, so nobody can use this "Shared Key" to decrypt files outside the managed workflow. (The key is not technically shared; access to it is provided seamlessly so that multiple users can use it.)

File Share Group Keys meet both goals. This article covers the scenario using Symantec Encryption Management Server (SEMS), where File Share group key functionality is extended to email groups.

Environment

Prerequisites:
*Recipients have already enrolled and run Symantec Encryption Desktop managed by Symantec Encryption Management Server.
*Symantec File Share Encryption is already enabled for these users.
*A Group Key has been configured for a group on SEMS.
*The recipients are members of the group for which the group key was created.

Resolution

To give recipients access to the Group Key, two things need to be done, one on the server and one on the client:

 

On Symantec Encryption Management Server:
*Disable automatic decryption for Explorer.exe, fixmapi.exe, and Outlook.exe.
Note: These executables cover Microsoft Outlook. If another mail program is used, add its primary executables to the exclusion list as well. The exclusion matters because File Share Encryption otherwise decrypts protected files transparently for the application reading them: a mail client that is not excluded would read the decrypted content and send the attachment in cleartext.
*Create groups and a group key for each mail-enabled AD security group or distribution list.

 

On Symantec Encryption Desktop:
*Open "PGP Options" and click the "File Share" tab. Check the box for "Protect Individual Files".
*Encrypt a file to the desired group key, or use a file from a folder that is already encrypted to the group key.
*Attach this encrypted file to an email and send it to the group.
*Recipients who are members of the group will decrypt it transparently.
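A practical check for the procedure above, added here as an example and not part of the Symantec article or product: after sending, save the attachment from the Sent Items folder and confirm that what the mail client actually transmitted is still OpenPGP ciphertext. If the file was encrypted on disk but the check reports "cleartext", the mail client was not excluded from automatic decryption and the group key gave no protection in transit. The script assumes the encrypted file is made of ordinary OpenPGP (RFC 4880) packets, binary or ASCII-armored; the sample bytes in it are constructed (a dummy key ID and an opaque body), not real keys or real ciphertext.

```python
"""Added example (not part of the Symantec article): verify that a file the
mail client attached is still OpenPGP ciphertext rather than cleartext.

Assumption: the file consists of standard OpenPGP packets (binary or armored).
Sample inputs below are constructed, not produced by any PGP product.
"""
from __future__ import annotations

from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
SESSION_KEY_TAGS = {1, 3}          # Public-Key / Symmetric-Key Encrypted Session Key
ENCRYPTED_DATA_TAGS = {9, 18, 20}  # SED, SEIPD, AEAD-encrypted data


def parse_packet_headers(data: bytes, limit: int = 16) -> list[int]:
    """Walk OpenPGP packet headers and return the packet tags in order.

    Returns [] as soon as a byte cannot be a packet header, so plaintext
    (ASCII text, PDF, Office files) yields [] at the first byte. Streamed
    (partial-body or indeterminate-length) packets end the walk.
    """
    tags: list[int] = []
    pos = 0
    while pos < len(data) and len(tags) < limit:
        ctb = data[pos]
        if not ctb & 0x80:                         # bit 7 is set on every header
            return []
        pos += 1
        if ctb & 0x40:                             # new-format header
            tag = ctb & 0x3F
            if pos >= len(data):
                return []
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                if pos + 1 >= len(data):
                    return []
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:
                if pos + 4 >= len(data):
                    return []
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:                                  # partial body length: streamed
                tags.append(tag)
                return tags
        else:                                      # old-format header
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:                   # indeterminate length: last packet
                tags.append(tag)
                return tags
            nbytes = (1, 2, 4)[length_type]
            if pos + nbytes > len(data):
                return []
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        tags.append(tag)
        pos += length
    return tags


def classify(data: bytes) -> str:
    """Return 'armored', 'binary-pgp' or 'cleartext' for the given file bytes."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    tags = parse_packet_headers(data)
    if tags and tags[0] in SESSION_KEY_TAGS and any(t in ENCRYPTED_DATA_TAGS for t in tags):
        return "binary-pgp"
    return "cleartext"


def check_file(path: str) -> str:
    """Classify a file on disk, e.g. an attachment saved from Sent Items."""
    return classify(Path(path).read_bytes())


# Constructed sample: an old-format PKESK (tag 1, version 3, dummy key ID, RSA,
# a one-byte MPI) followed by a new-format SEIPD packet (tag 18) of 20 bytes.
SAMPLE_CIPHERTEXT = (
    bytes([0x85, 0x00, 0x0D])                      # tag 1, two-byte length = 13
    + bytes([0x03]) + b"\x11" * 8 + bytes([0x01])  # version, key ID, algorithm
    + bytes([0x00, 0x08, 0xAB])                    # MPI: 8 bits, value 0xAB
    + bytes([0xD2, 0x14]) + b"\x5A" * 20           # tag 18, length 20, opaque body
)
SAMPLE_CLEARTEXT = b"Quarterly figures (internal)\r\nRevenue: ...\r\n"

if __name__ == "__main__":
    for name, blob in (("ciphertext", SAMPLE_CIPHERTEXT), ("cleartext", SAMPLE_CLEARTEXT)):
        print(f"{name}: {classify(blob)} tags={parse_packet_headers(blob)}")
```

Run `check_file()` against the saved attachment; "binary-pgp" or "armored" means the exclusion took effect and the file left the client encrypted to the group key. The check only inspects packet framing, so it cannot tell which key the file is encrypted to; it only catches the failure mode the exclusion list exists to prevent.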

 

For more information on Symantec File Share Encryption Group Keys, see the following article, which links to several other articles on this topic:

180791 - Symantec File Share Encryption Group Key FAQ's.

Additional Information

209776 - Integrating a shared PGP Key for multiple users on Symantec Encryption Management Server