Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption

Article ID: 252268

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

A Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption (SEE RME) allows machines to collaborate so that encrypted data can be shared seamlessly.

When a Workgroup Key has been configured, data encrypted on Removable Devices can be shared, and only the machines authorized to use the Workgroup Key will gain access.

Resolution

To designate a Workgroup Key, edit the Group Policy where you want it enabled.

Note: Workgroup Keys are Policy-based only. They are not included in the SEE RME Client installer.

 

Once you log in to the SEE Management Server, go to the policy you would like to modify and click through the policy screens until you see the following page:

Once this is configured and the SEE Client checks in to the SEE server, everything encrypted to its Removable Devices will also be encrypted to the Workgroup Key.

 

If you would like to give other machines access to this same Workgroup Key, move the machine into the applicable policy.

Tip: For new installs, you can specify the group you would like the SEE Client to fall into so that it obtains the desired policy right away. For information on this topic, see the following article:

214037 - Symantec Endpoint Encryption Preferred Policy Group Assignment

 

 


Scenario 1: Multiple Machines
*A Workgroup Key has been configured for the Policy called "WorkgroupAccounting"
*Three Machines Exist: Machine1, Machine2, Machine3
*Machine1 and Machine2 are in the "WorkgroupAccounting" group. 
*Machine3 is in a different Group Policy.


Expected Results:
*Data is copied to USB1 drive on Machine1 and it is automatically encrypted to the Workgroup Key.
*USB1 Drive is taken to Machine2 and the data can be opened seamlessly.
*USB1 Drive is taken to Machine3 - Password prompt will appear and access to the Workgroup Key is not granted.

 

 

If you would like to give Machine3 access to data encrypted to the "WorkgroupAccounting" Workgroup Key, you can do so using one of two methods:

Method 1: Move Machine3 into the Group Policy for "WorkgroupAccounting" so that it will inherit the Workgroup Key.
This is the most secure method and is the recommended method.

 

Method 2: Copy the Workgroup Key from "WorkgroupAccounting" and insert it into the Group Policy that Machine3 is part of.
This option should be used only with extreme care. Once this is done, any data encrypted to this Workgroup Key will be accessible to any users who are also part of the additional Group Policies.
Before choosing this method, be sure to work with your security teams to determine if this is the best option.

 


Scenario 2: One Machine - Multiple Users Sharing the same machine

*A Workgroup Key has been configured for the Policy called "WorkgroupAccounting"
*One machine exists called Machine1
*Machine1 is in the "WorkgroupAccounting" group policy. 
*Multiple users share this machine: UserA, UserB, and UserC
*UserA copies data to USB1 and it encrypts.
*UserB copies data to USB2 and it encrypts.
*UserC copies data to USB3 and it encrypts.


Expected Results:
*All data copied to USB1, USB2, and USB3 is encrypted to the Workgroup Key.
*UserA, UserB, and UserC can then open all data encrypted to USB1, USB2, and USB3 because all data was encrypted to the Workgroup Key.

 

When in doubt, reach out to Symantec Encryption Support for further guidance.

 

Additional Information

222689 - Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information