This article answers the frequently asked questions about Symantec File Share Encryption Group Keys, a feature that simplifies the encryption and management of encrypted shares (especially when the share is very large).
For information on other File Share Encryption topics, see the following articles:
155519 - Best Practices for Creating and Managing Symantec FileShare Encrypted Folders
180789 - How do I create a new Group with a File Share Encryption Group Key on Symantec Encryption Management Server?
155582 - Adding a Group Key to an Existing Group on the Symantec Encryption Management Server
161242 - Encrypting network file shares to Group Keys with Symantec File Share Encryption
225452 - Using File Share Encryption to send encrypted files to Group Keys (Shared Key Method)
Question 1: What is a Group Key?
A: A Group Key is a server-managed keypair associated with a specific group of users. Users can be assigned to the group manually, or Active Directory users can be assigned to it dynamically via Directory Synchronization and AD Matching. With AD Matching, any change to the membership of the Active Directory security group is automatically reflected in the membership of the corresponding SEMS group, so Active Directory remains the sole group management tool for that group.
Question 2: What are the advantages of a Group Key?
- The users don't have to be added or removed manually to encrypted shares.
- The folder does not need to be re-encrypted whenever you add or remove users.
- The file headers are not as large as with regular PGP keys, because a single Group Key is added to each file rather than one key per user.
- There is no need to edit the File Share encrypted folder when a new user joins; the new user only needs to be added to the Group on Symantec Encryption Management Server.
Question 3: Is there a Best Practices guide for creating and managing Symantec File Share Group Keys?
A: For more information on Best Practices, see article 155519.
Question 4: What if I already have a Group on the Symantec Encryption Management Server and want to add a Group Key to an existing Group?
A: It is possible to add a Group Key to an existing group on the PGP Server.
For more information on how to set up a Group Key for an existing group on the Symantec Encryption Management Server, see article 155582.
Question 5: What do I need to do if I want to create a new Group Key and a new group on the Symantec Encryption Management Server?
A: For more information on how to create a new Group Key on the Symantec Encryption Management Server, see article 180789.
Question 6: I have new Symantec File Share Encryption users in the company. How can I add the new users to the encrypted share so they can also use the Group Key?
A: The new user only needs to be added to the Group on Symantec Encryption Management Server (or to the AD group, if Directory Sync is used). The file share itself does not need to be modified.
Question 7: Where is the private key of the Group Key stored?
A: The private key is only on the Symantec Encryption Management Server. The private key never leaves the server. The public key is copied to the clients.
Question 8: Are there any limitations for the Group Key?
A: The end users must have access to the Symantec Encryption Management Server, so offline mode will not work. This is typically not seen as a limitation: if you are accessing an encrypted share, you are usually accessing an internal resource and therefore also have access to other resources on the network, such as the Symantec Encryption Management Server.
Once a File Share encrypted file or folder is unlocked, the data remains unlocked for the duration of the Windows session. Subsequent access to the protected data can be offline (no connectivity to Symantec Encryption Management Server) until the user logs out.
Question 9: Is there a workaround so the user can use the encrypted Symantec File Share Encryption in an offline mode?
A: For users who need to access the data offline, include their individual keys alongside the Group Key and copy the encrypted files to a local PGP NetShare folder that is encrypted to local keys.
This option is not recommended if you can avoid it, because it also means that whenever the user accesses the share, the user's individual key will be used instead of the Group Key, which is the more convenient option.
Question 10: What happens if I add a new Group Key?
A: If you add a new Group Key, the old Group Key is revoked first. Existing files remain accessible, but all new files added to the folder are encrypted to the new key.
Adding new Group Keys to existing Groups on Symantec Encryption Management Server is not recommended. The only scenario in which a key should be replaced is if you believe the key was compromised. Because the private portion of the Group Key is held only on the Symantec Encryption Management Server, this scenario is highly unlikely.
Question 11: Can the Symantec File Share user roles be used the same way with the Group Key?
A: Yes, Symantec File Share user roles can also be used with a Group Key.
Question 12: Are Symantec File Share Group Keys compatible with ADKs?
A: Yes, Group keys are fully compatible with additional decryption keys (ADKs).
Question 13: What is the difference between using Active Directory groups and the Symantec File Share Encryption Group Key?
A: Group Keys are different from Active Directory groups. Using a Group Key adds only that single key to a protected folder, whereas using an Active Directory group adds every key found for the members of that group.
Question 14: I've added users to an Active Directory Security group and they're properly showing up in that group, but on the PGP server, none of the users are matching the group properly. Because of this, they are not getting access to the Group Key for File Share and can't unlock the share encrypted to this corresponding Group key.
A: This is most likely due to incorrect LDAP syntax in the attributes or values. Double-check that the syntax is correct so that the users match the AD groups associated with the Group on the PGP server. Additionally, confirm that Directory Synchronization is working for other users, to rule out a problem that affects everyone.