
Symantec File Share Encryption behavior when moving files causing automatic decryption


Article ID: 153694


Products

Symantec Products

Issue/Introduction


This article details what happens to a file when moving encrypted file(s) from a Symantec File Share Encrypted folder (formerly known as PGP NetShare encrypted folder).

 

Resolution

Section 1 - Preventing files from getting automatically decrypted when moving with specific applications

To prevent decryption of files, log in to the Symantec Encryption Management Server, go to the Consumer Policy in question, and then click on the File Share Encryption tab.

In the field "Prevent the automatic decryption of files by the following applications", add "explorer.exe", "outlook.exe", "fixmapi.exe", and any other programs for which you wish to prevent this decryption behavior. In the following example we have added all of the above as well as "thunderbird.exe", because in this scenario we want to prevent files from being decrypted when they are attached to a Thunderbird email.

 

Example:

We've checked all the other boxes in this example as well to ensure this is the most limited scenario possible and to limit this decryption behavior when moving files around.

 

Important Note: If a file is moved out of the Symantec File Share Encrypted folder, the file will remain encrypted except in the following circumstances:

    • The file is sent via FTP or another non-CIFS-based protocol.
    • The file is sent in an email message.
    • The file is saved or copied using a different name in another folder outside the PGP NetShare protected folder.
    • A Symantec File Share Encrypted file is burned to CD\DVD or other optical media.
    • File Share Encrypted files are copied to Microsoft EFS-encrypted shares (this scenario is unsupported; EFS encryption should not be used with File Share Encryption).
    • File Share Encrypted files are copied from an RDP session to a local machine via direct copy\paste. This method requires copying a file, minimizing the RDP session, and then pasting to the local machine's file system, such as the Desktop, rather than through NTFS shares.
    • File Share-encrypted files are encrypted via the Self-Decrypting Archive (SDA) feature.

There are numerous other ways in which files will be decrypted once they go outside the purview of the File Share Encryption filter driver.

Generally, when moving files within the same hard drive, or even external HDDs, the files will remain encrypted.  Even moving Symantec File Share Encrypted files to other non-encrypted locations in a File Share will keep the encryption.  It is always recommended to test scenarios within your own environment to understand which scenarios may apply to you, and which precautions should be taken when moving files around.

 

Key modes also play a role in when files are decrypted and in the behavior of decryption. For example, when a user's key is in Server Key Mode (SKM), the passphrase is automatically authenticated when the user logs in to Windows. In this scenario, no passphrase is needed when a file is decrypted. This also applies to Server-Client Key Mode (SCKM), in which the key is automatically authenticated. This makes decrypting files easy for users.

Guarded Key Mode (GKM) requires the user to enter a passphrase before decryption can take place. For example, if a user attaches a file that is encrypted with File Share Encryption to an email, the user will be prompted to enter the passphrase before the file is decrypted.

Even if users are not Symantec File Share Administrators, files can be decrypted in the instances mentioned above, so it is important to understand which scenario applies to your environment.

An example of keeping files encrypted when attaching them to emails in Microsoft Outlook is to add "outlook.exe" as well as "fixmapi.exe" as programs to prevent decryption. For more information on this, see article TECH181705.

Safelisting/Prevent Decryption
To prevent decryption of files, use the "Prevent the automatic decryption of files..." feature of Symantec File Share Encryption, which is configured on Symantec Encryption Management Server as described above.


Conversely, there is a feature on Symantec Encryption Management Server that can be used to cause automatic decryption when files are copied into a folder that has been designated as a folder that should not be encrypted. The setting "Prevent the encryption of files in the following folders" can be used to ensure that files copied to this location are automatically decrypted. For this to happen, you must be an Admin or Group Admin with the File Share Encryption permissions to do so; regular File Share users cannot do this (Etrack 3019776).

 

Section 2 - Data copied to Encrypted Shares are not getting encrypted
If files are copied to a folder that is encrypted with File Share Encryption but do not end up encrypted, check where they were copied from. If File Share Encryption is *not* installed on the system you are copying from, the files will not end up encrypted, because it is the File Share Encryption service running on the source machine that encrypts the data. Even if File Share Encryption is installed on the system hosting the encrypted share, the source machine must also have the software installed; otherwise the data will be copied unencrypted.

A re-encryption task is needed to pick up unencrypted content and ensure it is encrypted. To do this, open the File Share Encryption client, click the encrypted folder in question in the File Share application "shelf", and then click the "Check Folder Status" icon.

If the result is "All folders and files are encrypted.", then the whole share is encrypted.

If there are any folders that are not encrypted, click the "Apply" button on the bottom right-hand corner of the screen and File Share Encryption will encrypt the share.
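The authoritative check for the scenarios in Section 1 (files that silently leave the filter driver's protection) and Section 2 (files copied unencrypted from a machine without the client) is the "Check Folder Status" action above. As a supplementary triage step, the following script is an added example that is not part of this article or of the Symantec product: it walks a folder and flags files whose contents do not look like ciphertext. It assumes that encrypted file contents have near-uniform byte entropy and that plaintext documents do not; the threshold of 7.5 bits per byte, the 64 KiB sample size and the sample share it builds are all constructed for illustration.

```python
"""Heuristic scan for files that appear unencrypted inside a folder that is
expected to hold only File Share Encrypted files.

Added example, not Symantec's code. Assumption: ciphertext has Shannon entropy
close to 8 bits per byte; plaintext documents score well below that. Treat hits
as candidates to confirm with the client's "Check Folder Status" action."""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune per environment
MIN_SIZE = 256            # files shorter than this are too small to judge
SAMPLE_BYTES = 65536      # read only the first 64 KiB of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the sample's entropy is at or above the assumed ciphertext threshold."""
    return shannon_entropy(data) >= threshold


def find_suspect_files(root: str) -> list:
    """Return sorted relative paths of files under root that look unencrypted.

    Files below MIN_SIZE are skipped rather than judged, because a short sample
    cannot reach high entropy even when it is genuine ciphertext."""
    suspects = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if len(head) < MIN_SIZE:
                continue
            if not looks_encrypted(head):
                suspects.append(os.path.relpath(path, root))
    return sorted(suspects)


def build_demo_share() -> str:
    """Create a constructed sample share in a temp directory.

    report.txt is repeated plaintext (what an unencrypted copy looks like);
    budget.xlsx is random bytes standing in for a file that stayed encrypted."""
    root = tempfile.mkdtemp(prefix="demo_share_")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly report: revenue figures and notes.\n" * 40)
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for rel in find_suspect_files(share):
        print(f"possibly unencrypted: {rel}")
```

Run it against a real share root instead of the demo directory to get a list of candidates; compressed formats (ZIP-based Office files, images, archives) also score high on entropy, so a clean result means "nothing obviously plaintext", not "everything encrypted", which is why the client's own status check remains the final word.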

 

 

Additional Information

Several Feature Requests have been logged surrounding this behavior and to prevent the automatic decryption behavior.  For more information on these requests, please visit the following articles:

161837 - FEATURE REQUEST: Prevent any applications from automatically decrypting File Share Encrypted files when handled by third-party applications
155943 - FEATURE REQUEST: Encryption is not maintained when sending a Symantec File Share Encryption (previously PGP NetShare) protected file as an email attachment
150324 - FEATURE REQUEST: Add feature parity for Symantec File Share Encryption Standalone clients for Exclusions\Safe Lists for applications.

EPG-23710, ISFR-1908
