Symantec File Share Encryption behavior when moving files causing automatic decryption

Article ID: 153694

Products

Symantec Products

Issue/Introduction


This article details what happens to a file when encrypted file(s) are moved out of a Symantec File Share Encrypted folder (formerly known as a PGP NetShare encrypted folder).

Resolution


If a file is moved out of the Symantec File Share Encrypted folder, the file will remain encrypted except in the following circumstances:

  • The file is sent via FTP or another non-CIFS-based protocol.
  • The file is sent in an email message.
  • The file is saved or copied under a different name to a folder outside of the PGP NetShare protected folder.
  • The file is burned to CD/DVD or other optical media.
  • The file is copied to a Microsoft EFS-encrypted share. (This scenario is unsupported; EFS encryption should not be used with File Share Encryption.)
  • The file is copied from an RDP session to the local machine via direct copy/paste. This method involves copying the file, minimizing the RDP session, and then pasting it onto the local machine's file system (such as the Desktop) rather than through an NTFS share.
  • The file is packaged via the Self-Decrypting Archive (SDA) feature.

There are numerous other ways a file may be decrypted once it passes outside the purview of the File Share Encryption filter driver.

Generally, when moving files within the same hard drive, or even to external HDDs, the files will remain encrypted. Even moving Symantec File Share Encrypted files to other non-encrypted locations on a file share will keep the encryption. It is always recommended to test scenarios within your own environment to understand which scenarios apply to you, and which precautions should be taken when moving files around.

Key modes also play a role in when files are decrypted and in the behavior of decryption. For example, when a user's key is in Server Key Mode (SKM), the passphrase is automatically authenticated when the user logs in to Windows. In this scenario, no passphrase is needed for decryption to take place. The same applies to Server-Client Key Mode (SCKM), in which the key is also automatically authenticated. This makes decrypting files easy for users.

Guarded Key Mode (GKM) requires a user passphrase to be entered in order for decryption to take place. For example, if a user attaches a file encrypted with File Share Encryption to an email, the user will be prompted to enter the passphrase before decryption takes place.

Even if users are not Symantec File Share Administrators, files can be decrypted in the instances mentioned above, so it is important to understand which scenario applies to your environment.

One example of keeping files encrypted when attaching them to emails in Microsoft Outlook is to add "outlook.exe" and "fixmapi.exe" to the list of programs that are prevented from decrypting. For more information on this, see article TECH181705.

Whitelisting/Blacklisting:
In order to prevent decryption of files, use the "Prevent the automatic decryption of files..." feature of Symantec File Share Encryption which can be configured on Symantec Encryption Management Server.  For more information on Blacklisting, please consult the Administrators Guide.

Conversely, there is a feature on Symantec Encryption Management Server that can be used to cause automatic decryption by copying files into a folder designated as one that should not be encrypted. The setting "Prevent the encryption of files in the following folders" can also be used to ensure that files copied to this location will be automatically decrypted. In order for this to happen, you must be an Admin or Group Admin and have the File Share Encryption permissions to do so; regular File Share users cannot do this (Etrack 3019776).


Feature Requests
Several Feature Requests have been logged surrounding this behavior and to prevent automatic decryption. For more information on these requests, please visit the following articles:

TECH229057 - FEATURE REQUEST: Prevent any applications from automatically decrypting File Share Encrypted files when handled by third-party applications
TECH181705 - FEATURE REQUEST: Encryption is not maintained when sending a Symantec File Share Encryption (previously PGP NetShare) protected file as an email attachment
INFO3482 - FEATURE REQUEST: Add feature Parity for Symantec File Share Encryption Standalone clients for White and Blacklisting applications.