There are 2 types of Encryption provided by the Removable-Storage Policy:
- Full USB disk encryption (Formatting normal USB disk into IP-guard encrypted disk in Console).
- File based file encryption (Encrypt/Decrypt when write files to USB disk/hard disk).
We can choose to use only 1 kind of encryption,
Mixed using 2 kinds of encryption together.
- 1. Full USB disk encryption
To let the encrypted disk to be able to access, we first need to add a policy to allow ‘read’ for the encrypted disk on all agent PC.
Then all PC with agent installed within the same company(under same SN license) is able to access the encrypted disk and read the file. (Of course we can specify the target (computer/user group) to be the only one which able to access.)
As the USB disk is encrypted, the agent itself will act as middle layer for decryption.
After setting the policy for allow ‘read’ to the target(agent computer/user group), the target can directly read the file inside the encrypted USB.
- Plug-in the USB disk into Console computer.
- In Console, select Categories->Removable Storage
- In the popup window, select Opearation->View Local Removable Storage Info..
- In the Local Removable Storage Info window, you can select the USB disk, and click the third (3rd) button->Format as Encrypted Disk
- Choose the File Format you want, click OK. Answer ‘Yes’ to format.
- Wait it finish formatting, and the Finish formatting message box will come up.
- Save the information by clicking the second (2nd) button-Save button.
- Now the whole USB disk become an encrypted disk.
- You need to set a Removable Storage policy to allow encrypted disk(or ALL disk) to read (or/and write), save the policy.
- Then only the agents can be allowed to read (or/and write) the encrypted disk.
- 2. File based file encryption
The file based encryption can protect files from viewing by users in plain text.
File based file encryption is controlled by the ‘Auto Decrypt’ and the ‘Auto Encrypt’ option in the removable policy.
By default(no additional policy), all PC with agent installed within the same company(under same SN license) can access any USB disk.
If we check the ‘Auto Decrypt’ and the ‘Auto Encrypt’ option in the removable policy for a target (agent computer/user group), then the USB disk of that target will use the File based file encryption/decryption.
For file-based encryption/decryption, setting the access rights Auto Encrypt, the file will be encrypted when copy to USB disk. Then the file in USB disk can still be opened but with un-readable text, you are not able read the file content directly on the USB disk.
With the access rights Auto Decrypt, if you want to read the file, you have to copy that file from USB disk to your hard disk. The file will be decrypted when copy to the hard disk, then you will be able to read the file on the hard disk.
For file based file encryption, no one can directly read the document on the USB disk. Even for the target we check the ‘Auto Decrypt’ and the ‘Auto Encrypt’ option in the removable policy, the target cannot directly read the document on the USB disk. It is because the encryption/decryption is done via the process explorer process. The user on those PC need to copy the files to the hard disk (perform decryption) first before they can read the document. Anyway, you are not able to read the file directly in plain text in USB disk.
a) In Console, select the target agent/group in the left, and the choose the Tab Advanced Policy->Removable Storage
b) Add a new Removable Storage policy by clicking the read + button
c) In the Properties window of the policy, select:
Readable: Allow to read
-Auto Decrypt: Will Auto Decrypt the file which copy/cut from the target USB drive into the local hard disk folder
Writeable: Allow to write
-Auto Encrypt: Will Auto Encrypt the file which copy/cut from the local hard disk folder into the target USB drive
d) Save the policy afterward.