Encrypt Removable Media without Certificate Authority
You can encrypt removable storage media without a Microsoft® Certification Authority.
Prerequisites
For encryption to work successfully, the following conditions must be met:
- Use Microsoft Windows® Active Directory domains for one of the following:
  - Microsoft Windows 2003 R2
  - Microsoft Windows 2008
  - Microsoft Windows Server 2012 R2
- The administrator must have administrative rights for the computer where encryption takes place.
- An Ivanti Device and Application Control client is installed on the same computer as the Management Console where encryption takes place.
- Attach the removable storage media to the client computer and use the Device Explorer to add the device to the database. See Manage Devices for additional information about adding removable storage media to the database.
- Close all applications that have access to the removable storage medium.
During encryption, a unique cryptographic identifier, used to encrypt the device, is written to the device.
- In the Management Console, select View > Modules > Device Explorer > Add/Modify Permissions.
  The Permissions dialog opens.
- In the Permissions dialog, select the following options:
  - Encrypt - A user or user group can encrypt devices.
  - Export to media - The symmetric key used to encrypt a device, created from passphrases or from the public keys of user certificates, can be exported to the encrypted device when the Self Contained Encryption option is selected.
- In the Management Console, select View > Modules > Media Authorizer > Users by Medium tab.
- Click Add Removable.
  The Add Removable Media dialog opens.
- From the Drive drop-down list, select the letter corresponding to the drive you are encrypting.
- In the Description field, enter a free text description.
- In the Label field, enter a label (maximum 11 alphanumeric characters) that will be used after the medium is formatted.
- From the Encryption drop-down list, select one of the following options:
  - Full & Slow (secure for existing data)
    - Encrypts the media and preserves any existing data stored on the device.
    - Encryption is applied to all free sectors of the media.
    - All data is encrypted.
    - Requires using the Stand-Alone Decryption tool (SADEC) for access to the media from non-Ivanti Device and Application Control computers.
  - Quick Format (insecure for existing data)
    - Encrypts the media and removes all existing stored data.
    - All data stored on the device is erased.
    - Requires using the Stand-Alone Decryption tool (SADEC) for access to the media from non-Ivanti Device and Application Control computers.
  - Easy Exchange (insecure for existing data)
    - Encrypts the media quickly and removes all existing stored data.
    - Allows access to the media from non-Ivanti Device and Application Control computers. The encrypted data is stored in a single file or in multiple files (depending on removable media capacity) using a FAT structure.
- Click OK.
  The removable storage medium is encrypted and added to the database, and the encryption key is exported to the removable storage medium.
- In the Management Console, select View > Modules > Media Authorizer > Users by Medium tab.
- Click Remove Media.
  A dialog opens prompting you to confirm deletion of the medium from the database.
- Click Yes.
- In the Management Console, select View > Modules > Device Explorer > Add/Modify Permissions.
- In the Permissions dialog, select the following options:
  - Read - A user or user group has read access.
  - Write - A user or user group has write access.
  - Import - The user or user group can import an external encryption key when the Self Contained Encryption option is selected.
| Encryption Method | Description |
|---|---|
| Full & Slow (secure for existing data) | This method is the most secure for encryption and can be very slow. |
| Quick Format (insecure for existing data) | This quick encryption method is not recommended for media containing sensitive data. |
| Easy Exchange (insecure for existing data) | Quick encryption, stored in one or more files using a FAT structure, that allows access to the media from non-Ivanti Device and Application Control computers. |

Tip: When you encrypt media using the client (decentralized encryption), you may opt to retain existing data during encryption.
Users assigned permission to use the removable storage medium can access the medium using the password generated during encryption.