Encrypting Removable Storage Devices

Device Control creates encrypted files in virtual memory, and then writes the files to physical media available in various formats, such as removable storage devices and CD/DVDs. Centralized and decentralized encryption provide an administrator with the flexibility to centrally encrypt removable media, enable users to encrypt removable media using the client, and enforce the use of encrypted media.

Device Control supports centralized (from the Management Console) and decentralized (from the client) encryption methods for ciphering data copied to removable storage media. The following methods are available for encrypting removable storage devices and CD/DVD media using:

  • Easy Exchange encryption, which encrypts devices for portable use. Portable use means that a user can use the encrypted device with a password and the encryption key, without having to connect to the network through a computer running the client.
  • Full and slow encryption, which encrypts devices for non-portable use. Non-portable use means that a user can only use the encrypted device with a password when connected to the network through a computer running the client.

Easy Exchange Encryption

Easy Exchange encryption is volume-based. The entire volume of the removable storage media is used for ciphering existing data and all sectors on the volume and installing the Secure Volume Browser (SVolBro.exe) deciphering program.

Devices encrypted using the Easy Exchange method do not require a password or encryption key when attached to a computer running the client. These encrypted devices are transparently deciphered when users attach the device to a computer running the client and a Microsoft® Certificate Authority (CA) is available from the network for authentication.

Important: When there is no Microsoft Enterprise CA installed in the network, users can only access encrypted data using a password and a public encryption key.

When a user is working outside your network, they must use the installed Secure Volume Browser to access encrypted data. The Secure Volume Browser does not require local administrative rights; however, a password and the public encryption key are required. The Secure Volume Browser program is automatically copied on to the media when it is encrypted.

The administrator also has an option during encryption to export the public key to the media or to an external file, depending on enterprise network security policies and procedures.

Important: If the encryption key is not exported to the encrypted media, then an administrator must send the key in a separate file to the user before the decryption process can start.

The Easy Exchange encryption method is used for centralized and decentralized encryption because this method uses the Secure Volume Browser to unlock the medium for user access.

Encrypting Media

Encrypting media from the client uses the Encrypt Medium utility. The rules governing the behavior of the encryption options depend upon the Export permissions assigned by the administrator for user access.

Encryption from the client offers both portable encryption and encryption for external use options. These options offer control over exporting the medium encryption key.

Encrypt medium dialog

Standard User Options Rules

The default behavior for the Encrypt Medium utility options is governed by the following rules.

  • When a user selects encryption for external use, the Windows user option is disabled when selecting Add to add users; the user can only have one passphrase user.
  • When a user selects encryption for external use, the Erase unused space and Retain existing data on device options are enabled and selected by default, unless Erase unused space on media is forced by the administrator through the Management Console. Selecting one of these options deselects the other.

For the list of users granted access:

  • When a user does not have a valid certificate, the user name is displayed in red and disabled.
  • When a user is added, the domain and account name are displayed to distinguish between users having similar names in different contexts.
  • When a user selects encryption for external use the user can add only one passphrase user.

When a user selects portable encryption:

  • User can add any number of Passphrase users.
  • User can add any number of Windows users.

When a user selects encryption for external use, the user may not add users.

Encryption options for portable encryption are:

  • Enabled when the device size is less than 128GB.

Encryption options for encryption for external use are:

  • Enabled when the device size is greater than or equal to 128GB.

Data options are set as follows:

  • The Retain existing data on device is not selected and is disabled if no recognized file system has been found on the media.
  • The Erase unused space on media option is selected and disabled if this option is set by the administrator in the Management Console.
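As an added illustration (not part of the product or of this documentation), the Encrypt Medium option rules above expressed as a small validator that reports which rules a requested configuration breaks; the EncryptRequest fields and the validate function are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List

SIZE_THRESHOLD_GB = 128  # size boundary between portable and external-use encryption


@dataclass
class EncryptRequest:
    """Options a user picks in the Encrypt Medium utility (hypothetical model)."""
    external_use: bool                # True: encryption for external use; False: portable
    device_size_gb: float
    passphrase_users: List[str] = field(default_factory=list)
    windows_users: List[str] = field(default_factory=list)
    retain_existing_data: bool = False
    erase_unused_space: bool = False
    fs_recognized: bool = True        # a recognized file system was found on the media
    admin_forces_erase: bool = False  # "Erase unused space" forced from the Management Console


def validate(req: EncryptRequest) -> List[str]:
    """Return the rule violations for a request (an empty list means it is allowed)."""
    errors = []
    # Device size decides which encryption mode is available.
    if req.external_use and req.device_size_gb < SIZE_THRESHOLD_GB:
        errors.append("external use requires a device of 128GB or more")
    if not req.external_use and req.device_size_gb >= SIZE_THRESHOLD_GB:
        errors.append("portable encryption requires a device smaller than 128GB")
    # External use: Windows users are disabled and only one passphrase user is allowed;
    # erase unused space and retain existing data exclude each other.
    if req.external_use:
        if req.windows_users:
            errors.append("Windows users cannot be added for external use")
        if len(req.passphrase_users) > 1:
            errors.append("external use allows only one passphrase user")
        if req.retain_existing_data and req.erase_unused_space:
            errors.append("erase unused space and retain existing data exclude each other")
    # Data options that apply to both modes.
    if req.retain_existing_data and not req.fs_recognized:
        errors.append("retain existing data needs a recognized file system")
    if req.admin_forces_erase and not req.erase_unused_space:
        errors.append("erase unused space is forced by the administrator")
    return errors
```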

Centralized Encryption

Centralized encryption is encryption performed at the Management Console by a network administrator. Centralized encryption offers users that have a Microsoft Enterprise Certificate Authority installed transparent device use within the network.

A user of a removable storage device ciphered using centralized encryption does not perceive that the device is encrypted. Users can freely use their removable storage device with any computer on the enterprise network, with delegated permission. There is no need for the user to have the encryption key or know the password. Authentication automatically takes place in the background, between the client and the certification authority. Even if the user loses the device, data protection is ensured.

Decentralized Encryption

Decentralized encryption enables a user to perform device encryption at a computer workstation without requiring network administrator rights. The user is forced to cipher and administer their removable storage devices, based on user access and device permissions established centrally by the network administrator.

Decentralized encryption is defined by an administrator using a central rule that establishes which users have access to removable storage devices, whether a user is forced to encrypt their removable storage devices, and whether they are allowed to access unencrypted devices. Depending upon the rule, a user may be able to:

  • Read and/or write data to a removable storage device.
  • Encrypt a device.
  • Format a device.

Users encrypt their devices using the Easy Exchange method, where all existing data is erased and the remaining storage volume is encrypted. Removable storage devices encrypted using decentralized encryption can also be used outside the enterprise network, when necessary.

When a user who has the necessary permissions formats or modifies an encrypted removable storage device, the Security Identification (SID) changes. The new SID is not recognized by the Application Server because there is no matching record in the database. Therefore, access to the new device is restricted. This ensures that no data, encrypted or not, can leave the enterprise network using unauthorized removable storage devices. As an additional security measure when a removable storage device is used outside the network, an administrator can choose to export the public key to an external file that can be sent separately to the user, instead of storing the public key on the removable storage device.

Encryption from the client provides several options:

  • Passphrase users can use encrypted media with an encryption key stored on the device at the time of encryption.
  • Passphrase users can use encrypted media with an encryption key accessed from a file that is stored separately from the media at the time of encryption.
  • Windows Active Directory users can use encrypted media with an encryption key protected by a Certificate Authority.