Encrypting Removable Storage Devices

Device Control creates the encrypted files in virtual memory and then writes them to the physical medium, which can be a removable storage device or a CD/DVD. Decentralized encryption enables users to encrypt removable media from the client.

Device Control supports decentralized encryption from the client for encrypting data copied to removable storage media and CD/DVD media. Easy Exchange encryption prepares a device for portable use: a user can open the encrypted device with a password and the encryption key without connecting to the network through a computer running the client.

Ensure that certificate auto-enrollment is enabled in the Microsoft Management Console (MMC); otherwise the domain administrator must approve each enrollment request before a user certificate can be retrieved and installed.

Important: Only default user certificate templates are supported.
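The following PowerShell check, added here as an example and not part of the product's own tooling, verifies the two preconditions stated above on a client before a user runs Encrypt Medium: that auto-enrollment is not disabled by policy, and that the current user already holds a valid certificate issued from the default "User" template. The registry location and the AEPolicy flag value are the standard Windows auto-enrollment policy settings; the template name "User" and the Get-Certificate request at the end are assumptions about the environment, not something this page specifies.

```powershell
# Added example (not Device Control code): pre-flight check for certificate auto-enrollment
# and for a usable user certificate from the default "User" template.
# Assumptions: auto-enrollment is configured through Group Policy (writes AEPolicy under
# the Policies\...\AutoEnrollment keys) and the default user template is named "User".

function Test-AutoEnrollmentPolicy {
    param([string]$Hive)   # 'HKLM' (computer policy) or 'HKCU' (user policy)
    $key = "$($Hive):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        return "$Hive auto-enrollment: Not Configured (requests may wait for administrator approval)"
    }
    # 0x8000 is the "disabled" bit (AUTO_ENROLLMENT_DISABLE_ALL) in the AEPolicy flags.
    if ($value -band 0x8000) {
        return "$Hive auto-enrollment: DISABLED by policy (AEPolicy = 0x{0:X})" -f $value
    }
    return "$Hive auto-enrollment: enabled (AEPolicy = 0x{0:X})" -f $value
}

Test-AutoEnrollmentPolicy -Hive 'HKLM'
Test-AutoEnrollmentPolicy -Hive 'HKCU'   # user certificates follow the user policy

# Certificate Template Name (v1 templates) and Certificate Template Information (v2+) extensions.
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -match '(^|=)User(\(|$)')
}

if ($userCerts) {
    $userCerts | Select-Object Subject, NotAfter, Thumbprint
} else {
    Write-Warning "No valid certificate from the 'User' template in Cert:\CurrentUser\My."
    Write-Warning "Request one (auto-enrollment permitting) with:"
    Write-Warning "  Get-Certificate -Template User -CertStoreLocation Cert:\CurrentUser\My"
}
```

If the HKCU policy reports Not Configured or Disabled, the red, disabled user names described under "Standard User Options Rules" are the expected symptom: the Encrypt Medium utility cannot add a Windows user who has no valid certificate.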

Easy Exchange Encryption

Easy Exchange encryption is volume-based. The entire volume of the removable medium is used: every sector on the volume is encrypted, and the Secure Volume Browser (SVolBro.exe) decryption program is installed on the medium.

Devices encrypted with the Easy Exchange method do not require a password or encryption key when attached to a computer running the client. They are decrypted transparently when the device is attached to a computer running the client and a Microsoft® Certificate Authority (CA) is reachable on the network for authentication.

Important: When no Microsoft Enterprise CA is installed in the network, users can only access encrypted data with a password and the public encryption key.

When a user is working outside your network, they must use the installed Secure Volume Browser to access encrypted data. The Secure Volume Browser does not require local administrative rights; however, a password and the public encryption key are required. The Secure Volume Browser program is automatically copied onto the medium when it is encrypted.

During encryption the administrator can also choose to export the public key either to the medium itself or to an external file, depending on the enterprise's network security policies and procedures.

Important: If the encryption key is not exported to the encrypted medium, an administrator must send the key to the user in a separate file before decryption can start.

The Easy Exchange method is the one used for decentralized encryption, because it relies on the Secure Volume Browser to unlock a medium for user access.

Encrypting Media

Encrypting media from the client is done with the Encrypt Medium utility. The behavior of its encryption options is governed by the Export permissions the administrator has assigned for user access.

Standard User Options Rules

The default behavior of the Encrypt Medium utility options is governed by the following rules:

For the list of users granted access:

  • When a user does not have a valid certificate, the user name is displayed in red and disabled.
  • When a user is added, the domain and account name are displayed, to distinguish between users with similar names in different contexts.
  • The user can add any number of Passphrase users.
  • The user can add any number of Windows users.

Encryption options for Easy Exchange are:

  • Enabled only when the device size is less than 128 GB.

Decentralized Encryption

Decentralized encryption enables a user to encrypt a device at their own workstation without network administrator rights. The user is required to encrypt and administer their removable storage devices themselves, within the user access and device permissions established centrally by the network administrator.

Decentralized encryption is defined by an administrator using a central rule that establishes which users have access to removable storage devices, whether a user is forced to encrypt their removable storage devices, and whether they are allowed to access unencrypted devices. Depending on the rule, a user may be able to:

  • Read and/or write data to a removable storage device.
  • Encrypt a device.
  • Format a device.

Users encrypt their devices with the Easy Exchange method, which erases all existing data and encrypts the remaining storage volume. Removable storage devices encrypted with decentralized encryption can also be used outside the enterprise network when necessary.

When a user who has the necessary permissions formats or modifies an encrypted removable storage device, its Security Identification (SID) changes. The server does not recognize the new SID because there is no matching record in the database, so access to the device is restricted. This ensures that no data, encrypted or not, leaves the enterprise network on an unauthorized removable storage device. As an additional security measure for a device that will be used outside the network, an administrator can export the public key to an external file and send it to the user separately, instead of storing the public key on the device itself.

Encryption from the client provides several options:

  • Passphrase users can use encrypted media with an encryption key that was stored on the device at the time of encryption.
  • Passphrase users can use encrypted media with an encryption key read from a file that was stored separately from the medium at the time of encryption.
  • Windows Active Directory users can use encrypted media with an encryption key protected by a Certificate Authority.