Skip to main content
Matrix42 Self-Service Help Center

File and folder encryption

Overview

With the encryption products, files and folders can be encrypted both on the computer and in the network, as well as on external storage media and in cloud storage.

The following table provides an overview of encryption products and their encryption options:

Product What? Where?

Removable Device Encryption

Files (When encrypting a folder with Removable Device Encryption, the folder itself is not encrypted, only the contents of the folder (files). New files added to this folder are not encrypted automatically.

  • External storage
  • CD/DVD
  • Hard drives (if Control hard disks like external media option is enabled)
  • Floppy disk

Local Folder Encryption

Folder

  • Locally
  • In a local cloud storage if Cloud Storage Encryption is disabled
  • On additional hard drives

Cloud Storage Encryption

Files and folders

In a controlled local cloud storage

Network Share Encryption

Network shares of computers without EgoSecure Agent

  • Network share itself and subfolders
  • Thin client storage (encrypts only via the context menu)

Permanent Encryption

Files and folders

Everywhere

Encryption types

Depending on the type of encryption, data is encrypted with a specific key.

There are five types of encryption:

  • Common encryption: Commonly encrypted data can be decrypted by all users who are registered on the same EgoSecure Server and who have the same common key.
  • Individual encryption: Individually encrypted data can only be decrypted by the owner of the key.
  • Group encryption: Data encrypted with group encryption can be decrypted by all members of an EgoSecure group or a directory service group that has the same group key. For details, see: Creating an encryption group
  • Mobile encryption: Mobile encrypted data is usually password-protected and is used to transport data on external storage media or cloud storage. Except guest encryption, Cloud Storage Encryption and Permanent Encryption, mobile encryption is always used in addition to another encryption type. 
  • Permanent encryption only applies to files and adds the .espe file extension to them. In comparison to other types of encryption, permanent encryption remains when copying or moving files. For details, see Encrypting files permanently. There is no separate key for permanent encryption, it uses the keys of the other encryption types.

Applying general settings

Enabling encryption types

In the product settings, specify the encryption types, which become available for a user/computer once an encryption product is activated.

Selecting encryption types

  • Go to Product settings | Encryption | Encryption options and click on Encryption is now disabled.

clipboard_efae7daad73c9bd2d07ff28cbb42393f1.png

  • The encryption is now enabled. The settings are not greyed out more.
  • In the Available encryption types area, enable the encryption types to make them available globally. Not activated encryption types can not be activated for directory objects.
  • Select a Default encryption type in the drop-down menu. This encryption type is used when the file is encrypted automatically.
  • Click Save.
  • The selected encryption types can now be activated for users, computers and groups.

Managing encryption keys

  • Keys for the encryption types are created automatically based on the key length and the encryption algorithm as soon as:
    • an encryption product is activated (common key)
    • a user/computer with a permission for individual encryption is logged on to the Server (individual key)
    • an encryption group is created for group encryption (group key) 
  • You can export and import keys to make them available to other Clients (common key) or to decrypt files using EgoSecure Home Data Protection (individual keys). For details, see: Exporting a key

Master key for data recovery

To restore encrypted data that can no longer be decrypted by the user, create a master key. You save the master key as an encrypted file in a secure location or save it in the database with password protection. For details, see: Creating a master key

Defining key length and encryption algorithm
  • In the Encryption key length area, select length in bits. The key length applies to
    • the encryption key that is provided to the Agent
    • and
    • the exchange key used to encrypt the encryption key. The exchange key is used to secure the key transfer between Server and Agent.
  • In the Encryption method area, select:
    • Triple DES
    • AES 256 (recommended)
    • AES 256 (OAEP, SHA265) (from Agent version 12.2.892.0)
    • GOST (for details, see: GOST)

clipboard_e80f2c036237a18ba06e5d71f52372251.png

Using GOST encryption algorithm

Make sure that no RSA key is available. Otherwise, the GOST method cannot be selected.

  • To use the GOST method, install CryptoPro CSP (supported versions: 4.0 and higher) on computers with:
    • EgoSecure Agent
    • ​EgoSecure Server
    • EgoSecure Console, to generate a master key (if Server and Console are NOT on one computer).
    • Computers where CryptionMobile.exe is used.
  • To switch between GOST 512 & GOST 1024 & RSA (AES, OAEP, 3DES) methods, regenerate all encryption keys in the Key management section.
Showing existing keys
  • Go to Product settings | Encryption | Key management.
  • In the List of keys area, select which keys to show.

clipboard_edecf0a8deda58f965d9feabc96a7ae07.png

  • The User column shows the user/computer (individual key), the name of the encryption group (group key) and the entry <All> for all directory service objects.
  • In the Status column, the entry Valid for active keys and Archive keys for archived keys are shown.
Generate new keys and archive old ones
  • To make old keys available only for a limited time (to decrypt data that has already been encrypted), enable the Set expiration period for <key type> checkbox and specify how many days archived keys can be used.
  • If you do not set a validity period, archived keys will always remain valid.
  • To manually generate a new key, click Generate new key on the toolbar and select an entry.
  • A message informing you of the validity period of archived keys appears.
  • Click Yes to confirm the message.

clipboard_e4565411f93cb4e9d8e5dfa9306af0d8e.png

  • To automatically generate new keys, enable the checkbox of the key type under Automatic key management and specify in how many days to generate the keys.
  • The new keys are generated immediately/at the selected time and existing ones are archived.
  • Encryption is performed with the new keys after generating the new ones. The new keys appear in the list.
Creating a master key
  • Under Product settings | Encryption | Key management, click Create master key on the toolbar.
  • The Create master key dialog appears.
  • Create the key:
    • To store the key in an encrypted file, select Generate a random key automatically.
    • To store the key password-protected in the database, select Generate a key using a password and enter a password.
    • If you use GOST as the encryption method, provide both a location and password for the master key.
    • To use a master certificate as a master key, click Select a master certificate:
    • Click Select.
    • The Windows Security dialog appears.
    • Select a certificate from the list.
      • The certificate must be previously imported to the local computer store of the computer where the EgoSecure Console is installed.
      • The certificate must be suitable for encryption: the Key Usage field of the certificate details must contain the Key Encipherment and/or Data Encipherment value.
    • Click OK
  • Confirm the dialog window with OK.
  • Click OK to confirm the dialog about the successful generation of the master key.
  • Files encrypted now or later on the Client can be decrypted using the master key. For details, see: Decrypting files with a master key

Using master certificate with Agents lower than 15.3 To use a master key based on a master certificate, EgoSecure Agents must be of the version 15.3 and higher.

Mobile encryption settings

If users have rights for mobile encryption on external or optical storage media or in clouds, they can access these files with password outside the EgoSecure network via the mobile application CryptionMobile.exe. The Cryption Mobile application is automatically copied to the corresponding location. Instead of a password, a PKI smart card can also be used for mobile encryption. For details, see: Using PKI smart card instead of password Under Product settings | Encryption | Mobile encryption, define the settings for the mobile encryption:

Password security guidelines

Specify guidelines to apply to the user when assigning a password for a mobile key. These guidelines are displayed on the Agent when user defines a password for a mobile key.

When closing Cryption Mobile

  • Search for unencrypted files and warn
    • Files decrypted during current CM session: The Cryption Mobile application warns a user that files decrypted during the session are not encrypted.
    • Current directory: Searches for unencrypted files in the directory that is currently opened in Cryption Mobile.
    • All unencrypted files: Search for unencrypted files in all device directories.
  • Remove temporary decrypted files and files that were decrypted onto hard disk
    • With confirmation: User confirms a removal.
    • Secure data delete: No confirmation from a user for a removal is required.

Decryption options

  • Decrypt file directly: Decrypts the file in its current location.
  • Decrypt file as a copy at the same media: Decrypts the file as a copy in its current location.
  • Decrypt file as a copy to the other media: Decrypts the file to another location.

Opening options

Defining a location for saving files when opening them in Cryption Mobile.exe.

Other settings

  • Copy CryptionMobile.exe to external media only after user writes or modifies data there: If the option is enabled, CryptionMobile.exe is written to external storage* once the file copying or modifying finishes. If the option is disabled, the copying of CryptionMobile.exe to external storage* starts immediately. *External storage here is external devices like flash cards, hard drives (if Control hard disks like external media option is enabled) and cloud storage in case of Cloud Storage Encryption.
  • Use timeouts to protect against password brute force attacks: Prevents a password of a mobile key from being cracked by a brute force attack.
  • Show download button for Encryption Anywhere App: In the Encryption | External storage and Cloud storage: On the EgoSecure Agent, displays a button with the download link for iOS and Android encryption applications.
  • Allow Permanent Encryption: Permits or forbids the usage of permanent encryption in the CryptionMobile.exe. Once the option state changes, the current CryptionMobile.exe file is replaced with a new set of permissions.

Additional protection for encrypted data

You can additionally protect encrypted data on computers without activated encryption modules. The optional protection includes the activation of the read-only and hidden attributes for encrypted files. On computers with activated encryption products, the data remains visible and editable.

clipboard_e9dc8f1e88bd1515e3094f4f9fc3d5a2a.png

Enabling additional protection

  • Navigate to Product settings | Encryption | Encryption options.
  • In the Optional protection of encrypted files area, enable the check box.
  • Click Save.

Monitoring and controlling access

You can allow the user to monitor and control access to encrypted folders. The control of the access applies to folders that have been encrypted with Local Folder Encryption, Cloud Storage Encryption or Network Share Encryption.

Enabling notifications for users about external access to encrypted folders (NSE, CSE, LFE)

  • Go to Product settings | Encryption | Encryption options.
  • In the Access information area, check the box.
  • Click Save.
  • From now on, users can receive notifications when encrypted folders are accessed. They can allow or deny access. For details about access monitoring on the user side, see the EgoSecure Agent – User guide.

clipboard_e89fef6e5e207eac92255590c527cb4e7.png

Other encryption options

Creating an encryption group

Group encryption is used to make encrypted data accessible only to a certain group of people. Create groups and assign users and/or computers to them. A user can also be a member of several encryption groups. To use group encryption, the Group encryption encryption type must be assigned to the user.

  • Go to Product settings | Encryption | Groups management.
  • Click Add.
  • The Create group dialog appears.
  • Specify a group name and click OK to confirm.
  • The new group appears under Encryption groups.
  • To arrange the groups hierarchically, move the group to another level using drag & drop. The users of a group can use the group encryption of all subordinate groups.

clipboard_eab71d101e9149a440cd3a71b9bd08a57.png 

  • In the Group members - <group name> area, click Add.
  • The Users/computers selection dialog appears.
  • Double-click the user/computer in the directory service structure and click OK to confirm.
  • The dialog closes and the selected directory service objects appear under Group members - <group name> area.
  • Click Save.
  • Added users can use the key of the group (and subordinate groups) as long as the respective encryption product is activated for the user.
  • Added computers can use the key of the group (and subordinate groups) as long as the respective encryption product is activated for the computer.

Allowing/blocking encryption device-specifically

By default, encryption is allowed on all devices. You can prevent encryption on certain devices. To prevent, scan EgoSecure Agents for devices or search for devices in the database.

Searching a database for devices. To see a device list of all Clients from the database, enable the Accept data for devices DB option in the AdminTool.

Permanent Encryption and Devices list for encryption. The device list for encryption doesn’t apply for Permanent Encryption, because Permanent Encryption works independently of devices.

  • Go to Permitted devices | Encryption | Devices list for encryption.
  • Select a mode:
    • Black list: Encryption is not allowed on listed devices.
    • White list: Encryption is allowed only on listed devices.
  • To scan a Client for a device,
    • In the List of EgoSecure agents area on the left, select the client computer. To multi-select, hold-down Ctrl and click.
    • Click Scan computer on the toolbar of the Devices list for encryption area.

clipboard_e47e0073dc228943edadfdfb37d46f6c3.png

  • The Add new device – Scan computer dialog appears. The currently connected devices are listed. Devices marked in bold are already in the device list.
  • To also display devices that were previously connected to the computer but are currently not available, disable the Show only available devices checkbox.
  • To search for a device list in the database,
    • Click Scan computer on the toolbar of the Devices list for encryption area.
    • The Add new device – Devices database dialog appears. The currently connected devices are listed. Devices marked in bold are already in the device list.
    • In the Computer drop-down, select computers or select <All> to see all devices of all computers of a directory service.
  • Select a device. To select multiple devices, hold down the Ctrl key and select.
  • Specify criteria for the device identification (default: Hardware ID + Serial number). For details, see: Criteria

clipboard_eca5ab6540b68a728cb3e56f76f1d4566.png

  • Click Add.
  • The Add new device dialog closes. The device with an enabled check box appears in the list. Once you click Save, the settings apply to the devices with enabled check box.
  • Click Save.
  • The permissions or restrictions apply to activated devices.

Decrypting files with a master key

To decrypt user files, the master key must exist at the time of encryption. This key must be available for decryption. Decryption process depends on the encryption method you use (AES/DES or GOST). For details, see: Creating a master key

Decrypting data with a master key (AES/DES)

  • Navigate to Product settings | Encryption | Files recovery.
  • Select the master key that you created before encryption:
    • If you saved the master key to a file, click Browse and select the corresponding file with the ending .cpk.
    • If you saved the master key to the database, enter the password and select the key length of the master key (defined under Product settings | Encryption | Encryption options | Encryption key length).
  • In the Decrypt files area, drag a file into the blank area or click Add to select a file.
  • The file appears in the list. In the Status column the encryption status displays as Encrypted.
  • Click Decrypt.

clipboard_e79ca93d584205a62073a1ed327ea5491.png

  • If the master key matches, the status changes to Successfully decrypted and the file is decrypted in the location where it is currently stored. When decrypting permanently encrypted files, both files (encrypted and decrypted) remain in the original location.

Decrypting data with a master key (GOST)

  • Click on Browse and select the appropriate master key for decryption.
  • In the Decrypt files section, drag a file into the blank area or click Add to select a file.
  • Click Decrypt.
  • The Enter master key password dialog appears.
  • Enter the password and click OK.
  • If the entered password matches, the status changes to Successfully decrypted and the file is decrypted in the location where it is currently stored.

Protecting access via two-factor authentication

Two-factor authentication allows access to encrypted data of an encryption module once the user authenticates with a certificate (e.g. with a Windows certificate store or smart card). Two-factor authentication is compatible with the following encryption modules: Removable Device Encryption (except the encryption of processes under User management | Encryption | Processes), Cloud Storage Encryption, Local Folder Encryption, Network Share Encryption and Permanent Encryption. Authentication is required every time the user wants to access the certain location. It is valid until the current session on the Agent ends (e.g.: by logging out of Windows or by restarting). This also applies if the certificate is deleted beforehand or the smart card is ejected.

Enabling two-factor authentication

  • Install a certificate for two-factor authentication on the computer with the EgoSecure Server (start the certificate file and follow the instructions).
  • Provide the certificate to the user: via a smart card/chip card or via the installation on the client computer.
  • Under User management | Encryption, select a user.
  • In the Settings tab, click Select in the Authentication certificate area.

clipboard_e92370b7ba8caaa324494d0c4a380bd57.png

  • Select the installed certificate and click OK.
  • Enable the two-factor authentication: Under User management/Computer management | Encryption, enable the Use two-factor authentication check box in the corresponding tab (External storage, CD/DVD, Cloud storage, Local Folder, Network Share or Permanent).
  • Click Save.
  • The two-factor authentication is configured. As soon as the user wants to access encrypted data, authentication starts and a user message appears.

Protecting mobile encrypted data via PKI smart card instead of password

You can restrict the authentication for mobile encryption. This means that authentication via a PKI smart card is required for all encryption modules and globally for all users when using mobile encryption. It is also no longer possible to enter a password to access mobile data.

  • Navigate to Product settings | Encryption | Encryption options.
  • Enable the Use PKI smart cards for mobile encryption check box in the PKI authentication area.
  • The PKI authentication is enabled. Users can not use passwords for the mobile encryption more. Only authentication via PKI smart card is permitted. Files previously encrypted with one of the mobile passwords can still be opened.

Allowing direct access to encrypted data to applications

If an application wants to access encrypted data via a user session, but no encryption module is activated for the user, EgoSecure blocks access to this data. You can define applications for which access to encrypted data is always permitted.

Allowing raw access to applications

  • Go to Product settings | Encryption | Application-dependent settings.
  • Click Add.
  • A new entry appears in the list.
  • Specify an application.
  • Click Save.
  • The application now has access to encrypted data regardless of the active user session.

Importing and Exporting a key

  • You can export a common key to
    • make backup
    • make the key available in other tenants

Exporting a common key

  • Navigate to Product settings | Encryption | Key management.
  • Click Export common key on the toolbar.
  • The Save As dialog appears.
  • Enter a file name and location.
  • Click Save.
  • The key is saved in the protected .cpk format.

Importing a common key

  • Navigate to Product settings | Encryption | Key management and click Import common key on the toolbar.
  • Select an option from the drop-down menu:
  • Replace common key: Replaces the existing key with the imported key. The existing key is archived and is still valid unless you set a period of validity for common keys.
  • Import additional common key: Imports and archives the new key. It is valid till you set a period of validity for common keys.
  • The Open dialog appears.
  • Select a previously exported common key and click Open.
  • The key appears in the list of archived keys. Data encrypted with this key can now be decrypted by all directory service objects that use common encryption.

Exporting an individual key 

Every user who has individual keys, can export it via EgoSecure Agent. For example, data can be decrypted and edited at home using EgoSecure Home Data Protection.

clipboard_e8ae2ffc9205d7e89b562ed2fd5833bd8.png

Guest encryption for external usage of EgoSecure products

It is not possible to run the Cryption Mobile mobile app on computers with the installed EgoSecure Agent. Visitors from other companies who also use EgoSecure encryption products will then not be able to access the encrypted data on their storage media or in clouds. With Guest encryption, you allow visitors to decrypt their encrypted data in Windows Explorer using the mobile password.

To enable Guest encryption, perform the following: 

  • Go to Product settings | Encryption | Encryption options.
  • Enable the check box in the Guest encryption area.
  • Click Save.
  •  The guest can now decrypt encrypted data with the password.

clipboard_eb8645d6a56bbf7265a73cebeba263e52.png

Defining shortcuts to switch between encryption types

A keyboard shortcut enables users to deactivate the encryption type for external storage media or switch from Unencrypted to the first available type next to None (the priority is the following: Common encryption, Group encryption, Individual encryption).

Defining shortcut for changing the encryption type

  • Go to Administration | Clients | Fast access settings.
  • Enable the Use shortcuts to change encryption type check box.
  • Select a key combination from the drop-down menus.
  • To emit a signal on the Client when changing, enable the Use audio signal when encryption type changed check box.
  • Click Save.

Removable Device Encryption (RDE)

Removable Device Encryption encrypts data on the following devices:

  • External storage
  • CDs/DVDs
  • Hard disks if they are controlled like external media. For details, see: Disks control in the Client settings

RDE automatically encrypts files on the device as well as files that are copied to or created on the device. If EgoSecure Agent has a valid key, the file is automatically decrypted on accessing it. If a valid key is not available, the access is blocked. RDE can be activated for users and computers. When the product is activated for users and computers at the same time, computer settings have a priority. If RDE is activated for the user, the files can be automatically encrypted if they are created, opened or edited with certain processes. For details, see: Process encryption

Enabling and customizing Removable Device Encryption for user/computer

  • Check whether all necessary settings for encryption have been made. For details, see: Applying general encryption settings
  • To encrypt on CD/DVD disks:
    • Enable the Allow CD/DVD encryption check box under Product settings | Encryption | Encryption options.
    • Make sure that escdflt.sys driver was installed on the Agent computer during the Agent installation (the Install kernel driver for CD/DVD control option).
  • If no driver is installed, generate the MSI package with the enabled option “Install kernel driver for CD/DVD control” under Installation | EgoSecure agents | Create MSI package and update the Agent.
  • Under User management/Computer management, activate Removable Device Encryption for a directory object. For details, see: Activating products
  • Under Encryption | External storage and/or CD/DVD, enable the Activate individual settings option to deactivate inheritance and change the settings.
  • The previously inherited encryption types remain enabled. Uncheck them, if necessary.  
  • Select encryption types to make them available for a directory object.
  • If more than one encryption type is available, a user can select an encryption type for a storage medium with manual encryption and an encryption type for automatic encryption.

clipboard_e1c54398024d060319331a4e9cf4f3ff2.png

  • If you enabled Mobile encryption, enable the following options, if necessary:
    • Activate automatically, to automatically activate the mobile encryption on the Agent.
    • Always active, to activate and deactivate the mobile encryption on the Agent automatically.
    • Remind to select password, show a popup for a user so that he can select a current mobile key.
  • Click Save.
  • The user can now encrypt on external storage media according to the defined permissions and settings. A description of the procedure can be found in the EgoSecure Agent – User guide.

Encryption via processes

RDE activated on users can encrypt all files opened, edited and created with a certain process.

Adding processes

  • Under Encryption | Processes, click Add.
  • A new entry appears in the table.

clipboard_e7dff389713312e2197babcbd0071b790.png

  • In the Process name column, enter the file name of the application.
  • Right-click the entry in the Encryption column and select an encryption type (if more than one is enabled in the External storage tab).
  • Enable the check box in the System column to enable encryption when the application is launched by a system.
  • To enable encryption when the application is launched from a user account of a Windows user group Backup Operators, enable the check box in the Backup Operators column.
  • Click Save.

Settings for unencrypted file transfer

You can allow the user to save data to external storage unencrypted (Without encryption encryption type). In the settings, define whether a user sees a security message about the related risk or whether the system automatically switches to a different encryption type after a certain period of time. If the Without encryption encryption type is not allowed for a user/computer, you can temporary allow unencrypted file transfer.

Applicable only for Removable Device Encryption The setting only applies to Removable Device Encryption. For details, see: Removable Device Encryption

Showing message and returning encryption back 

The Without encryption encryption type must be enabled under Product settings | Encryption | Encryption options | Available encryption types and then under User management/Computer management | Encryption for a certain user/computer.

  • Go to Product settings | Encryption | Encryption options.
  • To show a warning to the user when he selects the Without encryption type, enable the Security warning check box. You can edit the warning message text. For details, see: Customizing user messages

clipboard_e802c786a481307c7fe93dcb3ad2f57ee.png

  • Once a user selects the None encryption type, the following message appears:

clipboard_e7820a2cfc5ce3882e5e6e6ca5e2e61c7.png

  • To turn back to the default encryption type when the user selects the None encryption type, enable the Turn back to the checkbox and select an encryption type from the drop-down menu. Specify in how many seconds after finishing the file copying, the encryption type turns back.
  • When relogging to the system, service restart or on computer restart, the turning back to the defined encryption type occurs.
  • The user gets a message when the encryption type turns back.

clipboard_e4d27e8e1f18791ed7aaca2a22feb532a.png

  • Click Save.

Temporary allowing unencrypted file transfer

Enable the Without encryption encryption type under Product settings | Encryption | Encryption options.

  • Under User management/Computer management | Encryption, select a user/computer.
  • Navigate to External storage or CD/DVD tab in the lower area.
  • If the Without encryption encryption type is disabled for the default user/computer and no individual settings are available for the user/computer, the Allow temporary... button is available.
  • Enable the Activate individual settings option and disable the Without encryption check box.
  • The Allow temporary... button appears near the Without encryption encryption type.

clipboard_ecd5edc3b8da5ee4f07ccaae173bdb1a7.png

  • Click the Allow temporary... button and enter a time period in the dialog window.
  • Click OK to confirm.
  • The defined period of time and the Cancel button appear next to the Without encryption encryption type:

clipboard_e231279ab40f303c2bae28f539162c34d.png

Local Folder Encryption (LFE)

Local Folder Encryption automatically encrypts all files in a local folder as well as files copied to or created in the folder. To encrypt, the user activates encryption for a folder once. If EgoSecure Agent has access to a valid key, an encrypted file is automatically decrypted when the user accesses it. If no valid key is available, all accesses to it are blocked. Local Folder Encryption can be activated only for a user. Pay attention to the list of folders excluded from encryption.

Enabling and customizing folder encryption for user

  • Check whether all necessary settings for encryption have been made. For details, see: Applying general encryption settings
  • Under User management, activate the Local Folder Encryption product for a user. For details, see Activating products
  • To deactivate inheritance and change the settings, enable the Activate individual settings check box under Encryption | Local folder.
  • The previously inherited encryption types remain enabled. Uncheck them, if necessary.
  • Select the encryption types to make them available for the user.
  • If more than one type is available, the user can select between them.
  • Click Save.
  • The user can now use folder encryption. A description of the procedure can be found in the EgoSecure Agent – User guide.

Enforcing automatic encryption of user folders

  • Select a user.
  • Click Add under User management | Encryption | Local Folder.
  • The dialog for selecting a directory appears.
  • Select a directory and click OK to confirm.
  • The dialog closes and the directory appears in the list.
  • Right-click the entry and select Encryption | <encryption type> from the context menu. In the Folder encryption settings area, you can select the permitted encryption types.

clipboard_ed22bd27478280cf8e51d94531c111ac9.png

  • Enable the Activate individual settings check box to disable the inheritance of folders from groups and default rights.
  • Only individually added folders remain in the list.
  • Click Save.
  • The folders from the list will be automatically encrypted on a computer (as soon as the corresponding EgoSecure Agent is online). The user can decrypt the folder if the Disallow user to encrypt folder himself option is disabled.

Viewing the list of encrypted folders

  • To display a list of all encrypted user folders, click on User management | Encryption | Encrypted folders.

Local folders excluded from Local Folder Encryption

  • Program Files with subfolders
  • Program Files (x86) with subfolders
  • Users (Documents and Settings)
  • Program Data (Application Data) with subfolders
  • Windows with subfolders
  • AppData 
  • Folder with user profile
  • Folders with the system attribute
  • Folders that contain subfolders considered as exclusions.
  • The Users folder can not be encrypted, because it contains system elements. But other subfolders with personal data (e.g.: Desktop, Favorites, My Documents, My Video) can be encrypted.

Cloud Storage Encryption (CSE)

Cloud Storage Encryption automatically encrypts files and folders in cloud storage once the encryption is enabled. If files are copied from other computers without EgoSecure Agent or directly from the browser into the cloud, the files have to be encrypted manually. If EgoSecure Agent has access to a valid key, the files are automatically decrypted when accessed. If no valid key is available, access to encrypted files is blocked. Cloud Storage Encryption can be activated only for a user.

Enabling and customizing Cloud Storage Encryption

  • Check whether all necessary settings for encryption have been made. For details, see: Applying general encryption settings
  • Define the controlled cloud storage types under User management | Settings | Cloud storage.
  • Activate Cloud Storage Encryption for a user. For details, see: Activating products
  • To disable inheritance and change settings, enable the Activate individual settings check box under Encryption | Cloud storage.
  • The previously inherited encryption types remain enabled. Uncheck them, if necessary.
  • Select the encryption types to make them available for the user.
  • If more than one type is available, the user can select between them.
  • Click Save.
  • The user can now use cloud encryption. A description of the procedure can be found in the EgoSecure Agent – User guide

Avoiding encryption problems with OneDrive. During the initialization, the computer on which the initialization is performed must be restarted. Disable the Save space and download files as you use them option.

Network Share Encryption (NSE)

Network Share Encryption automatically encrypts all files existing in an encrypted network share as well as files copied, created and edited there. NSE is used on network computers that do not have EgoSecure Agent but have shared network folders. If an authorized user with a valid key copies an encrypted file from a network folder, the file is automatically decrypted. Network Share Encryption can be activated only for a user.

Avoiding decryption problems when NTFS compression is enabled. The NTFS file system has a built-in compression feature known as NTFS compression. The use of this compression will hinder the Agent to encrypt any compressed file or folder. If NTFS compression is activated after encryption with EgoSecure, the affected files are no longer decryptable. Remove the NTFS compression to gain access to encrypted files.

Setting up Network Share Encryption

Network Share Encryption is set up for Agents with the activated Network Share Encryption and optionally for Agents where Network Share Encryption is NOT activated, but continues to check the encryption status of network share files.

Activating and setting up Network Share Encryption

  • Check whether all necessary settings for encryption have been enabled. For details, see: Applying general encryption settings
  • Under Administration | Clients | Client settings, enable the Allow network shares control option; enable the Allow thin client storage control option if you want to additionally allow users to encrypt on thin client storage via the context menu. 
  • Click Save.
  • Under User management, activate the Network Share Encryption product for a user.
  • A warning message about the use of Windows offline files in connection with encrypted network folders appears.

Possible data loss when using Windows offline files at the same time. As offline files are stored in the local Windows cache, it is not possible to decrypt files that are available offline from encrypted network folders. If Windows offline files are still used in connection with Network Share Encryption, this can lead to data loss. Enable the Disable Windows offline files option under User management | Encryption | Network share or disable the usage of offline files directly on the Clients.

  • Click OK to confirm the dialog.
  • Under Encryption | Network Share, enable the Activate individual settings check box to disable the inheritance of settings from groups or the default user.
  • The previously inherited encryption types remain enabled. Uncheck them, if necessary.
  • Select the encryption types available for the user.
  • Enable the Disallow user to encrypt network shares himself check box to forbid a user to encrypt network share folders via the context menu.
  • Enable the Hide encryption interface on Agent check box to hide the encryption progress dialog on the Agent side when an encryption is enforced by the administrator.
  • Click Save.

Setting up Network Share Encryption (NSE) on Agents without activated NSE

Even if Network Share Encryption is deactivated, the Agent continues to check the encryption status of network share files and shows popups if access to encrypted files is denied. Not only the user, but also processes might want to access encrypted files, which results in many popups. In such a case you can disable the encryption state check on Agents with deactivated NSE. As a result, users can access encrypted files, but the file itself remains encrypted (when opening the file the so-called “garbage” is displayed). 

  • Navigate to Product settings | Encryption | Encryption options.
  • In the Access to network share files area, enable the Allow raw access to encrypted network share files option.
  • Click Save.

Enforcing automatic encryption of network folders

Once Network Share Encryption is activated and set up, you can add network share folders for encryption. Network share folders can be:

  • Added for a default user or individually for each user.
  • Managed centrally with an automatic encryption of newly added unencrypted files (unencrypted files appear in an encrypted network share folder if they are copied there from a computer without Network Share Encryption).

No Agent on computer and granted write access. There must be no Agent on a computer with a network share. Write access to a folder where encryption will be performed must be granted to a user.

Enforcing automatic encryption of network folders – individually managed 

  • Select a user.
  • Under User management | Encryption | Network Share, click Add on the toolbar.
  • Select a directory in the dialog window and click OK to confirm. Defining the path to mapped network shares and virtual drives is not recommended. It may lead to system conflicts when the same network share folder is added for encryption twice.
  • The path to a directory appears in the list.
  • In the Encryption column, click on an encryption type to select another one.
  • Enable the Activate individual settings check box to disable inheritance from groups and default rights.
  • Only individually added folders remain in the list. 
  • Click Save.
  • Once the changes are transferred to a user, the specified folders are encrypted. The specified encryption rule is also displayed under Product settings | Encryption | Network share, where all network share folders for encryption (within one tenant) are displayed.
  • On the Agent side: Once the encryption starts, the EgoSecure Encryption by Matrix42 progress dialog appears if the Hide encryption interface on Agent check box is disabled for a user under User management | Encryption | Network share.
  • The network share folders encrypted by the administrator from Console can not be decrypted by a user.

Folders already encrypted with an individual key. If admin wants to decrypt or reencrypt a folder that has been encrypted with an individual key, this occurs only after a user confirmation in the popup.

Enforcing automatic encryption of network folders – centrally managed 

  • Go to Product settings | Encryption | Network share.
  • In this location, all the encryption rules defined for network share folders within the current tenant are displayed.
  • Click Add on the toolbar.
  • The Specify a directory dialog appears.
  • Specify a directory and click OK to confirm. Defining the path to mapped network shares and virtual drives is not recommended. It may lead to system conflicts when the same network share folder is added for encryption twice.
  • The path to a directory appears in the list.
  • In the Encryption column, click on an encryption type to select another one.
  • In the User that encrypts column, click the entry to select a user or a group for using their key for encryption. <Any user> value is displayed when no user or group has been selected for encryption or when an encryption entry has been created for a default user. The value means that any first available user with activated Network Share Encryption and disabled Activate individual settings check box (activated inheritance) is permitted to encrypt the folder.
  • Make sure that for the selected user or group the selected encryption type is enabled under User management | Encryption | Network share.
  • In the Agent that encrypts column, click the entry to select a computer or a group that encrypts a folder. <Any computer> value means that any available computer will encrypt. The value is displayed when no computer or group has been selected for encryption or when an encryption entry was created for a default user.
  • In the Rescan column, set the check box for the entry to scan an encrypted folder for unencrypted files according to a scheduler and defined rules.
  • Click Save.
  • The added network share folder is additionally displayed for each defined user (if  <Any user> is defined: for all users with enabled inheritance) under User management | Encryption | Network share.
  • Once the defined Agent (or first of the defined Agents) is online, the encryption starts and the encryption status changes in the Status column.
  • On the Agent side: Once the encryption starts, the EgoSecure Encryption by Matrix42 progress dialog appears if the Hide encryption interface on Agent check box is disabled for a user under User management | Encryption | Network share.
  • The network share folders encrypted by the administrator from Console can not be decrypted by a user.

Control only listed folders

  • Under Product settings | Encryption | Network share, set the Control only listed folders check box.
  • Unless it’s been disabled, a warning will appear stating that unencrypted folders can be damaged or changed. If you wish to continue, select ok.
  • Click Save.
  • This option is for a whitelist, so, when selected, only the folders listed will be encrypted.

Setting up a scheduler for folder rescan

  • Under Product settings | Encryption | Network share, set the Scan encrypted network folders for encrypted files check box to enable a scheduler.
  • Select the week days when a scan starts.
  • Set the time when the scan starts on each selected week day.
  • Select a behavior type if new key is generated under Product settings | Encryption | Key management:
    • Encrypt unencrypted files with previous key. If unencrypted files have been detected during a scheduled scan, the option automatically encrypts the unencrypted files with a previous (archived) key.
    • Reencrypt the whole folder with new key. If during a scan a new key has been detected, the option automatically reencrypts all files (that are encrypted with a previous key) with a new key.
  • Click Save.
  • The defined scheduler rules are valid only for the encryption entries with the enabled checkbox in the Rescan column.

Viewing the list of encrypted folders

  • To display a list of all encrypted user folders, click on User management | Encryption | Encrypted folders.

Permanent Encryption (PE)

Permanently encrypted files remain encrypted when accessed or sent. Decryption can only be initiated manually and with existing key(s). Once a file/folder is encrypted, the file extension is extended with the .espe ending and the folder is transformed to a zipped .espe file. Permanent Encryption can also be performed on files that have already been encrypted with Removable Device Encryption or Cloud Storage Encryption. Permanent Encryption can be activated only for a user.

Enabling and configuring Permanent Encryption for a user

  • Check whether all necessary settings for encryption have been made. For details, see: Applying general encryption settings
  • Activate the Permanent Encryption product for a user. For details, see: Activating products
  • To disable inheritance and change settings, enable the Activate individual settings check box under Encryption | Permanent.
  • The previously inherited encryption types remain enabled. Uncheck them, if necessary.
  • Select the encryption types available for the user.
  • If more than one type is available, the user can select between them.
  • Select which options are available for the user in the context menu: only permanent encryption or only permanent decryption or both.
  • Click Save.
  • Now the user can encrypt/decrypt files within the permitted encryption types. A description of the procedure can be found in the EgoSecure Agent – User guide

Setting up Permanent Encryption

  • Go to User management | Encryption | Permanent.
  • Select a directory object in the User management area.
  • Enable the Delete source file after encryption option to delete an original unencrypted file after encryption and leave only a new encrypted .espe file. If the option is disabled, both an original unencrypted file and an encrypted .espe file are left.
  • Enable the Delete ESPE file after decryption option to delete an encrypted .espe file and leave an original unencrypted file instead. If the option is disabled, both an original unencrypted file and an encrypted .espe file are left.
  • Click Save.
  • Go to Product settings | Encryption | Encryption options.
  • In the Permanent Encryption area, select a Secure Erase method for deleting files securely after encryption and/or decryption. Select Non-secure method to apply no Secure Erase method during file deletion. This option doesn’t depend on the Secure Erase license.
  • Click Save.

Enabling Permanent Encryption with a smart card/certificate

Permanent Encryption with a smart card/certificate encrypts files and folders with the help of an active directory certificate or any certificate suitable for encryption. Administrators on their own generate such certificates in the Active Directory and distribute them to the computers with the EgoSecure Agent. Certificates can be stored in the Active Directory or in the Windows Store. Each certificate has its own key length. That is why the length of the certificate key does NOT depend on the encryption key length defined under Product settings | Encryption | Encryption options.

Not compatible with GOST.  Permanent Encryption with a smart card/certificate is not compatible with the GOST encryption algorithm.

Certificate requirements:

  • For Certificate encryption: The Key Usage field of the certificate details must contain the Key Encipherment and/or Data Encipherment value.
  • For Certificate signing: The Key Usage field of the certificate details must contain the Digital signature value.
  • For Certificate encryption and signing: The Key Usage field of the certificate details must contain the Key Encipherment and/or Data Encipherment value and the Digital signature value.

Permanent Encryption with a smart card/certificate is divided into three options:

  • Certificate encryption (encrypts files with the help of a certificate)
  • Certificate signing (protects file via signing their certificate; the digital signature protects the file from change and spoofing)
  • Certificate encryption and signing (combines the two options above)

To protect a file with both Certificate encryption and Certificate signing, use the Certificate encryption and signing option. If a user first selects the Certificate encryption option and after that selects Certificate signing (or vice versa), these protection options replace each other.

Enabling Permanent Encryption with a smart card/certificate 

  • Go to User management | Encryption | Permanent.
  • Select a directory object in the User management area.
  • Enable the Certificate encryption option.
    • The Certificate encryption option becomes available on the Agent in the context menu.
  • Enable the Digital signature using certificate option.
    • The Certificate signing option becomes available on the Agent in the context menu.
    • The Certificate encryption and signing option becomes available on the Agent in the context menu if steps 3 and 4 are performed.
  • Click Save.
  • Now on the user side, the certificate encryption and signing options become available in the context menu inside the Encrypt permanently group.
  • For details about Permanent Encryption with a smart card/certificate on the user side, see the EgoSecure Agent – User guide

Enabling Post-Quantum Encryption in addition to Permanent Encryption

EgoSecure Post-Quantum Encryption encrypts files with password in such a way so that in the future quantum computers cannot override the security that exists nowadays. This high security level is provided due to the Kyber-1024 encryption method. Once Post-Quantum Encryption is enabled, it becomes available on the Agent side if the Permanent Encryption product is already activated for a user.

Enabling Post-Quantum Encryption

  • Go to Product settings | Encryption | Encryption options.
  • Enable the Allow Post-Quantum Encryption box.
  • Click Save.
  • Now the option becomes available for activation in User management.
  • Go to User management | Encryption | <user selection> | Permanent.
  • Enable the Allow Post-Quantum Encryption check box.
  • Click Save.
  • Now on the user side, Post-Quantum Encryption options become available in the context menu inside the Encrypt permanently group and depend on the state of the Encrypt permanently and Decrypt permanently check boxes.
  • For details about the Post-Quantum Encryption on the user side, see the EgoSecure Agent – User guide

 

  • Was this article helpful?