Encryption
Overview
With encryption, you can encrypt files and folders on the computer and on the network, as well as on external storage media and in cloud storage. Depending on the selected encryption type, the data is encrypted with a particular key. Depending on the encryption types your administrator permits you to use, the necessary keys are listed on the Encryption | Encryption keys tab.
Encryption types
There are five encryption types:
- Common encryption: Commonly encrypted data can be decrypted by all users who are registered on the same EgoSecure Server and have a common key.
- Individual encryption: Individually encrypted data can only be decrypted by the owner of the key.
- Group encryption: Data encrypted with group encryption can be decrypted by all members of an EgoSecure group or a directory service group to which a group key has been provided.
- Mobile encryption: Mobile encrypted data is typically password protected and is used to transport data to external storage or cloud storage. If you have enabled mobile encryption, you can create a mobile key under Encryption | Encryption keys tab. For details, see Using mobile encryption.
- Permanent encryption: Permanent encryption is used on files and folders and adds the .espe file extension. Unlike other encryption types, permanent encryption is preserved when copying or moving the files. For details, see Encrypting files permanently. There is no separate key for permanent encryption; it uses the keys of the other encryption types.
Individual files can be encrypted via permanent encryption, or via mobile encryption on external and optical storage media and in cloud storage. Entire folders can be encrypted only locally or on the network.
Encrypting files
If you encrypt folders locally, both the existing contents and newly added data are always encrypted automatically. For external and optical storage media as well as for cloud storage, you can set how new data must be encrypted, depending on your permissions.
Local/network folders
To automatically encrypt files existing in a folder and files newly added there, enable encryption on a folder.
- Right-click a folder in Windows Explorer or on the network.
- Select Define encryption type | [encryption type] from the context menu.
Depending on the permissions, different encryption types are available. All files in the folder are automatically encrypted with the selected encryption type and key. Files newly added to the folder are automatically encrypted with the same encryption type. Depending on the type of encryption, a green or yellow lock appears on the file or folder after encryption. For details, see Identifying an encryption type via an overlay icon.
All folders encrypted with the Folder encryption product, locally by you or remotely by the administrator, are displayed under Encryption | Encrypted folders.
External storage and cloud
To automatically encrypt files newly added to a storage medium or cloud, select the encryption type for external storage, CD/DVD encryption or cloud storage encryption.
- In the External storage, CD/DVD encryption or Cloud storage tab, select one of the encryption types:
- Common encryption
- Group encryption
- Individual encryption
- To use mobile encryption, enable the Activate mobile encryption check box. For details, see Using mobile encryption.
Newly added files and existing files that you edit and save are automatically encrypted with the selected encryption type. Depending on the type of encryption, a green or yellow lock appears on the file or folder after encryption. For details see: Identifying an encryption type via an overlay icon. If the mobile encryption has been enabled, the CryptionMobile.exe application is automatically copied to the storage medium or to the cloud.
The CryptionMobileCD.exe application (for CD/DVD encryption) performs encryption operations correctly only on the disks of the ISO format. Disks of the UDF format are not supported.
Manual Encryption
- In the External storage, CD/DVD encryption or Cloud storage tab, select the None option.
- Right-click a folder or a file on external storage or in a cloud.
- Select Encrypt | [encryption type].
- Depending on the permissions, different encryption types are available.
The file or folder is automatically encrypted with the selected encryption type and key. Depending on the type of encryption, a green or yellow lock appears on the file or folder after encryption. For details, see Identifying an encryption type via an overlay icon. If mobile encryption has been enabled, the CryptionMobile.exe application is automatically copied to the storage medium or to the cloud. The CryptionMobileCD.exe application (for CD/DVD encryption) is copied only to disks of the ISO format and cannot be copied to disks of the UDF format.
Permanent encryption
Encrypting files permanently
If you encrypt a file or a folder permanently, the encryption is retained even when copying or moving the encrypted .espe file.
- Right-click a file or a folder in Windows Explorer.
- Select Encrypt permanently | [encryption type].
If you encrypt a folder, the Save As dialog appears.
- Select a location where to store a zipped .espe file, and then click Save.
- The file is encrypted permanently and gets the .espe extension; the folder is transformed to a zipped .espe archive.
Encrypting files with Post-Quantum Encryption
- Right-click a file or a folder in the Windows Explorer.
- Select Encrypt permanently | Post-Quantum Encryption with password.
- The dialog for creating a password for the file appears.
- Create a password and confirm it.
- Click OK.
- If you encrypt a folder, the Save As dialog appears.
- Select a location where to store a zipped .espe file, and then click Save.
- A dialog that shows encryption progress appears and encryption starts. Once the encryption finishes successfully, the dialog closes automatically.
- The file is now encrypted with Post-Quantum Encryption and gets the .espe extension; the folder is transformed to a zipped .espe archive.
Encrypting files permanently with a certificate
- Preparation: Make sure you have access to the private key(s) that correspond to the certificate(s).
- Right-click a file or a folder in Windows Explorer.
- Select Encrypt permanently | Certificate encryption from the context menu.
- The EgoSecure Encryption by Matrix42 dialog appears.
- If you previously selected a current encryption certificate, this certificate is now displayed in the right column of the dialog.
- To encrypt with the current encryption certificate, skip ahead to the step Click OK to confirm.
- To encrypt with another certificate(s), select the current certificate in the right column and remove it from the list via clicking .
- Select where a certificate is stored and click Search:
- Active Directory: searches for all permitted certificates in the Active Directory. The certificate must be previously generated in the Active Directory. When searching by e-mail, the search results show not only the certificates that contain the searched e-mail, but also the certificates of the user to which this e-mail belongs.
- Windows Store: searches for all available certificates in the Windows Store. The certificate must be previously imported to the local user store of the computer where the EgoSecure Agent is installed.
Certificate requirements: the Key Usage field of the certificate details must contain the Key Encipherment and/or Data Encipherment value.
- Select a certificate from the list. To select multiple certificates, hold down the Ctrl key while clicking.
- Click .
- Click OK to confirm.
- If you encrypt a folder, the Save As dialog appears.
- Select where to store the encrypted zipped .espe file, define a name for it, and then click Save.
- The encryption starts and the smaller EgoSecure Encryption by Matrix42 dialog appears. Once the encryption finishes successfully, the dialog closes automatically.
The file is encrypted with the help of the selected certificate(s). The .espe file appears instead of or in addition to the original unencrypted file/folder (depends on your permissions).
Protecting files permanently with a smart card
- Preparation: Select a current signing certificate:
- Go to Encryption | Certificates.
- The certificates stored in the Windows Store are displayed.
- Select a certificate from the list.
- The certificate must be suitable for encryption: the Key Usage field of the certificate details must contain the Digital signature value.
- Click Set as current signing certificate.
- Preparation: Make sure you have access to the private key(s) that correspond to the certificate(s).
- Right-click a file or a folder in the Windows Explorer.
- Select Encrypt permanently | Certificate signing from the context menu.
- The dialog for providing smart card login data appears.
- Provide smart card login data (PIN, password, fingerprint etc.) and confirm the dialog.
- If you encrypt a folder, the Save As dialog appears.
- Select where to store the encrypted zipped .espe file, define a name for it, and then click Save.
- The encryption starts and the EgoSecure Encryption by Matrix42 dialog appears. Once the encryption finishes successfully, the dialog closes automatically.
The file is now protected by a digital signature made with the selected certificate; the signature protects the file against modification and spoofing. The .espe file appears instead of or in addition to the original file/folder (depending on your permissions). The protected file can be opened, but if it is modified, the signature becomes invalid. To check whether the file signature verifies, use the Show encryption state option.
To protect a file with both Certificate encryption and Certificate signing, use the Certificate encryption and signing option. If a user first selects the Certificate encryption option and after that selects Certificate signing (or vice versa), these protection options replace each other.
Encrypting files permanently with a certificate and a smart card
- Preparation: Select a current signing certificate:
- Go to Encryption | Certificates.
- The certificates stored in the Windows Store are displayed.
- Select a certificate from the list.
- The certificate must be suitable for encryption: the Key Usage field of the certificate details must contain the Digital signature value.
- Click Set as current signing certificate.
- Preparation: Make sure you have access to the private key(s) that correspond to the certificate(s).
- Right-click a file or a folder in Windows Explorer.
- Select Encrypt permanently | Certificate encryption and signing from the context menu.
- The EgoSecure Encryption by Matrix42 dialog appears. If you previously selected a current encryption certificate, this certificate is now displayed in the right column of the dialog.
- To encrypt with the current encryption certificate, skip ahead to the step Click OK to confirm.
- To encrypt with another certificate(s), select the current certificate in the right column and remove it from the list via clicking .
- Select where a certificate is stored and click Search:
- Active Directory: searches for all permitted certificates in the Active Directory. The certificate must be previously generated in the Active Directory.
- Windows Store: searches for all available certificates in the Windows Store. The certificate must be previously imported to the local user store of the computer where the EgoSecure Agent is installed or the certificate must be available on the smart card.
Certificate requirements: The Key Usage field of the certificate details must contain the Key Encipherment and/or Data Encipherment value.
- Select a certificate from the list. To select multiple certificates, hold down the Ctrl key while clicking.
- Click .
- Click OK to confirm.
- The dialog for providing smart card login data appears.
- Provide smart card login data (PIN, password, fingerprint etc.) and confirm the dialog.
- If you encrypt a folder, the Save As dialog appears.
- Select where to store the encrypted zipped .espe file, define a name for it, and then click Save.
- The encryption starts and the EgoSecure Encryption by Matrix42 dialog appears. Once the encryption finishes successfully, the dialog closes automatically.
The file is encrypted with the help of the selected certificate(s) and is additionally protected by a digital signature made with the current signing certificate. The .espe file appears instead of or in addition to the original unencrypted file/folder (depending on your permissions).
Selecting a current encryption certificate
- Go to Encryption | Certificates.
- The certificates stored in the Windows Store are displayed.
- Select a certificate from the list.
- Click Set as current encryption certificate.
- Now the selected certificate will always be suggested for encryption. For details, see Encrypting files permanently with a certificate and Encrypting files permanently with a certificate and a smart card.
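The certificate requirements stated in the procedures above (Key Encipherment and/or Data Encipherment for Certificate encryption, Digital signature for the signing certificate, and access to the private key) can be checked before starting the EgoSecure dialog. The following script is an added example, not part of the EgoSecure documentation or product; it inspects the current user's personal store, which is assumed to be the "local user store" the manual refers to.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the EgoSecure documentation). Reports, per certificate in the
# store, whether its Key Usage qualifies it for Certificate encryption (Key Encipherment
# and/or Data Encipherment), for Certificate signing (Digital Signature), whether the
# private key is accessible (the "Preparation" step) and whether it is currently valid.
function Test-EgoSecureCertificateUsage {
    [CmdletBinding()]
    param(
        # Store to inspect; Cert:\CurrentUser\My is assumed to be the "local user store".
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $usageExt = $cert.Extensions |
            Where-Object { $_ -is [X509KeyUsageExtension] } |
            Select-Object -First 1

        # A certificate without a Key Usage extension satisfies neither requirement.
        $usages = if ($null -eq $usageExt) { [X509KeyUsageFlags]::None } else { $usageExt.KeyUsages }

        $forEncryption = $usages.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -or
                         $usages.HasFlag([X509KeyUsageFlags]::DataEncipherment)
        $forSigning    = $usages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
        $now = Get-Date

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            KeyUsage      = $usages.ToString()
            ForEncryption = $forEncryption
            ForSigning    = $forSigning
            HasPrivateKey = $cert.HasPrivateKey   # needed to decrypt or sign later on
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        }
    }
}

# Usage: list only certificates usable for Certificate encryption right now.
Test-EgoSecureCertificateUsage |
    Where-Object { $_.ForEncryption -and $_.HasPrivateKey -and $_.InValidity } |
    Format-Table Subject, KeyUsage, ForSigning, Thumbprint -AutoSize
```

Certificates that appear in the EgoSecure search but are missing from this filtered list typically fail on an expired validity period or an inaccessible private key, which is where decryption later fails.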
Adding Mobile Encryption
- Right-click a file or a folder on an external storage that was commonly or individually encrypted.
- Select Encrypt | Add mobile encryption.
- The mobile encryption is added and the icon of the object changes from yellow to green.
If the Activate mobile encryption option is not enabled and the mobile encryption is added via the context menu, the CryptionMobile.exe application (or CryptionMobileCD.exe – for CD/DVD encryption), used for decrypting and opening files externally, is not copied to the media. It is not possible to add the application manually, because it will be encrypted and no longer usable.
Encrypt data on storage media with one-time password
You can encrypt on external and optical storage devices independently of a mobile key. To encrypt, assign a password directly when encrypting. The password is not saved by the EgoSecure Agent. You can only decrypt the object with the entered password.
- Right-click a file or a folder.
- Select Encrypt | With password.
- A dialog box asking you to enter the password appears.
- Enter a password and click OK to confirm.
- The object is encrypted. You can decrypt it via the context menu and the entered password again.
Using mobile encryption
You can additionally protect data that you encrypt in clouds and on external and optical storage media with a password. If you do not have permission to encrypt data on the fly, the options in the Mobile encryption section of the corresponding tab are greyed out and cannot be activated. Via the CryptionMobile.exe application or the mobile apps for iOS, Android and macOS, you can externally open or decrypt data encrypted with mobile encryption. For details, see Decrypting mobile files externally.
Mobile encryption can also be controlled via a smart card with a certificate. In this case, no password entry is possible or necessary. Contact your administrator to get the appropriate certificate.
Enabling mobile encryption
- In the External storage, CD/DVD encryption or Cloud storage tab, enable the Activate mobile encryption check box. For details, see Encrypting files on external storage and in cloud.
- If you have not yet created a mobile key, the Edit key dialog opens.
- Create a mobile key:
- Select a key owner from the Owner drop-down menu (the Owner drop-down is available only if one encryption product is activated for a user and the other one is activated for a computer; if all encryption products are activated only for a computer (or only for a user), this menu is greyed out and Computer or User is selected automatically):
- Computer. The generated key is valid for a computer (all users of a computer) to encrypt using an encryption product activated for the computer. As soon as an encryption product is deactivated on the computer, the key becomes unavailable. The key is displayed in this Encryption keys tab for all users of the computer where the key is generated.
- User. The generated key is valid for a user to encrypt using an encryption product activated for the user. As soon as an encryption product is deactivated on the user, the key becomes unavailable. The key is displayed in the Encryption keys tab for one user who generated it.
- In the Title field, enter a name for the mobile key. If necessary, select a name that can remind you of the associated password. For details, see Show the password title.
- Define and confirm a password for the mobile key. Depending on the configuration, you must use upper- and lower-case letters, numbers and/or special characters, and the password must have a specific minimum length. The configuration is displayed below the field.
- Click OK to confirm.
- The new mobile key appears in the Current mobile password selection menu and is now used for mobile encryption. You can create any number of additional mobile keys.
Creating a new mobile key
- Under Encryption | Encryption keys, click Create in the toolbar.
- The Edit key dialog appears.
- Select a key owner from the Owner drop-down menu (the Owner drop-down is available only if one encryption product is activated for a user and the other one is activated for a computer; if all encryption products are activated only for a computer (or only for a user), this menu is greyed out and Computer or User is selected automatically):
- Computer. The generated key is valid for a computer (all users of a computer) to encrypt using an encryption product activated for the computer. As soon as an encryption product is deactivated on the computer, the key becomes unavailable. The key is displayed in this Encryption keys tab for all users of the computer where the key is generated.
- User. The generated key is valid for a user to encrypt using an encryption product activated for the user. As soon as an encryption product is deactivated on the user, the key becomes unavailable. The key is displayed in the Encryption keys tab for one user who generated it.
- In the Title field, enter a name for the mobile key. If necessary, select a name that can remind you of the associated password. For details, see Show the password title.
- Define and confirm a password for the mobile key. Depending on the configuration, you must use upper- and lower-case letters, numbers and/or special characters, and the password must have a specific minimum length. The configuration is displayed below the field.
- Click OK to confirm.
- The generated key appears in the list of the keys.
Edit the password of a mobile key
- Under Encryption | Encryption keys, select the mobile key whose password you want to edit.
- Click Edit on the toolbar.
- The Edit key dialog appears.
- Define a password for the mobile key. Depending on the configuration, you must use upper- and lower-case letters, numbers and/or special characters, and the password must have a specific minimum length. The configuration is displayed below the field.
- Click OK to confirm.
- In the Status column, the Password is being modified... entry appears for several seconds.
- The status of the key is now Ready. The password has been updated.
Opening or decrypting encrypted data
Encrypted objects are marked in Windows Explorer with so-called overlay icons. Overlay icons appear on encrypted folders or files in Windows Explorer when EgoSecure Agent or myEgoSecure is on the computer.
Identifying an encryption type via an overlay icon
Icon | Description |
---|---|
 | Encrypted with a common key. The object can be decrypted on any computer that has EgoSecure Agent or myEgoSecure installed and the valid key available. |
 | Encrypted with an individual key. The object can be decrypted on any computer that has EgoSecure Agent or myEgoSecure installed and the valid key available. |
 | Encrypted with a group key. The object can be decrypted on any computer that has EgoSecure Agent or myEgoSecure installed and the valid key available. |
 | Encrypted with a common and a mobile key. The object can be decrypted with the mobile password on the current computer and via password with CryptionMobile.exe (or CryptionMobileCD.exe) on computers without EgoSecure products. |
 | Encrypted with an individual and a mobile key. The object can be decrypted with the mobile password on the current computer and via password with CryptionMobile.exe (or CryptionMobileCD.exe) on computers without EgoSecure products. |
 | Encrypted with a group and a mobile key. The object can be decrypted with the mobile password on the current computer and via password with CryptionMobile.exe (or CryptionMobileCD.exe) on computers without EgoSecure products. |
 | The object was encrypted with a key that is not available on the computer, or a password was used instead of a key to encrypt it. |
 | Encrypted permanently. The object can be decrypted on all computers where the EgoSecure Agent is installed and the valid key is available. |
Due to the Windows configuration, it may happen that overlay icons on folders in Explorer are not displayed.
Showing encryption state
- Right-click a folder.
- The context menu opens. If the Show encryption state option is available, the folder is encrypted.
- Click Show encryption state.
- The encryption state dialog appears. In the Encryption type column, you can see with which encryption type the folder was encrypted.
Opening encrypted files
- Double-click an encrypted file, for which you have the key.
- The file opens in its usual application. You can edit and save the file.
Permanently encrypted files open as read-only. To apply changes to permanently encrypted files, save them in unencrypted original format.
Decrypting files locally
Decrypting encrypted folders
- Right-click an encrypted folder, for which you have the key.
- Select Deactivate encryption.
- The folder is decrypted. Files copied and created there will no longer be automatically encrypted.
Decrypting encrypted folders on external storage
- Right-click an encrypted object (file or folder) for which you have a valid key, or for which the key is located on the storage medium or in the cloud.
- Select Decrypt.
- The object is decrypted.
Decrypting permanently encrypted files
- Right-click a permanently encrypted file with the .espe extension.
- Select Encrypt permanently | Decrypt from the context menu. If you encrypted a file using the Certificate encryption or Certificate encryption and signing option, make sure you have access to the private part of the certificate used for file encryption.
- The decryption starts and the EgoSecure Encryption by Matrix42 dialog appears. Once the decryption finishes successfully, the dialog closes automatically.
- The file is decrypted. The unencrypted file appears in addition to or instead of the .espe file (depends on your permissions).
Permanently encrypted files open as read-only with a double-click. To apply changes to permanently encrypted files, save them in unencrypted original format.
Decrypting permanently encrypted folders
- Right-click a permanently encrypted file with the .zip.espe extension.
- Select Encrypt permanently | Decrypt from the context menu. If you encrypted a file using the Certificate encryption or Certificate encryption and signing option, make sure you have access to the private part of the certificate used for file encryption.
- The Browse For Folder dialog appears.
- Select where to save a decrypted folder.
- Click OK to confirm.
- The decryption starts and the EgoSecure Encryption by Matrix42 dialog appears. Once the decryption finishes successfully, the dialog closes automatically.
- The folder is decrypted and is now stored in the selected location. The encrypted .zip.espe file is either automatically deleted or remains (depends on your permissions).
Permanently encrypted folders (files with .zip.espe extension) are fully decrypted when opening them with the Cryption Informer.
Decrypting files encrypted with Post-Quantum Encryption
- Right-click a Post-Quantum-encrypted file with the .espe extension.
- Select Encrypt permanently | Decrypt Post-Quantum Encryption from the context menu.
- The dialog for entering the password that is used to encrypt this file appears.
- Enter the password.
- Click OK.
- The password dialog closes. A dialog that shows decryption progress appears and decryption starts. Once the decryption finishes successfully, the dialog closes automatically.
- The file is decrypted. The .espe extension disappears.
Post-Quantum-encrypted files open as read-only. To apply changes to Post-Quantum-encrypted files, save them in an unencrypted original format.
Decrypting mobile files externally
Decrypt the files encrypted with mobile encryption:
- On computers without EgoSecure applications: with CryptionMobile.exe or CryptionMobileCD.exe,
- On computers with EgoSecure Agent or myEgoSecure: via attaching or importing the mobile key with the same password,
- On iOS and Android devices: via the EgoSecure Encryption Anywhere app (for iOS and Android), by attaching the mobile key with the same password.
The CryptionMobile.exe (and CryptionMobileCD.exe) application can NOT be started on computers where the EgoSecure Agent or myEgoSecure is installed with any encryption module activated. To open encrypted files via Cryption Mobile on an external computer where an Agent is installed but the matching mobile key does not exist, Guest encryption must be enabled. Contact the EgoSecure Console administrator for this.
Decrypting mobile files on other computers
- Double-click CryptionMobile.exe.
- The dialog for entering a password opens.
- Enter the mobile password, with which the files were encrypted.
- In the Algorithm drop-down, select an encryption algorithm used for file encryption:
- AES 256.
- AES 256 (OAEP, SHA256).
- Triple DES.
- Post-Quantum. Used for files encrypted with EgoSecure Post-Quantum Encryption based on the Kyber-1024 encryption method.
- GOST. Used for files encrypted with the GOST 28147-89 encryption method. This method is displayed in the Key length drop-down list only if the GOST provider is found on your computer.
- Select Default to use the encryption algorithm defined by your administrator. The value defined by the administrator is displayed in the Agent under Encryption | [encryption product].
- In the Key length drop-down, select an encryption key length used for file encryption.
- Select Default to use the key length defined by your administrator. The value defined by the administrator is displayed in the Agent under Encryption | Encryption keys in the Length column for the administrator-owned keys (non-editable ones).
- Click OK.
- Cryption Mobile opens.
- Select the files which you want to decrypt.
- In the toolbar, click one of the following:
- Decrypt, to decrypt the files on the external storage.
- Decrypt to…, to save the decrypted files to another location.
- The file is decrypted and the file status changes.
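The manual warns that a manually copied CryptionMobile.exe ends up encrypted and unusable, and the procedure above starts by double-clicking an executable found on removable media. Before doing so on a computer without EgoSecure products, it is worth confirming that the copy on the medium is an intact, signed executable. The following script is an added example, not part of the EgoSecure documentation or product; the expected publisher name is a placeholder assumption and must be taken from a known-good installation.

```powershell
# Added example (not from the EgoSecure documentation). Finds CryptionMobile.exe and
# CryptionMobileCD.exe on removable and optical drives and checks that each copy is a
# Windows executable with a valid Authenticode signature from the expected publisher,
# rather than an encrypted or altered file that happens to carry the right name.
function Test-CryptionMobileBinary {
    [CmdletBinding()]
    param(
        [string[]]$FileNames = @('CryptionMobile.exe', 'CryptionMobileCD.exe'),
        # PLACEHOLDER assumption: substitute the subject shown on a known-good signature.
        [string]$ExpectedSubjectPattern = '*Matrix42*'
    )

    # Win32_LogicalDisk DriveType 2 = removable media, 5 = CD-ROM / DVD.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
        Where-Object { $_.DeviceID }

    foreach ($drive in $drives) {
        foreach ($name in $FileNames) {
            $path = Join-Path -Path "$($drive.DeviceID)\" -ChildPath $name
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # 1. Is it a PE file at all? An encrypted copy will not start with 'MZ'.
            $header = [byte[]]::new(2)
            $stream = [System.IO.File]::OpenRead($path)
            try { $null = $stream.Read($header, 0, 2) } finally { $stream.Dispose() }
            $isPE = ($header[0] -eq 0x4D -and $header[1] -eq 0x5A)

            # 2. Is the Authenticode signature valid and from the expected publisher?
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -like $ExpectedSubjectPattern)

            [pscustomobject]@{
                Path      = $path
                IsPE      = $isPE
                SigStatus = $sig.Status
                Signer    = $signer
                SafeToRun = ($isPE -and $signatureOk)
            }
        }
    }
}

# Usage: one row per decryptor found; only rows with SafeToRun = True should be started.
Test-CryptionMobileBinary | Format-Table -AutoSize
```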
Decrypting mobile encrypted files in clouds on an iOS or Android device
- Download the EgoSecure Encryption Anywhere (for iOS or for Android). Depending on the configuration, download links can be found in the External storage or Cloud storage tabs via the Android and iOS buttons.
- Open the application.
- Enter the password for the mobile key and the data to access the cloud.
- You can now download and decrypt files from the cloud.
Reminding password name of an encrypted file
If you forgot the password of a file encrypted with a mobile key, you can display the name of that password as a reminder.
- Right-click the encrypted file, for which you forgot a password.
- Select Remind password from the context menu.
- A dialog box showing you the name of the used password appears.
External access to encrypted files
Depending on the configuration, you may receive notifications when another user tries to access your encrypted data. In this case, the Access monitoring tab becomes available under Encryption.
Receiving notifications for third-party access
In the Access monitoring tab, you can specify whether and in what form you want to receive messages about external access and whether third-party access should be audited. Only the access from computers where the Agent is installed is monitored. You can also grant access to certain content once or always. For details, see Showing confirmation messages about data access.
Displaying information messages about data access
- Enable the Notify users about access to files in encrypted folders option.
- Enable the Information radio button.
- An information message appears in case of third-party access.
- Close the message.
- The access to the file remains blocked and the accessing user is informed. The message appears again when accessing the next time.
Showing confirmation messages about data access
- Enable the Notify users about access to files in encrypted folders option.
- Enable the Confirmation radio button.
- The following message appears in case of third-party access. If you close the dialog without selection, the access to files is denied once. The accessing user is informed about it. The message appears again when accessing the next time.
- Decide about the access:
- Next to Allow, select in the drop-down menu whether to permit the unknown user to access the file or the whole folder once or permanently, and click Allow.
- Next to Deny, select in the drop-down menu whether to forbid the unknown user to access the file or the whole folder once or permanently, and click Deny.
- Depending on the selection, the access is granted or denied and the notification dialog closes.
Auditing third-party access
- Enable the Audit access to encrypted files in encrypted folders option.
- After a file access, click Show audit in the Access monitoring tab or click in the notification message to view the log.
- The Encryption – Access monitoring – audit dialog opens. You can filter the log entries by date, access type, file size or file name.