This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to get passphrase of group key in 8.1?

If Files are automatically encrypted with endpoint encryption group key on removable devices, how can I get the key in management console to decrypt files with sophos portable. That's required as this device can never be attached to a computer connected to management console.

 



This thread was automatically locked due to age.
Parents
  • Hi Fred,

    the only keys that have an own passphrase are the so called "local keys".

    So what you could do, is create a local key (e.g. on your own SGN client) and assign this key to a group or OU which contains the users who should have it in their keyring.

    This key can then be defined in your encryption policy and SGPortable can open files encrypted with this key on a non SGN client.

    That´s pretty straightforward and should be understandable for users.

     

    The alternative, is the usage of the Media Passphrase (separate option in the Policy), which can be used to wrap one specific (!!!) group or structure key. This key needs to be defined in the option "Defined key for encryption".  

    See also:   

    https://docs.sophos.com/esg/sgn/8-1/admin/en-us/esg/SafeGuard-Enterprise/concepts/DataExchangeMediaPassphrase.html


    Personally I prefer the local key option...


    Cheers

    F.

Reply
  • Hi Fred,

    the only keys that have an own passphrase are the so called "local keys".

    So what you could do, is create a local key (e.g. on your own SGN client) and assign this key to a group or OU which contains the users who should have it in their keyring.

    This key can then be defined in your encryption policy and SGPortable can open files encrypted with this key on a non SGN client.

    That´s pretty straightforward and should be understandable for users.

     

    The alternative, is the usage of the Media Passphrase (separate option in the Policy), which can be used to wrap one specific (!!!) group or structure key. This key needs to be defined in the option "Defined key for encryption".  

    See also:   

    https://docs.sophos.com/esg/sgn/8-1/admin/en-us/esg/SafeGuard-Enterprise/concepts/DataExchangeMediaPassphrase.html


    Personally I prefer the local key option...


    Cheers

    F.

Children
  • Hi Funkey,

    thanks for replay.

    That's a way how you can define a passphrase once you create a key but not what I want to know.

    However a key is created (server/local) the passphrase is stored in the database. If you create a key on server side (or even it's automatically created) it has a random passphrase ether.

    In order to recover data there must be a way to get the passphrase somehow from the database, in fact thats why keys are being archived to the database - to  use them for recover. 

    I know from other solutions that you may have to make the key invalid (can't use them anymore for encryption) but you get the passphrase to recover data.


    If there isn't a way to recover those data I would immediately stop using SafeGuard!

  • Hi Fred,

    as said the only keys that have a passphrase are local keys (these are the ones users can create on their systems).

    All keys generated automatically (e.g. during the import of the AD structure) or manually in the MC by an SO, do not have a passphrase that can be used in sgportable. 

    However, the recovery process does not require a passphrase, as the access to encrypted files can easily be achieved by assigning the corresponding key to another users keyring.

    An exception that requires an extra step, are so called "personal keys" which need to be demoted first before you can assign them to another user.

    Hope that helps.

    F.