Sophos Safeguard

Hi - It is best to create a policy to allow decryption and assign this to a group.

Don't make computers a member of this group UNTIL to NEED to decrypt.

It is pointless and not recommended to assign a client/computer an encrypt AND decrypt policy at the same time. 

This old post of mine may help further - community.sophos.com/.../safeguard-enterprise-8-1-decrypt-files-and-uninstall

Hi Micheal,

We have testing this scenario due to below cases happen with our client:

1. Suppose if there one system is encrypted with all drives protection and in feature if the system is crashed then we need to provide the harddisk to other recovery vendor for data recovery purposes.

In recently one system is having two disk like c & d drive.

In that system only c drive is accessible to the client and d drive data is not visible .

Hecne he is asking for the decryption process.

Can you suggest what is the best policy we can create here.

Hi Paresh - I am assuming you're talking about encrypted with BitLocker - Right?

If so - I would supply the recovery company with the recovery key. They "should" know exactly how to mount a drive that's BitLocker enabled - to be honest if they don't....I wouldn't be trusting my business/data to them in the first place!

2nd scenario is our client is having two console SGN 8.0 and 8.2.

Now client wants to migrate the some system which is loaceted in SGN 8.0 to SGN 8.2

FOr migration ,

we need to decrpyt the system then uninstallled client configration then need to installed the new SGN 8.2 configuration with new certificate.

Another case :

Our client is having two console of SGN 8.0 & 8.2 

Now the wants to be moved some client systems from SGN 8.0 to SGN 8.2 

For that we need to Decrypt>>>Uninstalled the Client configuation of SGN8.0>>>Add new SGN8.2 Configuraiont & certificates.

So in that case how we can decrpy for the particular system

No we have 2 system like windows 10 and windows 7 .

Best to create a new post really Paresh - This gets quite confusing with multiple questions and answers in the same thread?

You do NOT need to decrypt in this scenario IF both systems are BitLocker - I've moved many of my clients from one to another.

You could simply update the client. Remove the old configuration, reboot and install the new. Make sure the computer is communicating with the new console. 

If the client has C/R -  I would NOT recommend "moving" it - remove C/R, decrypt and then treat the client as a new one.

If the client is Sophos encrypted - I would also NOT recommend "moving" it - Decrypt and then treat the client as a new one.

Hi Micheal,

Thanks for the input.

Just to update you ,

Here 2 separate servers are built as per location.

Also the configuration packages & certificates are different here,the system is having device & native device encryption licenses here.

Hi Micheal,

Thanks for the input.

Just to update you ,

Here 2 separate servers are built as per location.

Also the configuration packages & certificates are different here,the system is having device & native device encryption licenses here.

Hi paresh palav 

As per your last post, do you want to say that licenses are different in both the safeguard management center?

If the certificate is different, you can import the new certificate to all the clients without decrypting the encrypted data on the clients which have Bitlocker installed. 

Hi Jasmin,

Thanks for the update.

Just to update you,

Here we are built 2 separate sgn servers but only common things are here  features like device encryption, native device encryption.

Is there any chances if we keep the all policy same and just replace the old certificates with the new one.

Hi paresh palav 

My suggestion here is to upgrade the version of Safeguard to 8.2 from 8.0 instead of creating another server with 8.2 as you don't need to replace the certificate as well and policy will be same as previous one.

If you'll create another server, policies will not be exported to the new one.