Good afternoon.
How do I go about encrypting at the folder level?
We don't want to encrypt the entire volume and I can't see where in the policies to configure it.
Thanks
Rich
Hi appiRich,
Welcome and thank you for posting your question on the SophosTalk community forum!
Please provide the forum with some details on which product and version you are trying to use.
appiRich wrote:
Hi,
it is Utimaco Safeguard Enterprise
Richard
Thank you Richard,
Unfortunately, SafeGuard Enterprise still doesn't have built-in file & folder encryption as an option. SG PrivateCrypto does encrypt files & folders using either a password/passphrase or the key-ring from SG Enterprise. SG PrivateDisk will also encrypt files & folders but stored within a secured file vault which will appear as an additional drive letter. SG PrivateDisk also works with passwords, the SGN key-ring but also with certificates and smartcards.
Lastly, SG LANcrypt is specifically designed to encrypt files & folders on the network or on the local device with greater user transparency. When reading your original question again, it sounds like you are looking for this solution. For more details on this solution please visit SafeGuard LANcrypt and please contact your technology partner or Sophos regional account executive.
Hello,
Reading your post seems a bit old. Not sure if there is a solution now:
Here is my scenario:
We want to encrypt certain files and folders on users' PCs; mostly they have a C drive. We are using SafeGuard Enterprise, but as I understood it cannot use file-based encryption on a boot volume like the C drive.
How can I achieve this scenario with the current product, SafeGuard Enterprise 6.1?
Our management needs that any files leaving the PC or laptop, like sent via email, copied to USB etc., are automatically encrypted.
SafeGuard Data Exchange can fulfill this task on removable media but that is not enough. We want to encrypt at the level of files and folders on the user's machine. When the user is accessing the file it is automatically decrypted because he has the key, but when sending via email it should stay encrypted.
Can you please guide us if this is possible with SafeGuard Enterprise 6.1, and if not, what other product do you suggest?
Thanks,
Hani,
You can use File Share to encrypt specific folders. File Share encrypts files written to a specific location with a specific key, as specified in a policy. The folder itself doesn't need to be at a remote location: when you specify the path you can use a local drive, including the boot drive. Just make sure you're not encrypting any system or SafeGuard files.
When encrypted files are removed from the location in the policy they remain encrypted until a user with the key specifically asks for them to be decrypted. The files even have a key icon on the thumbnail to tell you the state of the encryption.
In your example, if both the sender of the email and the recipient had File Share installed, they could encrypt the file before sending it and decrypt it once they receive it.
The File Share feature needs to be installed on the device you want encrypted, then a policy needs to be created and tied to the devices you want encrypted.
If you open the management center and click on Policies, right click on Policy items and then click New > File Encryption.
Name the policy to whatever you want and then click on "Path" and enter the paths for the folders you want to encrypt. You can specify as many as you want. You can also exclude certain sub folders by typing the path for the folder and changing the "Mode" to exclude.
Under key, select what key you want to encrypt the data with. This will probably be the most important step as it controls who can access the data. If you just want the logged-on user to encrypt the data you can select "personal Key", or if you want multiple users to access the data you can use a key for a group or OU. All members of the group and OU will have access to that key so can decrypt the data.
Once you're happy with the policy, save it and then go to Users and Computers, select the domain, group or OU you want to apply it to and select the "policy" tab. Drag your newly created policy to the top panel and then drag the OU, group or domain to the bottom screen. Make sure you remove .Authenticated Users and .Authenticated Computers, otherwise the policy will be applied to EVERY computer and user managed by the management center.
We have used it in our organisation and it's been quite successful.
You can find more information on page 169 in this guide: http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_61_h_eng_admin_help.pdf?la=en
Thank you very much for this useful info. File Share is a good feature but it is limited to a personal key or a predefined one.
So if my documents are encrypted with a personal key I cannot change the key before sending it to another party via email; I can only change it while copying it to removable media. So how can the other party open the file?
It may work fine internally only, with the user having SGN and the key in his ring.
We have also a specific scenario that needs to be applied to certain users.
Any file inside the company should stay inside. In other words, if we encrypt the C drive for a user with a group key, we want them to be unable to send attachments in clear text. Any file should be encrypted and only they can open it internally. Example: someone may send confidential files to an external party. He will send it encrypted with a group key so that the other party cannot open it.
It is a complicated scenario and I am working on finding the best solution before implementing it in our organization.
Hello,
I tried this option. OK, all files in My Documents are encrypted with a group key that I defined, but the moment the user drags the file from My Documents to the root C: drive it is decrypted. How can I prevent the file from being decrypted? I want the file to stay encrypted even if it's moved to the C drive.
Also, if I use the personal key, the recipient has the option to import the key by providing a passphrase. I don't have a passphrase for the personal key, so how can it be imported?
Thanks,
Hi Hani,
So bear in mind: while we have set File Share up here, we haven't tried emailing files for it yet, so you might have different experiences.
I have tried dragging and dropping a file to the root of C: and it's decrypting the files for us as well. I presume this must be some sort of fail-safe? Certainly when moving it anywhere else it stays encrypted. Reassuringly you can move files if you don't have the encryption key in your key ring. Otherwise that would be a massive security hole!
I get the feeling File Share was mainly designed for network shares as opposed to any form of information protection enforcement. It's certainly not mentioned in their best practices: https://sophserv.sophos.com/repo_kb/114307/file/114307_sgn_60_bpg_eng_file_share_best_practice.pdf
At some point I need to look at the Sophos Outlook Add-in - I will let you know how I get on. It may be worth having a look yourself: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/outlookplugin.pdf?la=en.pdf
With regards to passphrases for individual keys: you should be able to set them by right-clicking on the SafeGuard icon in the system tray and selecting "Change Media Passphrase."
Hello Simon,
Thank you for your inputs.
I tried the File Share encryption module to protect, let's say, My Documents with a personal key. If I am sending a file via email, it will stay encrypted with this personal key. On the receiving side he cannot decrypt the file because it was encrypted with the personal key. However, if I save the file and right-click on it I have the option to import the key and it asks for a passphrase. I did not set up a passphrase initially, so how can I import that key?
After some testing and more reading I found that importing a key is only possible by using a local key.
So I encrypted the file using a group key so at least the file can be decrypted internally but not if sent to an external party. This is exactly what we are trying to achieve, just for certain groups.
Regarding the Outlook add-on, it will not help as we are using Lotus Domino.
Thanks,