SafeGuard Volume based and File Based Encryption

I'm deploying SafeGuard Enterprise Encryption for a customer. The goal is that all data on the computers' hard disks should always be automatically encrypted and cannot be read if copied outside of the managed SGN client computers.

First I thought about using Volume Based full disk encryption for internal storage (boot and non-boot volumes). I made the policy and applied it to the target computers, and all the volumes got encrypted, but I found out that the files are not encrypted: if I share a file from an encrypted volume (through mail, for example), the recipient can read the file without needing the SGN client and the encryption key. So from my understanding, and correct me if I'm wrong, Volume Based full disk encryption makes the volume unreadable if connected to a computer without the SGN client and the key, but the files are not encrypted.

So I tried using File Based full disk encryption, which achieves what the customer needs. The files are encrypted on the hard disk, and if a file is shared the recipient will not be able to read it if he doesn't have the SGN client and the key. But I cannot encrypt boot volumes using file based encryption, and the user can use this limitation to share unencrypted files: open the encrypted file from the file based encrypted volume, then use "Save As" from the application to the boot volume and create an unencrypted copy of the file to share.

Kindly advise about the setup required to achieve the customer's goal.



  • FormerMember
    Hello Ahmed,

    You're not far off with the middle paragraph. Volume Based full disk encryption makes the volume not readable if connected to a computer without an SGN client and the key but the files ARE encrypted as part of the Full Disk Encryption. The decryption is completely transparent though. Copying files to another location decrypts them, otherwise you wouldn't be able to send out anything you create without decrypting it first.

    If the customer is worried about files being sent out unencrypted then there are a couple of different options:
    1. Use File Encryption to make sure files are shared via DropBox/USB stick with a passphrase to access the encrypted files
    2. Use File Encryption to encrypt a working folder on the local machine and enable persistent encryption
  • Hi Toby,

    Thank you for your feedback.

    Consider the following scenario:

    • I will use file based full disk encryption on all non-boot volumes.
    • I will use volume based full disk encryption on the boot volume since this is the only option.
    • Persistent encryption is enabled.

    • I am quoting the following from KB 117783: "When a user saves an encrypted file with Save As under a different file name in a location not covered by an encryption rule, the file will be plain text."

    • The user opens a file from a file based encrypted volume, then uses the Save As option and saves the file under a different name in a location on the boot volume.
    • The new file will not be encrypted (the boot volume is using volume based encryption), and he can send it (using email, for example) and the recipient can read the file without needing the SGN client and key.

    Is there a way to prevent that and make the file always encrypted anywhere on the computer?
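To make the rule-coverage argument in this scenario concrete, here is an added Python model (not Sophos code and not part of this thread): encryption rules are path prefixes, persistent encryption keeps copied or moved files encrypted, and Save As only produces ciphertext when the destination is itself covered by a rule, as the quoted KB article states. All drive letters, folders and rules are constructed for the example.

```python
# Added toy model of SafeGuard-style File Encryption rules (not Sophos code).
# Modelled from the thread: file encryption is bound to rule-covered locations,
# persistent encryption keeps copied/moved files encrypted, and "Save As" into
# an uncovered location writes plaintext (KB 117783). Paths are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Policy:
    rules: list                        # rule locations as path prefixes
    persistent_encryption: bool = True

    def covered(self, path: str) -> bool:
        """True if `path` lies inside a location that has an encryption rule."""
        p = PureWindowsPath(path)
        return any(PureWindowsPath(r) == p or PureWindowsPath(r) in p.parents
                   for r in self.rules)


@dataclass
class File:
    path: str
    encrypted: bool  # file-level ciphertext; volume-only encryption is
                     # transparent, so such a file is modelled as False


def save_as(policy: Policy, src: File, dst_path: str) -> File:
    """Save As creates a new file: only a rule on the destination encrypts it."""
    return File(dst_path, policy.covered(dst_path))


def copy(policy: Policy, src: File, dst_path: str) -> File:
    """Copy/move keeps ciphertext if persistent encryption is on or dst is covered."""
    keep = src.encrypted and policy.persistent_encryption
    return File(dst_path, policy.covered(dst_path) or keep)


def uncovered_save_locations(policy: Policy, candidate_dirs: list) -> list:
    """Audit helper: user-writable folders where Save As would yield plaintext."""
    return [d for d in candidate_dirs if not policy.covered(d)]


if __name__ == "__main__":
    pol = Policy(rules=["D:\\"], persistent_encryption=True)
    src = File(r"D:\Finance\budget.xlsx", encrypted=True)
    saved = save_as(pol, src, r"C:\Users\ahmed\Documents\budget-v2.xlsx")
    copied = copy(pol, src, r"C:\Users\ahmed\Documents\budget.xlsx")
    print("Save As to boot volume encrypted?", saved.encrypted)  # False: the gap
    print("Copy to boot volume encrypted?", copied.encrypted)    # True: persistent
```

The audit helper is the defender's view of the same rule set: every user-writable folder it returns is a place where Save As yields plaintext, so adding a rule for those folders (option 2 in the reply above) is what closes the gap.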

  • Hi Ahmed,

    Did you have any success with your setup? I'm facing the same scenario and I was wondering if you can share your thoughts on this.

  • FormerMember in reply to AhmedMaher

    Hello Ahmed,

    This behaviour is expected; unfortunately there's no way to change it. The idea is to keep all local data secure without the need to decrypt when sending files elsewhere. The alternative would be that every time you uploaded a file from your PC, emailed something to someone outside your organisation, etc., you would need to manually decrypt each and every file, which just isn't practical.

    Naturally, the only time a file is being taken outside the organisation is when an internal member of staff chooses to do so; if someone were to come into the building and steal one of these hard drives, they would see the data as encrypted.

    If you need to take files outside the organisation and keep them encrypted then you can use the Data Exchange feature to copy the files elsewhere via Cloud-based services like DropBox, or copy the files onto a Pen Drive. The files can then be decrypted at your destination with a passphrase, or if you're going to another of your offices protected by the same SafeGuard setup you'll be able to access the data as if it wasn't encrypted.