PGP NetShare File Protection FAQ
|Article:TECH148964|||||Created: 2006-09-25|||||Updated: 2013-03-21|||||Article URL http://www.symantec.com/docs/TECH148964|
PGP NetShare enables specific users to share protected files in a shared space, such as on a corporate file server, in a shared folder, or on removable media such as a USB drive.
File Protection Rules
Question: When do my files retain protection?
Answer: Whenever you work within a protected folder your files will retain their protection. If you wish to move or copy a protected folder to a new area, you must first protect the destination folder to ensure continued folder protection. While all the files are protected, you will also want the folder to be protected. If you move a file to a non-protected folder then the file will retain its protection on copy but some applications will decrypt the file after you make modifications (examples are: Word, Excel and PowerPoint, these application work with a temporary file that results in the final save being unencrypted). Thus it is a best practice to work within protected folders.
When you copy a protected folder, all the files in the folder will retain their protection. Under certain conditions the folder may not retain its encryption policy file. Thus, when copying folders, it's best to always check that the folder copy resulted in the new folder having the visual lock icon. One way to always ensure this is to first create a folder with your appropriate PGP NetShare access list, then copy the folder or its contents to that folder. If you already copied the folder and notice the icon is missing, either drag the relevant folder (and its contents) to a new parent folder with the appropriate PGP NetShare access or run the PGP NetShare create folder function from the PGP Desktop and encrypt the folder.
As stated above, while the files copied are encrypted, it is best to keep them in a protected folder environment. If you are changing the file name (such as copy to new_name or save as new_name or copy file/folder to same folder forces the file to change names), outside of a protected folder will need to re-encrypt to ensure future updates remain encrypted.
Question: When I copy files, what permissions will it have?
Answer: If you copy a file from one protected folder that is protected to group finance_group_A and copy it to a folder that is protected to group finance_full_group then the file will inherit the new folder's protection policy and become encrypted to the finance_full_group. This assumes you had file access to both folders and are a member of both groups.
Question: What happens when a file server user (without any PGP NetShare software) accesses a PGP NetShare file?
Answer: Because that user has no access to PGP NetShare's ability to transparently decrypt, the file will remain encrypted through all actions. Thus the file server administrator can backup and move files around without effecting file contents and without the ability to view the unencrypted contents. Only users with PGP NetShare client software and the appropriate keys needed to access a give file will have access to the decrypted contents.
Question: When a file is opened directly from a NetShare folder, is there any instance of that file saved in the temporary folder or cached? Example: A Microsoft Word document opened directly from NetShare folder - apart from the instance in the shared folder and the opened document, is there any other instance of the file stored on the workstation?
Answer: Each application varies: Word save the temporary file in the working folder. When working in a PGP NetShare folder, the temp file is encrypted. If the application stores in a non-NetShare area, then it will be clear text. Best practice is to: 1) Use with PGP WDE for full laptop protection. 2) Use within a NetShare folder for consistent protection of temp files.
Answer: PGP Universal tracks who has the ability to update membership. When a folder's membership is updated, the config file for that folder is signed by the last updating user's key. Only those who have the ability to update folders are audited in PGP Universal. When a user unlocks (enters a folder for the first time) a message is sent to the PGP DT messaging log signifying that the folder was entered, not that a file was modified.
For file access, it's best to utilize existing Windows file auditing. You can set up the file system to audit read/write access. You will need to know which folders you wish to track.
Article URL http://www.symantec.com/docs/TECH148964