Endpoint Encryption

  • 1.  Copying a file to a Netshare protected folder via a script

    Posted Oct 03, 2012 02:58 PM

    We are using Netshare in a Universal Server environment using SKM mode. We do some daily processing of files via a Windows scheduled task and are trying to locate files into the Netshare folder, but the files remain unencrypted. We were successful using the Netshare command line command to -unlock the folder and that worked fine if we run the script manually. We are unable to make this work when we use Windows Task Scheduler to run the script (using the same user credentials). Is what we are trying to do possible?

     

    Thanks,

     

    Scott



  • 2.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 04, 2012 04:17 AM

    You should be able to do those commands using a batch file of some description, whether you run it yourself or via task scheduler should make no difference.

    I think you need to Unlock, encrypt the file, copy it into the directory, and then lock again so:

    pgpnetshare --unlock c:\encryptedfolder\ --passphrase blahblah 

    then

    pgpnetshare --encrypt c:\unencryptedfolder\filenamehere.txt --recipient usernamehere --passphrase blahblah

    That will then encrypt the file then copy file

    xcopy c:\unencryptedfolder\filenamehere.txt c:\encryptedfolder\filenamehere.txt /y /x /o /h /q /v

    copy file with a few switches for robustness then

    pgpnetshare --lock-all

     

    The task scheduler will not be able to store PGP passphrases, so you would need to suppress the display of the task by using the ECHO OFF command, and lock the batch file right down so only authorised people can access it.



  • 3.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 04, 2012 08:30 AM

    Thanks for your response. I should mention however, that we are using directory synchronization and are using group keys for access to the Netshare folder (we are not using any passphrases). We have tried to use the --reencrypt-clone command on the netshare folder after the file is copied, and that works fine as long as someone is logged on to the computer. If we run it with nobody logged on via the scheduled task, it does not work. I am wondering if Netshare is looking for some environment variable to be set when the command is issued?

     



  • 4.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 04, 2012 10:46 AM

    That's fine, instead of specifying a passphrase you can specify a key, or because you have a universal server you can just use --universal-server keys.universalserverhere.com



  • 5.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 04, 2012 11:37 AM

    We have an AD group named pgp_test and a corresponding Universal server group named pgp_test with consumer matching rules in place. I am trying to use this command

    pgpnetshare --encrypt c:\testfile.txt --universal-server our_server_name --group pgp_test --signer 528F711F

    And I receive the following

    Error: Could not resolve group [pgp_test] [-11287].

    I am unable to find a reference to this error. Can you tell me what I may be doing wrong?

    Thanks.

     



  • 6.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 09, 2012 09:46 AM

    pgpnetshare --encrypt c:\testfile.txt  --recipient pgp_test --signer signername --universal-server our_server_name

    The above command should work. And make sure that the signer is already part of the group "pgp_test" as a user in Active Directory.

    Hope the above info helps.



  • 7.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 15, 2012 03:30 AM

    I was wondering if you solved the Scheduled Task issue.

    We found out that PGP Netshare only works if there is a user logged in. But not necessarily the user which is running the Scheduled Task.

    I think the moment a user is logged in, a PGP service runs (PGPfsd) which monitors access to the file system.

    If no user is logged on then the service does not run. Thus the system works as if no agent has been installed on the computer. (Files will not get encrypted or decrypted.)

    I was hoping you found a solution where no user has to be logged in.



  • 8.  RE: Copying a file to a Netshare protected folder via a script

    Posted Oct 29, 2012 02:52 PM

    I opened a support case with Symantec and the response was as follows

     

    ISSUE: Unable to automatically encrypt the file in Netshare protected folder via script (running as scheduled job), when user is not logged on to the server. It works manually though.

    SOLUTION:
    - Netshare needs to run as the user logged in, that has access. It doesn't run as a scheduled job, since group keys are downloaded from the Universal and encrypted to the user. It will not work if the user is not logged in.
    - If the application is generating a full login session for the user it should work, but if it is just executing a process as the user (or as the SYSTEM user) then it probably won't work.
    - It needs to connect to universal to download the group key, if PGPTray is not running as the user - it would fail.
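
The failure mode described in this thread is silent: with no logged-on session the copy succeeds and the file lands in the protected folder as plaintext. The following is an added example, not code from the thread or from Symantec, of a fail-closed pre-flight check for the scheduled script. The process name `PGPtray`, the paths and the function name are assumptions, and matching on session ID is used here as a proxy for "PGPTray is running as the user".

```powershell
# Added example: refuse to copy into a Netshare-protected folder unless the
# script runs in an interactive session that also hosts PGPTray.
# Paths and the process name are placeholders/assumptions, not product facts.
param(
    [string]$Source      = 'C:\unencryptedfolder\filenamehere.txt',
    [string]$Destination = 'C:\encryptedfolder\',
    [string]$TrayProcess = 'PGPtray'   # assumed process name for PGPTray
)

$ErrorActionPreference = 'Stop'

function Test-NetshareSessionReady {
    param([string]$TrayProcess)

    $me = Get-Process -Id $PID

    # Session 0 is the non-interactive services session. A task configured
    # to run whether or not a user is logged on executes there.
    if ($me.SessionId -eq 0) { return $false }

    # Require the tray process in the same session as this script.
    $tray = Get-Process -Name $TrayProcess -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $me.SessionId }

    return [bool]$tray
}

if (-not (Test-NetshareSessionReady -TrayProcess $TrayProcess)) {
    # Fail closed: leave the file where it is rather than writing plaintext
    # into a folder that users assume is encrypted.
    Write-Warning "No interactive session with $TrayProcess found; copy skipped."
    exit 1
}

Copy-Item -LiteralPath $Source -Destination $Destination
exit 0
```

A non-zero exit code shows up as the task's last run result, so a skipped run can be alerted on instead of leaving unencrypted files behind.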