Endpoint Encryption

  • 1.  PGP File Share folder encrypted to group key.

    Posted Sep 09, 2014 08:20 AM

    Hi Connect friends,

    File Share folder encrypted to user key rather than group key.

    1. I manually created a group in SEMS & manually generated a group key. Joined members A & B manually.
    2. In the policy I checked "Force the encryption of files in the following" and gave the path as z:/
    3. Mapped a drive from the file server to drive Z on member A's machine.
    4. The folder got encrypted.
    5. So far B is offline.
    6. Now member B maps the same folder to drive Z, but cannot access the data, whereas user A can access the data.

    The folder is encrypted to user A's key rather than the group key. I verified this by importing A's keypair on B's machine, and the folder is accessible.

    Both users have the same privileges on the folder.

    Where did I go wrong?

    I need the folder to be encrypted to the group key, and any new user who joins the group should be able to access the folder.

    Please advise / help!!




  • 2.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 09, 2014 10:35 AM

    Hello,

    The group key needs to be added to the access list for group B to access the folder. A user's keypair is the only one on the access list. Policy is just saying enforce encryption to this file path. A keypair still needs to be on the access list for an admin of the fileshare, and then add the group key to allow access to the fileshare.

    Generating AD group key would be an easier method of setting up group keys especially if you want to use match consumers.

    Thanks

    Anthony



  • 3.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 09, 2014 07:35 PM

    When you encrypt a share that you want users in the group to access, you must be sure to add an administrator keypair to the share, and then also add the public portion of the group key from the correct group.

    You will need to download the public portion of the group key, and import it into the Symantec Encryption Desktop for the group you are creating the share from to add it to the access list.



  • 4.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 10, 2014 12:59 AM

    With the "Force the encryption of files..." option:

    1. Isn't it true that the user's key is added to the list automatically?
    2. Can we add the group public key to the access list while the folder is being encrypted?
    3. Which key should be "Group Admin" & which one should be "Admin"?


  • 5.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 10, 2014 12:20 PM

    When forcing the encryption of files, a user's key will not be added automatically to a share after the first user. You should set up the share first with the desired keys, then set it to automatically encrypt files in that location. Or you can add the public portion of the group key after the folder is encrypted. Doing it that way probably made the first individual to access the folder the share Admin.

    Each share can have only one Admin account, which should be set with the keypair (public and private key) of whomever is going to be administrating the share. A Group Admin can be set if desired, having the same rights as the Admin, with the exception that they cannot promote another account to Admin. The Group Admin only needs a public key in the share, but is not required at all. I recommend only adding a Group Admin if the responsibility for administrating the share will be shared with another person (people).



  • 6.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 24, 2014 09:56 AM

    Thanks Anthony & Mike.

    One more question..

    There is a group of people sharing a folder, and one of them (say User X) encrypts the folder and makes the group key the Group Admin.

    Now, if user X is removed from the group in SEMS and NTFS folder access is revoked for him, and if / when the other users add new data to the folder, would the new data be encrypted to the group key and would access to the folder continue for the group users?




  • 7.  RE: PGP File Share folder encrypted to group key.

    Posted Sep 24, 2014 02:20 PM

    We do not recommend using the group key as the administrator key, as it would give all of the users of that key administrative access to the encrypted folder. They would all be able to add or remove other keys and potentially block other users (or even the entire organization) from accessing the files.

    I would instead recommend generating a new keypair to use as the admin keypair. Then encrypt the folder to that keypair, and the group key. Store the admin keypair on a flash drive in a safe location. Since that admin keypair is not bound to a specific user, it could be retrieved by the IT staff that have physical access to it if it was needed for anything, but it should not be needed, as the group key would grant access for anyone in the group.

    Once a user is removed from the group, their access would be revoked, and coupling that with NTFS permissions is the best way to keep the share secure.

    If, for some reason, all of the end users were completely trusted to have administrative access to the folder, the setup you described above should work, but I would not recommend it.
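The access-list rules laid out in replies #5 and #7 (one Admin keypair per share, an optional Group Admin that cannot promote to Admin, the group key as an ordinary entry, and forced encryption adding only the first user's key) are easy to get wrong in the GUI. The Python model below is an added example written for this thread; it is not Symantec's code and not code from any poster. The `Directory` and `Share` classes, the key ids and the group name are constructed assumptions that stand in for SEMS group membership and the NetShare access list. It walks the original scenario (A force-encrypts Z:, B is locked out until the group key is added, B loses access once removed from the group) and then contrasts the group-key-as-Admin setup from reply #6 with the dedicated Admin keypair that reply #7 recommends.

```python
"""Model of the PGP NetShare access-list rules as described in this thread.
Constructed example: the key ids, group names and classes are assumptions."""
from dataclasses import dataclass, field

ADMIN, GROUP_ADMIN, USER = "Admin", "Group Admin", "User"


@dataclass
class Directory:
    """Stand-in for group membership in SEMS: group name -> set of user key ids."""
    groups: dict = field(default_factory=dict)

    def keys_held_by(self, user: str) -> set:
        """A user can use their own keypair plus the key of every group they belong to."""
        held = {user}
        for group, members in self.groups.items():
            if user in members:
                held.add(f"group:{group}")
        return held


@dataclass
class Share:
    """An encrypted folder: its access list maps a key id to a role."""
    access: dict = field(default_factory=dict)

    @staticmethod
    def force_encrypted_by(first_user: str) -> "Share":
        # Reply #5: with forced encryption the first user to touch the folder
        # becomes the share Admin and no other key is added automatically.
        return Share(access={first_user: ADMIN})

    def can_read(self, user: str, directory: Directory) -> bool:
        """A user can read if any key they hold is on the access list."""
        return any(k in self.access for k in directory.keys_held_by(user))

    def role_of(self, actor: str, directory: Directory):
        """Highest role the actor can exercise through any key they hold."""
        roles = {self.access[k] for k in directory.keys_held_by(actor) if k in self.access}
        for role in (ADMIN, GROUP_ADMIN, USER):
            if role in roles:
                return role
        return None

    def change(self, actor, directory, key, role=USER, remove=False):
        """Add, change or remove an access-list entry, enforcing the thread's rules."""
        actor_role = self.role_of(actor, directory)
        if actor_role not in (ADMIN, GROUP_ADMIN):
            raise PermissionError(f"{actor} holds no Admin or Group Admin key for this share")
        if remove:
            self.access.pop(key, None)
            return
        if role == ADMIN:
            if actor_role != ADMIN:
                raise PermissionError("a Group Admin cannot promote a key to Admin")
            # One Admin per share (reply #5); assumption: the previous Admin becomes a User.
            for k, r in list(self.access.items()):
                if r == ADMIN:
                    self.access[k] = USER
        self.access[key] = role


def scenario_forced_encryption():
    """Original post: A force-encrypts Z:, B cannot read until the group key is added."""
    sems = Directory(groups={"finance": {"A", "B"}})
    share = Share.force_encrypted_by("A")
    b_before = share.can_read("B", sems)
    share.change("A", sems, "group:finance", USER)        # add the group's public key
    b_after = share.can_read("B", sems)
    sems.groups["finance"].discard("B")                   # B removed from the group in SEMS
    b_revoked = share.can_read("B", sems)
    return b_before, b_after, b_revoked


def scenario_group_key_as_admin():
    """Reply #7: group key as Admin lets any member lock everyone out; a dedicated Admin keypair does not."""
    sems = Directory(groups={"finance": {"A", "B", "C"}})
    risky = Share(access={"group:finance": ADMIN})
    risky.change("B", sems, "group:finance", remove=True)  # B needs only the group key for this
    everyone_locked_out = not any(risky.can_read(u, sems) for u in "ABC")
    safe = Share(access={"admin-keypair-on-usb": ADMIN, "group:finance": USER})
    try:
        safe.change("B", sems, "group:finance", remove=True)
        blocked = False
    except PermissionError:
        blocked = True
    return everyone_locked_out, blocked


if __name__ == "__main__":
    print(scenario_forced_encryption())      # (False, True, False)
    print(scenario_group_key_as_admin())     # (True, True)
```

The model deliberately treats group membership as the only thing that has to change to revoke a user: once the share is encrypted to a separate Admin keypair plus the group key, removing someone from the group in SEMS (together with NTFS permissions, as reply #7 says) is enough, and no member ever holds a key that can edit the access list.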