Endpoint Encryption

  • 1.  Is ADK really required?

    Posted Dec 14, 2016 12:59 PM

    Hi,

     

    We are planning to use Symantec File Share Encryption for around 1000 users which will be managed by Symantec Encryption Management Server (EMS). We are also planning to use SKM Keymode. My question is in what scenario will we need Consumer policy level ADK or Organizational level ADK?

     

    I mean if we have any user who has left the organization or is unwilling to decrypt a file that was encrypted by him, we can simply reset his password in Active Directory, log on with his account, and access that file or give rights for the file to other users.

     

    I can't think of any scenario where ADK will be required. Before we make a planning decision not to implement ADK, can anyone guide me if there is any particular scenario where only ADK will be able to decrypt the required file?



  • 2.  RE: Is ADK really required?

    Posted Dec 15, 2016 03:17 AM

    Hi sym_wizard,

    There are 2 types of password:

    1. WDE Password keys

    2. Netshare/File Keys Password

    Files are encrypted with a public key and can be decrypted with the private portion and the password of the same key. If a user is unavailable, resetting the password from AD will change the WDE password, which will allow you to log in to the machine; however, the file is encrypted with a key password which is with the user and should not be shared.

    If ADK is used, it will add access to the encrypted file and an administrative level of access to the file.

    Also, there is very little chance of the AD admin and the PGP admin rights being held by the same individual, which again makes it difficult to share the password between teams.

    Here are the guidelines.

    https://support.symantec.com/en_US/article.TECH149500.html

    ~Regards,

    Shahid



  • 3.  RE: Is ADK really required?

    Posted Dec 19, 2016 12:51 PM

    Sorry Shahid, much of that information is incorrect.

     

    Resetting a user's password in AD (Active Directory) will not reset their WDE (Whole Disk Encryption) password. The whole disk encryption passphrase is stored on the disk. WDE users can be synchronized with A.D. or they can be standalone passphrase users. If it is a standalone passphrase user, updating the A.D. passphrase will never change it. If it is a Single Sign On user (synced with A.D.), the password will only update once the user is logged into Windows. That means you cannot update the password of a user if their computer is powered down, or if you are stuck at the bootguard screen.

    The ADK, and the Admin Passphrase are both methods of gaining access built around the scenario where a user is unavailable to provide their passphrase.

    Additionally, similar concepts apply to keys. Various key management modes allow differing types of passphrase management. If the user is in Client Keymode, they can have a standalone passphrase. This would not be affected by any A.D. passphrase change.

    It is recommended to have an ADK if you need Administrators to be able to decrypt data without a user key. 

    That being said, there should be an Administrator of the fileshare. Typically this is also an I.T. admin... and you could use that key to decrypt. However, if users are setting up their own encrypted fileshares, it's often a good idea to implement the ADK so Administrators can decrypt the data as needed.

     

    Cheers,

    Phil
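
    A model of the mechanism Phil describes, added here as an illustration (not Symantec's code and not the product's real file format; the RSA-OAEP/AES-GCM construction, the key ids and the Demo helper are assumptions): the file's session key is wrapped to each recipient public key, so a directory password reset yields nothing usable, while an ADK wrap lets an administrator decrypt without the user's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile: AES-GCM body plus the session key wrapped once per recipient public key.
type EncryptedFile struct {
	Nonce, Body []byte
	Wrapped     map[string][]byte // key id -> RSA-OAEP wrapped session key
}

// Encrypt seals plain under a fresh session key and wraps that key to every recipient.
func Encrypt(plain []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	sk, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(sk); rand.Read(nonce)
	block, _ := aes.NewCipher(sk); gcm, _ := cipher.NewGCM(block) // 32-byte key: cannot fail
	ef := &EncryptedFile{nonce, gcm.Seal(nil, nonce, plain, nil), map[string][]byte{}}
	for id, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
		if err != nil { return nil, err }
		ef.Wrapped[id] = w
	}
	return ef, nil
}

// Decrypt needs a private key the session key was wrapped to; an AD reset never yields one.
func Decrypt(ef *EncryptedFile, id string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := ef.Wrapped[id]
	if !ok { return nil, errors.New("file was not encrypted to key " + id) }
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(sk); gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ef.Nonce, ef.Body, nil)
}

// Demo: file encrypted to the user's key (plus the ADK when withADK); can user and admin read it?
func Demo(withADK bool) (userOK, adminOK bool) {
	user, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical user key
	adk, _ := rsa.GenerateKey(rand.Reader, 2048)  // hypothetical Additional Decryption Key
	recipients := map[string]*rsa.PublicKey{"user": &user.PublicKey}
	if withADK { recipients["adk"] = &adk.PublicKey }
	plain := []byte("constructed sample content") // constructed input, not real data
	ef, _ := Encrypt(plain, recipients)
	u, uerr := Decrypt(ef, "user", user)
	a, aerr := Decrypt(ef, "adk", adk)
	return uerr == nil && string(u) == string(plain), aerr == nil && string(a) == string(plain)
}
```

    Demo(false) returns (true, false): only the user can read the file. Demo(true) returns (true, true): the ADK holder can read it as well, without the user's private key.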



  • 4.  RE: Is ADK really required?

    Posted Dec 20, 2016 02:56 PM

    Thank you Phil for such a detailed and helpful reply. Much appreciated. I know that for Client Key Mode (CKM) and Guarded Key Mode (GKM) users have a passphrase for encrypted files which is not known to the Administrator. Hence he can't decrypt the file by simply resetting the user's AD password and logging in with his domain account.

     

    However, since we are planning to use SKM keymode, Management is now asking me to provide justification and an explanation as to in which scenario we will need ADK that can't be overcome by other means. Also, currently due to the small size of the organization, we have IT Administration and Security Administration being performed by the same person. Can you please help me out?

     

    Thanks.