Help? No File Encrypted Using Fast Initial Encryption

I've tried to encrypt the hard drive boot volume in Fast Initial Encryption mode, and when I check the encryption status in Explorer > (drive letter) > Properties > Encryption tab I see a list of the keys.

But when I check Drive letter > File encryption > Show encryption state, under General information it says "None of the selected files are encrypted", and when I also check one file it says "This file is not encrypted." Why?

Has anyone experienced the same thing? Can anyone provide a solution?

Thanks.

  • Hi,

    Fast Initial Encryption settings apply to volume based encryption (Full disk encryption) only. If you have applied a volume based encryption policy to your SafeGuard Enterprise machine that has the Device Encryption module installed, the whole partition should be encrypted and the partition should show a green key on the Explorer HDD icon.

    The "File encryption" context menu applies to file based encryption only (SafeGuard Enterprise Data Exchange module) and not to volume based encryption (SafeGuard Enterprise Device Encryption module), which is why it says that no file has been encrypted.

    Regards,

    Chris

  • ChrisD, thanks for the reply.

    Sorry for my English; maybe my explanation was not clear to you.


    I mean, I have successfully applied volume-based encryption with Fast Initial (Disk Usage only), but why is all the data on the hard drive (that I encrypted) not encrypted? And there is no green key icon shown on the Explorer HDD icon.


    Thank you.

    Regards,

    Hendra

  • Hello Hendra,

    but why all the data on the hard drive (that I Encrypted) is not encrypted?

    It might not be immediately obvious what the difference between volume-based and file (or container/folder) encryption is. Maybe this metaphor helps:

    File encryption is like writing something on a piece of paper in encrypted form (e.g. using a certain cipher). You can safely put it in the pile of other papers on your desk as only someone with knowledge of the encryption will be able to read it. In addition you can also make a copy and freely distribute it - it will still be unreadable. But anyone who can access your pile of papers can at least detect that such a paper exists.

    Volume-based encryption is something like an archivist to whom you pass the plain-text paper and who then transcribes it (using a key which you "possess" but do not necessarily know), puts it on the pile of papers on your desk and perhaps distributes it across different sheets during this procedure. You'll never see your document in its encrypted form and you won't be able to read (or even extract) it without the archivist's help (and the key). If you get the document it will always be in its original (and in this case unencrypted) form - or you won't get it at all. Someone bypassing the archivist will just see a pile of papers covered with gibberish and not be able to make out anything of the contents, number and size of papers and the like. But you can't make a copy of a document in its encrypted form - sure, you can make a copy and hand it to the archivist (i.e. copy it to the same or another encrypted volume) and it will be securely stored - as all you get to see is the original document.

    Therefore it's sometimes desirable to combine these two methods. Keep in mind - one method protects the individual papers/documents the other the pile as a whole.

    I hope this was not too much English (what's your preferred language, BTW?) and doesn't add to your confusion but clarifies things a little.

    Christian

  • Good afternoon all concerned,

    What I was looking for today was to see whether there is a command line argument (or option) that can be passed to "Setup.exe" in order to get the "File encryption" versus the "Whole volume" encryption? I appreciate the fact this discussion is over 6 months old and I thank Christian (a.k.a. "QC") for the detailed description of the two forms.

    Are we talking about the same thing, though? What I was looking for when I found this discussion is "options" to make the Initial Encryption (sometimes referred to as a "Depot Level encryption") faster. This comes in very handy, as another person posted, when thousands of computers are being done and "time on task" is of the utmost importance!

    It is my understanding that one only encrypts the files stored within the User Profiles of persons using the machine, while the other encrypts everything including the Operating System itself.  Perhaps this terminology is a vendor-specific definition and only applies to another product I have experience using.

    The vendors of this sophisticated software all need to remember the pressure even semi-technical End Users (I.T. shop personnel) are often placed under (e.g. to produce as many "finished" machines per day as humanly possible) and program in options for helping us keep our jobs !!

    So far, all I was able to find was a " /v " switch described as useful for passing parameters to "MsiExec.exe", but this did not include any details on what those parameters *might* include.

    Respectfully submitted,

    .. 

    ~ Dennis C.

    ABG-TRP, Virginia

  • Hi Dennis,

    you can find a list of command line parameters for the SafeGuard Enterprise Client in the installation manual or in the following KBA:

    SafeGuard Enterprise Client: description of ADDLOCAL command line parameters for installation

    This article describes the parameters you can use when the SafeGuard Client installation is done using msiexec and ADDLOCAL.

    The terminology / module names for the different encryption modes (file vs full/whole disk encryption) in SafeGuard Enterprise are:

    Full Disk Encryption

    • Volume Based Encryption
    • BitLocker (uses Windows integrated encryption options managed by SafeGuard)

    File Based Encryption

    • Data Exchange (for files on removables) or
    • File Share (for files on the local machine / network storage) or
    • Cloud Storage (for files stored in the cloud using any supported cloud provider)

    Regards,

    ChrisD

  • Thanks ChrisD!

    The KBA provided is a decent reference, but not being familiar with the SafeGuard software, I guess it would be necessary to approach management and ask which options they selected for the Client installation parameters. This is not something that was given to us initially. I have not seen the screens shown in this Knowledge Base Article, so that makes me believe we have been only minimally more educated than an End User (not good).

    We only received the most minimal introduction to the software such as:

    1).  Install part one, check for three Sophos icons in the Control Panel, "Programs and Features":  If three are present, reboot.

    2).  If three (3) icons are not present, uninstall, reboot and reinstall.

    3).  AFTER a successful install (3 icons showing plus a reboot), proceed with part two.

    4).  Part two adds a single additional Sophos icon to "Programs and Features":  If present, reboot.

    This was followed by instructions on checking for the presence of Certificates (2, Individual and Company) and Key Rings (1 each, local Administrator and primary End User), which is great, but we obviously want to know more in order to become competent with the software, add legitimate job skills and become reasonably capable of explaining the software to the End Users. Ultimately, I think, the goal is for both the End User and the Technician to feel comfortable using and managing the software - so they have the most positive experience possible and walk away (to do their daily job) with no worries of being unnecessarily "locked out" of the computer at a crucial moment, or of encrypting a file with a password they then go on to forget completely. I expect there are options for assisting them with forgotten passphrases also, but this is an area on which we have not been provided any information.

    To further understand the Sophos SafeGuard product, I sought out the "Release Notes" for version 6.00.1 and read them carefully, repeatedly, and also highlighted the portions that appeared to be related to our situation.  This is self-directed education and sometimes the quickest, most available - or ONLY education we receive on software products.  Seriously.

    If I have shared anything in this posting that is COMPLETELY and UTTERLY incorrect, please do not hesitate to point that out to me.  I will be happy to be re-educated correctly.

    Thanks for your support to date!  It is really, truly appreciated.   ~ Dennis

  • (Additional thought..)

    The two types of encryption I think have been available in "other" similar products are:

    1).  Volume based "Full-disk Encryption" (FDE), and I followed a USENET discussion group on the topic for several years. Under FDE there were further options to A). Initially encrypt everything, including the Operating System directories, and B). Initially encrypt ONLY the data added to the computer AFTER the encryption was installed. So, on this second version, the FDE was required to be installed before the End User's profile was added to the computer, otherwise no data kept within it would EVER be encrypted. That sounds like a risky limitation, but as long as the Technicians adhered to the proper procedures when imaging a new computer and adding software to it, then everything was safe.

    Of course, there was the idea of: "What if people save data outside of their User Profile?" and this was indeed (IMHO) a true risk, so perhaps this "option" has been done away with on that "other" product by now. We often coached End Users not to save anything in areas of the hard drive outside of their Profile and that doing so would place the information "at risk" (whether this was literally true or not did not matter to us at the time - many years ago).

    2).  Where the FDE option covering everything encrypted 1 GB per hour, it was ESSENTIAL to allow sufficient time for the computer asset to remain on the Tech Depot workbench until the initial process completed.

    3).  The "faster" method would complete the User's Profile in 30 minutes or less, because the initial size of those "first time on this computer" Profiles was typically very small.  Unless the User was being migrated from another, older asset and had many data files (such as a 3, 5 or 7 Gigabyte "Personal Folder" for use with Microsoft Outlook), which then presented an issue we were clearly aware of and could account for in our processes.

    If the Sophos product does not support this option, or requires it to be specified on an organizational level (e.g. across the board, all users) then I do understand and would just view this as a necessary limitation which must be accounted for.

    ~ Dennis
