Endpoint Encryption for Files and Folders 3.2.1 Quick Start ... - McAfee

McAfee ® Endpoint Encryption for Filesand FoldersQuick Start GuideVersion 3.2.1

McAfee, Inc.McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USATel: (+1) 888.847.8766For more information regarding local McAfee representatives please contact your local McAfee office,or visit:www.mcafee.comDocument: Endpoint: Encryption Manager for Files and Folders Quick Start GuideLast updated: Friday, 19 June 2009Copyright (c) 1992‐2008 McAfee, Inc., and/or its affiliates. All rights reserved.McAfee and/or other noted McAfee related products contained herein are registered trademarks ortrademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red inconnection with security is distinctive of McAfee brand products. Any other non‐McAfee relatedproducts, registered and/or unregistered trademarks contained herein is only by reference and are thesole property of their respective owners.

PrefaceContentsPreface ........................................................................................... 5Using this guide ............................................................................................. 5Audience ................................................................................................. 5Conventions ............................................................................................ 5Related Documentation ............................................................................. 5Contacting Technical Support .................................................................... 5Introduction ................................................................................... 6Equipment ..................................................................................................... 6Sequence of Events ........................................................................................ 6Installing Endpoint Encryption Manager ......................................... 8Installation .............................................................................................. 8Create the Object Database .......................................................... 10Configuring the Endpoint Encryption Administration Database ...................... 10The Endpoint Encryption Manager ................................................ 13Endpoint Encryption Administration Tools ......................................................... 13Create a Endpoint Encryption Server Application .......................... 15Start the server ...................................................................................... 15Groups .................................................................................................. 16Creating Users ........................................................................................ 17User Properties ....................................................................................... 18Creating Encryption Keys .............................................................. 19Creating a new encryption key .................................................................. 19Change Encryption Keys Properties ........................................................... 20To restrict access to an encryption key ...................................................... 22Creating Encryption Policies ......................................................... 23Changing the Properties of an Encryption Policy .......................................... 24Assigning a Policy to a User (Group) .......................................................... 25Creating an Install Set .................................................................. 27Installing Endpoint Encryption for Files and Folders ..................... 28The Endpoint Encryption for Files and Folders client side .............................. 29Encrypting and Sharing Data .................................................................... 30Caching encryption keys for offline use ...................................................... 31Encrypting Folders and File Types ................................................. 33Folder policies ............................................................................................... 33Setting a folder to be encrypted ................................................................ 33To make the policy change take effect ....................................................... 34File extension policies .............................................................................. 34To make the policy change take effect ....................................................... 35Removing Endpoint Encryption for Files and Folders .................... 36Removing the Endpoint Encryption for Files and Folders client ...................... 36Removing the Endpoint Encryption Manager ............................................... 36Notes ............................................................................................ 37

PrefacePrefaceUsing this guideThis guide describes how to install and get started with McAfee Endpoint Encryption forFiles and Folders.AudienceThis guide is intended for administrators of Endpoint Encryption for Files and Folders.ConventionsThis guide uses the following conventions:Bold Condensed All words from the interface, including options, menus, buttons, and dialogbox names.Courier The path of a folder or program; text that represents something the usertypes exactly (for example, a command at the system prompt).ItalicEmphasis or introduction of a new term; names of product manuals.BlueA web address (URL); a live link.NoteSupplemental information; for example, an alternate method of executingthe same command.Caution Important advice to protect your computer system, enterprise, softwareinstallation, or data.Related DocumentationThe following materials are available from our web site, www.mcafee.com, and fromyour Endpoint Encryption Distributor:• Endpoint Encryption for Files and Folders Administration Guide• Endpoint Encryption Manager Administration Guide• Endpoint Encryption for Files and Folders Users Guide• Endpoint Encryption for Files and Folders Technical Description• Endpoint Encryption for Files and Folders Generic PKI Token Technical WhitePaperContacting Technical SupportPlease refer to www.mcafee.com for further information| 5

IntroductionIntroductionProper implementation of your company’s security policies is critical to the protectionof its data assets. McAfee recognizes that careful planning and testing mustaccompany any large-scale software installation.This document provides you with basic installation and setup guidelines for a smallnetwork system secured by Endpoint Encryption for Files and Folders. Within thissystem, you can create users, encryption keys and policies, control encryption of filesand folders, run client installations and work out the implementation details with theMcAfee Technical Support team prior to the full-scale rollout.If the extent of your implementation requires only a basic system, this documentprovides the essential information you need to complete the installation and setup ofusers, encryption keys and policies.EquipmentTo complete the installation and setup of the Endpoint Encryption Manager and theEndpoint Encryption Communications Server, you need the following equipment:• One PC to be used for the Endpoint Encryption Manager• An additional PC for the client• Each PC should be capable of running Windows 2000, Windows XP andWindows Vista• Each PC requires a network card and TCP/IP installed and working, as well asaccess to ports 5555 and 5556 (Note: these are the default ports and can bechanged) on the administration PC.Sequence of EventsThe installation and setup of Endpoint Encryption is order-dependent and must bedone in the following sequence:1. Install the Endpoint Encryption Manager.2. Create the Object Database.3. Create the Endpoint Encryption Communication Server application.4. Add users to the system.6 |

Introduction5. Create encryption keys.6. Assign users and security administrators to encryption keys.7. Create encryption policies.8. Assign policies to users.9. Create a Endpoint Encryption for Files and Folders installation set.10. Install Endpoint Encryption for Files and Folders on a client machine.11. Further Activities – Encrypting Folders and File Types.12. Removing Endpoint Encryption for Files and Folders and Endpoint EncryptionManager.You can use this basic system for testing, planning and training administrators.| 7

Installing Endpoint Encryption ManagerInstalling Endpoint EncryptionManagerEndpoint Encryption Manager provides centralized management of the entire EndpointEncryption network of users and policies. Two major components are the ObjectDatabase and the Endpoint Encryption Administration Application. The following stepswill guide you through the installation of the administration software. You only need todo this once.Installation1. From the software download, run the SetupEEFF.exe file. The Welcome toEndpoint Encryption Installation screen will appear.2. Click Next.3. Enter your product code. The product code will arrive separately frominstallation CD, usually via email. Note: Contact your McAfee salesrepresentative if you need further clarification or you lose your product code.4. Read and approve the license agreement, click Yes to proceed.5. Determine where you want the program files to be installed. Click Next.6. Choose an encryption algorithm. If you are unsure, or have no preference,then select the default AES (FIPS 256) or the algorithm that matches yourcompany’s security policies.7. There are many types of components that you can select from the OptionalComponents window:• Tokens: If you are not using physical tokens, uncheck all boxes for thisoption. Otherwise, select the type of device used to store the token.• Smart Card Readers: If you plan to use hardware devices to storetokens, you will need to select the type of reader to be used on both theadministration system and the client systems. Deselect all the readers ifthey are not required.• Endpoint Encryption for Files and Folders Client Languages: McAfeesupports multiple languages. Specify the language, or languages, requiredfor your clients.8 |

Installing Endpoint Encryption Manager8. When you have selected your components click on Next. The Start CopyingFiles window provides you with the opportunity to review your choices beforeactually installing the Endpoint Encryption software. Review this list carefully.Changing the install setup1. If you want to make changes, simply hit the Back button until you get to theappropriate window.2. Make your changes.3. Continue to click the Next button until you reach the Start Copying Filesscreen. If you wish, review your configuration again.4. Click on Next to create the installation set. This takes just a couple ofminutes.5. Endpoint Encryption will display the Setup Wizard Complete when theinstallation has finished. Click the Finish button to complete the process.6. Restart the computer if required.| 9

Create the Object DatabaseCreate the Object DatabaseTo use the Endpoint Encryption Manager, you must first configure the EndpointEncryption Administration Database (object database). The object database is arepository for all the security information (keys, policies, etc.) used in EndpointEncryption.The Endpoint Encryption Manager provides the interface for configuring this database.The Administration Database and the Endpoint Encryption Manager tools usually resideon the same computer.Creating the object database is a one-time setup requirement. The only time you willbe given the option to create the database is the first time you run the EndpointEncryption Administration application.To start the process:1. Click the Start menu.2. Select Programs.3. Select McAfee Endpoint Encryption Manager.4. Select Endpoint Encryption Manager.Configuring the Endpoint Encryption AdministrationDatabase1. Accept the defaults. Click the Next button.10 |

Create the Object Database2. Click the Next button.As with many network applications, you can define users individually or within groups.The same concept applies to Endpoint Encryption users, policies and encryption keysthat are attached to the network. The Endpoint Encryption User Group is createdautomatically, and the first Endpoint Encryption user is automatically placed in thisgroup.3. The Administration Database screen contains the default description, driverand data path for your Endpoint Encryption installation. Accept the defaults orassign your own meaningful names to each of these initial assignments.The next window is the creation of the “Root User”. This user has the highest level ofprivileges and is automatically assigned to the Endpoint Encryption AdministratorGroup.4. Enter your user name.5. Select the Token type; the default is Password Only Token. Note: If youselect something other than Password Only Token, e.g. Smartcard, EndpointEncryption USB, you will be asked to enter the token password when you clickon the Next button.6. Enter a password and confirm it.7. The next screen, Program Files, lists all of the files that should be storedwithin the object database. Accept the list that is presented by clicking Next.Note: you can add, edit or remove program files by selecting the respectivebutton.| 11

Create the Object Database8. Click the Finish button to create the database.The status of the database installation is displayed as the files are copied. Uponcompletion, a pop-up window indicates that the task is complete.9. Click the Done button and then Ok to confirm. The login screen willautomatically display.10. Log in as the “Root user” you created earlier.12 |

The Endpoint Encryption ManagerThe Endpoint Encryption ManagerEndpoint Encryption Administration Tools1 The Object TreeThe display is for the object groups contained within each category of users, machines,policies and system components.2 Group MembersDouble-clicking on an object listed in the object tree (area 1) brings up a detailwindow which displays each member contained within the group.| 13

The Endpoint Encryption Manager3 Properties WindowDouble-click on a specific object listed in Area 3, and the property window for thatobject will be displayed.4 Navigation tabsThese allow the admin to switch the Object Tree display between Users, Machines,Policies and System objects.5 System LogThis log displays system-level actions. This pane can be closed and reopened from theView menu.Endpoint Encryption automatically creates the initial Object Tree structure for users,policies, machines, encryption keys and System objects.Click each tab to become familiar with the structure that was created during theinstallation and setup process.14 |

Create a Endpoint Encryption Server ApplicationCreate a Endpoint Encryption ServerApplicationThe Endpoint Encryption system requires a communication server to handle theexchange between the clients and the Endpoint Encryption Object Directory.1. Select the System tab.2. Expand the Endpoint Encryption Servers groups in the tree.3. Double-click on Endpoint Encryption Servers.4. Right-click this window and select New Server.5. If you are using multiple machines for testing, leave all the EndpointEncryption Server settings at their defaults. If you are testing the EndpointEncryption Manager and the Endpoint Encryption Client on one machine, youmust change the IP address of the server to 127.0.0.1.6. Click OK.Start the serverOnce you have created your server:1. Start the communications server by going to the Start menu.| 15

Create a Endpoint Encryption Server Application2. Select Programs Endpoint Encryption Administration Tools Endpoint Encryption Database Server.3. Log in.4. Select the server to which to log in to. As you have only specified one server,there is only one option from which to choose.GroupsCreating additional groups, or modifying the properties of an existing group, is asimple task:Creating Groups1. Select the tab containing the groups you want to manage, e.g. Policies.2. Right-click the group root, e.g. Endpoint Encryption for Files and FoldersPolicies group and select Create new group.3. Enter a meaningful name and description for the group. It could relate to theproperties assigned or perhaps an organizational unit within your company.4. Check the box if you want all users in this group to have the same properties.NOTE: Check this box if you want all users in this group to have the same properties.5. Click Ok to save the new group.Renaming Groups1. Right click on the group you wish to rename.16 |

Create a Endpoint Encryption Server Application2. Select the Rename option.3. Type over the highlighted text with the new name.4. Click outside the text or press the Return key.Creating UsersAll users of the Endpoint Encryption system need their own account.1. Select a user group.2. Double-click on the group to open it.3. Right-click anywhere in the user group members’ window.4. Click Create user.5. To complete the process, the Create New User window is displayed.6. Enter a name for the user. They will use this to log in.7. Add identifying information for authenticating a user when they needassistance from the helpdesk, e.g. date of birth, mother’s maiden name, etc.Note: The identifying information can be edited or cleared when required.8. Click OK.| 17

Create a Endpoint Encryption Server ApplicationUser PropertiesFrom the Properties window you can set, or reset, any attribute from general userinformation and password policies to specific privileges assigned to the user.1. Select the group containing the user.2. Right-click or double click the user name and select Properties to open theirsettings window.3. Click each attribute category and specify the rules for the user.4. Enter the values in the Properties window.5. Click Apply to save the settings.18 |

Creating Encryption KeysCreating Encryption KeysFor more detailed information about keys, see the Endpoint Encryption for Files andFolders Administrator’s Guide.Encryption keys are used to protect data. They mathematically “scramble” the data inthe file to prevent anyone from reading it. Without access to the encryption key usedto scramble the data, you will not be able to understand it. You can give access toparticular keys to certain users. This method lets you make data available only tocertain individuals.With Endpoint Encryption for Files and Folders , you can create many keys to protectdifferent classes of data. For example, if you want to protect information thatexecutives use from lower tiers of managers, you could create the following set ofkeys:KeyExecutives KeyCountry Managers KeyFunctional Managers KeyAccounting and Finance KeyUsersExecutive Management, Board of DirectorsExecutive Management, Country ManagersExecutive Management, Country Managers,Functional ManagersExecutive Management, Accounting and FinancedepartmentsCreating a new encryption keyFollow the schema on the next pages to create a new encryption key.| 19

Creating Encryption Keys1. Navigate to the Policies tab in the Endpoint Encryption Manager.2. Right-click on the Encryption Keys Groups node and select Create Group.3. Enter the group name, for example, Management Keys.4. Click OK.5. Open the new group by double-clicking it I the tree structure.6. Right-click and select Add Key.7. Enter the new key’s details as appropriate.8. Click OK to create and save it.Change Encryption Keys PropertiesNew keys, by default, are available to any Endpoint Encryption for Files and Foldersuser, as is stated in the list of Users for a key. To restrict who can access a key,simply change the key properties. For each encryption key group (or each encryptionkey if it belongs to a non-controlled group) you may change the following options:• Key Validity period• Offline availability• User access rights to the keys20 |

Creating Encryption KeysUltimately, it is the presence of a user in the Users list for a key that determines if theuser can read data encrypted with that key. If the user is not on the “Users” list for akey, then the user cannot read data encrypted with that key. If the user is on the list,data encrypted with that key can be transparently accessed.In addition, once you define some users for a key, only those users will be able tomodify the key’s properties in the future. This ensures the security of the data.NOTE: Remember to add your own (or another admin account) to the key’s user list if you want to be ableto administer it in the future! Once the list has been set, only users in the list will be able to make anychanges to the particular key (or key group).To change the properties for a key (group), follow these steps.1. Navigate to the Policies tab of the Endpoint Encryption Management Console(see the previous section).2. Expand the Encryption Keys Groups node and double-click the groupcontaining the encryption key(s) you want to change the properties for.3. Double click the encryption key you want to change. A dialog will appeardisplaying the properties of the key.To make the key available when offline1. Click the Validity section.2. Enable the key and local caching. Optionally, select for how long the key canbe used offline before a new connection to the database must be made.3. Click Apply to save the settings.| 21

Creating Encryption KeysTo restrict access to an encryption key1. Click the Users section.2. Click Add to add some specific users to the key.3. Click Apply to save the settings.22 |

Creating Encryption PoliciesCreating Encryption PoliciesFor more detailed information about Endpoint Encryption for Files and Folders Policies,see the Endpoint Encryption for Files and Folders Administration Guide. Note thatEndpoint Encryption for Files and Folders policies are not the same as Microsoft®ActiveDirectory policies (GPOs).Endpoint Encryption for Files and Folders Policies define what functions a user canperform with the Endpoint Encryption for Files and Folders Client. For example, theuser’s ability to create their own encrypted files can be switched off, as can the user'sability to manually decrypt data; however, you do not need to be able to decrypt a fileto access it.Endpoint Encryption for Files and Folders policies also control the automatic encryptionof information. For example, you can specify that all .doc files should be created asencrypted, or all files in “My Documents” should be encrypted, or, a folder on anetwork share.A policy may also specify that data written to removable media, such as USB memorydevices and removable hard disks shall always automatically be encrypted.The default settings for a new policy group, or new policy object, prevent anysensitive/critical operation. If you want to allow access to the functions of EndpointEncryption for Files and Folders you need to change the settings of the correspondingpolicy. An example of how to edit an individual policy is described next. As with allobjects in the Endpoint Encryption Central directory, a policy may be individuallyedited, or only edited through the settings at the group level (controlled group).To create a Endpoint Encryption for Files and Folders policy, follow the schema on thenext pages.| 23

Creating Encryption Policies1. Navigate to the Policies tab in the Endpoint Encryption Manager.2. Expand the Endpoint Encryption for Files and Folders Policy Groupsnode.3. Open the default group Endpoint Encryption for Files and Folders Policiesby double-clicking it in the tree structure.4. Right-click the members’ window.5. Select Add to add a new policy to the group.6. Give the policy a descriptive name, e.g. one that reflects the user group towhich it will be assigned.7. Click OK to create and save the new policy.Changing the Properties of an Encryption PolicyEach policy object contains several policy options that each can be altered to make thepolicy unique to reflect the encryption environment of the user (group) that shall beassigned the policy.Typically, each user group will have its own encryption policy. Only one policy can beassigned to a user or user group. Thus, it is not possible for a user (group) to have amerge of several policies applied.To change the properties for an encryption policy, follow these steps.24 |

Creating Encryption Policies1. Navigate to the Policies tab of the Endpoint Encryption Management Console(for graphics, see the previous section.2. Expand the Endpoint Encryption for Files and Folders Policy Groupsnode and double-click the group containing the policy you want to change theproperties for.3. Double click the policy you want to change. A dialog opens that displays theproperties of the policy.4. Click the category you want to edit the settings for.5. Select the options as appropriate.TIP: Selecting the Allow Explicit Encrypt, Decrypt features ensures that these options appear when a clientuserright clicks a file.6. Click Apply to save the changes in the policy.Assigning a Policy to a User (Group)When you have created an encryption policy, you need to assign it to a user or usergroup. The user(s) acquire the correct policy, from the database, once the EndpointEncryption for Files and Folders client has been installed. The policy is obtained (andupdated) whenever the user authenticates to the database (e.g. through a SBCELogon).1. In the Endpoint Encryption Manager console, navigate to the Users tab.2. Expand the user group containing the user you want to assign a policy to.| 25

Creating Encryption Policies3. Double-click the user group to display its members.4. Double-click the user that shall be assigned the policy; the User Propertiespage opens.5. Scroll down the categories menu to find the Policies option.6. Click this icon to open the settings window.7. Click the Add button to display the available policies in the system.8. Expand the policy tree to locate and select the policy that shall be assigned tothis user (group).9. Click OK and then Apply to assign the selected policy to the user (group).26 |

Creating an Install SetCreating an Install SetThe install files for Endpoint Encryption for Files and Folders are created from theObject Database. The executable file resulting from creation of the installation setconstitutes the actual Endpoint Encryption for Files and Folders client that shall bedeployed to the users’ machines.To create an installation set for Endpoint Encryption for Files and Folders, follow theschema on the next page. You can use the resulting executable file to install EndpointEncryption for Files and Folders on any supported client operating system.1. Navigate to the Policies tab in the Endpoint Encryption Manager console.2. Expand the Endpoint Encryption for Files and Folders Policy Groupsnode to display your policy groups.3. Right-click the group that will be the base for the client you are about tocreate.4. Select Create Installation set.5. Select what file groups you want to include in the client. For a basic testinstallation, only select Endpoint Encryption for Files and Folders client files.6. Select which Endpoint Encryption communication server shall be used by theclient. Note: Ensure the SBFILEDB.DLL is not selected.| 27

Installing Endpoint Encryption for Files and FoldersInstalling Endpoint Encryption forFiles and FoldersEndpoint Encryption for Files and Folders is a transparent file and folder encryptionproduct for Windows 2000, Windows XP and Windows Vista.Endpoint Encryption for Files and Folders offers “Persistent Encryption Technology”(PET); this ensures that protection travels with the document when moved/copiedaround on different storage media – thus, allows the sharing of encrypted data.With Endpoint Encryption for Files and Folders, encrypted documents can be copiedbetween directories, to and from network drives and removable storage, withoutbecoming decrypted; the encryption travels “with” the data. Endpoint Encryption forFiles and Folders also can automatically encrypt all new files of defined types (forexample all new Word Documents), and can automatically encrypt specifieddirectories, such as My Documents.Endpoint Encryption for Files and Folders is managed from the Endpoint EncryptionManager. All policy, user and key information is centrally controlled by EndpointEncryption administrators. You can mix Endpoint Encryption for PC and EndpointEncryption for Files and Folders on the same machine and use the same tokens anduser accounts to authenticate transparently to both.Copy the install file to the machine on which you want to install the client on. This canbe the same machine on which you have the administration system, or a different (but28 |

Installing Endpoint Encryption for Files and Foldersnetwork-connected) machine. When you run the install file, it will display a progresswindow as it installs the files.Once it has finished, it will prompt you to restart the machine. That is all there is toinstalling Endpoint Encryption for Files and Folders . Following the first reboot afterinstallation, the Endpoint Encryption for Files and Folders Logon dialog may appearautomatically (unless Forced logon was deselected in the policy from which theinstallation set was created). You must enter the credentials for a valid user in order toretrieve the proper policy of the user.NOTE: You need to have local administrator rights on the machines where you install the EndpointEncryption for Files and Folders client.When the client machine restarts, you will see a new tool tray icon on the Task Bar,and new options in the right-click menu of files and folders (depending on the policysettings).The Endpoint Encryption for Files and Folders client sideWhen you have deployed a Endpoint Encryption client product onto a machine, you willnotice a new icon in the system tray. This icon is common for all Endpoint Encryptionproducts. Right-clicking the icon displays a menu with content that differs dependingon which Endpoint Encryption clients you have installed. When only EndpointEncryption for Files and Folders is installed, the tray icon menu looks as follows.• Click About to see information about this installation of Endpoint Encryptionfor Files and Folders.| 29

Installing Endpoint Encryption for Files and Folders• Click Unload all keys to unload any open encryption key. You will need toauthenticate again before you can access encrypted data.• The User Local Key management section of the tray icon menu containsoptions for managing user locally generated encryption keys• Click Endpoint Encryption Recovery to initiate a recovery session, shouldyou have forgotten your password• Click Show status to show a dialog that displays the current EndpointEncryption for Files and Folders activities, e.g. what folders are currently beingencrypted. The Show status dialog also contains a button for collectingimportant support data (the Diagnostics button).• Click Synchronize to manually authenticate to the central database in orderto load encryption keys and to explicitly update your policy.Encrypting and Sharing DataTo encrypt a file or a folder, simply right click the object and select Encrypt… fromthe Endpoint Encryption for Files and Folders option. You need to have thiscontext menu option enabled in the policy applied to you.When you select the Encrypt… option from the context menu, you will next be askedwhat encryption key you want to use30 |

Installing Endpoint Encryption for Files and FoldersSelect the appropriate key and then click OK to execute the encryption. If you encrypta folder, the existing content of the folder will be encrypted.Without a Endpoint Encryption for Files and Folders user ID and password, encrypteddata is inaccessible. You can make encrypted data available to only a subset of theEndpoint Encryption users by protecting it with a key which only has the users youwant to be able to access the data assigned.Caching encryption keys for offline usePart of the key properties (validity) deals with the Key Cache – this is a local copy ofthe encryption keys kept on a user’s hard disk, protected with their EndpointEncryption log in credentials.You can specify in the Keys properties whether it is allowed to be cached or not, andhow long it can be cached for. Open the Endpoint Encryption Manager and open theproperties for the key (group) you want to set caching for – select the Validityattribute.Caching enabledUsers can continue to use this key when they are disconnected from the network andcannot access the Endpoint Encryption Server. For example, if they copy an encrypted| 31

Installing Endpoint Encryption for Files and Foldersfile to their hard disk, they will be able to continue using it when they are not in theoffice. It is possible to control for how long the key will be available for offline usebefore it has to be “refreshed” from the central database.Caching disabledData protected cannot be accessed without a connection to the Endpoint EncryptionServer. The only time the key for this information is available is if the user has anetwork connection and has valid credentials.32 |

Encrypting Folders and File TypesEncrypting Folders and File TypesFolder policiesSetting a folder to be encryptedTo encrypt a folder through a policy, follow these steps:1. Open the Endpoint Encryption Manager console.2. Navigate to the Policies tab.3. Expand the Endpoint Encryption for Files and Folders Policy Groupsnode.4. Double-click the policy group containing the policy you want to add the folderencryption to.5. Open the particular policy by double-clicking it in the policy group member’swindow; the Properties dialog for the policy will open.6. Find and select the Folders category in the left-hand categories pane.7. Click the Add button to add folders to be encrypted.8. Type the path to the folder you want to encrypt, or, select a shortcut from thedrop-down menu.9. Select which key will be used to encrypt the folder.10. Click OK and then Apply to save your changes.| 33

Encrypting Folders and File TypesTo make the policy change take effectOn your client machine, right-click the Endpoint Encryption for Files and Folders iconand click Synchronize to gain your new policy.If you create a new file in the directory, you will find it is automatically encrypted.File extension policiesEndpoint Encryption for Files and Folders can automatically encrypt data based on thefile type. This can be done for any application (global extensions), or for dedicatedapplications only (process specific extensions). You can setup this behavior by editinga user’s policy.Setting a file type to be encryptedTo specify a file extension encryption policy, follow these steps:1. Open the Endpoint Encryption Manager console.2. Navigate to the Policies tab.3. Expand the Endpoint Encryption for Files and Folders Policy Groupsnode.4. Double-click the policy group containing the policy you want to add the fileextension encryption to. This will open the Properties window.1. Find and select the File Extensions category in the left-hand categories pane.34 |

Encrypting Folders and File Types2. Select the Process Specific extension option.3. Click Add to add a process name.4. Enter the process name including the EXE extension.5. Select which encryption key shall be used to encrypt the files.6. Click Ok to create the process entry. Then mark the process and again clickAdd to add what file types created by this process shall be encrypted. Youmust leave the “.” out, e.g. only enter “doc” and not “.doc”.7. Click OK to add the extension to the process. You may add additionalextensions and processes if you like.8. When ready, click Apply to save the changes.To make the policy change take effectOn your client machine, right-click the Endpoint Encryption for Files and Folders iconand click Synchronize to gain your new policy. You can see if it takes effect from theAbout Endpoint Encryption for Files and Folders… option (the Policies tab).If you create a new file with the specified type, you will find that it is automaticallyencrypted.| 35

Removing Endpoint Encryption for Files and FoldersRemoving Endpoint Encryption forFiles and FoldersRemoving Endpoint Encryption from your test environment is a two-stage process.First you have to remove Endpoint Encryption for Files and Folders from your PC. Oncethis is finished, you can remove the administration software.Removing the Endpoint Encryption for Files and FoldersclientFrom Add/Remove Programs, select the Endpoint Encryption for Files andFolders option.Removing the client does not decrypt any information and does not delete any keys.You can safely reinstall Endpoint Encryption for Files and Folders again using the sameuser ID and password to regain access to your protected information.NOTE: No file is decrypted when the client is uninstalled. Thus, in order to access files after removing theEndpoint Encryption for Files and Folders client the files must first be decrypted. Use the Searchencrypted… feature to find the encrypted files in your environment. This feature is enabled through apolicy: in the General window, ExplorerIntegration section. Once applied, the feature is available by rightclickingany folder.Removing the Endpoint Encryption ManagerOnce you have removed the Endpoint Encryption for Files and Folders client, stop theEndpoint Encryption Server and any connectors or Web Services and use theAdd/Remove Programs from control panel to remove the administration system.NOTE: Be sure you have decrypted any information before this step, as it won’t be possible to retrieveencrypted data once the Endpoint Encryption database has been removed. The database is removedautomatically when uninstalling the Endpoint Encryption Manager.If installed on Windows Vista, the Endpoint Encryption database is not removed when uninstalling EndpointEncryption Administration. The database remains after uninstall in the folder Program Data.36 |

NotesNotes| 37