
“This is the best encryption technology we have used that integrates with Windows Server Active Directory and enables us to easily manage laptops simply by making changes to Group Policy objects that are sent to users immediately.”

—Oliver Rebollido, Network Engineer, Fenwick & West LLP, Mountain View, California.

Removable Storage Encryption FAQs


Removable Storage Frequently Asked Questions

This page contains answers to the most commonly asked questions about Removable Storage

Removable Storage Encryption

  1. Does GuardianEdge Removable Storage use a file-based or volume-based approach to protect data?
  2. How does GuardianEdge Removable Storage encrypt and decrypt data?
  3. What algorithms does GuardianEdge Removable Storage use to protect data?
  4. What certifications does GuardianEdge Removable Storage possess?
  5. What options do users have for deciding how they are going to encrypt data?
  6. Do users notice a change in performance when using GuardianEdge Removable Storage?
  7. How does GuardianEdge Removable Storage treat existing unencrypted files that are already on a device?
  8. Can GuardianEdge Hard Disk and GuardianEdge Removable Storage run on the same endpoint?

Enterprise Manageability

  1. Is GuardianEdge Removable Storage integrated with Active Directory?
  2. How do administrators deploy GuardianEdge Removable Storage to endpoints?
  3. When new releases or upgrades come out, how do administrators upgrade the endpoints?
  4. How are policies set and pushed out to endpoints?
  5. Can GuardianEdge Removable Storage force data saved to removable storage devices to be encrypted?
  6. How are users authenticated in order to access encrypted data?
  7. Can GuardianEdge Removable Storage be used on multi-user computers, such as those used at kiosks, hospitals, and police stations?
  8. How scalable is GuardianEdge Removable Storage?

Key Management

  1. How are files encrypted?
  2. Is there a means to access encrypted files if a user forgets their password?
  3. How are encryption keys protected in order to ensure that encrypted data remains secure?
  4. Does GuardianEdge Removable Storage offer an easy way for users who are part of the same workgroup to protect and share data?
  5. Is a PKI infrastructure required to use GuardianEdge Removable Storage?

Data Portability

  1. Can data encrypted by GuardianEdge Removable Storage be accessed on computers that are not running the software?
  2. When encrypted data is accessed on machines not running GuardianEdge Removable Storage can it be re-encrypted?
  3. Can GuardianEdge Removable Storage protect email attachments?
  4. Can GuardianEdge Removable Storage protect CDs/DVDs?

Supported Platforms/Devices

  1. What storage devices does GuardianEdge Removable Storage support?
  2. What physical media does GuardianEdge Removable Storage support?
  3. What operating systems does GuardianEdge Removable Storage support?

End User Experience

  1. What methods are available for users to authenticate to encrypted data?
  2. Do users have to go through any sign-up or registration process before they can start using GuardianEdge Removable Storage?
  3. Does encryption interfere with normal usage of the machine?
  4. Does the user need to perform any additional steps to access encrypted data?
  5. How does a user share encrypted data with co-workers? How about with suppliers, partners, and other external parties?
  6. Does the encryption and decryption cause degradation in performance?
  7. Does GuardianEdge Removable Storage create any application compatibility issues?

Reporting

  1. Does GuardianEdge Removable Storage enable administrators to validate that the proper policies are in place?
  2. Does GuardianEdge Removable Storage provide logging of endpoint events and activities?
  3. Does the reporting include details for users and computers?


Removable Storage Encryption


1) Does GuardianEdge Removable Storage use a file-based or volume-based approach to protect data?

GuardianEdge Removable Storage uses a file-based approach to encrypt data. Files are individually encrypted with their own randomly generated file encryption key. This is in contrast to a volume-based approach whereby all of the files on a device are encrypted as a single unit. Advantages of a file-based approach include the following:

  1. Flexibility to use one device for both personal and work data. With file-based encryption, personal files saved from a home computer can remain unencrypted on the same device as work files that policy forces to be encrypted.
  2. Better compartmentalization when a device is shared. Because each file is protected separately, users can set different passwords for different files and grant others access only to the files intended for them. With volume-based encryption there is a single password, and anyone who knows it can read every file on the device.

The trade-off is that only file contents are encrypted: file names, sizes and directory layout remain visible to anyone who plugs the device in.

2) How does GuardianEdge Removable Storage encrypt and decrypt data?

GuardianEdge Removable Storage intercepts file reads from and writes to storage devices. On a read, an unencrypted file is opened exactly as it would be if GuardianEdge Removable Storage were not installed (unless a No Access policy is in place). For an encrypted file, GuardianEdge Removable Storage first tries to decrypt it with the workgroup key (if one is configured), then with any passwords the user has previously entered. Only if neither unlocks the file does it prompt the user for a password or, when combined with GuardianEdge Advanced Authentication, for a smart card or token.

When users write data to storage devices, GuardianEdge Removable Storage will intercept the write and, if a forced encryption policy is in place, will encrypt the file. Users will be prompted to enter a password and/or certificate(s) that will be used to protect the file encryption key, if they have not already set these.

3) What algorithms does GuardianEdge Removable Storage use to protect data?

GuardianEdge Removable Storage uses AES-128 and AES-256 algorithms to protect encrypted data.

4) What certifications does GuardianEdge Removable Storage possess?

  • GuardianEdge Removable Storage performs its encryption with a FIPS 140-2 validated cryptographic module.
  • GuardianEdge Removable Storage is designed to meet Common Criteria EAL4 and is currently in evaluation for certification.

5) What options do users have for deciding how they are going to encrypt data?

Users can encrypt data using standard encryption or can create self-extracting encrypted files.

Files encrypted with standard encryption can be accessed on computers that have GuardianEdge Removable Storage installed and, through the Removable Storage Access utility, on computers that do not. Users do not have to do anything to select this method; it is applied automatically when they save data to devices or media.

Self-extracting encrypted files are intended for one-way distribution to recipients, such as attorneys, accountants, partners, and vendors that do not have GuardianEdge Removable Storage installed on their computers, although the files can also be accessed from computers that do have GuardianEdge Removable Storage installed. Self-extracting files can be saved to storage devices, sent by email, or placed on a network share or FTP server.

6) Do users notice a change in performance when using GuardianEdge Removable Storage?

There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).

7) How does GuardianEdge Removable Storage treat existing unencrypted files that are already on a device?

Administrators can decide how plaintext files already on a device are dealt with. Plaintext files can either be allowed to remain unencrypted or can be forced to be encrypted.

8) Can GuardianEdge Hard Disk and GuardianEdge Removable Storage run on the same endpoint?

Yes. GuardianEdge Hard Disk and GuardianEdge Removable Storage complement each other. GuardianEdge Hard Disk protects data on the hard drive, while GuardianEdge Removable Storage protects data on storage devices.

When users save data from a disk that GuardianEdge Hard Disk has encrypted to a storage device, GuardianEdge Hard Disk decrypts the data on the fly as it is being read from the hard drive into RAM. At this point, this data is indistinguishable from data that is being read from a disk that is not encrypted. The data then gets copied to the storage device, and GuardianEdge Removable Storage encrypts the data as it is being written to the storage device.

If a user copies or drags-and-drops an encrypted file from a storage device to the hard drive, GuardianEdge Removable Storage will first decrypt the file so that the computer can read it into RAM. Then, the computer will write the data to the hard drive, at which point, GuardianEdge Hard Disk will encrypt it.

Enterprise Manageability


1) Is GuardianEdge Removable Storage integrated with Active Directory?

GuardianEdge Removable Storage is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:

  • MMC interface - The GuardianEdge Management Console uses a native MMC interface that administrators already know from managing email and systems, so they are productive with minimal training.
  • Microsoft GPO policy control - Policies can be deployed at every level of the Active Directory hierarchy: domains, sites, OUs, and groups. The hierarchy is read natively by GuardianEdge Manager, so no periodic LDAP sync is required to keep it current.
  • Active Directory role-based administration - The GuardianEdge Data Protection Platform uses Active Directory's role-based capabilities. Administrators can be limited to specific functions within the GuardianEdge Management Console, such as creating MSI files or viewing monitored data, and can be restricted to deploying GuardianEdge policies to a specific domain, site, OU, or group.
  • Resultant Set of Policy (RSoP) - Active Directory's RSoP can be used to determine the winning GuardianEdge policy on an endpoint.
  • Structure and policy deployment - GuardianEdge Platform policies ride on Active Directory's replication, forest/domain structure and policy deployment mechanisms.

2) How do administrators deploy GuardianEdge Removable Storage to endpoints?

Administrators deploy GuardianEdge Removable Storage to endpoints using their existing deployment tools and methodologies. GuardianEdge Removable Storage supports deployment using any standard software deployment tool that can distribute .msi packages. These include third party software deployment tools, such as SMS and Tivoli, and Microsoft GPOs.

3) When new releases or upgrades come out, how do administrators upgrade the endpoints?

Administrators upgrade the endpoints by pushing out an MSI package with the new version using their existing deployment methodologies and tools. If using a third party deployment tool, the administrator will need to inform the tool that the MSI package will be upgrading an installation in place, as opposed to creating a fresh install. If using GPOs, the administrator can right-click on the GPO and indicate that the MSI package upgrades a previously pushed out MSI package.

4) How are policies set and pushed out to endpoints?

GuardianEdge Removable Storage policies are set in the same way as other Active Directory policies. To deploy a new GPO, the administrator right-clicks the GPO container and selects "New", then right-clicks the new GPO and selects "Edit" to reach the GuardianEdge Removable Storage settings; for example, the administrator could enable the setting "Encrypt All Files." After choosing the settings, the administrator closes the GPO and links it to an Active Directory container (a site, domain, or OU). As the final step, the administrator must make sure this GPO takes precedence over any other linked GPO that sets the same GuardianEdge settings, which RSoP can confirm for a given endpoint.

5) Can GuardianEdge Removable Storage force data saved to removable storage devices to be encrypted?

Yes. All files that are saved to a storage device are forced to be encrypted if there is an administrator-defined policy in place to force encryption.

6) How are users authenticated in order to access encrypted data?

The authentication method depends upon how the files are protected. If the files are protected with a password, then users will be required to enter the correct password before they can access the data. When combined with GuardianEdge Advanced Authentication, files can also be protected with one or more certificates. If the file is protected with one or more certificates, a user attempting to access the data must have a private key that matches one of the certificates.

7) Can GuardianEdge Removable Storage be used on multi-user computers, such as those used at kiosks, hospitals, and police stations?

Yes. Each user gets a GuardianEdge account that is created automatically, behind the scenes, when the user logs on to Windows. The user's data is encrypted under that account when written to storage devices, and, with a forced-encryption policy in place, the administrator can be assured that everything users write to removable devices is encrypted.

8) How scalable is GuardianEdge Removable Storage?

GuardianEdge Removable Storage is tightly integrated into Active Directory, and, as such, is highly scalable, both in terms of being able to handle a large number of clients and in integrating into existing operational workflows. While there are a number of variables that affect scalability, including the number of sites and the bandwidth between the sites, GuardianEdge Removable Storage will support upwards of 100,000 clients in most situations. For a more precise number, please contact us, and we would be happy to review the specifics of your situation.

Key Management


1) How are files encrypted?

Files are encrypted with file encryption keys generated by GuardianEdge's FIPS 140-2 validated pseudo-random number generator. Each file encryption key is then wrapped (encrypted) under one or more key-encryption keys derived from user and administrator credentials, that is, from passwords and/or the public keys of certificates, as controlled by administrator policy. Additionally, if the computer from which the data is being saved is part of an administrator-defined workgroup, the file encryption key is also wrapped with the workgroup key so that any member of the workgroup can open the file.

2) Is there a means to access encrypted files if a user forgets their password?

Yes. GuardianEdge Removable Storage provides a recovery method, based on an administrator-held recovery key (see question 3), by which administrators can access files whose passwords users have forgotten.

3) How are encryption keys protected in order to ensure that encrypted data remains secure?

GuardianEdge Removable Storage protects each file encryption key with other encryption keys as defined by the administrator. These keys permit access to the encryption key, and may include: a workgroup key, a password, a recovery key, or, when combined with GuardianEdge Advanced Authentication, may also include one or more certificates.
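The key hierarchy described in questions 1 and 3 above, the recovery path from question 2, and the unlock order from question 2 of the Removable Storage Encryption section (workgroup key first, then previously entered passwords, then prompt), modelled as an added example. This is not GuardianEdge code and does not reproduce its file format. The product uses AES-128/256; this stand-alone sketch substitutes an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag so it runs on the Python standard library alone. The slot names, the PBKDF2 password derivation and its iteration count are assumptions, not facts from the page.

```python
"""Per-file envelope encryption: one random file key, wrapped once per protector.

Added example, not GuardianEdge code. AES is replaced by an HMAC-SHA256
counter-mode stream cipher with an encrypt-then-MAC tag (stdlib only).
Slot names and the PBKDF2 parameters are assumed.
"""
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumed; the page names no KDF or cost


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC(key, nonce || counter) blocks, concatenated and truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unseal(key: bytes, blob: bytes):
    """Verify the tag before decrypting; None on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _password_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def encrypt_file(plaintext, password=None, workgroup_key=None, recovery_key=None):
    """Fresh random FEK per file; the FEK is wrapped under every protector given."""
    fek = secrets.token_bytes(KEY_LEN)
    slots = {}
    if password is not None:
        salt = secrets.token_bytes(16)
        slots["password"] = (salt, _seal(_password_kek(password, salt), fek))
    if workgroup_key is not None:
        slots["workgroup"] = _seal(workgroup_key, fek)
    if recovery_key is not None:
        slots["recovery"] = _seal(recovery_key, fek)
    if not slots:
        raise ValueError("a file key must be wrapped under at least one protector")
    return {"slots": slots, "body": _seal(fek, plaintext)}


def open_file(blob, workgroup_key=None, cached_passwords=()):
    """Unlock order from the FAQ: workgroup key, then remembered passwords,
    then tell the caller to prompt. Returns (how, plaintext)."""
    slots = blob["slots"]
    if workgroup_key is not None and "workgroup" in slots:
        fek = _unseal(workgroup_key, slots["workgroup"])
        if fek is not None:
            return "workgroup", _unseal(fek, blob["body"])
    if "password" in slots:
        salt, wrapped = slots["password"]
        for pw in cached_passwords:
            fek = _unseal(_password_kek(pw, salt), wrapped)
            if fek is not None:
                return "password", _unseal(fek, blob["body"])
    return "prompt", None


def recover_file(blob, recovery_key):
    """Administrator path when the user has forgotten the password."""
    if "recovery" not in blob["slots"]:
        return None
    fek = _unseal(recovery_key, blob["slots"]["recovery"])
    return None if fek is None else _unseal(fek, blob["body"])
```

Two design points carry over to any real implementation of this scheme: each protector gets its own wrapped copy of the file key, so adding a recovery key or a workgroup key never weakens or re-encrypts the file body, and every unwrap is authenticated, so a wrong password or a corrupted slot is detected before a single byte of file content is touched. Note also that the workgroup key in this model is a plain symmetric secret held by every member computer; whoever can read it can open every workgroup file on any device.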

4) Does GuardianEdge Removable Storage offer an easy way for users who are part of the same workgroup to protect and share data?

Yes. Administrators can enable a workgroup key. This allows seamless encryption and decryption of data for members of the same workgroup.

5) Is a PKI infrastructure required to use GuardianEdge Removable Storage?

No. Users can protect files with passwords. However, if users must be able to use certificates to encrypt data, then GuardianEdge Advanced Authentication and PKI are required.

Data Portability


1) Can data encrypted by GuardianEdge Removable Storage be accessed on computers that are not running the software?

Yes. GuardianEdge provides the Removable Storage Access utility. The utility can reside on the storage device itself and be used to decrypt and encrypt data on computers that do not have GuardianEdge Removable Storage installed. Administrators can set a policy that copies the utility automatically to any device a user connects to a computer with GuardianEdge Removable Storage installed.

2) When encrypted data is accessed on machines not running GuardianEdge Removable Storage can it be re-encrypted?

Yes. The GuardianEdge Removable Storage Access utility enables data to be encrypted from computers that do not have GuardianEdge Removable Storage installed.

3) Can GuardianEdge Removable Storage protect email attachments?

Yes. Users can create self-extracting files, which can be sent via email. The recipient is required to enter a password to access the data.

4) Can GuardianEdge Removable Storage protect CDs/DVDs?

Yes. GuardianEdge Removable Storage includes a native CD/DVD burning capability and encrypts data as it is written to CD/DVD media.

Supported Platforms/Devices


1) What storage devices does GuardianEdge Removable Storage support?

GuardianEdge Removable Storage supports devices that connect through USB, FireWire, and Secure Digital (SD) ports and that present a file system to Windows. This includes USB flash drives, external hard drives, SD readers, Compact Flash (CF) readers, and Apple iPods.

2) What physical media does GuardianEdge Removable Storage support?

GuardianEdge Removable Storage supports CDs/DVDs, Secure Digital (SD) cards, Compact Flash (CF) cards, and floppy disks.

3) What operating systems does GuardianEdge Removable Storage support?

GuardianEdge Removable Storage supports the following operating systems:

  • Windows XP SP1 and SP2
  • Windows XP Tablet PC Edition
  • Windows 2000 Professional SP4

End User Experience


1) What methods are available for users to authenticate to encrypted data?

Users authenticate in different ways, depending on how the data is protected:

  • If there is a workgroup key on the GuardianEdge Removable Storage computer—and it matches that of the file—then no user authentication is required.
  • If the data is protected with a password, then users will authenticate with their password.
  • When GuardianEdge Advanced Authentication is present, data may also be protected with certificates. If the data is protected with a certificate, then users will authenticate with a token or smart card that has a private key matching a certificate with which the data is protected.

2) Do users have to go through any sign-up or registration process before they can start using GuardianEdge Removable Storage?

No. Administrators can enable auto-registration, which allows users who log on to Windows to automatically have a GuardianEdge account through a process that is transparent to them.

3) Does encryption interfere with normal usage of the machine?

No. Users continue to work as they always have. The only change to the workflow is that GuardianEdge Removable Storage prompts for credentials when, and only when, it needs them to encrypt or decrypt a file. GuardianEdge provides a number of mechanisms, such as the workgroup key and remembered passwords, that minimize such prompts.

4) Does the user need to perform any additional steps to access encrypted data?

Although GuardianEdge has taken steps to minimize the prompts associated with providing credentials to access encrypted data, there will be instances where the user will receive prompts. In these cases, to access encrypted data the user will be required to enter a password or (when GuardianEdge Advanced Authentication is present and data is protected with certificates) insert a token/smart card. Other than this, there are no changes to the way users work when using encrypted data from devices.

5) How does a user share encrypted data with co-workers? How about with suppliers, partners, and other external parties?

GuardianEdge Removable Storage is very flexible in how it allows users to share encrypted data. Following are among the ways it allows users to share data:

  • Encrypted files can be given to a co-worker on a USB flash drive
  • Encrypted files can be given to a co-worker on a CD/DVD
  • A self-extracting encrypted file can be sent to a co-worker by email
  • A self-extracting encrypted file can be placed on an FTP site or network share

The same methods work for external parties such as suppliers and partners, with one difference: to open standard GuardianEdge Removable Storage-encrypted files, an external party must use the Removable Storage Access utility that resides on the device or media. Self-extracting files need no special software; the recipient simply enters the correct password.

6) Does the encryption and decryption cause degradation in performance?

There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).

7) Does GuardianEdge Removable Storage create any application compatibility issues?

GuardianEdge Removable Storage is a standard Windows application and does not cause problems with other applications.

Reporting


1) Does GuardianEdge Removable Storage enable administrators to validate that the proper policies are in place?

Yes. For each user, GuardianEdge Removable Storage reports the following:

  • Computer name
  • User name
  • Date and time of last status update
  • Encryption policy
  • Encryption method (password/certificate)
  • Workgroup key
  • Recovery
  • Automatic copying of Access utility to devices

2) Does GuardianEdge Removable Storage provide logging of endpoint events and activities?

Yes. There are a number of events that are logged, including the following:

  • Successful receipt of a policy
  • Successful encryption of a file, together with the file name
  • Successful decryption of a file, together with the file name
  • Unsuccessful decryption of a file, together with the file name
  • Delay instituted for consecutive unsuccessful authentication attempts in excess of the administrator-defined threshold
  • Expiration of the above mentioned delay
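The event types listed above are enough to build a simple detection pass over endpoint logs: repeated failed decryptions of one file from one computer and user within a short window, the endpoint's own lockout (delay) report, and a successful decryption of that same file shortly after a burst, which is what a guessed password looks like. The example below is added here and is not GuardianEdge code; the record layout, field names, sample events and thresholds are all constructed for the example, since the page does not give the product's log format.

```python
"""Detection over removable-storage encryption events of the kinds the FAQ lists.

Added example, not GuardianEdge code. The record layout, the event names and
the sample events are constructed; the product's real log format is not given.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, computer, user, event, detail).
SAMPLE_EVENTS = [
    ("2008-03-04T09:00:01", "WS-17", "jdoe", "POLICY_RECEIVED", ""),
    ("2008-03-04T09:01:10", "WS-17", "jdoe", "ENCRYPT_OK", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T09:02:00", "WS-17", "jdoe", "DECRYPT_OK", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T12:30:00", "KIOSK-2", "guest", "DECRYPT_FAIL", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T12:30:07", "KIOSK-2", "guest", "DECRYPT_FAIL", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T12:30:15", "KIOSK-2", "guest", "DECRYPT_FAIL", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T12:30:22", "KIOSK-2", "guest", "DECRYPT_FAIL", "E:\\q1\\forecast.xlsx"),
    ("2008-03-04T12:30:23", "KIOSK-2", "guest", "DELAY_START", "threshold=3"),
    ("2008-03-04T12:35:23", "KIOSK-2", "guest", "DELAY_END", ""),
    ("2008-03-04T12:36:00", "KIOSK-2", "guest", "DECRYPT_OK", "E:\\q1\\forecast.xlsx"),
    ("2008-03-05T08:00:00", "WS-17", "jdoe", "DECRYPT_FAIL", "E:\\notes.txt"),
]

FAIL_THRESHOLD = 3            # assumed detection threshold, not the product's
WINDOW = timedelta(minutes=5)  # assumed sliding window


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, computer, user, detail) alerts.

    burst      - at least `threshold` DECRYPT_FAIL events for one (computer, user)
                 inside `window`; raised once per (computer, user, file)
    lockout    - the endpoint itself reported a delay (DELAY_START)
    post-burst - a DECRYPT_OK for a file that was the target of a burst
    """
    alerts = []
    fails = defaultdict(list)   # (computer, user) -> [(time, file), ...] within window
    burst_files = set()         # (computer, user, file) already flagged
    for ts, computer, user, event, detail in sorted(events):
        key = (computer, user)
        t = datetime.fromisoformat(ts)
        if event == "DECRYPT_FAIL":
            fails[key].append((t, detail))
            fails[key] = [(ft, f) for ft, f in fails[key] if t - ft <= window]
            if len(fails[key]) >= threshold and (computer, user, detail) not in burst_files:
                burst_files.add((computer, user, detail))
                alerts.append(("burst", computer, user, detail))
        elif event == "DELAY_START":
            alerts.append(("lockout", computer, user, detail))
        elif event == "DECRYPT_OK" and (computer, user, detail) in burst_files:
            alerts.append(("post-burst", computer, user, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The "post-burst" rule is the one worth keeping: the endpoint's own delay event tells you that guessing was attempted, but only a success immediately after a burst tells you it may have worked, and that is the file whose contents a responder should assume exposed. Because events carry the file name (as the FAQ states), the rule can be scoped per file rather than per user, which avoids flagging a user who merely mistyped one password and then opened an unrelated file.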

3) Does the reporting include details for users and computers?

Yes. Users and computers are included in the reporting, as detailed above.