> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure monitored folders

> Procedures for setting up and configuring monitored input/output folders.

As mentioned in the **Overview** section of the main page of this administrative guide, file encryption works by having an input folder where you move files to be encrypted and an output folder where you move the files after encryption. This process requires monitoring the Input folder for new file uploads. We support the following folder monitoring methods: KMES-monitored folders and Agent-monitored folders. In both scenarios, encryption occurs on the KMES.

## KMES-monitored folders

With KMES-monitored folders, the KMES mounts to a folder share by using SFTP or CIFS. Then, you create a **File Encryption Profile** on the KMES that defines what folder to monitor, the parameters of what to encrypt, and where to save the file after encryption (either locally in a data partition on the KMES or on a folder share).

Perform the following steps to configure a KMES-monitored folder:

<Steps>
  <Step>
    Go to **Data Protection**> **File Encryption** and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Info** tab of the **File Encryption Profile** window, notice that in the **Key** **mode** drop-down list, you can select **Version 1** or **Version** **2**.

    * If you select **Version 1**, when you select **\[ Choose ]** in the **Key** field, you can see and select only File Encryption v1 keys.
    * If you select **Version 2**, when you select **\[ Choose ]** in the **Key** field, you can see and select only File Encryption v2 keys.

    After entering a name for the **File Encryption Profile** and selecting a file encryption key, go to the **Input** tab.

    <Note>
      Refer to the File Encryption Techniques section of this guide to understand the differences between File Encryption v1 and File Encryption v2 keys.
    </Note>
  </Step>

  <Step>
    In the **Input** tab, select a file share in the **Source** drop-down list.

    <Note>
      For instructions on configuring a file share, refer to the [KMES Series 3 user guide](https://docs.futurex.com/Legacy_Products/bam/6.3.6.x/product-specific/kmes-series-3/admin-guide).
    </Note>

    When you select a **file share** as the **Source**, the following fields display:

    <table>
      <thead>
        <tr>
          <th><em><strong>Field</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Extension</strong></td>
          <td>The KMES determines which files to encrypt within a directory based on the file extension. In this field, specify a valid file extension (such as <code>.txt</code>, <code>.pdf</code>). </td>
        </tr>

        <tr>
          <td><strong>Directory</strong></td>
          <td>Select <strong>\[ Browse ]</strong>, and in the file browser, select the input directory you want the KMES to monitor. </td>
        </tr>

        <tr>
          <td><strong>Subfolders</strong></td>
          <td>Select this checkbox if you want the KMES to also monitor subfolders in the main input directory. </td>
        </tr>

        <tr>
          <td><strong>Delete original</strong></td>
          <td>Select this checkbox if you want the KMES to delete the original unencrypted file after the encrypted version of the file is moved to the configured output directory. </td>
        </tr>

        <tr>
          <td><strong>Exclude</strong></td>
          <td>Add the names of all files and folders in the input directory that you want the KMES to exclude from encryption. </td>
        </tr>

        <tr>
          <td><strong>Note</strong></td>
          <td>Asterisks represent a wildcard character. For example, an exclude pattern could be entered as <code>somedir/someotherdir/\*.txt</code>. The path is relative to the input directory. </td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    In the **Output** tab, the following fields display if you select a file share as the input source in the previous step:

    <table>
      <thead>
        <tr>
          <th><em><strong>Field</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Destination </strong></td>
          <td>In this drop-down list, you can select either <strong>Local </strong>or a configured file share. If you select Local, encrypted files are stored in a data partition on the KMES itself, and you can export them by right-clicking the <strong>File Encryption Profile</strong> and selecting <strong>Export</strong>.</td>
        </tr>

        <tr>
          <td><strong>Extension </strong></td>
          <td>Specify the file extension you want to use for encrypted files (such as <code>.enc</code>). </td>
        </tr>

        <tr>
          <td><strong>Directory </strong></td>
          <td>The <strong>\[ Browse ]</strong> button is active only if you selected a file share as the <strong>Destination</strong>. In this case, select <strong>\[ Browse ]</strong>, and in the file browser, select the output directory where you want the KMES to save encrypted files. </td>
        </tr>

        <tr>
          <td><strong>Overwrite </strong></td>
          <td>In this drop-down list, you can select either <strong>Disabled</strong>, <strong>Overwrite</strong>, or <strong>Version</strong>. <br />If you select <strong>Disabled</strong> and a file exists in the output directory under the same name, the KMES does not overwrite the existing file. <br />If you select <strong>Overwrite</strong>, the KMES overwrites the existing file. <br />If you select <strong>Version</strong>, the KMES saves versions of files under different names. </td>
        </tr>

        <tr>
          <td><strong>Include Path </strong></td>
          <td>If you select this checkbox, file headers include the full file path rather than the original file name only. </td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the File Encryption Profile.
  </Step>
</Steps>

## Agent-monitored folders

With Agent-monitored folders, you can deploy an agent (a lightweight application running on a Windows or Linux system) on servers or individual workstations. Then, administrators can configure them on an individual basis by using a GUI-based application or for batch deployment by using a configuration text file. Just as with KMES-monitored folders, you must create a **File Encryption Profile** on the KMES that defines what folder to monitor, the parameters of what to encrypt, and where to save the file after it is encrypted. The difference is that the input and output folder locations for Agent-monitored folders are both on the server or workstation that is running the agent.

Perform the following steps to configure an Agent-monitored folder:

<Steps>
  <Step>
    Go to **Data Protection**> **File** **Encryption**, and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Info** tab of the **File Encryption Profile** window, notice that in the **Key mode** drop-down list, you can select **Version 1** or **Version 2**.

    * If you select **Version 1**, when you select **\[ Choose ]** in the **Key** field, you can see and select only File Encryption v1 keys.
    * If you select **Version 2**, when you select **\[ Choose ]** in the **Key** field, you can see and select only File Encryption v2 keys.

    After entering a name for the **File Encryption Profile** and selecting a file encryption key, go to the **Input** tab.

    <Note>
      Refer to the File Encryption Techniques section of this administrative guide to understand the differences between File Encryption v1 and File Encryption v2 keys.
    </Note>
  </Step>

  <Step>
    In the **Input** tab, select **Agent** in the **Source** drop-down list. When you select **Agent** as the **Source**, the following fields display:

    <table>
      <thead>
        <tr>
          <th><em><strong>Field</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Extension </strong></td>
          <td>The agent determines which files to encrypt within a directory based on the file extension. In this field, specify a valid file extension (such as<code> .txt, .pdf</code>). </td>
        </tr>

        <tr>
          <td><strong>Directory </strong></td>
          <td>Enter the full path to the input directory you want the agent to monitor. </td>
        </tr>

        <tr>
          <td><strong>Subfolders </strong></td>
          <td>Select this checkbox if you want the agent to also monitor subfolders within the main input directory. </td>
        </tr>

        <tr>
          <td><strong>Delete original </strong></td>
          <td>Select this checkbox if you want the agent to delete the original unencrypted file after moving the encrypted version of the file to the configured output directory. </td>
        </tr>

        <tr>
          <td><strong>Requires authorization</strong> </td>
          <td>Select this checkbox if you want to require the agent to authenticate to the KMES with an identity that has been granted <strong>File Encryption</strong> permissions </td>
        </tr>

        <tr>
          <td><strong>Exclude </strong></td>
          <td>Add the names of all files and folders in the input directory that you want the agent to exclude from being encrypted. </td>
        </tr>

        <tr>
          <td><strong>Note </strong></td>
          <td>Asterisks represent a wildcard character. For example, you can enter an exclude pattern as <code>somedir/someotherdir/\*.txt</code>. The path is relative to the input directory. </td>
        </tr>

        <tr>
          <td><strong>Hostname Whitelist </strong></td>
          <td>Add the hostnames of all computers and servers running the File Encryption Agent. </td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    In the **Output** tab, the following fields display if you selected **Agent** as the input source in the previous step:

    <table>
      <thead>
        <tr>
          <th><em><strong>Field</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Destination</strong></td>
          <td>This field is grayed out because the only supported <strong>Destination </strong>for agent-based monitoring is on the computer/server running the agent. </td>
        </tr>

        <tr>
          <td><strong>Extension</strong></td>
          <td>Specify the file extension you want to use for encrypted files (such as <code>.enc</code>). </td>
        </tr>

        <tr>
          <td><strong>Directory</strong></td>
          <td>Enter the full path to the output directory where you want the agent to save encrypted files. </td>
        </tr>

        <tr>
          <td><strong>Overwrite</strong></td>
          <td>In this drop-down list, you can select either <strong>Disabled</strong>, <strong>Overwrite</strong>, or <strong>Version</strong>. <ul><li>If you select <strong>Disabled</strong> and a file exists in the output directory under the same name, the agent does not overwrite it. </li><li>If you select <strong>Overwrite</strong>, the agent overwrites the existing file. </li><li>If you select <strong>Version</strong>, the agent saves versions of files under different names. </li></ul></td>
        </tr>

        <tr>
          <td><strong>Include Path</strong></td>
          <td>If you select this checkbox, file headers include the full file path rather than the original file name only. </td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the File Encryption Profile.
  </Step>
</Steps>
