File encryption
Deploying secure, easy-to-use file encryption on end-user workstations is often challenging. However, the file encryption functionality of the Data Protection license on the eliminates many of the traditional hurdles to deployment.
From a user perspective, file encryption creates two folder types for their use:
- Output folders receive files after encryption.
To decrypt a file, use the File Encryption Agent GUI or the Command Line Interface (FXCLI). This guide provides more details on these options later.
Depending on the needs of the organization deploying file encryption, you can create multiple profiles and input or output folder sets. Each profile can reference its file type, encryption keys, key rotation policy, and more.
As an example of the preceding folder structure, if administrators define a PDF encryption policy is defined by administrators, the system sends the Sample_Invoice.pdf in the input folder to the , encrypts it, and sends it to the output folder as Sample_Invoice.pdf.enc. To decrypt Sample_Invoice.pdf.enc, use the File Encryption Agent GUI or FXCLI.
File encryption works by having an Input folder where you can move files to be encrypted and an Output folder for those encrypted files. This process requires monitoring the Input folder for new file uploads. We support the following folder monitoring methods: KMES-monitored folders and Agent-monitored folders. In both scenarios, encryption occurs on the .
With -monitored folders, you use SFTP or CIFS to mount the to a folder share. Then, you create a File Encryption Profile on the that defines what folder to monitor, the parameters of what to encrypt, and where to save the file after encryption (either locally in a data partition on the or on a folder share).
With Agent-monitored folders, you can deploy an agent (a lightweight application running on a Windows or Linux system) on either servers or individual workstations. Then, administrators configure the agent by using a GUI-based application or a configuration text file for batch deployment.
The offers robust, permission-based access controls, enabling administrators to give users only the ability to perform required tasks. On a global level, you can restrict File Encryption Agents to allow only encryption operations, allow only decryption operations, or allow both. At the end-user level, give access to individual input and output folders that permit encryption or decryption of only certain file types.
Each encrypted file uses a unique encryption key and Message Authentication Code (MAC) key, which enables file portability and file integrity checking. File portability enables administrators to move files between systems and maintain the ability to decrypt them. Integrity checking provides cryptographic assurance that files have not been tampered with.