Version 6.5 FFE-encrypted files cannot be read by pre-V6.5 client devices. If using FFE and considering upgrading to V6.5, please review BEFORE upgrading
ISSUE / ADVISORY
Aspects of File-and-Folder-encrypted data are managed differently between V6.5 of SES and prior versions.
FFE policies on Network Shares
For FFE policies protecting network shares, it’s possible both 6.5 and earlier clients will be accessing the same files. This would result in v6.5 clients being able to view all data fine, but the 6.4 SR1 clients would not be able to view newly encrypted files from a v6.5 client. The recommendation here is to prepare for the 6.5 upgrade and remove the existing FFE policies on network folders. Once the policies are removed, create and encrypt the network shares again using a 6.5 client.
The result of this change is that clients running V6.5 of SecureDoc will be able to access FFE-encrypted files/folders created and encrypted by clients running a SecureDoc version prior to V6.5, but the reverse is not true. Any devices running a version of SecureDoc prior to V6.5 will be unable to read any files encrypted by V6.5 FFE.
NOTE: if you do not use the FFE encryption feature within your organization, you need read no further; this does not affect your company.
The following use cases will determine how your organization should handle the 6.5 upgrade:
IF your company uses FFE Policies to protect Network Shared Folders:
Ideally, the time to resolve the potential incompatibility is PRIOR to upgrading SES to V6.5
... the following steps must be taken.
1 - Using an existing Client running a version of SecureDoc prior to V6.5 (and which participates in the current pre-V6.5 FFE policy):
copy or move all files from any existing FFE-managed folder to sequester them in a safe area (ie. an area that is not managed by an FFE Policy)
this will ensure that clear-text copies of these files are available (they will be re-encrypted/protected in step 7, below).
2 - Remove any FFE policies that had been created from within the pre-V6.5 SES Server.
3 - Apply those changes to affected client devices to remove any reference to FFE policies on affected devices.
4 - Upgrade SES to V6.5
5 - Upgrade any SecureDoc-protected Client devices that require File-and-Folder Encryption policy support through the V6.5 SecureDoc Client, so they can participate in the new FFE management specifics.
6 - Re-create the desired FFE Folder Policies using the now-upgraded SES V6.5 console, and apply that policy to the desired devices
7 - Ask one or more of the affected users to copy the previously-sequestered files back into the newly-defined FFE-policy-protected folders (which are now protected under the V6.5-version of the FFE policy engine). These files will now be encrypted under the new V6.5 encryption methodology.
IF your company ONLY uses LOCAL FFE Policies to protect Local (on-PC) Files or Folders:
... then this impact is minimal.
For FFE policies protecting local shares, the limitation will not be as noticeable. The reason is that once the client is updated to v6.5, all new files will be encrypted using the V6.5 methodology, but all existing files will also be available and can be viewed. No changes are needed for local folders protected by FFE.