1259 How to enable Partition Encryption - at the Client and in SES


To Enable Partition Encryption at the CLIENT:

SecureDoc can encrypt individual partitions, and setting up partition encryption is straightforward.

Please remember that partition encryption is typically not recommended for a system drive: it is less secure than full disk encryption, and Windows might be configured to store its swap file, virtual memory, print spool files and temporary files on a different drive. Since those locations might not be encrypted, they remain at-risk areas for data exposure.

Here are the instructions on setting up Partition Encryption.

A - Enable Partition Encryption:

Step 1: Browse to your SecureDoc.ini file (C:\Program Files\WinMagic\SecureDoc-NT\UserData).
Add the following to the "SecureDoc.ini" file, under the heading "General":
Add the line "AllowNotEncEntireDisk=1". This switch permits NOT protecting the entire disk (in other words, it disables Full Disk Encryption in favor of partition-based encryption).
Step 2:
Reboot the machine.
Step 3:
Log in to Windows with Administrator rights, then log in to SecureDoc Control Center using a key file with administrative privileges.
Step 4:
Choose the "Disk Encryption" tab.
Step 5:
Click the Drive drop-down menu and choose the partition you want to encrypt.
This lets you encrypt different partitions. When you navigate to Disk Encryption you will now have the option to encrypt each partition separately.

To Configure Remote Installation package (using SES Console) for partition encryption:

To encrypt only selected partition(s) on a client machine, a special remote package must be created.

NOTE: There are no GUI tools for part of what needs to be configured. The Profile's .spf file must be edited manually in the installation package area, so these changes must be reapplied whenever the package is recreated.

1. Enable the option "Encrypt partition only" in the Profile.

2. Manually edit the profile's .spf file. Three different settings determine which partitions on the client machine will or will not be encrypted. All three settings are under [Package Settings]:

a) Ignore partition by the existence of special file under the root of that partition:
- Setting: "DriveToIgnoreByFile" [TYPE_STRING]
- Default: SD_NE.txt
- Example: If SD_NE.txt exists under the root of drive D, then drive D will be ignored and not be encrypted.

b) Encrypt partition by drive letters:
- Setting: "DriveToConvertByDrvArray" [TYPE_DWORD]
- This setting is a 32-bit value. The lowest 26 bits represent the 26 drive letters (bit 0 = A, bit 1 = B, ... bit 25 = Z); the remaining 6 bits are reserved and must be kept at 0.
- Example:
. 0x0000001C: includes drives C, D & E. In decimal this is 28, calculated as (2^2=4 for C) + (2^3=8 for D) + (2^4=16 for E).
. 0x00000034: includes drives C, E & F. In decimal this is 52, calculated as (2^2=4 for C) + (2^4=16 for E) + (2^5=32 for F).
- Equivalently, convert the hex values to decimal: 0x0000001C = 28; 0x00000034 = 52, as explained above.
- That means:
. DriveToConvertByDrvArray=28 will encrypt C, D & E.
. DriveToConvertByDrvArray=52 will encrypt C, E & F.

See notes at end of this article for all mount-point values in Decimal.

c) Encrypt drive by matching keyword within the drive label:
- Setting: "DriveToConvertByVolLabel" [TYPE_STRING]
- If the keyword is found within the drive label, the drive will be encrypted. Otherwise it will be encrypted or ignored depending on the other settings. Label matching is not case sensitive.
- Example: Setting: "Best":
. Drive C with label "BEST_WinXP" will be encrypted.
. Drive D with no label or "DATA" will not be encrypted.

Note:
The setting "DriveToIgnoreByFile" (default "SD_NE.txt") has the highest priority: if the file exists on a partition, that partition will be ignored even if it is in the drive list to be encrypted or its label matches the keyword.

Calculating mount-point/partition ID values in Decimal

The following values are the decimal equivalents of each of the possible partition mount point names:

A: 1,  B: 2,  C: 4,  D: 8,  E: 16,  F: 32,  G: 64,  H: 128,
I: 256,  J: 512,  K: 1024,  L: 2048,  M: 4096,  N: 8192,
O: 16384,  P: 32768,  Q: 65536,  R: 131072,  S: 262144,  T: 524288,
U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432,
ALL: 67108863 (which is the sum of all the numbers shown)

You'll note that each of these values is a power of two: A is 2^0=1, B is 2^1=2, C is 2^2=4, D is 2^3=8, and so on.

To calculate a combination of mount-point identifiers:

  • First choose the drive letters (in our example we'll use E and F).
  • Add together their decimal values from the chart above (E=16, F=32): 16+32 = 48 decimal.

So the decimal value for drives E and F will be: 48
For illustration, the decimal value for drives C, D and U would be 4+8+1048576 = 1048588.
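The following added example (not WinMagic's code) computes and decodes the DriveToConvertByDrvArray bitmask described above, and applies the three [Package Settings] rules with the stated priority (ignore file first, then drive array, then label keyword). The volume list is constructed sample data, not read from a real machine.

```python
import string

DRIVE_LETTERS = string.ascii_uppercase          # bit 0 = A ... bit 25 = Z
RESERVED_BITS = ~((1 << 26) - 1) & 0xFFFFFFFF   # bits 26-31 must stay 0


def drive_array(letters):
    """Return the decimal DriveToConvertByDrvArray value for the given drive letters."""
    value = 0
    for letter in letters:
        value |= 1 << DRIVE_LETTERS.index(letter.upper())
    return value


def drives_in_array(value):
    """Decode a DriveToConvertByDrvArray value back to drive letters; reject reserved bits."""
    if value & RESERVED_BITS:
        raise ValueError("reserved bits 26-31 of DriveToConvertByDrvArray must be 0")
    return [DRIVE_LETTERS[i] for i in range(26) if (value >> i) & 1]


def will_encrypt(volume, drv_array, label_keyword):
    """Apply the article's rules to one volume (a dict: letter, label, has_ignore_file).

    The ignore file (DriveToIgnoreByFile) always wins; otherwise a volume is
    encrypted if its bit is set in drv_array or the keyword appears in its label
    (case-insensitive).
    """
    if volume["has_ignore_file"]:
        return False
    if (drv_array >> DRIVE_LETTERS.index(volume["letter"].upper())) & 1:
        return True
    label = volume.get("label") or ""
    return bool(label_keyword) and label_keyword.lower() in label.lower()


# Constructed sample volumes illustrating the article's examples.
SAMPLE_VOLUMES = [
    {"letter": "C", "label": "BEST_WinXP", "has_ignore_file": False},
    {"letter": "D", "label": "DATA", "has_ignore_file": True},   # SD_NE.txt present
    {"letter": "E", "label": None, "has_ignore_file": False},
]


def plan(volumes, drv_array, label_keyword):
    """Return the letters of the volumes the package would encrypt."""
    return [v["letter"] for v in volumes if will_encrypt(v, drv_array, label_keyword)]


if __name__ == "__main__":
    print(drive_array("CDE"), drives_in_array(52))            # 28 ['C', 'E', 'F']
    print(plan(SAMPLE_VOLUMES, drive_array("DE"), "Best"))     # ['C', 'E']
```

With DriveToConvertByDrvArray=24 (D and E) and keyword "Best", drive C is picked up by its label and drive D is skipped because of the ignore file, so only C and E are encrypted.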

Custom Fields

  • Version: Affects all versions of SD
