Why can users not add data to an encrypted CD or DVD?
One would think it would be logical to be able to add files to an encrypted item of CD or DVD media, or to add encrypted files to a non-encrypted item of CD or DVD media, in much the same way as it is possible to add more files to an already written unencrypted CD or DVD.
This is a common point of confusion; CD and DVD media is not treated like a regular filesystem, such as one would find on a hard drive or USB memory/thumb drive.
With "normal" Windows, information written to CDs and DVDs is written in "sessions", and the media can be written in such a way that it either permits or disallows the addition of further sessions. Once additional sessions have been disallowed, this option cannot be undone.
Since the contents of each session cannot be changed once written, it is therefore not possible after the fact to fundamentally alter the whole item of media to have an encryption header at the media level.
However, SecureDoc (like almost all encryption products) does not support "sessions", and therefore must write to (and CLOSE) the CD/DVD as a single session.
Therefore, it is not possible to add encrypted files to an unencrypted disk, add unencrypted files to an encrypted disk, or even to add more encrypted files to an already-encrypted disk.
To prove this:
1. Write some files to a brand-new CD using the Windows CD/DVD Writing Wizard (drag and drop the files to the CD/DVD-R drive on My Computer, right click and select "Write these files to CD").
2. Install SecureDoc (it's not necessary to encrypt the hard drive at this point), and log in with an admin-level keyfile.
3. Open SDCC, go to Options -> Media Encryption
4. Check on "Enable CD/DVD encryption"
5. On My Computer, drag and drop some files to CD/DVD-R drive
6. Right click on CD/DVD-R Drive and select "Write these files to CD"
7. Follow the CD Writing Wizard
8. Observe the result - The additional files cannot be added to the CD
Reason:
CD/DVD encryption is different from disk encryption: once information has been burned onto a CD/DVD, Windows normally does allow extra data to be burned onto the media in the form of an additional "session". However, once burned, the original data cannot be changed.
It is either hidden or blocked from access, but media that already contains burned information cannot be set up to apply encryption once it has been written to.
SecureDoc doesn't allow writing more data onto that media (i.e. it does not support having a blend of unencrypted and encrypted sessions on a single item of media). This is correct and secure, and using a policy that enforces encryption when writing to CD/DVD media ensures that nobody can copy data out of this machine without it being encrypted.