Endpoint profile: Encryption tab
Administrator Help | Forcepoint DLP | Version 8.5.x
Encryption allows trusted users to transfer confidential information to removable media (such as an external hard drive) by encrypting the data before transfer.
When the user tries to copy a file to removable media, the endpoint client intercepts the transaction and sends the file through the adapter for analysis. If the action is set to Encrypt with profile key, the endpoint client encrypts the file using a key deployed by the endpoint profile. The encrypted file can then be opened on any endpoint, assuming that endpoint has the key.
 
Note: Encrypt with user password allows users to decrypt files from other machines (without the endpoint agent installed). See Configuring encryption for removable media.
The strength of the encryption depends on the encryption algorithm and the key length that the algorithm uses. Forcepoint DLP uses symmetric-key encryption with an open source AES algorithm and a 256-bit key length to offer the safest and easiest method to encrypt sensitive information. The key is double encrypted and cannot be used on a USB stick or any external device to decrypt data on unauthorized PCs.
Define an encryption key for each endpoint profile. Forcepoint DLP includes one default encryption key. Note that each endpoint client might have a different encryption key, based on its profile.
 
To create an encryption key:
1. Click New.
2.
 
3.
4. Click OK.
A code is generated based on the password, and the key appears on the Encryption tab with Pending status. The status is Pending until settings are deployed to the endpoint servers. While a key is awaiting deployment, additional keys cannot be generated.
There can be only one active encryption key for each endpoint profile and 9 enabled keys in the archive. (There is no limit to the number of disabled archived keys.)
After deployment, the pending key becomes the active key, and the former active key changes status to decryption-only and appears in the Archived Keys list to be used for files previously encrypted by that key.
The following additional actions can be performed on this tab:
* To disable a decryption-only key, select the key and click Disable. Only decryption-only keys can be disabled. The change takes place only after all of the following:
a.
b.
c.
* To enable a disabled key, select the key and click Enable. The key reverts to decryption-only status.
* To delete a pending key, click Delete. Only pending keys can be deleted.
Forcepoint recommends backing up the encryption keys every time you modify them. See Backing up encryption keys.
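The key lifecycle described on this tab (pending, active, decryption-only, disabled), modeled as a small state machine to show which keys can still decrypt after a rotation. This is an added illustration, not Forcepoint code: the class and method names are hypothetical, and three behaviors are assumptions the page does not confirm (a deployment is refused when the archive already holds 9 enabled keys, a disabled key cannot decrypt, and Disable takes effect immediately).

```python
from enum import Enum
Status = Enum("Status", "PENDING ACTIVE DECRYPTION_ONLY DISABLED")
MAX_ENABLED_ARCHIVED = 9  # page: at most 9 enabled keys in the archive

class ProfileKeys:
    """Hypothetical model of one endpoint profile's keys; not Forcepoint code."""
    def __init__(self, default_key="default"):
        self.keys = {default_key: Status.ACTIVE}  # assumption: default key starts active

    def _with(self, status):
        return [k for k, s in self.keys.items() if s is status]

    def _require(self, name, status, rule):
        if self.keys.get(name) is not status:
            raise ValueError(rule)

    def _archive_room(self):
        # Assumption: the page gives the limit but not what happens when it is hit.
        if len(self._with(Status.DECRYPTION_ONLY)) >= MAX_ENABLED_ARCHIVED:
            raise ValueError("archive already holds 9 enabled keys")

    def generate(self, name):
        if self._with(Status.PENDING) or name in self.keys:
            raise ValueError("a key is awaiting deployment, or the name is in use")
        self.keys[name] = Status.PENDING

    def deploy(self):
        for name in self._with(Status.PENDING):  # at most one, enforced by generate()
            self._archive_room()
            for old in self._with(Status.ACTIVE):
                self.keys[old] = Status.DECRYPTION_ONLY  # archived, still decrypts
            self.keys[name] = Status.ACTIVE

    def disable(self, name):
        self._require(name, Status.DECRYPTION_ONLY, "only decryption-only keys can be disabled")
        self.keys[name] = Status.DISABLED

    def enable(self, name):
        self._require(name, Status.DISABLED, "only disabled keys can be enabled")
        self._archive_room()
        self.keys[name] = Status.DECRYPTION_ONLY

    def delete(self, name):
        self._require(name, Status.PENDING, "only pending keys can be deleted")
        del self.keys[name]

    def can_decrypt(self, name):
        # Assumption: a disabled key no longer decrypts files written under it.
        return self.keys.get(name) in (Status.ACTIVE, Status.DECRYPTION_ONLY)
```

In this model, disabling an archived key is the step that makes files encrypted under it unreadable, which is why it pairs with the backup recommendation above.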

Copyright 2017 Forcepoint. All rights reserved.