Configuring encryption for removable media

Administrator Help | Forcepoint DLP | Version 8.7.x

Forcepoint DLP Endpoint provides 2 methods for encrypting sensitive data that is being copied on removable media devices:

(Windows and Linux) Encrypt with profile key encrypts data with a password deployed in the endpoint profile. This is for users who will be on an authorized machine—one with the endpoint agent installed—when they try to decrypt files.

Select this option when configuring action plans for endpoint removable media. The action defaults to permitted on Mac endpoints, regardless of your action plan setting.

(Windows only) Encrypt with user password encrypts data with a password supplied by endpoint users. This is for users who will be decrypting files from other machines—those without the endpoint agent installed.

Select this option when configuring action plans for endpoint removable media. The action defaults to permitted on Linux and Mac endpoints, regardless of your action plan setting.

Encrypt with profile key is the most secure method of protecting data on USB devices.

The encryption key is provided when administrators create endpoint profiles for each user or group of users (see Endpoint profile: Encryption tab).

The endpoint client automatically decrypts files for users whose profiles have the relevant key. Users do not need to supply a password.

Administrators can back up and restore encryption keys (see Backing up encryption keys and Restoring encryption keys).

Encrypt with user password allows endpoint users to set the password to use. They can view the files on their home machines or give the files (and the password) to another user.

Although content is encrypted on Windows endpoints, it can be decrypted on any Windows or Mac machine.

Users must run a Forcepoint Decryption Utility that is included on the removable media device with the encrypted files, and they must provide the password to access the files. See the Forcepoint DLP Endpoint User's Guide for more information.


	Note For CD/DVD media, Forcepoint DLP automatically promotes the "encrypt" action to "block files being transferred" if the destination is a CD writer.