Configuring encryption for removable media

Administrator Help | TRITON AP-DATA | Version 8.3.x

TRITON AP-ENDPOINT DLP provides 2 methods to encrypt sensitive data that is being copied on removable media devices. You can:

Encrypt with profile key: Windows and Linux only. Encrypt with a password deployed in the endpoint profile. This is for users who will be on an authorized machine—one with the endpoint agent installed—when they try to decrypt files. Select Encrypt with profile key when configuring your action plans for endpoint removable media. The action defaults to permitted on Mac endpoints regardless of your action plan setting.

Encrypt with user password: Windows only. Encrypt with a password supplied by endpoint users. This is for users who will be decrypting files from other machines—those without the endpoint agent installed. Select Encrypt with user password when configuring your action plans for endpoint removable media. The action defaults to permitted on Linux and Mac endpoints regardless of your action plan setting.

Encrypt with profile key is the most secure method of protecting data on USB devices. You provide an encryption key when you create endpoint profiles for each user or group of users. (See Encryption tab for more details.) The endpoint automatically decrypts files for users whose profiles have the relevant key. Users do not need to supply a password. Administrators can backup and restore encryption keys. See Backing up encryption keys and Restoring encryption keys for more details.

If you select the Encrypt with user password option, you allow endpoint users to set the password to use. They can view the files on their home machines or give the files (and the password) to another user. Although content is encrypted on Windows endpoints, it can be decrypted on any Windows or Mac machine. Users must run a Forcepoint Decryption Utility that is included on the removable media device with the encrypted files, and they must provide the password to access the files. See the TRITON AP-ENDPOINT DLP User's Guide in the Forcepoint Technical Library for more information.


	Note In the case of CD/DVD media, the TRITON Manager automatically promotes the encrypt action to block files being transferred if the destination is a CD writer.