Reference Guide

Security Management Server Virtual v10.2.7 AdminHelp
encryption by SDE. This allows the SDE key to encrypt data that the Common or User keys cannot, because those keys are only available at certain times (they depend on a user session), whereas the SDE key is available whenever the system is running.
Because the SDE key can be used differently from the other keys, be aware of the following caveats before using this feature.
The built-in exclusions listed under protected directories do not apply to SDE. Instead, SDE has its own exclusions that, by design, leave out the portions of the operating system needed for booting and updating.
If a file is targeted by a Common or User encryption policy as well as by an SDE policy, the Common or User key is used and SDE does not encrypt the file.
All encryption rules apply when writing SDE policies.
Encryption Rules for SDE Encryption
The following is the default SDE policy. Any changes to this policy should be considered carefully.
Protection of SystemRoot
The SystemRoot directory is protected (that is, excluded from SDE encryption) only at the root itself; the sub-directories of SystemRoot do not inherit this protection. This is equivalent to the following rule, where the leading hyphen (-) makes the rule an exclusion and the @ modifier limits it to the directory itself rather than to its sub-directories:
-@C:\
Encryption Rules for Encryption External Media
Removable Media Encryption policies use their own set of encryption rules, independent of the rules for Common, User, or SDE encryption. Common and User encryption policies are applied only to fixed disks. If a drive is determined to be removable media, the Removable Media Encryption policies are applied instead.
What Happens When Policies Tie
When an exclusion and an inclusion statement both apply to a given directory or file, the exclusion prevails.
If you apply a Common encryption policy and a User encryption policy specifically to the same file or location, the file or location is Common key encrypted.
If you apply a Common encryption policy and an SDE encryption policy specifically to the same file or location, the file or location is Common key encrypted.
If you apply a User encryption policy and an SDE encryption policy specifically to the same file or location, the file or location is User key encrypted.
In short, an exclusion beats an inclusion, and among inclusions the Common key takes precedence over the User key, which takes precedence over the SDE key.
See Sub-directories and Precedence of Directives for more information.
Encryption Rules for Generic Drive Statements
Instead of specifying each drive in an inclusion or exclusion rule by its drive letter, you can use a generic rule that targets either all fixed drives or all removable drives.
Fixed Drive Usage: Replace the drive letter with F#.
Example: F#:\ instead of C:\ or D:\
The Fixed Drive rule can only be used within a Common Encrypted Folder policy, User Encrypted
Folder policy, and/or SDE policy.
Removable Drive Usage: Replace the drive letter with R#.
Example: R#:\ instead of F:\ or H:\
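The following is an added worked example, not code from the original guide or from Dell: a small Python resolver that applies the rule semantics described in the tie-breaking and generic drive sections above (exclusion beats inclusion; Common beats User beats SDE; Removable Media rules apply to removable drives only, Common/User/SDE rules to fixed disks only; a leading "-" excludes, "@" limits a rule to the directory itself, and "F#"/"R#" stand for every fixed or removable drive). It is a simplified model with labelled assumptions: the drive-type map is constructed for the example, rules carry only the modifiers shown on this page, and an exclusion is assumed to cancel only inclusions from its own policy.

```python
"""Toy resolver for the encryption-rule semantics described on this page.

Added illustration only: not Dell's engine, and simplified (see the
assumptions in the comments). Rules are strings such as "C:\\Users",
"-@C:\\" or "F#:\\"; each belongs to one policy (key).
"""
from dataclasses import dataclass
from typing import List, Optional

# Key precedence when inclusions from several policies target the same file:
# Common beats User and SDE, User beats SDE (from "What Happens When Policies Tie").
KEY_RANK = {"Common": 3, "User": 2, "SDE": 1}

# Constructed sample drive map for this example; a real client asks the OS.
DRIVE_TYPES = {"c": "fixed", "d": "fixed", "e": "removable"}


@dataclass(frozen=True)
class Rule:
    key: str          # "Common", "User", "SDE" or "Removable"
    drive: str        # a drive letter, or "F#" (any fixed) / "R#" (any removable)
    folder: str       # folder below the drive root, lower-cased; "" means the root
    exclude: bool     # leading "-": an exclusion statement
    root_only: bool   # "@" modifier: the folder itself only, no inheritance


def parse_rule(key: str, text: str) -> Rule:
    """Parse one rule string (a leading '-' excludes, '@' means this folder only)."""
    s = text.strip()
    exclude = s.startswith("-")
    s = s.lstrip("-")
    root_only = s.startswith("@")
    s = s.lstrip("@")
    drive_part, sep, rest = s.partition(":\\")
    if not sep:
        raise ValueError("rule must look like <drive>:\\<folder>: %r" % text)
    drive = drive_part.upper() if drive_part.upper() in ("F#", "R#") else drive_part.lower()
    return Rule(key, drive, rest.strip("\\").lower(), exclude, root_only)


def _split_path(path: str):
    """Return (drive letter, folder containing the file), both lower-cased."""
    letter, sep, rest = path.lower().partition(":\\")
    if not sep:
        raise ValueError("expected an absolute path with a drive letter: %r" % path)
    parent = rest.rsplit("\\", 1)[0] if "\\" in rest else ""
    return letter, parent


def _drive_matches(rule: Rule, letter: str) -> bool:
    if rule.drive == "F#":                       # generic: every fixed drive
        return DRIVE_TYPES.get(letter) == "fixed"
    if rule.drive == "R#":                       # generic: every removable drive
        return DRIVE_TYPES.get(letter) == "removable"
    return rule.drive == letter


def rule_matches(rule: Rule, path: str) -> bool:
    """True if the rule's folder covers the file at path."""
    letter, parent = _split_path(path)
    if not _drive_matches(rule, letter):
        return False
    if rule.root_only:                           # "@": subfolders do not inherit
        return parent == rule.folder
    if rule.folder == "":                        # whole drive
        return True
    return parent == rule.folder or parent.startswith(rule.folder + "\\")


def resolve_key(path: str, rules: List[Rule]) -> Optional[str]:
    """Return the key that would encrypt path, or None if no policy covers it."""
    letter, _ = _split_path(path)
    drive_type = DRIVE_TYPES.get(letter)
    if drive_type is None:
        raise ValueError("unknown drive for %r" % path)
    # Removable media uses its own rule set; Common/User/SDE apply to fixed disks only.
    eligible = ("Removable",) if drive_type == "removable" else ("Common", "User", "SDE")
    winners = []
    for key in eligible:
        hits = [r for r in rules if r.key == key and rule_matches(r, path)]
        # Assumption: an exclusion cancels only inclusions of its own policy.
        if hits and not any(r.exclude for r in hits):   # exclusion prevails
            winners.append(key)
    if not winners:
        return None
    return max(winners, key=lambda k: KEY_RANK.get(k, 0))   # Common > User > SDE


# Constructed sample policy set for this example.
SAMPLE_RULES = [
    parse_rule("SDE", "F#:\\"),                        # SDE: every fixed drive ...
    parse_rule("SDE", "-@C:\\"),                       # ... except the root of C:\ itself
    parse_rule("User", "C:\\Users"),                   # User key for profile data
    parse_rule("Common", "C:\\Users\\Public"),         # Common key for the shared folder
    parse_rule("Common", "-C:\\Users\\Public\\Temp"),  # exclusion inside the Common policy
    parse_rule("Removable", "R#:\\"),                  # Removable Media policy
]

if __name__ == "__main__":
    for p in (r"C:\pagefile.sys", r"C:\Windows\System32\ntdll.dll",
              r"C:\Users\alice\notes.txt", r"C:\Users\Public\shared.docx",
              r"C:\Users\Public\Temp\scratch.tmp", r"D:\data\db.sqlite",
              r"E:\report.pdf"):
        print(p, "->", resolve_key(p, SAMPLE_RULES))
```

With the sample set, a file in the root of C:\ resolves to no key (the -@C:\ exclusion beats the F#:\ inclusion, but only for the root itself), a file under C:\Windows resolves to SDE, a file under a user profile resolves to User rather than SDE, C:\Users\Public resolves to Common, D:\ is picked up by the F#:\ generic rule, and E:\ is handled solely by the R#:\ Removable Media rule.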