Reference Guide

Security Management Server v10.2.11 AdminHelp
A word about types of encryption: SDE is designed to encrypt the operating system and program files.
To accomplish this purpose, SDE must be able to open its encryption key while the operating system is
booting, without the user entering a password. Its intent is to prevent alteration of, or offline attacks
on, the operating system by an attacker. SDE is not intended for user data. Common and User key
encryption are intended for sensitive user data because they require a user password to unlock the
encryption keys.
Policy descriptions also display in tooltips in the Management Console. In this table, master policies are
in bold font.
Self-Encrypting Drive (SED)
This technology manages self-encrypting drives (SEDs). Authentication by users through a Pre-Boot Authentication
environment (before the operating system has booted) is required to unlock the drive.

Policy: Enable SED Plugin
Default Setting: Selected
Description: The plugin must remain selected. To deactivate the PBA and disable SED Manager, toggle the
Self-encrypting Drive policy to OFF. See basic settings.
Policy-Based Encryption
This technology uses Dell's proprietary data-centric encryption to allow user data and computer encryption. This allows
greater protection over individual data than traditional full disk encryption, by limiting access on a computer to only
what a user is authorized to view.

Policy: Encrypt with SDE when SED is detected
Default Setting: Not Selected
Description: When Selected, this policy applies SDE encryption to self-encrypting drives. Use this policy when SDE
encryption is preferred instead of native SED encryption.

Policy: User Encrypted Folders
Default Setting: String
Description: String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters).
A list of folders on the computer hard drive to be encrypted with the user data encryption key or excluded
from encryption. If the same folder is specified in this policy for multiple users of the same Windows
computer, each file in that folder is encrypted for the first owner of the file after the policy takes
effect, and can be decrypted only by that owner.
The text in this policy is translatable.
Specify as for Common Encrypted Folders.
This policy applies to all drives classified by Windows as Hard Disk Drives (see My Computer). You cannot
use this policy to encrypt drives or external media whose type displays as Removable Disk; use EMS Encrypt
External Media instead.

Policy: Application Data Encryption List
Default Setting: Exe List:
winword.exe
excel.exe
powerpnt.exe
msaccess.exe
winproj.exe
outlook.exe
acrobat.exe
visio.exe
mspub.exe
winzip.exe
winrar.exe
onenote.exe
Description: String - maximum of 100 entries of 500 characters each.
Do not add explorer.exe or iexplorer.exe to the ADE list, as unexpected or unintended results may occur.
Explorer.exe is the process used to create a new notepad file on the desktop using the right-click menu.
Setting encryption by file extension, instead of the ADE list, provides more comprehensive coverage.
Changes to this policy do not affect files already encrypted because of this policy.
List process names of applications (without paths) whose new files you want encrypted, separated by
carriage returns. Do not use wildcards.
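As an added example (not Dell's code or part of this guide), the following script checks a list-type policy value against the constraints stated above for the Application Data Encryption list and User Encrypted Folders before it is pushed from the Management Console: carriage-return separation, the 100-entry and 500-character limits, the 2048-character total for folders, no wildcards or paths in process names, and no explorer.exe or iexplorer.exe in the ADE list. The sample value is constructed.

```python
"""Validate list-type policy values against the limits this reference page states."""
from dataclasses import dataclass, field

MAX_ENTRIES = 100      # both policies: at most 100 entries
MAX_ENTRY_LEN = 500    # both policies: 500 characters per entry
MAX_TOTAL_LEN = 2048   # User Encrypted Folders: total cap stated on the page
FORBIDDEN_ADE = {"explorer.exe", "iexplorer.exe"}  # page says never add these to the ADE list


@dataclass
class PolicyCheck:
    entries: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def split_entries(value):
    """Entries are carriage-return separated; CRLF and bare LF are accepted too."""
    normalized = value.replace("\r\n", "\n").replace("\r", "\n")
    return [e.strip() for e in normalized.split("\n") if e.strip()]


def check_policy_list(value, policy):
    """policy is 'ade' (process names) or 'folders' (User Encrypted Folders)."""
    result = PolicyCheck(entries=split_entries(value))
    p = result.problems
    if len(result.entries) > MAX_ENTRIES:
        p.append(f"{len(result.entries)} entries exceeds the {MAX_ENTRIES}-entry limit")
    if policy == "folders" and len(value) > MAX_TOTAL_LEN:
        p.append(f"total length {len(value)} exceeds {MAX_TOTAL_LEN} characters")
    for e in result.entries:
        if len(e) > MAX_ENTRY_LEN:
            p.append(f"entry exceeds {MAX_ENTRY_LEN} characters: {e[:30]}...")
        if policy == "ade":
            if "*" in e or "?" in e:
                p.append(f"wildcards are not allowed: {e}")
            if "\\" in e or "/" in e:
                p.append(f"list process names without paths: {e}")
            if e.lower() in FORBIDDEN_ADE:
                p.append(f"do not add to the ADE list: {e}")
    return result


# Constructed sample: two default entries plus three that break the page's rules
SAMPLE_ADE = "winword.exe\rexcel.exe\rC:\\Tools\\app.exe\r*.exe\rexplorer.exe"

if __name__ == "__main__":
    for line in check_policy_list(SAMPLE_ADE, "ade").problems:
        print(line)
```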