Reference Guide

Manage Policies
Application Data Encryption (ADE)
ADE encrypts any file written by a protected application, using a category 2 override. This means that
any directory that has category 2 protection or better, or any location that has specific extensions
protected with category 2 or better, causes ADE to skip encrypting files written there.
For example, ADE does not encrypt any files written into the /Windows/System32 folder, because this
directory has a default protection of category 2.
Example Policies for Common/User Key Encryption
The following set of encryption rules encrypts most of the drive, including standard Microsoft Office-type
documents in the Documents and Settings folders. This policy set should only be used for Common
encryption (not User encryption, removable media, or SDE). This is considered a strong policy set, and
will typically require some adjustments for local conditions and requirements.
%ENV:SYSTEMDRIVE%\
^%ENV:USERPROFILE%\;<insert standard office extensions here >
FOLDERID_Documents or %CSIDL:PERSONAL% (pre-Windows 7)
%ENV:USERPROFILE%\Desktop\
^%ENV:USERPROFILE%\;mp3.mp4.mpeg.avi.wmv.wav
-^%ENV:USERPROFILE%\Desktop\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\config.msi
What this does:
Encrypts all of C:\, except for protected directories
Encrypts standard Microsoft Office documents across the drive, except for protected directories, although it will encrypt them in the USERPROFILE directory.
Encrypts all of My Documents
Encrypts all of the Desktop, except for any selected excluded extensions
Excludes common system files from encryption
Excludes all encryption from C:\config.msi directory, due to MSI upgrade migration issues
All paths are dynamic based on environment variables
The %ENV:USERPROFILE% variable (in an inclusion or an exclusion) should never be used with SDE Encryption.
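The decision logic described above (ADE's category 2 override, and the precedence between inclusion rules, exclusion rules and protected directories in the policy set), as an added Python example that is not part of this guide or of the product. It assumes a constructed environment table and protection tables, prefix matching of paths after %ENV:...% expansion, and it deliberately does not model `^` override rules.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample values; only the System32 category-2 default comes from the page.
ENV = {"SYSTEMDRIVE": "C:", "USERPROFILE": r"C:\Users\alice"}
PROTECTED_DIRS = {r"c:\windows\system32": 2}   # directory -> protection category
PROTECTED_EXTS = {"exe": 2, "dll": 2}          # extension -> protection category

def expand(path):
    """Replace %ENV:NAME% tokens with values from the sample environment."""
    return re.sub(r"%ENV:(\w+)%", lambda m: ENV[m.group(1)], path)

def parse_rules(text):
    """Parse 'prefix path[;ext.ext...]' lines: '-' excludes; '^' overrides are not modelled."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        flags, body = re.match(r"([-^]*)(.*)", line).groups()
        if "^" in flags:
            continue
        path, _, exts = body.partition(";")
        exts = {e.lower() for e in exts.split(".") if e}
        rules.append(("-" in flags, expand(path).lower().rstrip("\\"), exts))
    return rules
def _under(path, directory):
    return path == directory or path.startswith(directory + "\\")
def protection_category(path):
    """Highest protected-directory category covering the path (0 if none)."""
    return max((c for d, c in PROTECTED_DIRS.items() if _under(path, d)), default=0)

def common_key_encrypts(path, rules):
    """Protected directories (category >= 2) and '-' rules beat inclusions."""
    p, ext = path.lower(), PureWindowsPath(path).suffix.lstrip(".").lower()
    if protection_category(p) >= 2:
        return False
    included = False
    for exclude, rpath, exts in rules:
        if _under(p, rpath) and (not exts or ext in exts):
            if exclude:
                return False
            included = True
    return included
def ade_encrypts(path):
    """ADE writes with a category-2 override: anything protected at 2+ is skipped."""
    p, ext = path.lower(), PureWindowsPath(path).suffix.lstrip(".").lower()
    return protection_category(p) < 2 and PROTECTED_EXTS.get(ext, 0) < 2
SAMPLE_POLICY = r"""
%ENV:SYSTEMDRIVE%\
%ENV:USERPROFILE%\Desktop\
-%ENV:SYSTEMDRIVE%\;sys.dll.exe
-%ENV:SYSTEMDRIVE%\config.msi
"""
```

Call `common_key_encrypts(path, parse_rules(SAMPLE_POLICY))` to see that an .exe on the Desktop is left clear by the drive-wide exclusion even though two inclusion rules cover it.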
System Data Encryption (SDE)
SDE is an intelligent file-based encryption method where the encryption key is auto-authenticated during
the volume mount process. A unique SDE key is generated for each volume that is targeted for
encryption by SDE. This allows the SDE key to encrypt data that the Common or User keys could not,
because those keys are only available at certain times, whereas the SDE key is available from volume mount.
Due to the difference in how the SDE key can be used, there are several caveats to be aware of when
considering use of this feature.
The built-in exclusions covered under Protected Directories do not apply to SDE. By design, SDE
excludes the portions of the operating system that are necessary for booting and updating.