Reference Guide
Security Management Server v10.2.11 AdminHelp
• If a file is targeted for encryption by any key other than SDE in addition to SDE, then SDE does not encrypt the file.
• All encryption rules apply when writing SDE policies.
Encryption Rules for SDE Encryption
The following is the default SDE policy. Any changes to this policy should be considered carefully.
Protection of SystemRoot
The protection of the SystemRoot directory is specified so that only the root itself is protected, meaning that the sub-directories of the SystemRoot do not inherit this protection. This would be the equivalent of using the following policy:
-@C:\
Encryption Rules for Encryption External Media
Removable Media Encryption policies operate off their own set of encryption rules, independent of those used for Common encryption, User encryption, or SDE. User/Common encryption policies are only applied to fixed disks. If an endpoint is determined to be removable media, then Removable Media Encryption policies are applied.
What Happens When Policies Tie
• When an exclusion and inclusion statement both apply to a given directory or file, the exclusion policy prevails.
• If you apply a Common encryption policy and User encryption policy specifically to the same file or location, the file or location is Common key encrypted.
• If you apply a Common encryption policy and an SDE encryption policy specifically to the same file or location, the file or location is Common key encrypted.
• If you apply a User encryption policy and an SDE encryption policy specifically to the same file or location, the file or location is User key encrypted.
See Sub-directories and Precedence of Directives for more information.
Encryption Rules for Generic Drive Statements
Instead of having to specify each drive in an inclusion or exclusion rule by its drive letter assignment, you may use a generic rule to target either All Fixed Drives or all Removable Drives.
Fixed Drive Usage: Replace the drive letter with F#.
Example: F#:\ instead of C:\ or D:\
The Fixed Drive rule can only be used within a Common Encrypted Folder policy, User Encrypted Folder policy, and/or SDE policy.
Removable Drive Usage: Replace the drive letter with R#.
Example: R#:\ instead of F:\ or H:\
The Removable Drive rule can only be used within an Encryption External Media Encryption Rules policy.
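The tie-breaking rules and the generic drive statements above can be modelled so that an administrator can check which key a given path would end up with before deploying a policy. The following is an added example, not Dell's policy engine; it assumes that a leading "-" marks an exclusion, that a leading "@" limits a rule to the named directory itself (as in the -@C:\ example above), that F#:\ and R#:\ stand in for any fixed or removable drive letter, and that a rule's key is one of Common, User, SDE, or Removable (the last being a model for Removable Media Encryption rules).

```python
# Added example (not Dell's code): a model of the policy precedence rules on
# this page. Rule syntax assumed: "-" = exclusion, "@" = this directory only
# (no sub-directory inheritance), F#:\ = any fixed drive, R#:\ = any removable.
from dataclasses import dataclass

# Key precedence when several policies target the same file or location:
# Common wins over User, User wins over SDE (lower number wins).
PRECEDENCE = {"Common": 0, "User": 1, "SDE": 2}


@dataclass(frozen=True)
class Rule:
    key: str       # "Common", "User", "SDE" or "Removable" (model name)
    pattern: str   # e.g. "F#:\\Users\\", "-@C:\\", "R#:\\"


def _parse(pattern):
    exclude = pattern.startswith("-")
    pattern = pattern.lstrip("-")
    root_only = pattern.startswith("@")
    return exclude, root_only, pattern.lstrip("@").lower().rstrip("\\")


def _matches(pattern, path, drive_kind):
    """Return True/False for an exclusion/inclusion hit, None for no match."""
    exclude, root_only, pat = _parse(pattern)
    p = path.lower()
    if pat.startswith("f#:"):          # generic fixed-drive statement
        if drive_kind != "fixed":
            return None
        pat = p[:1] + pat[2:]          # substitute the path's drive letter
    elif pat.startswith("r#:"):        # generic removable-drive statement
        if drive_kind != "removable":
            return None
        pat = p[:1] + pat[2:]
    if not p.startswith(pat + "\\"):
        return None
    rest = p[len(pat) + 1:]
    if root_only and "\\" in rest:     # sub-directories do not inherit "@"
        return None
    return exclude


def effective_key(path, drive_kind, rules):
    """Return 'Excluded', the winning key name, or None if nothing applies."""
    # User/Common/SDE rules apply to fixed disks only; removable media uses
    # its own independent rule set.
    wanted = "Removable" if drive_kind == "removable" else None
    hits = [(r, _matches(r.pattern, path, drive_kind)) for r in rules
            if (r.key == "Removable") == (wanted == "Removable")]
    hits = [(r, ex) for r, ex in hits if ex is not None]
    if not hits:
        return None
    if any(ex for _, ex in hits):      # exclusion prevails over inclusion
        return "Excluded"
    return min((r.key for r, _ in hits), key=lambda k: PRECEDENCE.get(k, 99))
```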
Remove System Data Encryption (SDE)
To completely decrypt SDE encrypted files, apply the following policies: