Configuring encryption for removable media

Forcepoint DLP Endpoint provides two methods for encrypting sensitive data that is copied to removable media devices:

  • Encrypt with profile key encrypts data with a password deployed in the endpoint profile. This is for users who will be on an authorized machine—one with the endpoint agent installed—when they try to decrypt files.

    Select this option when configuring action plans for endpoint removable media. The action defaults to permitted on macOS endpoints, regardless of your action plan setting.

  • Encrypt with user password encrypts data with a password supplied by endpoint users. This is for users who will be decrypting files from other machines—those without the endpoint agent installed.

    Select this option when configuring action plans for endpoint removable media. The action defaults to permitted on macOS endpoints, regardless of your action plan setting.

Encrypt with profile key is the most secure method of protecting data on USB devices.

  • The encryption key is provided when administrators create endpoint profiles for each user or group of users (see Endpoint profile: Encryption tab section).
  • The endpoint client automatically decrypts files for users whose profiles have the relevant key. Users do not need to supply a password.
  • Administrators can back up and restore encryption keys (see Backing up encryption keys section and Restoring encryption keys section).

Encrypt with user password allows endpoint users to set the password to use. They can view the files on their home machines or give the files (and the password) to another user.

  • Although content is encrypted on Windows endpoints, it can be decrypted on any Windows or macOS machine.
  • Users must run a Forcepoint Decryption Utility that is included on the removable media device with the encrypted files, and they must provide the password to access the files. See the Forcepoint DLP Endpoint User Guide for more information.

Note: For CD/DVD media, Forcepoint DLP automatically promotes the “encrypt” action to “block files being transferred” if the destination is a CD writer.