Endpoint profile: Encryption tab
Encryption allows trusted users to transfer confidential information to removable media (such as an external hard drive) by encrypting the data before transfer.
When the user tries to copy a file to removable media, the endpoint client intercepts the transaction and sends the file through the adapter for analysis. If the action is set to Encrypt with profile key, the endpoint client encrypts the file using a key deployed by the endpoint profile. The encrypted file can then be opened on any endpoint, assuming that endpoint has the key.
The strength of the encryption lies with the encryption algorithm and key length used by the algorithm. Forcepoint DLP uses a 256-bit key length open source AES encryption algorithm and a symmetric-key encryption to offer the safest and easiest method to encrypt sensitive information. The key is double encrypted and cannot be used on a USB stick or any external device to decrypt data on unauthorized PCs.
Define an encryption key for each endpoint profile. Forcepoint DLP includes one default encryption key. Note that each endpoint client might have a different encryption key, based on its profile.
To create an encryption key:
- Click New.
- Enter a password and confirm it.Note:
The password should be at least 8 characters in length (maximum is 15 characters), and it should contain:
- At least one digit
- At least one symbol
- At least one capital letter
- At least one lowercase letter
- The following example shows a strong password:
- 8%w@s1*F
- Click OK.
- Enter a description (for example “Encryption key for March”).
A code is generated based on the password, and the key appears on the Encryption tab with Pending status. The status is Pending until settings are deployed to the endpoint servers. While a key is awaiting deployment, additional keys cannot be generated.
There can be only one active encryption key for each endpoint profile and 9 enabled keys in the archive. (There is no limit to the number of disabled archived keys.)
After deployment, the pending key becomes the active key, and the former active key changes status to decryption-only and appears in the Archived Keys list to be used for files previously encrypted by that key.
The following additional actions can be performed on this tab:
- To disable a decryption-only key, select the key and click Disable. Only decryption-only keys can be disabled. The change takes place only after all of the following:
- Settings are deployed.
- The endpoint receives the change.
- The endpoint is restarted OR the relevant removable media is disconnected from the endpoint.
- To enable a disabled key, select the key and click Enable. The key reverts to decryption-only status.
- To delete a pending key, click Delete. Only pending keys can be deleted.
Forcepoint recommends backing up the encryption keys every time you modify them. See Backing up encryption keys section.