Policy Files and Default Encryption Keys in Dell Encryption

Summary: The following are policies that users commonly customize depending on their network environment.


Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition
  • Dell Encryption Personal
  • Dell Data Protection | Personal Edition

Policy controls the security posture of clients running Dell Encryption (formerly Dell Data Protection | Encryption). In addition to describing what data should be protected and encrypted, the policy contains settings to define what type of key is used to protect the data.

Cause

Not Applicable

Resolution

Policy determines the subset of users who can access encrypted data on fixed storage (internal hard drives) and removable media by defining the type of key that is used to encrypt data. The key types available are listed below.

Note: Not all key types are available for all policies. For example, User keys cannot be used with the Secure Windows Hibernation File policy, because the hibernation file data must be available to Windows before any user account logs in to the operating system.

System Data Encryption (SDE) Key - Data encrypted with an SDE key is accessible by anyone with access to the computer, including local accounts. SDE keys are unlocked at boot time based on system measurements and are typically used to encrypt operating system and program files so that they are available to the computer and applications as quickly as possible.

Note: Changes to computer hardware may change the measurements that are used to unlock the SDE key, causing boot failures. An SDE recovery must be performed to force the client to recalculate the expected system measurements to recover from this.

System Data Encryption User (SDUSER) Key - Data encrypted with an SDUSER key is encrypted with the same SDE key as SDE encrypted data. The difference between the two keys is that, in addition to the SDE key unlock requirements, a managed user must be logged into the computer for the data to be accessible.

Common Encryption Key - Data encrypted with a common encryption key is accessible by anyone with a managed login to the computer. Common encryption keys are unlocked when a managed user logs in to the computer and the software verifies their identity. Common encryption keys are unique per computer.

User Encryption Key - Data encrypted with a user encryption key is accessible only to the specific user to which the user encryption key is assigned. User encryption keys are unlocked when a managed user logs in to the computer and the software verifies their identity. User encryption keys are unique to each user on a specific device. This data can still be accessed using recovery methods available to forensic administrators. Only this user and forensic administrators have access to this data.

Note: Due to the access limitations on user encrypted data, user encryption keys should only be used to protect data that resides within the user profile directory and should NOT be used for any shared data on the computer.

User Roaming Encryption Key - Like data encrypted with a user encryption key, data encrypted with a user roaming encryption key is only accessible to the specific user to which the user roaming encryption key is assigned. However, unlike user encryption keys, which are assigned to a specific user on a specific computer, user roaming encryption keys are assigned to a specific user and used across the entire enterprise footprint. User roaming encryption keys should always be used for encrypting removable media.

The chart below shows the default key and encryption algorithm configured for the most commonly modified policies, along with the allowed key types and where each policy is set.

Policy: Encrypt User Profile Documents
  • Default key: User (Note: If Policy-Based Encryption is disabled, then the SDUSER key is used.)
  • Where the policy is set: User Data Encryption Key
  • Allowed values: Common; User; User Roaming
  • Algorithm: AES256

Policy: Encrypt Outlook Personal Folders
  • Default key: User
  • Where the policy is set: User Data Encryption Key
  • Allowed values: Common; User; User Roaming
  • Algorithm: AES256

Policy: Encrypt Temporary Files
  • Default key: User
  • Where the policy is set: User Data Encryption Key
  • Allowed values: Common; User; User Roaming
  • Algorithm: AES256

Policy: Encrypt Temporary Internet Files
  • Default key: User
  • Where the policy is set: User Data Encryption Key
  • Allowed values: Common; User; User Roaming
  • Algorithm: AES256

Policy: Encrypt Windows Paging File
  • Default key: One-time 128-bit key that is generated each time the shield initializes
  • Where the policy is set: N/A
  • Algorithm: AES256

Policy: Secure Windows Credentials
  • Default key: System Data Encryption (SDE)
  • Where the policy is set: N/A
  • Algorithm: AES256

Policy: Secure Windows Hibernation File
  • Default key: System Data Encryption (SDE)
  • Where the policy is set: N/A
  • Algorithm: AES256

When using the shield to encrypt entire disk partitions, it is recommended to use the SDE encryption key. This ensures that any encrypted operating system files are accessible during states when a managed user is not logged in.
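The following is an added example, not Dell's code, that models the five key types described above (who can read data under each key, and when) and lints a proposed policy value against the chart and the notes. The policy names, allowed values and the shared-data guidance come from this article; the client-state dictionary, the owner tuple and the function names are assumptions made for illustration.

```python
# Added example, not Dell's code: a small model of the key types this article
# describes, plus a lint of a proposed policy value against the article's chart.
# Policy names, allowed values and the shared-data guidance come from the
# article; the client-state dictionary and function names are assumptions.

# Allowed key types per policy, from the article's chart (SDE-only policies
# are the ones whose data must be readable before any user logs in).
ALLOWED = {
    "Encrypt User Profile Documents": {"Common", "User", "User Roaming"},
    "Encrypt Outlook Personal Folders": {"Common", "User", "User Roaming"},
    "Encrypt Temporary Files": {"Common", "User", "User Roaming"},
    "Encrypt Temporary Internet Files": {"Common", "User", "User Roaming"},
    "Secure Windows Credentials": {"SDE"},
    "Secure Windows Hibernation File": {"SDE"},
}

def key_accessible(key_type, owner, state):
    """Return True if data protected by key_type is readable in this client state.

    state: {"measurements_ok": bool, "device": str, "managed_user": str | None}
    owner: (user, device) for a User key, user for a User Roaming key, else None.
    """
    booted = state.get("measurements_ok", False)   # SDE unlock at boot time
    user = state.get("managed_user")               # verified managed login
    if key_type == "SDE":
        return booted
    if key_type == "SDUSER":                       # SDE key plus a managed login
        return booted and user is not None
    if key_type == "Common":                       # any managed user, this computer
        return user is not None
    if key_type == "User":                         # one user on one device
        return user is not None and owner == (user, state.get("device"))
    if key_type == "User Roaming":                 # one user, any device
        return user is not None and owner == user
    raise ValueError(f"unknown key type: {key_type}")

def lint_policy(policy, key_type, shared_data=False):
    """Flag a policy value that the article's chart or notes advise against."""
    findings = []
    allowed = ALLOWED.get(policy)
    if allowed is None:
        return [f"{policy}: not in the chart"]
    if key_type not in allowed:
        findings.append(f"{policy}: {key_type} not allowed; use one of {sorted(allowed)}")
    if shared_data and key_type in ("User", "User Roaming"):
        findings.append(f"{policy}: user keys lock out other users; use Common for shared data")
    return findings
```

Running `key_accessible` with `measurements_ok=True` and no managed user shows why only the SDE key works for the hibernation file: every other key type returns False until a managed login has been verified.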



Affected Products

Dell Encryption
Article Properties
Article Number: 000125064
Article Type: Solution
Last Modified: 15 Apr 2024
Version:  9