General Information About Dell Encryption
Summary: This article provides some general information about Dell Encryption (formerly Dell Data Protection | Encryption).
Symptoms
Affected Products:
- Dell Encryption
- Dell Data Protection | Encryption
Cause
Not Applicable
Resolution
General Shield Encryption Information
For Windows, you can specify encryption in two ways: You can specify locations where files are encrypted (Common Encrypted Folders, User Encrypted Folders), and you can specify applications whose work is encrypted (Application Data Encryption List).
Encrypting data does not restrict the ability of a user to view, create, change, rename, copy, move, share, or delete their files and folders as usual. Encrypting data also does not restrict the ability of an administrator to rename and delete files and folders as usual. Deleted encrypted files and folders remain encrypted, whether they are in the Recycle Bin or permanently deleted. However, users cannot NTFS-compress or EFS-encrypt Shield-encrypted files or folders. If instructed to encrypt NTFS-compressed or EFS-encrypted files for the logged-in user, the Shield removes the associated folder attributes and file characteristics before encrypting the files.
If data was originally encrypted because of its location, the Shield automatically decrypts it when it is copied or moved from an encrypted area to a decrypted area by a user who can access the data. If a user who cannot access the data renames or moves it (only possible within a partition), the data always remains encrypted. Each managed user can access files they own (encrypted at the user level), plus files encrypted at the device level. If a user shares an encrypted area, it is accessible only while that user is logged on, and anyone accessing it is treated as its owner.
When the Shield encrypts an instance of an NTFS hard-linked file, the encrypted instance is no longer linked to the original file, and hard linking is disabled for the encrypted file. If Secure Post Encryption Cleanup is set to any value other than No Overwrite, the Shield overwrites the original file.
Files in encrypted folders are encrypted either when they are created, or (after creating an unmanaged user) when a managed user logs in. The Shield also scans relevant folders for possible encryption and decryption when a folder is renamed or when it receives encryption policy changes. If Scan Workstation on Logon is True, when a user logs in, the Shield compares how files in currently and previously encrypted folders are encrypted to the user policies, and makes any necessary changes. If Scan Removable Media is True, when removable storage is inserted, the Shield scans it for possible encryption and decryption.
If a computer has two users, and a given folder is encrypted for only one of those users, new files in that folder remain unencrypted until the user with the encryption policy logs in. If another folder is encrypted for both users as a User Encrypted Folder, files created by one user are not accessible by the other user. If you want the files to be accessible by both, you can either list the folder in the Common Encrypted Folders policy, or change the User Data Encryption Key to Common.
If you specify a network folder in the Common Encrypted Folders or User Encrypted Folders policy, the Shield does not encrypt it. The Shield only encrypts folders on the local hard drive.
If an application has a file open when the Shield attempts to encrypt or decrypt it, the Shield tries again to encrypt or decrypt this file each time the user logs in. Following an unsuccessful attempt, the Shield closely integrates with the operating system to maximize the likelihood that the file encryption status changes to match policy.
If an application tries to access a large file while the Shield is encrypting or decrypting it, a dialog displays after 1-2 seconds, giving the user the option of canceling encryption or decryption. If the user cancels, the Shield tries again the next time the user logs in. You can view encryption failures in the Remote Management Console. When initial encryption of an endpoint is complete, the Shield creates the registry entry:
HKCU\Software\Credant\CMGShield\InitialEncryptionDone and sets it to True (1).
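Because the entry lives under HKCU, it is recorded per user rather than per computer. The following PowerShell is an added example, not Dell-supplied code, that reports the flag for every user profile whose hive is currently loaded; it assumes InitialEncryptionDone is a value under the CMGShield key and that "True (1)" is stored as 1, and the function name is hypothetical.

```powershell
# Added example: audit the Shield's InitialEncryptionDone flag per user.
# Run from an elevated prompt; only hives loaded under HKEY_USERS
# (logged-on users) are visible, so absent users are not listed.
# Assumption: InitialEncryptionDone is a value under the CMGShield key.
$subKey    = 'Software\Credant\CMGShield'
$valueName = 'InitialEncryptionDone'

function Get-ShieldInitialEncryptionStatus {
    # HKCU maps to one hive under HKEY_USERS per loaded profile.
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $hku.GetSubKeyNames()) {
        # Keep domain/local (S-1-5-21) and Entra ID (S-1-12-1) user SIDs;
        # this also skips service accounts and the *_Classes hives.
        if ($sid -notmatch '^S-1-(5-21|12-1)-[\d-]+$') { continue }

        # Resolve the SID to an account name; keep the SID if unmapped.
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        $key = $hku.OpenSubKey("$sid\$subKey")
        $status = if ($null -eq $key) {
            'ShieldKeyMissing'            # no Shield data for this user
        } else {
            $raw = $key.GetValue($valueName, $null)
            $key.Close()
            if ($null -eq $raw)       { 'NotComplete' }
            elseif ("$raw" -eq '1')   { 'Complete' }
            else                      { "Unexpected($raw)" }
        }

        [pscustomobject]@{ Account = $account; Sid = $sid; Status = $status }
    }
}

Get-ShieldInitialEncryptionStatus | Format-Table -AutoSize
```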
Changing the encryption algorithm causes an encryption sweep to occur. Depending on the volume of encrypted files and the resources available on each computer, performance may be affected while the encryption sweep is being completed.
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.