Configuring Stormshield Data File

File encryption in Stormshield Data File makes it possible to guarantee the confidentiality of the data that your users process every day. With this feature, encryption and decryption tasks on user-defined event triggers can also be automated.

For more information, refer to Securing files in the SDS Enterprise advanced user guide.

Configuring file encryption

  • Go to Policies > Features > File, and enable the settings of your choice.

Properties

The default encryption format is .sdsx.

In this format, the user can edit an encrypted file transparently without the need to decrypt and subsequently re-encrypt it, as was the case with the previous sbox format.
Encryption and decryption Select the items for which you want to allow encryption and decryption.
Multiple encryption

  • If the user frequently needs to encrypt a large volume of files, unselect Confirm encryption for each file.

  • You can choose whether to encrypt hidden files.
Special encryption

  • When you enable file encryption for a recipient, you will use the recipient's public key for encryption and they will use their private key for decryption.

  • Self-decrypting files can be shared with recipients who do not have either Stormshield Data File or Security BOX SmartFILE.

  • SmartFILEs can be shared with recipients who only have Security BOX SmartFILE. For more information, see Generating a Security BOX SmartFILE filein the SDS Enterprise Advanced User Guide.
Encryption of read-only files There are several options available for the encryption of read-only files.
Manual encryption and decryption of lists See the section below on how to use lists.
Windows encryption of the decryption temporary directory

By default, Windows encryption of the temporary directory for decrypting .sdsx files (directory C:\Users\[user]\AppData\LocalLow\Stormshield\Stormshield Data Security\Decrypted) is enabled.

You can disable it.

For more information on the advanced use of the File feature on the SDS Enterprise agent, refer to the section Stormshield Data File.

Using lists

Encryption and decryption lists can be used to automate file encryption and decryption for error-free ease of use. A file list can also be created to prevent selected files from being encrypted.

Files enrolled in encryption or decryption lists are automatically processed at a predetermined time or when a predetermined event takes place. For example, you can choose to automatically encrypt files when the session is locked, when the user logs out from SDS Enterprise, or at set intervals (e.g., every 15 minutes) as a background task.

  • Indicate the paths of the files or folders to be encrypted or decrypted. The list can be exported and imported in JSON format.

EXAMPLE OF A .JSON FILE
{
"askForConfirmation":false,
"path":"C:\\Users\\john\\Documents\\Files","recursive":true
},
{
"askForConfirmation":false,
"path":"C:\\Users\\john\\Documents\\Images","recursive":false
}

Encryption and decryption lists can also be used to manually launch a batch encryption or decryption of all of the list items or of selected ones only.

Recursion of automatic file list encryption or decryption defines the sub-folder inclusion behavior. It is set by the Include sub-folders option and can either be on or off. Recursion is applied as follows:

  • as a mode, it applies to all items and can be enabled and repeated in various screens.
  • as a property of a folder, it defines whether only the indicated folder will be encrypted or decrypted automatically or its sub-folders as well.
  • as a property of a file, it defines whether only the indicated file will be encrypted or decrypted automatically or whether files with the same name, but located in other folders, will also be encrypted or decrypted.
  • as a property of a file set defined by an expression using wildcard characters (* and ?), it defines whether only the file set will be encrypted or decrypted, or whether files of the same name located in other folders, will also be encrypted or decrypted.

For security reasons, you may need to prevent the encryption of certain files so that they will not be encrypted by mistake. You can create an exclusion list, which will contain the list of files that must not be encrypted.

  • Indicate the paths of the files or folders to exclude from encryption. The list can be exported and imported in JSON format.

The recursion principles explained in Using encryption and decryption lists apply to exclusion lists.

To prevent the encryption of the system folder (C:\WINDOWS\ by default) and the Stormshield Data File installation folder (C:\Program Files\Arkoon\Security BOX by default), we recommend adding these folders to the exclusion list.

Do take note of the following rules as well:

  1. If a file/folder belongs to both the encryption and exclusion lists, the exclusion list overrides the encryption list.
  2. When several exclusion rules apply to a file, the most restrictive one applies. If one requires confirmation and the other excludes it unconditionally, the file is excluded without any confirmation request.
  3. Exclusion rules are enforced between the verification of hidden files and that of read-only files. In other words, if the rules are as follows:
  1. the hidden files must not be encrypted,
  2. a confirmation request for read-only files is required.

If both rules apply to a file, it will not be encrypted without a confirmation request.