Configuring Stormshield Data File
File encryption in Stormshield Data File makes it possible to guarantee the confidentiality of the data that your users process every day. With this feature, encryption and decryption tasks on user-defined event triggers can also be automated.
For more information, refer to Securing files in the SDS Enterprise advanced user guide.
Configuring file encryption
-
Go to Policies > Features > File, and enable the settings of your choice.
| Properties |
The default encryption format is .sdsx. In this format, the user can edit an encrypted file transparently without the need to decrypt and subsequently re-encrypt it, as was the case with the previous sbox format. |
| Converting .sbox files to .sdsx format |
These options work with the .sdsx encryption format. If you want your users' files in the old .sbox format to be replaced by files in .sdsx format, activate the Force conversion of .sbox files to .sdsx format option. When a user opens an encrypted file with the .sbox extension, it is automatically converted to .sdsx format and the user does not need to re-encrypt it after opening. The new file is protected for the same recipients as the original file. You can specify a path to move old .sbox files to after conversion. Otherwise, they remain in their original location. Conversion only works on one .sbox file at a time. If this option is disabled, two context menus allow you to Open or Unprotect a .sbox file. If this option is enabled, a single menu is used to Open the file. If the user selects several files including at least one .sbox file, only the Open menu is visible. |
| Encryption and decryption |
Select the items for which you wish to authorize encryption and decryption. |
| Multiple encryption |
|
| Special encryption |
|
| Encryption of read-only files | There are several options available for the encryption of read-only files. |
| Manual encryption and decryption of lists | See the section below on how to use lists. |
| Windows encryption of the decryption temporary directory |
By default, Windows encryption of the temporary directory for decrypting .sdsx files (directory C:\Users\[user]\AppData\LocalLow\Stormshield\Stormshield Data Security\Decrypted) is enabled. You can disable it. |
For more information on the advanced use of the File feature on the SDS Enterprise agent, refer to the section Stormshield Data File.
Using lists
Encryption and decryption lists can be used to automate file encryption and decryption for error-free ease of use. A file list can also be created to prevent selected files from being encrypted.
Using encryption and decryption lists
Files enrolled in encryption or decryption lists are automatically processed at a predetermined time or when a predetermined event takes place. For example, you can choose to automatically encrypt files when the session is locked, when the user logs out from SDS Enterprise, or at set intervals (e.g., every 15 minutes) as a background task.
-
Indicate the paths of the files or folders to be encrypted or decrypted. The list can be exported and imported in JSON format.
EXAMPLE OF A .JSON FILE
{
"askForConfirmation":false,
"path":"C:\\Users\\john\\Documents\\Files","recursive":true
},
{
"askForConfirmation":false,
"path":"C:\\Users\\john\\Documents\\Images","recursive":false
}
Encryption and decryption lists can also be used to manually launch a batch encryption or decryption of all of the list items or of selected ones only.
Recursion of automatic file list encryption or decryption defines the sub-folder inclusion behavior. It is set by the Include sub-folders option and can either be on or off. Recursion is applied as follows:
- as a mode, it applies to all items and can be enabled and repeated in various screens.
- as a property of a folder, it defines whether only the indicated folder will be encrypted or decrypted automatically or its sub-folders as well.
- as a property of a file, it defines whether only the indicated file will be encrypted or decrypted automatically or whether files with the same name, but located in other folders, will also be encrypted or decrypted.
- as a property of a file set defined by an expression using wildcard characters (* and ?), it defines whether only the file set will be encrypted or decrypted, or whether files of the same name located in other folders, will also be encrypted or decrypted.
Using exclusion lists
For security reasons, you may need to prevent the encryption of certain files so that they will not be encrypted by mistake. You can create an exclusion list, which will contain the list of files that must not be encrypted.
-
Indicate the paths of the files or folders to exclude from encryption. The list can be exported and imported in JSON format.
The recursion principles explained in Using encryption and decryption lists apply to exclusion lists.
To prevent the encryption of the system folder (C:\WINDOWS\ by default) and the Stormshield Data File installation folder (C:\Program Files\Arkoon\Security BOX by default), we recommend adding these folders to the exclusion list.
Do take note of the following rules as well:
- If a file/folder belongs to both the encryption and exclusion lists, the exclusion list overrides the encryption list.
- When several exclusion rules apply to a file, the most restrictive one applies. If one requires confirmation and the other excludes it unconditionally, the file is excluded without any confirmation request.
- Exclusion rules are enforced between the verification of hidden files and that of read-only files. In other words, if the rules are as follows:
- the hidden files must not be encrypted,
- a confirmation request for read-only files is required.
If both rules apply to a file, it will not be encrypted without a confirmation request.