Explanations on usage

Stormshield Data Management Center

In SDMC, public key infrastructures (PKIs) cannot be managed, unlike in Stormshield Data Authority Manager version 10.

Smart cards/tokens

For the SDS Enterprise middleware to function properly, the smart card minidrivers of the cryptographic medium in question must be installed on the workstation.

The smart card reader for a cryptographic medium cannot be changed during the course of a Windows session. If you have started using a smart card in a certain reader, you must restart your Windows session in order to use this card in another reader.

Accounts can only be created on a TPM chip with RSA keys that do not exceed 2048 bits. This limitation also applies to SSO accounts with keys that are stored on a TPM chip.


After the SDS Enterprise agent has been installed or after changes have been made to the security policy, the workstation must be restarted for the policy to be correctly applied.

Malfunctions may occur when connecting two cryptographic devices (token and/or card) at the same time on a workstation. This restriction does not apply when the SmartCard support Stormshield middleware is used.

When the Windows setting for the size of the elements is set to more than 100%, the SDS band in the connection window and in the "About" window does not display on the entire width of the window.

When importing PGP keys, if the window Password required is resized, the buttons Cancel and OK do not correctly display.

When peers are selected from the LDAP directory for an encryption operation, for peers that have several certificates, SDS Enterprise will always suggest the most recent certificate, even if it has been revoked. The encryption operation will therefore fail. We recommend deleting revoked certificates from your LDAP directory.

When a .usi account from the SDAM is installed on a user's workstation, the values of the parameters prescribed by the .json policy configuration file prevail when the kernel starts up, and when the user logs in.

The type of SSO account used to log in to the SDS Enterprise account depends on the operation of the smart card or USB token account type. The agent card extension must therefore be installed for it to run.

When an SDS Enterprise account is blocked, the only way for a password account to be unblocked is via the account's backup password.

Specific revocation list download protocols cannot be disabled (HTTP, FILE, etc.). All protocols are properly managed.

The date on which the revocation list was last downloaded is no longer shown in the revocation controller. However, a Windows event log will be generated.

Stormshield Data File

SDS Enterprise currently does not support Microsoft OneNote files.

When a file is protected in .sdsx format, or protection is removed from an .sdsx file, Windows permissions applied to the file are restricted to the session user only and to the permissions inherited from the parent folder.

In the event a protected file in the process of being edited cannot be backed up (e.g. if the file has been deleted or renamed in the meantime, or the file is located on a shared network and the connection has been shut down), the user will need to modify the backup location or rename his file.

Files protected by SDS Enterprise and stored on a shared network, while in the process of being modified by an authorized user, can still be simultaneously modified by another authorized user.

The SDSX format strictly does not support certificate RSA keys smaller than 2048 bits.

Temporary decryption folders cannot be protected locally with the Data Team module.

Stormshield Data Share

Automatic folder protection cannot apply to folders already protected by Team.

By default, Microsoft applications are not allowed to "Save as" in synchronized shared spaces, to prevent sharing files in plaintext.

When automatic file protection is enabled on a folder, and you are using "Save as" on allowed applications, you must shut down the application that is attempting to save, so that the file can be seen in the automatically protected folder.

The file path from the root of the synchronized folder must not exceed 185 characters, including extensions (e.g., .pptx, .sdsx). Otherwise, the file will not be protected and will no longer be accessible.

To ensure that files moved to a Dropbox synchronized space are automatically protected, use the drag and drop or copy and paste functions. If you use the Move to Dropbox pop-up menu on a file, it will not be protected.

When an automatic protection rule is applied to the content of a folder, or when protection is removed from the content of a folder after an automatic protection rule has been disabled, the Windows permissions applied to the files contained in the folder are restricted to the session user and to the permissions inherited from the parent folder.

Share is not supported on network shares, file servers or external drives.

If the padlock icon does not appear on a protected folder, check th registry base, under "Ordinateur\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers", that the following keys have been placed above the existing keys in the tree:

  • EncrypterOverlayIcon

  • SDSShareOverlayIcon

If this is not the case, add spaces before their names and restart Explorer in order to apply the change.

The protection of a folder cannot be modified if you have already protected or modified access to one of its sub-folders or parent folders.

Stormshield Data Mail

Encrypted messages cannot be sent to recipients over Microsoft Exchange in offline mode in Microsoft Outlook. A connection is required for SMTP address resolution.

Users may sometimes not be able to open .sdsx files attached to encrypted messages It is therefore recommended to download attachments before opening them.

PGP messages received as attachments (.msg) cannot be opened by dragging and dropping them in an Outlook folder.

When the Outlook reading pane is disabled, simply double-clicking on a large encrypted message will not open it. You must double-click twice on the message.

The encryption band does not display when writing a new encrypted email via the Start menu if Outlook is not running. The email will thus be correctly encrypted.

The Mail add-in is not compatible with Kaspersky Outlook Anti-Virus Addin. If the certificates of the recipient are not available, some e-mails can be sent as they are not encrypted.

We do not recommend removing the smart card to lock a SDS Enterprise card account whereas an e-mail is being saved as the backup will not work.

In Windows Explorer, .msg files signed or encrypted with Outlook cannot be opened. In this case, apply the workaround described in the Stormshield Knowledge base (authentication required).

Stormshield Data Virtual Disk

You are advised against using a Virtual Disk volume on remote spaces. A correction timeout may prevent access to the disk or changes made to the disk may not be saved.

Stormshield Data Team

Stormshield Data Team is not compatible with the backup tool Veeam. The tool prevents folders protected with a Team rule from being encrypted.

In Microsoft Windows 10 and 11, when the user encrypts a folder, the SDS Enterprise padlock icon does not always appear on encrypted files. However files are correctly encrypted.

The Shadow Copy volume backup system, enabling version management in Windows Explorer among other things, is not supported by Stormshield Data Team.

Stormshield Data Team cannot support synchronized directories such as SharePoint, Dropbox, Office 365, etc. and thus cannot encrypt them. We recommend that you exclude these directories from the folders analyzed by Stormshield Data Team by using the Folder exclusion advanced parameter found in the configuration of the Team feature in the SDMC administration console.