Explanations on usage

Stormshield Data Management Center

In SDMC, public key infrastructures (PKIs) cannot be managed, unlike in Stormshield Data Authority Manager version 10.

Smart cards/tokens

For the SDS Enterprise middleware to function properly, the smart card minidrivers of the cryptographic medium in question must be installed on the workstation.


The smart card reader for a cryptographic medium cannot be changed during the course of a Windows session. If you have started using a smart card in a certain reader, you must restart your Windows session in order to use this card in another reader.


Virtual card accounts can only be created with RSA keys of up to 2048 bits. This limitation also applies to SSO accounts whose keys are stored on a virtual card.


Microsoft Virtual Smart Cards and certain types of smart cards associated with their middleware do not support the RSA-OAEP-SHA-256 encryption algorithm. This incompatibility prevents .sdsx files from being decrypted. For more information, refer to the Stormshield knowledge base.

Kernel

After the SDS Enterprise agent has been installed or after changes have been made to the security policy, the workstation must be restarted for the policy to be correctly applied.


Malfunctions may occur when two cryptographic devices (token and/or card) are connected to a workstation at the same time. This restriction does not apply when the Stormshield SmartCard support middleware is used.


When the Windows display scaling setting is above 100%, the SDS band in the connection window and in the "About" window does not span the full width of the window.


When importing PGP keys, if the Password required window is resized, the Cancel and OK buttons do not display correctly.


When peers are selected from the LDAP directory for an encryption operation, for peers that have several certificates, SDS Enterprise will always suggest the most recent certificate, even if it has been revoked. The encryption operation will therefore fail. We recommend deleting revoked certificates from your LDAP directory.


When a .usi account from the SDAM is installed on a user's workstation, the values of the parameters prescribed by the .json policy configuration file prevail when the kernel starts up, and when the user logs in.


Logging in to an SDS Enterprise account with an SSO account relies on the smart card or USB token account type. The agent's card extension must therefore be installed for it to work.


When an SDS Enterprise account is blocked, the only way for a password account to be unblocked is via the account's backup password.


Specific revocation list download protocols cannot be disabled (HTTP, FILE, etc.).


The date on which the revocation list was last downloaded is no longer shown in the revocation controller. However, an entry in the Windows event log is generated.


The recovery account certificate must carry the Data Encipherment and Key Encipherment key usages.
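The key-size and key-usage constraints above (RSA keys of at most 2048 bits on a virtual card, at least 2048 bits for the .sdsx format, and Data Encipherment plus Key Encipherment on the recovery certificate) can be checked before a certificate is enrolled. The following script is an added example, not Stormshield code; it inspects the current user's personal certificate store and the function name is an assumption.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Stormshield code: report, for each certificate in the personal store,
# whether it satisfies the key-usage and RSA key-size constraints stated in this section.
function Test-SdsEncryptionCertificate {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        # Key Usage extension; a certificate without one asserts no usages at all.
        $kuExt  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
        $usages = if ($kuExt) { $kuExt.KeyUsages } else { [X509KeyUsageFlags]::None }

        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
        $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }

        $keyEnc  = $usages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)
        $dataEnc = $usages.HasFlag([X509KeyUsageFlags]::DataEncipherment)

        [pscustomobject]@{
            Subject          = $Certificate.Subject
            Thumbprint       = $Certificate.Thumbprint
            KeyEncipherment  = $keyEnc
            DataEncipherment = $dataEnc
            RsaKeyBits       = $bits
            # Recovery certificate: both usages and an RSA key the .sdsx format accepts (>= 2048 bits).
            RecoveryUsable   = ($keyEnc -and $dataEnc -and $bits -ge 2048)
            # Virtual card accounts only hold RSA keys up to 2048 bits, and .sdsx needs at least
            # 2048, so a key destined for a virtual card must be exactly 2048 bits.
            VirtualCardOk    = ($bits -eq 2048)
        }
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My | Test-SdsEncryptionCertificate | Format-Table -AutoSize
```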

Stormshield Data File

User access management - the "Edit access" menu cannot be used when selecting both files and folders.


SDS Enterprise currently does not support Microsoft OneNote documents.


When a file is protected in .sdsx format, or protection is removed from an .sdsx file, Windows permissions applied to the file are restricted to the session user only and to the permissions inherited from the parent folder.


If it is not possible to save a protected document currently being edited (the document has been renamed or deleted in the meantime, or the document is on a network share and the connection is interrupted), the user must change the save location or rename the document.


Multiple users can simultaneously edit a document protected by Stormshield Data File.


The .sdsx format does not support certificates whose RSA keys are strictly shorter than 2048 bits.


Temporary decryption folders cannot be protected locally with the Data Team module.

Stormshield Data Share

Automatic folder protection cannot apply to folders already protected by Team.


By default, Microsoft applications are not allowed to "Save as" in synchronized shared spaces, to prevent sharing files in plaintext.


When automatic document protection is enabled for a folder and you use the "Save as" function on the applications concerned, you need to close the application from which you saved the file for the file to be visible in the automatically protected folder.


The file path from the root of the synchronized folder must not exceed 185 characters, including extensions (e.g., .pptx, .sdsx). Otherwise, the file will not be protected and will no longer be accessible.


To ensure that files moved to a Dropbox synchronized space are automatically protected, use the drag and drop or copy and paste functions. If you use the Move to Dropbox pop-up menu on a file, it will not be protected.


When an automatic protection rule is applied to the content of a folder, or when protection is removed from the content of a folder after an automatic protection rule has been disabled, the Windows permissions applied to the files contained in the folder are restricted to the session user and to the permissions inherited from the parent folder.


Share is not supported on network shares, file servers or external drives.


If the "padlock" icon is not visible on a protected folder, check in the registry, in "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers", that the following keys are positioned above the existing keys in the tree:

  • EncrypterOverlayIcon

  • SDSShareOverlayIcon

If this is not the case, add spaces before their names and restart Explorer in order to apply the change.
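The check above can be scripted. The following is an added example, not Stormshield code: it lists the ShellIconOverlayIdentifiers subkeys in the sorted order Explorer takes them, reports where the two SDS keys sit, and only applies the documented space-prefix workaround when run from an elevated prompt with the assumed `-ApplyFix` switch.

```powershell
# Added example, not Stormshield code. Read-only unless -ApplyFix is given (renaming
# keys under HKLM requires an elevated prompt).
param([switch]$ApplyFix)

$overlayPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$sdsKeys     = @('EncrypterOverlayIcon', 'SDSShareOverlayIcon')
$explorerMax = 15   # Windows limitation: Explorer only honours the first 15 overlay handlers

# Explorer takes the handlers in registry name order, which is why a leading space moves a
# key to the top. Sort ordinally here; the default Sort-Object is culture-aware.
$names = [string[]]((Get-ChildItem -Path $overlayPath).PSChildName)
[Array]::Sort($names, [System.StringComparer]::OrdinalIgnoreCase)

$position = 0
foreach ($name in $names) {
    $position++
    $marker = if ($sdsKeys -contains $name.Trim()) { '  <- SDS' } else { '' }
    '{0,3}. [{1}]{2}' -f $position, $name, $marker
}

foreach ($key in $sdsKeys) {
    # Locate the key, ignoring any spaces already prefixed to its name.
    $idx = -1
    for ($i = 0; $i -lt $names.Length; $i++) {
        if ($names[$i].Trim() -eq $key) { $idx = $i; break }
    }
    if ($idx -lt 0) {
        Write-Warning "$key is missing: the SDS overlay handler is not registered."
    } elseif ($idx -ge $explorerMax) {
        Write-Warning "$key is at position $($idx + 1), beyond the $explorerMax handlers Explorer loads."
    }
    # Documented workaround: prefix the name with spaces so the key sorts above the others.
    if ($ApplyFix -and $idx -ge 0 -and -not $names[$idx].StartsWith(' ')) {
        Rename-Item -Path (Join-Path $overlayPath $names[$idx]) -NewName "  $key"
    }
}
```

After renaming, restart Explorer (for example, end the explorer.exe process and start it again) for the new order to take effect.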


The protection of a folder cannot be modified if you have already protected or modified access to one of its sub-folders or parent folders.


The "padlock" icon is not visible on a synchronized OneDrive folder because OneDrive does not support icon overlays.


User access management - the "Edit access" menu cannot be used:

  • when both files and folders are selected.

  • on a simultaneous selection of several protected folders or on an unprotected folder.


Sharing protection rules - for a shared protection rule on a folder to apply to a user, they must be logged into their SDS Enterprise account, be among the recipients of the rule and browse to the folder concerned.


Sharing protection rules - an automatic protection rule defined locally on a collaborative workspace folder by one user and not shared is overwritten if another user defines a shared rule on the same folder; the shared rule then applies to the first user as well.


Sharing protection rules - if two users define a different shared protection rule on the same folder, the most recent rule is taken into account.


Sharing protection rules - when a user deletes a folder with a shared protection rule by placing it in the Recycle Bin, the rule remains active until the Recycle Bin is emptied.


Sharing protection rules - A shared protection rule cannot be converted into a non-shared rule, and vice versa.

Stormshield Data Mail

Microsoft Outlook's message recall feature is not compatible with Stormshield Data Mail encryption.


Encrypted messages cannot be sent to recipients over Microsoft Exchange in offline mode in Microsoft Outlook. A connection is required for SMTP address resolution.

Users may sometimes not be able to open .sdsx files attached to encrypted messages. It is therefore recommended to download attachments before opening them.


PGP messages received as attachments (.msg) cannot be opened by dragging and dropping them in an Outlook folder.


When the Outlook reading pane is disabled, simply double-clicking on a large encrypted message will not open it. You must double-click twice on the message.


The encryption band does not display when writing a new encrypted email via the Start menu if Outlook is not running. The email will nevertheless be correctly encrypted.


The Mail add-in is not compatible with the Kaspersky Outlook Anti-Virus Addin. If the recipient's certificates are not available, some e-mails may be sent as they are, i.e., unencrypted.


We do not recommend removing the smart card to lock an SDS Enterprise card account while an e-mail is being saved, as the backup will not work.


In Windows Explorer, .msg files signed or encrypted with Outlook cannot be opened. In this case, apply the workaround described in the Stormshield Knowledge base (authentication required).

Stormshield Data Virtual Disk

You are advised against using a Virtual Disk volume on remote spaces. A connection timeout may prevent access to the disk, or changes made to the disk may not be saved.

Stormshield Data Team

Stormshield Data Team is not compatible with the backup tool Veeam. The tool prevents folders protected with a Team rule from being encrypted.


In Microsoft Windows 10 and 11, when the user encrypts a folder, the SDS Enterprise padlock icon does not always appear on encrypted files. However, the files are correctly encrypted.


The Shadow Copy volume backup system, enabling version management in Windows Explorer among other things, is not supported by Stormshield Data Team.


Synchronized directories such as SharePoint, Dropbox, Office 365, Google Drive on premise, etc. are not supported by Stormshield Data Team and therefore cannot be secured by the module. We recommend excluding these directories from the folders analyzed by Stormshield Data Team using the advanced Folder exclusion setting, available in the Team feature configuration in the SDMC administration console.