This article describes SafeGuard Persistent Encryption, and explains the rules by which it works
First seen in
SafeGuard File Encryption 6.10.0
SafeGuard File Encryption 6.0
What is Persistent Encryption?
Persistent Encryption is a SafeGuard option which ensures that files remain encrypted when they are moved or copied with Windows Explorer. If files are moved or copied using different tools, Persistent Encryption may not work in the same way, see below for more details.
How do you enable or disable Persistent Encryption?
Persistent Encryption is enabled by default. It requires a Security Officer (SO) to enable or disable 'Persistent Encryption' for files which are encrypted as follows:
- In the SafeGuard Management Center go to Policies | General Settings | File Encryption | Enable Persistent Encryption.
- Set the 'Enable persistent encryption' option to 'Yes' or 'No'.
What is the effect of disabling Persistent Encryption?
When Persistent Encryption is disabled, files only remain encrypted for as long as they are subject to an encryption rule. This means that when files are copied or moved to a location not covered by an encryption rule, then they are created in plain (i.e. not encrypted). For example, if a user copies an encrypted file into a folder for which no encryption rule has been defined, the file will be decrypted in the target folder.
What is the effect of enabling Persistent Encryption?
When Persistent Encryption is enabled, files remain encrypted even when they are moved or copied. This prevents the unintended creation of plain copies of encrypted files, even if they are created in locations that are not covered by an encryption rule.
How does Persistent Encryption work with existing encryption?
The following will help you predict the effects of using Persistent Encryption
Persistent Encryption only applies if the names of the source file and the target file are identical.
The SafeGuard file encryption driver stores only the name of the file, without any path information. Only the name is used for comparison and therefore it only works in situations where the names of the source file and the target file are identical. If the file is renamed during the copy operation, the resulting file is considered to be a 'different' file and therefore is not subject to Persistent Encryption.
When a user saves an encrypted file with Save As under a different file name in a location not covered by an encryption rule, the file will be plain text.
Information about files is kept for a limited time only. If the operation takes too long (more than 15 seconds), the newly created file is considered to be a different, independent file and therefore is not subject to Persistent Encryption.
Persistent Encryption with an encryption rule
Persistent Encryption tries to ensure that an encrypted file retains its encryption state, for example its original encryption key. This works if the file is moved to a folder with no applicable encryption policy. However, if the file is copied or moved to a location where an encryption policy applies, the encryption policy has higher priority and therefore overrules Persistent Encryption. As a result, the file will end up encrypted with the key defined in the encryption rule, and not with the one that was originally used.
Persistent Encryption with an Ignore path rule
An Ignore path rule overrides Persistent Encryption, which means that encrypted files that are copied to a folder with an applicable Ignore path are stored in plain.
Persistent Encryption with an Exclude path rule
An Exclude path rule overrides Persistent Encryption, which means that encrypted files that are copied to a folder with an applicable Exclude path are stored in plain.
The Exclude path rule is primarily used for files that are accessed very frequently, and for which there is no particular reason to encrypt them. This improves system performance.
Why is Persistent Encryption not doing what I expected?
Persistent Encryption may not always behave exactly as you would expect. Here are some common scenarios where this might be the case. Too many files are encrypted
- This scenario can occur when you copy a plain file to several locations at the same time, and where one or more of those locations applies encryption rules and the other locations do not. This can result in copies of that file being encrypted when you did not expect them to be.
This occurs because although the original file is not encrypted, if the file is first copied to an encrypted location, the file name is added to the driver's internal list. When the second copy is created somewhere else, the driver finds the file name in its list and encrypts the second copy as well, even if files going to the second location wouldn't normally be encrypted.
- If you open an encrypted file, and then shortly afterwards create a new file with the same name, the newly created file will be encrypted with the same key as the file that was opened first.
Note: This only applies if the same application/thread is used for reading the encrypted file as well as creating the new one.
Example of a common way in which this might happen:
- In Windows Explorer right-click in a folder which has encryption rule, then click New | Text document.
- Immediately right-click in a folder without an encryption rule, and click New | Text document. This second file will be encrypted too.
Files are not encrypted
- This scenario can occur if you create multiple copies of a file as follows.
If you create copies of an encrypted file in the same folder as the original file, the copies are not encrypted. This is because the copies have different file names (for example, doc.txt vs. doc - Copy.txt) and when the file names do not match, they are not encrypted by Persistent Encryption.
How does Persistent Encryption work if you move/copy files with a different tool, not Explorer?
Note: Persistent Encryption only works if you copy or move files with Windows Explorer.
- If Persistent Encryption is enabled, and you use different tools (for example, xcopy), to move/copy a file, the file will be decrypted if no encryption rule has been defined for the target folder.
- If Persistent Encryption is disabled, the rules defined in your (the user) profile will be applied.