CSC User Guide

FILE & MEDIA ENCRYPTION USER GUIDE VERSION 2.0

VERSION 2.0 | 12 August 2011

PREPARED BY: North American Security Services

Managed Encryption Service (MES)

Computer Sciences Ltd. 2011 All rights reserved

NASS-MES Page 2 of 35

CSC Checkpoint File_Media Encryption User Guide v2.0.docx

Printed copies of this document are for reference only.

CSC PROPRIETARY

USER GUIDE - FILE & MEDIA ENCRYPTION

Amendment History

Issue Date Amended By Amendment Details

1.0 18-Feb-2011 James R Sims Initial Release

2.0 12-Aug-2011 James R Sims Added Do Not Cancel Media import

Distribution

Name or Role Department or location Number of Copies

CSC Approvals

Authorized By: Role Date





CSC PROPRIETARY


Abstract

This document provides a User Guide for the Checkpoint File Encryption and Media Encryption applications as part of CSCs MPS 609 encryption policy.





CSC PROPRIETARY


Table of Contents

TABLE OF CONTENTS ............................................................................................................. 4

1 INTRODUCTION ............................................................................................................... 5

2 MEDIA ENCRYPTION USER INSTRUCTIONS ............................................................... 5

3 FILE ENCRYPTION USER INSTRUCTIONS ................................................................. 31





CSC PROPRIETARY


1 Introduction

Checkpoint Endpoint Media encryption (ME) will allow end users to encrypt and decrypt removable media in an effort to protect company information if the media is lost or stolen. Removable media is classified as USB Memory sticks, removable hard drives, etc. If your computer can recognize a device you plug into a USB port as a Mass Storage Device, it has the potential to be encrypted. ME encrypts the entire removable device. Checkpoint File encryption (FE) is an additional feature that allows you to protect your information by encrypting it one file at a time (or several files, but not the entire disk drive). Once encrypted, the information can only be accessed by people who know the correct password. These two applications are used in addition to the Check Point Full Disk Encryption (FDE) on the local PC hard drive.

2 Media Encryption User Instructions

Follow the guidelines below to use Media Encryption (ME). See Section 3 for details about File Encryption (FE). Most CSC Desktop & Laptop Computers have PME (Pointsec Media Encryption) installed. This is a former version. When you run the upgrade to ME (Checkpoint Media Encryption) you will notice some differences in the appearance of any formerly PME encrypted device.

The first screen is showing a former PME encrypted drive for reference only.





CSC PROPRIETARY


After upgrade, the former PME Encrypted Files convert to a new yellow padlock icon (FE is able to read these former PME files for backwards compatibility.)

Important Note: After upgrade, if you copy a file or edit it, the file is replaced with a non encrypted version on the removal media.

Therefore, we recommend you copy all the files from the former PME encrypted device to the local drive, format the removable media, and then fully encrypt the removable media with ME before proceeding.





CSC PROPRIETARY


(Make sure all the files are now copied to your local drive and are accessible before formatting the removable drive). Next, format the removable drive to prepare for new ME encryption. Limitations of Media Encryption on NTFS Drives

ME will allow encryption of NTFS formatted removable media with file sizes up to 4.0 GB maximum. Files larger than 4.0 GB must be moved to the local system prior to encryption of the removal media. Search for all files 4.0 GB and larger and move them to your local C: drive, etc. prior to running the Welcome to EPM Media Import Wizard. After you have verified that all files are smaller than 4.0 GB continue to Encrypting Removable Media for the First Time.

The total size of used space in the external media cannot exceed the total amount of free space on your computers system drive (usually the C: drive). The reason is that ME will attempt to temporarily back-up your data to the system drive, so the external media can be prepared for encryption. Once the drive is ready, the data will be automatically copied back from the system drive to the external media.





CSC PROPRIETARY


Encrypting Removable Media for the First Time When connecting unencrypted removable media for the first time you will be prompted with the Welcome to EPM Media Import Wizard screen:

Please do not click Do not display again until the media is changed on the Welcome to EPM Media Import Wizard screen. Choosing Cancel at this screen will make the welcome screen disappear and you can then navigate to the drive. This will trigger the welcome screen again however; clicking Cancel will allow you to use the drive without encrypting. If the device you chose not to encrypt is removed then replaced, the welcome screen will appear along with the drive content. You can simply click cancel and use the device without encrypting.





CSC PROPRIETARY


If you chose to encrypt the device click Next, and you will be presented with the Media Properties screen:

Secure format can be used as stated above as a precaution, but is not needed for all devices. If you decide to Secure format the drive, please keep in mind that the data already in the drive will be lost and will be unrecoverable. Copy the data to your local drive if you wish to save it before a Secure format. When you are ready, Click Next to begin the Media encryption process.





CSC PROPRIETARY


Media owner information will now be entered. Notice the only choice allowed the first time is Media owner will be assigned on first use. Click Next.





CSC PROPRIETARY


Password Protection provides you with two options; a full access password, and a read only password. Full access gives you the ability to change, delete and add files. Make this password something only you know. The read only password allows you to share information with co-workers without the fear of it being modified in anyway. This password should follow the password policy, but otherwise be a password you would not normally use yourself. The read only password is not required to encrypt the first time. If you chose to not set a read only password you have two options to set it later; access the media encryption menu or authenticate to the device on a computer that does not have ME installed.





CSC PROPRIETARY


After you have created a password click Next to complete the first time encryption. ******** Remember, the encryption process will slow down considerably if you did not remove the data from the device with the Secure format option in the prior step; therefore, at this stage, you will not be able to click Cancel and start over. Do not interrupt the encryption process at any time until it completes or the data will be corrupted and not recoverable. If encryption does not complete for any reason, you will have to reformat the drive and start over. ******** After a successful completion of the encryption process, click "Finish" on the "Completing EPM Media Import Wizard".





CSC PROPRIETARY


At this point the removable media (USB drive) is ready for you to copy the files back from the local hard drive and it will utilize the new ME (EPM) application. Proceed to copy files back to removable drive

You are now ready to use your encrypted device.





CSC PROPRIETARY


What to expect when using an encrypted media The next time you insert your encrypted media into a computer you will be prompted to enter a password.

Once the password is entered the encrypted device will open a window displaying the contents.

If you select Cancel instead of entering a password, access will be denied. This is important because you will also not be able to see the encrypted media in My Computer or Windows Explorer. This will also prevent you from formatting the media to erase encryption. If you want to format the drive you must disconnect and reconnect the media to once again get the prompt for a password. You must then enter the correct password to allow you to format. Note: The only other option to reformat the media is to connect it to a PC that does not have ME installed, and then perform a complete reformat. (Warning When formatting a drive all prior data is lost and not recoverable).





CSC PROPRIETARY


If you select Cancel instead of entering a password you will see this Access Denied screen.

Note: Only use Key recovery... when instructed by a Customer Support Services (Service Desk) agent. This is used to reset your password, if it was forgotten. Important Notice: A prior version of ME was released to a small number of systems which does not show a Key recovery option. This is rare, however, if you do not see the Key recovery button, you must Export (decrypt the data) your media, then re-encrypt your media with the newer version in order to enable password reset functionality. If you see the "Key Recovery..." bar then no further action is required.





CSC PROPRIETARY


Accessing the Media Encryption Menu In the windows taskbar you will see a yellow padlock icon. By hovering your cursor you will see a message stating the status of full disk and media encryption. (If full disk protection is not installed, you will not see a status message). Endpoint Security Status: Media Encryption enabled

Right click the yellow padlock and select Settings

On the left of the window you have two options if Full disk encryption version

7.x is not installed, you will have only one option.

Select the media encryption button on the left side of the window.

You are now able to modify the encrypted media. In the box labelled Open

EPM Client Click Open.





CSC PROPRIETARY


After you open EPM Client the following screen is available.

On this screen you can navigate to the encrypted drive. The most important options are the ones listed in tools. Tools Options

Export media from EPM Control - YES, this means decrypt.





CSC PROPRIETARY


The welcome wizard will now be displayed, click Next

Decryption will be completed and this screen will be displayed, click finish

You will now see that the N:\ drive is no longer encrypted.





CSC PROPRIETARY


Set EPM media full access password - Authenticate to the drive and you will

be prompted to enter and confirm a new password.





CSC PROPRIETARY


Set EPM media read only password - Authenticate to the drive and you will

be prompted to enter and confirm a new password. This is the same window

used to reset the full access in every way, but it does set the read only

password.





CSC PROPRIETARY


Stand Alone Access via Unlock.exe When accessing encrypted media on a computer without ME installed, the Windows Explorer will show you a file called Unlock.exe instead of the contents of the removable media. A typical explorer screen follows as an example.

Double click "Unlock.exe" and enter your password.

Once the password is entered the encrypted device will open a window displaying the contents.





CSC PROPRIETARY


NOTE: In the image above you can see "Change Full Access Password" and "Change Read Only Password" boxes. This can be done here or by accessing the tools portion of the Media Encryption Menu. CAUTION: If you copy files from the encrypted media and leave them on the local hard drive as you disconnect the removable media, you will be prompted to remove them from the local drive for security purposes. This is especially important if the removable media was connected to a non encrypted PC (such as a personal home PC).





CSC PROPRIETARY


How to Encrypt a CD To encrypt a CD ME must use the native Windows CD burning tool. This process will be similar to encrypting a media device. After inserting a blank CD this screen will appear. Click, "Next".





CSC PROPRIETARY


Media properties will be displayed, Click "Next".





CSC PROPRIETARY


Assign this media to a user radio button will be the only choice, Click "Next".





CSC PROPRIETARY


Assign a password to this media only.

Select files and folders to add to the CD ROM by clicking the second (Files) and third (Folders) button on the Select files window. Click "Next" when finished.





CSC PROPRIETARY


You will be prompted to authenticate to the CD ROM before it finishes the burning process.

CD ROM encryption is now complete. When the CD is accessed it will prompt you for the password you created and then function as normal.





CSC PROPRIETARY


Stand Alone Access via Unlock.exe on a CD When accessing an encrypted CD on a computer without ME installed, the Windows Explorer will show you a file called Unlock.exe instead of the contents of the CD. A typical explorer screen follows as an example.

Double click "Unlock.exe" and enter your password.





CSC PROPRIETARY


How to burn CD/DVD without encrypting. Insert the CD or DVD. The "Welcome to EPM Media Import Wizard" will open

Click on "Cancel". The EPM media import window will close. Proceed to add files to the CD as you normally would, by browsing to the CD/DVD and performing a drag and drop to the CD icon. Warning! All files should be dragged at the same time, as burning will take place immediately.





CSC PROPRIETARY


The following menu will show up when you attempt to burn:

Select the option "Like a USB flash drive" and click "Next"





CSC PROPRIETARY


3 File Encryption User Instructions

Checkpoint File Encryption (FE) is an application that is already available on your PC. It is a security product which protects information stored on your workstation.

FE protects your information by encrypting it. Once encrypted, the information can only be accessed by people who know the correct password.

File Encryption also enables you to create encrypted information packages for easy and secure storage and transfer, for example via e-mail.

File Encryption is tightly integrated with Windows, so using File Encryption is simple. You access File Encryption by right-clicking on a file folder or volume and selecting the Encryption option.

Table 1-1 Maximum Encrypted Package Size

File System Maximum Encrypted

Package Size

FAT 2GB

FAT32 2GB

NTFS 2GB

The maximum file size to include in encrypted packages is 2GB, independent of the file system used. If the files you wish to encrypt comprise more than the maximum file size for the file system you are using, compress the files to less than the maximum file size.





CSC PROPRIETARY


To create an encrypted package:

In Windows Explorer, right-click on the files or folders to be included in the encrypted package and select Encryption. File Encryption options are displayed:

Choose "Encrypt with Check Point File Encryption" > "Create Encrypted Package..."

Leave the default Creator name as your user ID (only the password is needed to decrypt the file). Enter a password and confirm it. Note - This password is used only to protect this encrypted package, and does not need to be the same as your Windows password.





CSC PROPRIETARY


Password guidelines:

always set a password that is at least 8 characters long

include both numbers, letters and punctuation characters

use both upper and lower case letters

do not use more than two consecutive identical characters.

Enter a file name for your Encrypted Package. Click Save.

Click OK.





CSC PROPRIETARY


Important: If you send the package via e-mail, the recipient has to know the password to open the package. You can agree on a password before the e-mail is sent, for example, by telephone conversation. Never send the package and the password in the same e-mail.

To open an encrypted package:

Double click on the encrypted package and enter the one-time password.

Click OK and browse to the path to save the file(s).

Click OK to save the file(s).





CSC PROPRIETARY


To securely delete any files in your system:

In Windows Explorer, right-click on the files (or folder) to be deleted and select "Encrypt with Check Point File Encryption" >

. The File Encryption options are displayed:

Choose: Secure delete.

Click Yes to delete the encrypted file or package. Warning! This cannot be reversed, as this data does not go to the Recycle bin. The status bar will show 100% complete and the file will be removed.

Technical Support If assistance with FE or ME is required please call your local help desk and follow the approved process.

End of Document

CSC User Guide

Documents

Transcript of CSC User Guide