Data encryption and protection
Data encryption reduces the risk of data leakage if a notebook, removable drive, or hard drive is stolen or lost, or if unauthorized users or applications gain access to it.
Kaspersky Endpoint Security for Windows provides the encryption functionality: it can encrypt files stored on local drives of devices and on removable drives, and it can encrypt removable drives and hard drives entirely.
Encryption rules are configured through Kaspersky Security Center by defining policies. Encryption and decryption according to the existing rules are performed when the policy is applied.
Availability of the encryption management feature is determined by the user interface settings.
The administrator can perform the following actions:
- Configure and perform file encryption or decryption on local drives of the device.
- Configure and perform file encryption on removable drives.
- Create rules governing application access to encrypted files.
- Create and deliver to the user a key file for access to encrypted files if file encryption is restricted on the user's device.
- Configure and perform hard drive encryption.
- Manage user access to encrypted hard drives and removable drives (manage authentication agent accounts, create and deliver to users information on request for account name and password restoration, as well as access keys for encrypted devices).
- View encryption statuses and reports about encryption of files.
These operations are performed using tools integrated into Kaspersky Endpoint Security for Windows. For detailed instructions on how to perform operations and a description of encryption features please refer to the Kaspersky Endpoint Security for Windows Online Help.
Kaspersky Security Center supports encryption management functionality for devices running macOS operating systems. Encryption is configured using Kaspersky Endpoint Security for Mac tools for those application versions that support encryption functionality. For detailed instructions on how to perform operations and a description of encryption features, refer to the Kaspersky Endpoint Security for Mac Administrator's Guide.
Viewing the list of encrypted devices
To view the list of devices storing encrypted information:
- In the console tree of Administration Server, select the Data encryption and protection folder.
- Open the list of encrypted devices in one of the following ways:
  - By clicking the Go to list of encrypted drives link in the Manage encrypted drives section.
  - By selecting the Encrypted drives folder in the console tree.
The workspace displays information about devices on the network storing encrypted files, and about devices encrypted at the drive level. After the information on a device is decrypted, the device is automatically removed from the list.
You can sort the information in the list of devices either in ascending or descending order in any column.
The user interface settings determine whether the Data encryption and protection folder appears in the console tree.
Viewing the list of encryption events
When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends Kaspersky Security Center information about events of the following types:
- Cannot encrypt or decrypt a file, or create an encrypted archive due to a lack of free disk space.
- Cannot encrypt or decrypt a file, or create an encrypted archive due to license issues.
- Cannot encrypt or decrypt a file, or create an encrypted archive due to missing access rights.
- The application has been prohibited to access an encrypted file.
- Unknown errors.
To view a list of events that have occurred during data encryption on devices:
- In the console tree of Administration Server, select the Data encryption and protection folder.
- Open the list of events that occurred during encryption in one of the following ways:
  - By clicking the Go to error list link in the Data encryption errors section.
  - By selecting the Encrypted drives folder in the console tree.
The workspace displays information about problems that have occurred during data encryption on devices.
You can take the following actions in the list of encryption events:
- Sort data records in ascending or descending order in any of the columns.
- Perform a quick search for records (by text match with a substring in any of the list fields).
- Export the list of events to a text file.
The user interface settings determine whether the Data encryption and protection folder appears in the console tree.
Exporting the list of encryption events to a text file
To export the list of encryption events to a text file:
- Create a list of encryption events.
- From the context menu of the events list, select Export list.
  The Export list window opens.
- In the Export list window, specify the name of the text file with the list of events, select a folder to save it in, and click the Save button.
The list of encryption events will be saved to the file that you have specified.
Creating and viewing encryption reports
You can generate the following reports:
- Report on encryption status of mass storage devices. This report contains information about the device encryption status for all groups of devices.
- Report on rights of access to encrypted devices. This report contains information about the status of user accounts that have been granted access to encrypted devices.
- Report on file encryption errors. This report contains information about errors that occurred when data encryption or decryption tasks were run on devices.
- Report on encryption status of managed devices. This report contains information about whether the encryption status of devices meets the encryption policy.
- Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files.
To generate the report on encryption of devices:
- In the console tree, select the Data encryption and protection folder.
- Do one of the following:
  - To generate the report on the encryption status of managed devices, click the View report on encryption status of mass storage devices link.
    If you have not configured this report yet, the New Report Template Wizard will start. Follow the steps of the Wizard.
  - To generate the report on encryption status of mass storage devices, in the console tree select the Encrypted drives subfolder, and then click the View report on encryption status of mass storage devices button.
The report generation starts. The report appears on the Reports tab of the Administration Server node.
To generate the report on rights of access to encrypted devices:
- In the console tree, select the Data encryption and protection folder.
- Do one of the following:
  - Click the Report on rights to access encrypted drives link in the Manage encrypted drives section to start the New Report Template Wizard.
  - Select the Encrypted drives subfolder, then click the Report on rights to access encrypted drives button to start the New Report Template Wizard.
- Follow the steps of the New Report Template Wizard.
The report generation starts. The report appears on the Reports tab of the Administration Server node.
To generate the report on file encryption errors:
- In the console tree, select the Data encryption and protection folder.
- Do one of the following:
  - Click the View report on file encryption errors link in the Data encryption errors section to start the New Report Template Wizard.
  - Select the Encryption events subfolder, then click the Report on file encryption errors link to start the New Report Template Wizard.
- Follow the steps of the New Report Template Wizard.
The report generation starts. The report appears on the Reports tab of the Administration Server node.
To generate the report on the status of encryption of managed devices:
- In the console tree, select the node with the name of the required Administration Server.
- In the workspace of the node, select the Reports tab.
- Click the New report template button to start the New Report Template Wizard.
- Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window, in the Other section select Report on encryption status of managed devices.
After you have finished with the New Report Template Wizard, a new report template appears in the Administration Server node, on the Reports tab.
- In the node of the relevant Administration Server on the Reports tab, select the report template that was created during the previous steps of the instructions.
The report generation starts. The report appears on the Reports tab of the Administration Server node.
You can also obtain information about whether the encryption statuses of devices and removable drives conform to the encryption policy by viewing information panes on the Statistics tab of the Administration Server node.
To generate the report on blockage of access to encrypted files:
- In the console tree, select the node with the name of the required Administration Server.
- In the workspace of the node, select the Reports tab.
- Click the New report template button to start the New Report Template Wizard.
- Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window, in the Other section, select Report on blockage of access to encrypted files.
After the New Report Template Wizard finishes, a new report template appears in the Administration Server node, on the Reports tab.
- In the node of the Administration Server on the Reports tab, select the report template that was created during the previous steps of the instructions.
The report generation starts. The report appears on the Reports tab of the Administration Server node.
Transmitting encryption keys between Administration Servers
If the data encryption feature is enabled on a managed device, the encryption key is stored on the Administration Server. The encryption key is used to access encrypted data and to manage the encryption policy.
The encryption key must be transmitted to another Administration Server in the following cases:
- You reconfigure Network Agent on a managed device to assign the device to another Administration Server. If this device contains encrypted data, the encryption key must be transmitted to the target Administration Server. Otherwise, the data cannot be decrypted.
- You encrypt a removable drive connected to a device D1 that is managed by the Administration Server S1, and then you connect this removable drive to a device D2 managed by the Administration Server S2. To access the data on the removable drive, the encryption key must be transmitted from the Administration Server S1 to the Administration Server S2.
- You encrypt a file on a device D1 managed by the Administration Server S1, and then you try to access the file on a device D2 managed by the Administration Server S2. To access the file, the encryption key must be transmitted from the Administration Server S1 to the Administration Server S2.
You can transmit encryption keys in the following ways:
- Automatically, by enabling the Use hierarchy of Administration Servers to obtain encryption keys option in the properties of two Administration Servers between which an encryption key must be transmitted. If this option is disabled for one of the Administration Servers, the automatic transmission of encryption keys is not possible.
When you enable the Use hierarchy of Administration Servers to obtain encryption keys option in the properties of an Administration Server, that Administration Server sends all of the encryption keys stored in its repository to the primary Administration Server (if any) one level up in the hierarchy.
When you try to access encrypted data, the Administration Server first searches for the encryption key in its own repository. If the Use hierarchy of Administration Servers to obtain encryption keys option is enabled and the required encryption key has not been found in the repository, the Administration Server additionally sends a request to the primary Administration Servers (if any) to provide the required encryption key. The request is sent to all of the primary Administration Servers up to the server on the highest level of the hierarchy.
- Manually from one Administration Server to another by exporting and importing the file containing the encryption keys.
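The following Python model illustrates the automatic key-lookup behavior described above: keys are pushed one level up at synchronization, and a lookup that misses the local repository walks up the chain of primary Administration Servers. It is an added example written for this page, not Kaspersky code, and it does not reflect any real Kaspersky Security Center API or key format. The class and function names, the constructed key material, and the specific assumption that a primary server with the option disabled cannot relay a request further up are all the author's assumptions.

```python
"""Model of encryption-key transmission across an Administration Server hierarchy.

Constructed illustration of the behavior described in the documentation;
not Kaspersky code. Every name below is an assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AdminServer:
    name: str
    # Models the "Use hierarchy of Administration Servers to obtain encryption keys" option.
    use_hierarchy: bool
    # key id -> key material (constructed sample values, not a real key store)
    keys: Dict[str, str] = field(default_factory=dict)
    # The primary server one level up; None for the server at the top of the hierarchy.
    primary: Optional["AdminServer"] = None

    def synchronize(self) -> None:
        """Heartbeat step: with the option enabled, push every stored key one level up."""
        if self.use_hierarchy and self.primary is not None:
            for key_id, key in self.keys.items():
                self.primary.keys.setdefault(key_id, key)

    def find_key(self, key_id: str) -> Optional[str]:
        """Search the local repository first, then ask primaries up to the top.

        Assumption: a primary whose option is disabled answers from its own
        repository only and does not relay the request any further up.
        """
        if key_id in self.keys:
            return self.keys[key_id]
        if not self.use_hierarchy:
            return None
        node = self.primary
        while node is not None:
            if key_id in node.keys:
                return node.keys[key_id]
            if not node.use_hierarchy:
                return None
            node = node.primary
        return None


def build_sample_hierarchy(option_on_s2: bool = True) -> Dict[str, AdminServer]:
    """Constructed two-level hierarchy: root is primary for siblings S1 and S2."""
    root = AdminServer("root", use_hierarchy=True)
    s1 = AdminServer("S1", use_hierarchy=True, primary=root)
    s2 = AdminServer("S2", use_hierarchy=option_on_s2, primary=root)
    # Device D1 (managed by S1) encrypted a removable drive; S1 holds the key.
    s1.keys["drive-D1"] = "constructed-key-material"
    return {"root": root, "S1": s1, "S2": s2}


def removable_drive_scenario(option_on_s2: bool = True, synced: bool = True) -> Optional[str]:
    """The drive encrypted on D1 (S1) is connected to D2 (S2): can S2 obtain the key?"""
    servers = build_sample_hierarchy(option_on_s2)
    if synced:
        servers["S1"].synchronize()  # keys flow up to root at the heartbeat
    return servers["S2"].find_key("drive-D1")


if __name__ == "__main__":
    print("option on both servers, after sync:", removable_drive_scenario())
    print("option disabled on S2:", removable_drive_scenario(option_on_s2=False))
    print("before the first sync:", removable_drive_scenario(synced=False))
```

The three calls at the bottom show the cases the text distinguishes: the key is obtained when the option is enabled on both servers and S1 has already synchronized, it is not obtained when the option is disabled on the requesting server, and it is not obtained before the heartbeat that pushes S1's keys up to the root.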
To enable automatic transmission of encryption keys between Administration Servers within the hierarchy:
- In the console tree, select the Administration Server for which you want to enable automatic transmission of encryption keys.
- In the context menu of the Administration Server, select Properties.
- In the properties window, select the Encryption algorithm section.
- Enable the Use hierarchy of Administration Servers to obtain encryption keys option.
- Click OK to apply the changes.
The encryption keys will be transmitted to primary Administration Servers (if any) at the next synchronization (the heartbeat). This Administration Server will also provide, upon request, an encryption key from its repository to a secondary Administration Server.
To transmit encryption keys between Administration Servers manually:
- In the console tree of Administration Server, select the secondary Administration Server from which you want to transmit encryption keys.
- In the context menu of the Administration Server, select Properties.
- In the properties window, select the Encryption algorithm section.
- Click Export encryption keys from Administration Server.
- In the Export encryption keys window:
  - Click the Browse button, and then specify where to save the file.
  - Specify a password to protect the file from unauthorized access.
Remember the password. A lost password cannot be retrieved. If the password is lost, you have to repeat the export procedure. Therefore, make a note of the password and keep it handy.
- Transmit the file to another Administration Server, for example, through a shared folder or removable drive.
- On the target Administration Server, make sure that Kaspersky Security Center Administration Console is running.
- In the console tree of Administration Server, select the target Administration Server where you want to transmit encryption keys.
- In the context menu of the Administration Server, select Properties.
- In the properties window, select the Encryption algorithm section.
- Click Import encryption keys to Administration Server.
- In the Import encryption keys window:
  - Click the Browse button, and then select the file containing encryption keys.
  - Specify the password.
  - Click OK.
The encryption keys are transmitted to the target Administration Server.