Starting encryption of removable drives

To encrypt removable drives:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
  3. In the workspace, select the Policies tab.
  4. Select the necessary policy and double-click to open the policy properties.
  5. In the Data Encryption section, select the Encryption of removable drives subsection.
  6. In the Encryption mode drop-down list, select the default action that you want Kaspersky Endpoint Security to perform on removable drives:
    • Encrypt entire removable drive (FDE). Kaspersky Endpoint Security encrypts the contents of a removable drive sector by sector. As a result, the application encrypts not only the files stored on the removable drive but also its file systems, including the file names and folder structures on the removable drive.
    • Encrypt all files (FLE). Kaspersky Endpoint Security encrypts all files that are stored on removable drives. The application does not encrypt the file systems of removable drives, including the names of files and folder structures.
    • Encrypt new files only. Kaspersky Endpoint Security encrypts only those files that have been added to removable drives or that were stored on removable drives and have been modified after the Kaspersky Security Center policy was last applied.
    • Decrypt entire removable drive. Kaspersky Endpoint Security decrypts all encrypted files that are stored on removable drives, as well as the file systems of the removable drives if they were previously encrypted.
    • Leave unchanged. Kaspersky Endpoint Security does not encrypt or decrypt files on removable drives.

    Kaspersky Endpoint Security does not encrypt a removable drive that is already encrypted.

    Kaspersky Endpoint Security supports encryption in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, removable drive encryption ends with an error and Kaspersky Endpoint Security assigns read-only access for the removable drive.

  7. If you want to use portable mode for encryption of removable drives, select the Portable mode check box.

    Portable mode is a method of encryption of removable drives that lets you obtain access to data on computers that do not have Kaspersky Endpoint Security installed or that have no access to data encryption functionality.

    Portable mode is available only for encryption at the file system level (FLE).

  8. If you want to encrypt a new removable drive, it is recommended to select the Encrypt used disk space only check box. If the check box is cleared, Kaspersky Endpoint Security will encrypt all files, including the residual fragments of deleted or modified files.
  9. If you want to configure encryption for individual removable drives, define encryption rules.
  10. If you want to use full disk encryption of removable drives in offline mode, select the Allow removable drive encryption in offline mode check box.

    Offline encryption mode is encryption of removable drives when there is no connection to Kaspersky Security Center. During encryption, Kaspersky Endpoint Security saves the master key only on the user's computer. Kaspersky Endpoint Security will send the master key to Kaspersky Security Center during the next synchronization.

    Offline encryption mode is available only for full disk encryption (FDE).

    If the computer on which the master key is saved is corrupted and data is not sent to Kaspersky Security Center, it is not possible to obtain access to the removable drive.

    If the Allow removable drive encryption in offline mode check box is cleared and there is no connection to Kaspersky Security Center, removable drive encryption is not possible.

  11. Click OK to save the changes.

After the policy is applied, when the user connects a removable drive or if a removable drive is already connected, Kaspersky Endpoint Security prompts the user for confirmation to perform the encryption operation (see the figure below).

The application lets you perform the following actions:

If the user initiates safe removal of a removable drive during data encryption, Kaspersky Endpoint Security interrupts the data encryption process and allows removal of the removable drive before the encryption process has finished. Data encryption will be continued the next time the removable drive is connected to this computer.

Removable drive encryption request
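
The file system restriction described in step 6 (only FAT32 and NTFS are supported) can be checked on an endpoint before the policy is applied. The following PowerShell is an added example, not part of the Kaspersky documentation or tooling; the function name `Get-RemovableDriveReadiness`, the status labels, and the sample drives are assumptions made for illustration.

```powershell
# Added example (not Kaspersky code): list removable drives and flag file systems
# outside the FAT32/NTFS list given on this page.
$SupportedFileSystems = @('FAT32', 'NTFS')   # taken from the page

function Get-RemovableDriveReadiness {
    [CmdletBinding()]
    param(
        # Objects with DeviceID, VolumeName, FileSystem, Size.
        # Default: removable logical disks on the local machine (DriveType 2).
        [object[]]$Disks = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')
    )

    foreach ($disk in $Disks) {
        # Normalize case so "exFAT" and "EXFAT" compare the same way.
        $fs = if ($disk.FileSystem) { $disk.FileSystem.ToUpperInvariant() } else { $null }

        # Hypothetical status labels used only by this example.
        $status = if (-not $fs) {
            'NoMediaOrUnformatted'
        } elseif ($SupportedFileSystems -contains $fs) {
            'Supported'
        } else {
            # Per the page: encryption ends with an error and the drive becomes read-only.
            'Unsupported'
        }

        [pscustomobject]@{
            Drive      = $disk.DeviceID
            Label      = $disk.VolumeName
            FileSystem = $fs
            SizeGB     = if ($disk.Size) { [math]::Round($disk.Size / 1GB, 1) } else { $null }
            Status     = $status
        }
    }
}

# Constructed sample input so the example runs without any drive attached.
$sample = @(
    [pscustomobject]@{ DeviceID = 'E:'; VolumeName = 'BACKUP'; FileSystem = 'NTFS';  Size = 64GB }
    [pscustomobject]@{ DeviceID = 'F:'; VolumeName = 'CAMERA'; FileSystem = 'exFAT'; Size = 128GB }
    [pscustomobject]@{ DeviceID = 'G:'; VolumeName = $null;    FileSystem = $null;   Size = $null }
)
Get-RemovableDriveReadiness -Disks $sample | Format-Table -AutoSize
```

Call the function without `-Disks` to query the local machine. USB hard disks that Windows reports as fixed disks (DriveType 3) are not returned by this filter.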
