Portable mode for accessing encrypted files on removable drives

Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do not have Kaspersky Endpoint Security installed.

Portable mode is convenient to use in the following cases:

• There is no connection between the computer and the Kaspersky Security Center Administration Server.
• The infrastructure has changed with the change of the Kaspersky Security Center Administration Server.
• Kaspersky Endpoint Security is not installed on the computer.

Portable File Manager

To work in portable mode, Kaspersky Endpoint Security installs a special encryption module named Portable File Manager on a removable drive. The Portable File Manager provides an interface for working with encrypted data if Kaspersky Endpoint Security is not installed on the computer (see the figure below). If Kaspersky Endpoint Security is installed on your computer, you can work with encrypted removable drives using your usual file manager (for example, Explorer).

The Portable File Manager stores a key to encrypt files on a removable drive. The key is encrypted with the user password. The user sets a password before encrypting files on a removable drive.

The Portable File Manager starts automatically when a removable drive is connected to a computer on which Kaspersky Endpoint Security is not installed. If automatic startup of applications is disabled on the computer, manually start the Portable File Manager. To do so, run the file named pmv.exe that is stored on the removable drive.

Portable File Manager

Support for portable mode for working with encrypted files

How to enable portable mode support for working with encrypted files on removable drives in the Administration Console (MMC)

How to enable portable mode support for working with encrypted files on removable drives in the Web Console

Accessing encrypted files on a removable drive

After encrypting files on a removable drive with portable mode support, the following file access methods are available:

• If Kaspersky Endpoint Security is not installed on the computer, the Portable File Manager will prompt you to enter a password. You will need to enter the password each time you restart the computer or reconnect the removable drive.
• If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the computer, the application will prompt you to enter the password or send the administrator a request to access the files. After gaining access to files on a removable drive, Kaspersky Endpoint Security will save the secret key in the computer's key storage. This will allow access to files in the future without entering a password or asking the administrator.
• If the computer is located inside the corporate network and Kaspersky Endpoint Security is installed on the computer, you will get access to the device without entering a password. Kaspersky Endpoint Security will receive the secret key from the Kaspersky Security Center Administration Server to which the computer is connected.

Recovering the password for working in portable mode

If you have forgotten the password for working in portable mode, you need to connect the removable drive to a computer with Kaspersky Endpoint Security installed inside the corporate network. You will get access to the files because the secret key is stored in the computer's key storage or on the Administration Server. Decrypt and re-encrypt files with a new password.

Features of portable mode when connecting a removable drive to a computer from another network

If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the computer, you can access the files in the following ways:

• Password-based access

  After entering the password, you will be able to view, modify, and save files on the removable drive (transparent access). Kaspersky Endpoint Security can set a read-only access right for a removable drive if the following parameters are configured in the policy settings for encryption of removable drives:

  • Portable mode support is disabled.
  • The Encrypt all files or Encrypt new files only mode is selected.

  In all other cases, you will get full access to the removable drive (read/write permission). You will be able to add and delete files.

  You can change the removable drive access permissions even while the removable drive is connected to the computer. If the removable drive access permissions are changed, Kaspersky Endpoint Security will block access to the files and prompt you for the password again.

  After entering the password, you cannot apply encryption policy settings for the removable drive. In this case, it is impossible to decrypt or re-encrypt files on the removable drive.

• Ask the administrator for access to files

  If you have forgotten the password for working in portable mode, ask the administrator for access to files. To access the files, the user needs to send the administrator a request access file (a file with the KESDC extension). The user can send the request access file by email, for example. The administrator will send an encrypted data access file (a file with the KESDR extension).

  After you complete the Request-Response password recovery procedure, you will receive transparent access to files on the removable drive, and full access to the removable drive (read/write permission).

  You can apply a removable drive encryption policy, and decrypt files, for example. After recovering the password or when the policy is updated, Kaspersky Endpoint Security will prompt you to confirm the changes.

  How to obtain an encrypted data access file in the Administration Console (MMC)

  1. Open the Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
  3. In the workspace, select the Devices tab.
  4. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
  5. In the context menu, select Grant access in offline mode.
  6. In the window that opens, select the Data Encryption tab.
  7. On the Data Encryption tab, click the Browse button.
  8. In the window for selecting a request access file, specify the path to the file received from the user.

  You will see information about the user's request. Kaspersky Security Center generates a key file. Email the generated encrypted data access key file to the user. Or save the access file and use any available method to transfer the file.

  How to obtain an encrypted data access file in the Web Console

  1. In the main window of Web Console, select Devices → Managed devices.
  2. Select the check box next to the name of the computer whose data you want to restore access to.
  3. Click the Share this device offline button.
  4. Select the Data Encryption section.
  5. Click the Select file button and select the request access file that you received from the user (a file with the KESDC extension).

     The Web Console will display information about the request. This will include the name of the computer on which the user is requesting access to the file.

  6. Click the Save key button and select a folder to save the encrypted data access key file (a file with the KESDR extension).

  As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the user.

Page top