Starting encryption of removable drives

You can use a policy to decrypt a removable drive. A policy with defined settings for removable drive encryption is generated for a specific administration group. Therefore, the result of data decryption on removable drives depends on the computer to which the removable drive is connected.

Kaspersky Endpoint Security supports encryption in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, removable drive encryption ends with an error and Kaspersky Endpoint Security assigns read-only access for the removable drive.

To encrypt removable drives:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
  3. In the workspace, select the Policies tab.
  4. Select the necessary policy and double-click to open the policy properties.
  5. In the policy window, select Data EncryptionEncryption of removable drives.
  6. In the Encryption mode drop-down list, select the default action that you want Kaspersky Endpoint Security to perform on removable drives:
    • Encrypt entire removable drive (FDE). Kaspersky Endpoint Security encrypts the contents of a removable drive sector by sector. As a result, the application encrypts not only the files stored on the removable drive but also its file systems, including the file names and folder structures on the removable drive.
    • Encrypt all files (FLE). Kaspersky Endpoint Security encrypts all files that are stored on removable drives. The application does not encrypt the file systems of removable drives, including the names of files and folder structures.
    • Encrypt new files only (FLE). Kaspersky Endpoint Security encrypts only those files that have been added to removable drives or that were stored on removable drives and have been modified after the Kaspersky Security Center policy was last applied.

    Kaspersky Endpoint Security does not encrypt a removable drive that is already encrypted.

  7. If you want to use portable mode for encryption of removable drives, select the Portable mode check box.

    Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do not have Kaspersky Endpoint Security installed.

  8. If you want to encrypt a new removable drive, it is recommended to select the Encrypt used disk space only check box. If the check box is cleared, Kaspersky Endpoint Security will encrypt all files, including the residual fragments of deleted or modified files.
  9. If you want to configure encryption for individual removable drives, define encryption rules.
  10. If you want to use full disk encryption of removable drives in offline mode, select the Allow removable drive encryption in offline mode check box.

    Offline encryption mode refers to encryption of removable drives (FDE) when there is no connection to Kaspersky Security Center. During encryption, Kaspersky Endpoint Security saves the master key only on the user's computer. Kaspersky Endpoint Security will send the master key to Kaspersky Security Center during the next synchronization.

    If the computer on which the master key is saved is corrupted and data is not sent to Kaspersky Security Center, it is not possible to obtain access to the removable drive.

    If the Allow removable drive encryption in offline mode check box is cleared and there is no connection to Kaspersky Security Center, removable drive encryption is not possible.

  11. Save your changes.

After the policy is applied, when the user connects a removable drive or if a removable drive is already connected, Kaspersky Endpoint Security prompts the user for confirmation to perform the encryption operation (see the figure below).

The application lets you perform the following actions:

If the user initiates safe removal of a removable drive during data encryption, Kaspersky Endpoint Security interrupts the data encryption process and allows removal of the removable drive before the encryption process has finished. Data encryption will be continued the next time the removable drive is connected to this computer.

If encryption of a removable drive failed, view the Data encryption report in the Kaspersky Endpoint Security interface. Access to files may be blocked by another application. In this case, try unplugging the removable drive from the computer and connecting it again.

KES11_USB_Encription_Notification

Removable drive encryption request

Page top