Encrypting files on local computer drives

Kaspersky Endpoint Security does not encrypt files that are located in OneDrive cloud storage or in other folders that have OneDrive as their name. Kaspersky Endpoint Security also blocks the copying of encrypted files to OneDrive folders if those files are not added to the decryption rule.

To encrypt files on local drives:

1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Policies tab.
4. Select the necessary policy and double-click to open the policy properties.
5. In the policy window, select Data Encryption → File Level Encryption.
6. In the Encryption mode drop-down list, select According to rules.
7. On the Encryption tab, click the Add button, and in the drop-down list select one of the following items:
   1. Select the Predefined folders item to add files from folders of local user profiles suggested by Kaspersky experts to an encryption rule.
      • Documents. Files in the standard Documents folder of the operating system, and its subfolders.
      • Favorites. Files in the standard Favorites folder of the operating system, and its subfolders.
      • Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
      • Temporary files. Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents.

        It is not recommended to encrypt temporary files, as this can cause data loss. For example, Microsoft Word creates temporary files when processing a document. If temporary files are encrypted, but the original file is not, the user may receive an Access Denied error when trying to save the document. Additionally, Microsoft Word might save the file, but it will not be possible to open the document the next time, i.e. the data will be lost.

      • Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB).
   2. Select the Custom folder item to add a manually entered folder path to an encryption rule.

      When adding a folder path, adhere to the following rules:

      • Use an environment variable (for example, %FOLDER%\UserFolder\). You can use an environment variable only once and only at the beginning of the path.
      • Do not use relative paths.
      • Do not use the * and ? characters.
      • Do not use UNC paths.
      • Use ; or , as a separator character.
   3. Select the Files by extension item to add individual file extensions to an encryption rule. Kaspersky Endpoint Security encrypts files with the specified extensions on all local drives of the computer.
   4. Select the Files by groups of extensions item to add groups of file extensions to an encryption rule (for example, Microsoft Office documents). Kaspersky Endpoint Security encrypts files that have the extensions listed in the groups of extensions on all local drives of the computer.
8. Save your changes.

As soon as the policy is applied, Kaspersky Endpoint Security encrypts the files that are included in the encryption rule and not included in the decryption rule.

File encryption has the following special features:

• If the same file is added to both an encryption rule and a decryption rule, then Kaspersky Endpoint Security performs the following actions:
  • If the file is not encrypted, Kaspersky Endpoint Security does not encrypt this file.
  • If the file is encrypted, Kaspersky Endpoint Security decrypts this file.
• Kaspersky Endpoint Security continues to encrypt new files if these files meet the criteria of the encryption rule. For example, when you change the properties of an unencrypted file (path or extension), the file then meets the criteria of the encryption rule. Kaspersky Endpoint Security encrypts this file.
• When the user creates a new file whose properties meet the encryption rule criteria, Kaspersky Endpoint Security encrypts the file as soon as it is opened.
• Kaspersky Endpoint Security postpones the encryption of open files until they are closed.
• If you move an encrypted file to another folder on the local drive, the file remains encrypted regardless of whether or not this folder is included in the encryption rule.
• If you decrypt a file and copy it to another local folder that is not included in the decryption rule, a copy of the file may be encrypted. To prevent the copied file from being encrypted, create a decryption rule for the target folder.