Kaspersky Endpoint Security 11 for Windows

Encryption of removable drives

April 25, 2024

ID 128082

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.

Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, the encryption task for this removable drive ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.

To protect data on removable drives, you can use the following types of encryption:

  • Full Disk Encryption (FDE).

    Encryption of the entire removable drive, including the file system.

    It is not possible to access encrypted data outside the corporate network. It is also impossible to access encrypted data inside the corporate network if the computer is not connected to Kaspersky Security Center (e.g. on a guest computer).

  • File Level Encryption (FLE).

    Encryption of only the files on a removable drive. The file system remains unchanged.

    Encryption of files on removable drives provides the capability to access data outside the corporate network using a special mode called portable mode.

During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the master key in the following repositories:

  • Kaspersky Security Center.
  • User's computer.

    The master key is encrypted with the user's secret key.

  • Removable drive.

    The master key is encrypted with the public key of Kaspersky Security Center.

After encryption is complete, the data on the removable drive can be accessed within the corporate network as if it were on an ordinary unencrypted removable drive.

Accessing encrypted data

When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following actions:

  1. Checks for a master key in the local storage on the user's computer.

    If the master key is found, the user gains access to the data on the removable drive.

    If the master key is not found, Kaspersky Endpoint Security performs the following actions:

    1. Sends a request to Kaspersky Security Center.

      After receiving the request, Kaspersky Security Center sends a response that contains the master key.

    2. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for subsequent operations with the encrypted removable drive.
  2. Decrypts the data.
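
The lookup order above can be traced with a small model. This is an added example, not Kaspersky code: the class names, the `requests` list and the drive ID are hypothetical, and the denial of a drive unknown to Security Center is an assumption of the model.

```python
from dataclasses import dataclass, field


class SecurityCenter:
    """Stand-in for Kaspersky Security Center, which holds a copy of each master key."""

    def __init__(self, master_keys, reachable=True):
        self.master_keys = dict(master_keys)
        self.reachable = reachable
        self.requests = []  # drive IDs requested by endpoints (model-only audit trail)

    def request_master_key(self, drive_id):
        if not self.reachable:
            raise ConnectionError("no connection to Security Center")
        self.requests.append(drive_id)
        return self.master_keys[drive_id]


@dataclass
class Endpoint:
    """Computer with a local master-key store (hypothetical structure)."""
    ksc: SecurityCenter
    local_keys: dict = field(default_factory=dict)

    def connect_drive(self, drive_id):
        """Return (outcome, key_source) for a connected encrypted drive."""
        # Step 1: look for the master key in local storage.
        if drive_id in self.local_keys:
            return ("access", "local")
        # Step 1.1: not found locally, so ask Security Center.
        try:
            key = self.ksc.request_master_key(drive_id)
        except (ConnectionError, KeyError):
            # Guest computer, or a drive Security Center has no key for
            # (the second case is an assumption of this model).
            return ("denied", None)
        # Step 1.2: save the key locally for later operations with this drive.
        self.local_keys[drive_id] = key
        # Step 2: the data can now be decrypted.
        return ("access", "security_center")


def demo():
    """Constructed scenario: one managed computer, one guest computer."""
    ksc = SecurityCenter({"usb-01": b"constructed-master-key"})
    managed = Endpoint(ksc)
    guest = Endpoint(SecurityCenter({}, reachable=False))
    return [managed.connect_drive("usb-01"),   # fetched from Security Center
            managed.connect_drive("usb-01"),   # served from local storage
            guest.connect_drive("usb-01")]     # no key, no server: denied


if __name__ == "__main__":
    print(demo())
```

In this model the second connection on the managed computer makes no request to Security Center, because step 1 already finds the saved key.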

Special features of removable drive encryption

Encryption of removable drives has the following special features:

  • The policy with preset settings for removable drive encryption is formed for a specific group of managed computers. Therefore, the result of applying the Kaspersky Security Center policy configured for encryption / decryption of removable drives depends on the computer to which the removable drive is connected.
  • Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.
  • The following device types are supported as removable drives:
    • Data media connected via the USB bus
    • Hard drives connected via USB and FireWire buses
    • SSD drives connected via USB and FireWire buses

In this section

Starting encryption of removable drives

Adding an encryption rule for removable drives

Exporting and importing a list of encryption rules for removable drives

Portable mode for accessing encrypted files on removable drives

Decryption of removable drives
