Encryption of removable drives

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.

Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, the encryption task for this removable drive ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.

To protect data on removable drives, you can use the following types of encryption:

Full Disk Encryption (FDE).
Encryption of the entire removable drive, including the file system.

It is not possible to access encrypted data outside the corporate network. It is also impossible to access encrypted data inside the corporate network if the computer is not connected to Kaspersky Security Center (e.g. on a guest computer).
File Level Encryption (FLE).
Encryption of only files on a removable drive. The file system remains unchanged.

Encryption of files on removable drives provides the capability to access data outside the corporate network using a special mode called portable mode.

During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the master key in the following repositories:

Kaspersky Security Center.
User's computer.
The master key is encrypted with the user's secret key.
Removable drive.
The master key is encrypted with the public key of Kaspersky Security Center.

After encryption is complete, the data on the removable drive can be accessed within the corporate network as if was on an ordinary unencrypted removable drive.

Accessing encrypted data

When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following actions:

Checks for a master key in the local storage on the user's computer.
If the master key is found, the user gains access to the data on the removable drive.

If the master key is not found, Kaspersky Endpoint Security performs the following actions:
1. Sends a request to Kaspersky Security Center.
  After receiving the request, Kaspersky Security Center sends a response that contains the master key.
2. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for subsequent operations with the encrypted removable drive.
Decrypts the data.

Special features of removable drive encryption

Encryption of removable drives has the following special features:

The policy with preset settings for removable drive encryption is formed for a specific group of managed computers. Therefore, the result of applying the Kaspersky Security Center policy configured for encryption / decryption of removable drives depends on the computer to which the removable drive is connected.
Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.

The following device types are supported as removable drives:

Data media connected via the USB bus
hard drives connected via USB and FireWire buses
SSD drives connected via USB and FireWire buses

Encryption of removable drives component settings

Parameter	Description
Encryption mode	Encrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts removable drives sector by sector, including their file systems. Encrypt all files. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts all files that are stored on removable drives. Kaspersky Endpoint Security does not re-encrypt files that are already encrypted. The contents of the file system of a removable drive, including the folder structure and names of encrypted files, are not encrypted and remain accessible. Encrypt new files only. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts only those files that were added or modified on removable drives after the Kaspersky Security Center policy was last applied. This encryption mode is convenient when a removable drive is used for both personal and work purposes. This encryption mode lets you leave all old files unchanged and encrypt only those files that the user creates on a work computer that has Kaspersky Endpoint Security installed and encryption functionality enabled. As a result, access to personal files is always available, regardless of whether or not Kaspersky Endpoint Security is installed on the computer with encryption functionality enabled. Decrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security decrypts all encrypted files stored on removable drives as well as the file systems of the removable drives if they were previously encrypted. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
Portable mode	This check box enables / disables the preparation of a removable drive that makes it possible to access files stored on this removable drive on computers outside of the corporate network. If this check box is selected, Kaspersky Endpoint Security prompts the user to specify a password before encrypting files on a removable drive upon the application of the policy. The password is needed to access files encrypted on a removable drive on computers outside of the corporate network. You can configure the password strength. Portable mode is available for the Encrypt all files or Encrypt new files only modes.
Encrypt used disk space only	This check box enables / disables the encryption mode in which only occupied disk sectors are encrypted. This mode is recommended for new drives whose data has not been modified or deleted. If the check box is selected, only portions of the drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire drive is encrypted, including residual fragments of previously deleted and modified files. The ability to encrypt only occupied space is available only for the Encrypt entire removable drive mode. After encryption started, enabling / disabling the Encrypt used disk space only function will not change this setting. You must select or clear the check box before starting encryption.
Custom rules	This table contains devices for which custom encryption rules are defined. You can create encryption rules for individual removable drives in the following ways: Add a removable drive from the list of trusted devices for Device Control. Manually add a removable drive: By device ID (Hardware ID, or HWID) By device model: vendor ID (VID) and product ID (PID)
Allow encryption of removable drives in offline mode	If this check box is selected, Kaspersky Endpoint Security encrypts removable drives even when there is no connection to Kaspersky Security Center. In this case, the data required for decrypting removable drives is stored on the hard drive of the computer to which the removable drive is connected, and is not transmitted to Kaspersky Security Center. If the check box is cleared, Kaspersky Endpoint Security does not encrypt removable drives without a connection to Kaspersky Security Center.
Encryption password settings / Portable File Manager	Password strength settings for the Portable File Manager.

See also: About managing the application via the Kaspersky Security Center Administration Console

Starting encryption of removable drives

Adding an encryption rule for removable drives

Portable mode for accessing encrypted files on removable drives

Decryption of removable drives

Page top