Configuring File Encryption Rules

The following procedure explains the configurable options for policy rules affecting File Encryption devices.

  1. Create a new Endpoint Encryption policy.

    See Creating a Policy.

  2. Click File Encryption.

    The File Encryption policy rules settings appear.

    Figure 1. File Encryption Policy Rules
  3. Under Folder to Encrypt, specify folders that are automatically created and encrypted on the endpoint when the File Encryption agent synchronized policies.
  4. Under Encryption Key, select the encryption for the File Encryption encrypted folder.
    • User key: Use a unique key for each Endpoint Encryption user. Only the Endpoint Encryption user can decrypt files that he or she encrypted.

    • Policy key: Use a unique key for each policy. Only Endpoint Encryption users and devices in the policy can decrypt files.

    • Enterprise key: Any Endpoint Encryption user or device in the Enterprise can decrypt the files.


    Selecting Policy key or Enterprise key controls the sharing for the File Encryption shared key. For more information, see File Encryption Actions.

  5. Under Storage Devices, configure the following options:
    • Select Disable optical drives to control whether removable media is accessible from the endpoint.

    • Select Disable USB drives to control when the USB ports are disabled. Options are:
      • Always

      • Logged out

      • Never

    • Select Encrypt all files and folders on USB devices to automatically encrypt all the files and folders on removable drives when plugged into the endpoint.

    • Select Specify the file path to encrypt on USB devices to add or remove encrypted folders to USB drives. If a folder does not exist, it is created. If no drive letter is specified, all USB devices are affected.

  6. Under Notifications, select Show a legal notice to show the specific legal message at start up or only after installing the File Encryption agent.