Enable Whole Disk Recovery Tokens - this will send a one-time token to the management server and can be used to regain access to the encrypted disk.Under Symantec Drive Encryption there are some options which should be enabled and must be defined according company policy/local regulations. The options can be configured in the consumer policy:Ĭonsumers > Consumer Policy > select the policy > in the section Symantec Encryption Desktop click the Desktop (button) > Drive Encryption (tab). Note that, if none of the options above was enabled *before* losing access to the disk, it will not be possible to access to the content because the records cannot be modified after losing access to the disk. There are some ways to to ensure access to encrypted disks. Which are the recovery options configurable for Disk Encryption in Symantec Encryption Management Server? Organization ADK - this will be applied to every user in the environmentįor standalone instalation you can use the Master Key in a similar way of an ADK, however, this would imply a trust with the users (that they won't remove that key) and the value of this would be only for recovery of encrypted data when the user key is lost.Policy ADK - this can be defined per consumer policy.For different purposes two types of ADK can be defined in a managed environment: An ADK can be used to decrypt encrypted data and messages if an end user is unable or unwilling to do so. Key reconstruction is not suitable for enterprise data recovery, since only the user knows the answers to the reconstruction questions.Īdditional Decryption Key (ADK) - The ADK is only available in Symantec Encryption Management Server environments. Key reconstruction is useful if the user loses their key material, or forgets their key passphrase.
#Symantec encryption desktop 10.3.2 release notes how to
How to recover a lost key or decrypt data with an alternative key? Key Reconstruction - Enabling key reconstruction ensures that users can reconstruct their PGP keys. Soft-Ignition Passphrase: You need to know the passphrase you have specified.Hardware Token: You need to have the PKCS#11 token and its respective PIN.If used, the server will be kept locked until unlocked using the proper method. This is only needed when there is a risk of an unauthorized person gaining physical control of the server hardware. Ignition Keys (you don't really backup those, but you need the credentials, so have them safe) - most environments don't really require this one.Symantec Encryption Desktop keyrings (including private ones), especially if using standalone installations and/or Client Key Mode (CKM) and Server-Client Key Mode (SCKM).Organization Key (full keypair) and its correspondent passphrase - this is probably the most critical key in the encryption environment (Used to sign all user keys the Symantec Encryption Management Server creates and, to encrypt server backups!).
not encrypted.Īmong others, you should keep up-to-date and good backups of: This point is simply the basilar of IT best practices - Backups are your friends, but only if tested!!!Īdditional note: much of the time data backups can be kept stored in safe locations in clear, i.e. There are usually three important aspects for the recovery of encrypted data: All information is available in the product documentation, including the Administrator's guide. Disclaimer: this may not be an exaustive description of the solution and is intended to be used as a guideline.
0 kommentar(er)
