Description

Lockers provide automatic, persistent folder protection across any file system in your environment. When creating a locker on a device, an administrator needs to define details for how the locker will be configured. If the file system can be mounted by a client that can run Smartcrypt, a locker automatically protects the data on the volume. Set up lockers on this page. As soon as the locker information syncs to the Smartcrypt client device, anything placed in the locker will be protected.

Existing lockers

When you browse to the Lockers tab, the default view displays all lockers defined on the devices in your Smartcrypt ecosystem. The main view displays:

  • Name and email address of the locker's user (Owner)
  • The name of the device in the Smartcrypt universe
  • The platform/operating system of the device hosting the locker
  • Paths to the protected volume(s) on that device (see table in the next section)
  • Whether the locker is a valid location that can be encrypted. Click the number in the Compliant or Not Compliant column to see details about the locker. See Compliance for more information.

To display what Smartkey is being used, click Edit to view the details.

Locker Compliance

The Compliant and Not Compliant columns in the Lockers list indicate whether the agent has received the latest policy changes from the Smartcrypt Enterprise Manager (SEM).

Viewing the Status of Existing Lockers

Click Status to view additional details about the selected Locker.

  • Compliance: A quick visual indication of problems. A green circle indicates the agent has received the latest SEM policy changes; a red circle indicates it has not.
  • Status: Identifies any issues occurring in the agent, such as an invalid configuration or an invalid path/location. Click Edit to fix the problem.
  • Name: Name of the selected Locker(s) owned by the selected user.
  • Path: Location to be protected on the endpoints.
  • Size: Total size of protected files and folders on this device.
  • Files: Count of protected files.
  • Folders: Count of protected folders.
  • Plaintext: Count of unencrypted files in the protected Path.
  • Encrypted: Count of encrypted files in the protected Path.
  • Sensitive: Count of sensitive files in the protected Path.
  • Reported At: Date and time of this status report.

New Locker

Click Add to open the Device Search page. Enter relevant data in at least one field to locate the device on which you want to create a Locker.

Complete the form to set up a new locker. This page also appears when you click Edit on an existing locker.

Common Attributes

  • Name: Name of the selected Locker(s) owned by the selected user.
  • Path: The exact folder path on the remote device to be set up as a locker. You may use a Universal Naming Convention (UNC) path. If the path does not exist on the specified device, the Smartcrypt client will try to create it. If the path is invalid (for example, it refers to a location the client has no permission to access), no locker will be created.
    Do not place an Assignment in the same path as a Locker. This can lead to a variety of unintended behaviors.
  • Smartkey: Select a Smartkey from the drop-down menu to encrypt the locker's files. Because a user and a device have already been chosen for the locker, the list is narrowed to Smartkeys the locker user has access to. If the Smartkey you want to use does not appear in the menu, ensure that the locker user has access to it.
  • Whitelist (optional): By default, Smartcrypt encrypts every file placed in the Locker. With the Whitelist you can restrict which files in the folder are encrypted. For example, to encrypt only spreadsheets in this locker, type *.xls* in the whitelist. Similarly, a whitelist that lists only the .dropbox extension on a user's Dropbox\Accounting folder encrypts only files with that extension; all other files placed in that locker remain unencrypted. Separate whitelist entries (file names or extensions) with semicolons.
    If a whitelist is defined, ONLY files matching the whitelist will be encrypted; everything else in the locker stays in plaintext.
  • Blacklist: Works like a whitelist in reverse. Items on the blacklist are not encrypted when they are found in a locker. Separate blacklist entries with semicolons.
    The following files and patterns are blacklisted automatically: .dropbox, desktop.ini, thumbs.db, ~.*
  • Sweep Interval: A secondary scan that runs to ensure all files are being encrypted. A system under extremely high load may not deliver the file system event for a new file to Smartcrypt, which leaves that file unencrypted. The sweep looks for plaintext files in the locker and encrypts them; the interval sets how often the sweep runs, and therefore how long such a file can remain in plaintext.
    On Solaris, AIX and HP-UX there are no file system event notifications for Smartcrypt to capture, so you must define a Sweep Interval for any files in a locker to be encrypted.
  • Report Compliance and Status: The locker reports its status to the Smartcrypt Enterprise Manager, generating a report if the agent running the locker has not received the latest SEM policy changes.
  • Exclude Hidden Files: By default, a locker does not encrypt hidden files. To encrypt hidden files located in the locker, uncheck this option.
  • Exclude System Files: By default, a locker does not encrypt Windows system files. To encrypt system files located in the locker, uncheck this option. A file's attributes show whether it is flagged as a system file. This protection exists only on Windows-based operating systems.
  • Report Successful Encryptions: If Data Security Intelligence is enabled on the Basics page, every file added to or changed in the locker is reported in the Audit Log, which can generate thousands of events. Uncheck this option if your organization is not interested in the encryption events a locker generates.
  • Report Encryption Failures: A locker might fail to encrypt a file on the initial attempt, for example because the file is locked open or because of some other environmental issue. The Smartcrypt Locker service will retry, but if your organization wants the failures reported, enable this option.
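The following is an added example, not PKWARE code and not taken from this page. It models how the Whitelist, Blacklist, built-in blacklist and the Exclude Hidden/System Files options above combine to decide whether a file placed in a locker ends up encrypted, so an administrator can check a proposed whitelist against real file names before saving it. It assumes, because the page does not say, that list entries are shell-style glob patterns matched case-insensitively against the bare file name, that a blacklist match overrides a whitelist match, and that the built-in blacklist always applies. The sample file names are constructed.

```python
"""Model of which files a Smartcrypt locker would encrypt (added illustration).

ASSUMED semantics, not stated by the vendor page: glob patterns (fnmatch),
case-insensitive, matched against the bare file name; blacklist beats
whitelist; the built-in blacklist is always in force.
"""
from fnmatch import fnmatch

# Patterns the page says Smartcrypt blacklists automatically.
DEFAULT_BLACKLIST = [".dropbox", "desktop.ini", "thumbs.db", "~.*"]


def parse_list(field):
    """Split a semicolon-separated Whitelist/Blacklist field into patterns."""
    return [p.strip() for p in field.split(";") if p.strip()]


def matches_any(name, patterns):
    """Case-insensitive glob match of a bare file name (assumed semantics)."""
    return any(fnmatch(name.lower(), p.lower()) for p in patterns)


def will_encrypt(name, whitelist="", blacklist="", hidden=False, system=False,
                 exclude_hidden=True, exclude_system=True, windows=True):
    """Return (encrypted, reason) for one file placed in a locker.

    The order of the checks is part of this model's assumptions; each check
    corresponds to one locker option described on the page.
    """
    if hidden and exclude_hidden:
        return False, "hidden file excluded"
    if system and exclude_system and windows:
        # The page says the system-file exclusion exists only on Windows.
        return False, "system file excluded"
    if matches_any(name, DEFAULT_BLACKLIST + parse_list(blacklist)):
        return False, "blacklisted"
    wanted = parse_list(whitelist)
    if wanted and not matches_any(name, wanted):
        return False, "not on whitelist"
    return True, "encrypted"


def plaintext_residue(names, **locker_options):
    """Names that would stay unencrypted under the given options: the list an
    administrator should review before trusting a whitelist."""
    return [n for n in names if not will_encrypt(n, **locker_options)[0]]


if __name__ == "__main__":
    # Constructed sample listing of an Accounting locker (not real data).
    sample = ["budget.xlsx", "budget.xls.bak", "notes.docx", "Thumbs.db",
              "~$budget.xlsx", "forecast.csv"]
    for n in sample:
        print(n, will_encrypt(n, whitelist="*.xls*"))
    print("left in plaintext:", plaintext_residue(sample, whitelist="*.xls*"))
```

Two things the model makes visible: a glob such as *.xls* also matches .xlsx, .xlsm and names like budget.xls.bak, and, read as a glob, the built-in ~.* entry does not cover Office lock files such as ~$budget.xlsx, which would then be encrypted under a spreadsheet whitelist. Confirm the vendor's actual pattern rules if either case matters in your environment; whatever the function returns False for is sitting in the locker in plaintext.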

Discovery 

Discovery Lockers use Smartcrypt Discovery to scan the contents of unencrypted documents and determine remediation actions. To learn more about how to set up Smartcrypt Discovery, see Discovery.

Remediation Actions

The Remediation Actions table defines, in order, which smart filter bundle(s) are tied to which remediation option.

Remediation action order is important: the client agent processes the remediation actions list from the top down and uses the first action whose filter matches what it discovered in the file. Each row pairs a smart filter bundle with a remediation action defined on the Discovery page.

For example, a Smartcrypt assignment has two remediation actions. The first, at the top, looks for "Secret" and encrypts and moves the file. The second, below it, looks for "Secret"+"Sensitive" and deletes the file. If the client finds "Secret" in a file, it applies only the first action and encrypts and moves the file, even if the file also contains "Sensitive", because processing stops at the first match. If the client finds "Sensitive" but not "Secret", the first action does not apply, so it applies the second action and deletes the file.

If a Smartcrypt client older than 15.60.0046 is given an assignment with multiple remediation actions, the client will default to only using the top remediation action.

  • Smart Filter Bundles: The list of Discovery Filters used to scan data for matches on sensitive data.
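The following is an added example, not PKWARE code, that reproduces the top-down, first-match evaluation described above so an administrator can see which row will handle a given file before saving the list. It assumes, since the page does not specify, that a row whose filter bundle names several terms fires when any one of those terms was discovered in the file. The row data is the page's own two-row example; the discovered-term inputs are constructed.

```python
"""Ordered remediation actions: top-down, first match wins (added illustration).

ASSUMED semantics, not stated by the vendor page: a row fires when ANY of
its terms was discovered in the file.
"""


def first_matching_action(actions, discovered, legacy_client=False):
    """actions: ordered list of (terms, action). Return the action of the
    first row that has a term in `discovered`, or None if no row matches.
    legacy_client=True models clients older than 15.60.0046, which the page
    says only use the top row."""
    found = set(discovered)
    rows = actions[:1] if legacy_client else actions
    for terms, action in rows:
        if found & set(terms):
            return action
    return None


def unreachable_terms(actions):
    """For each row, the terms that can never trigger it because an earlier
    row already claims them. A non-empty entry means a file carrying that
    term is handled by the earlier row, not by this one: a lint worth
    running before saving a remediation list."""
    claimed = set()
    report = []
    for terms, _ in actions:
        report.append(sorted(set(terms) & claimed))
        claimed |= set(terms)
    return report


# The page's example, rows in the order the page gives them.
PAGE_ORDER = [
    ({"Secret"}, "encrypt and move"),
    ({"Secret", "Sensitive"}, "delete"),
]


if __name__ == "__main__":
    for terms in (["Secret"], ["Sensitive"], ["Secret", "Sensitive"], ["Public"]):
        print(terms, "->", first_matching_action(PAGE_ORDER, terms))
    print("terms shadowed by earlier rows:", unreachable_terms(PAGE_ORDER))
```

Running it on the page's example shows that "Secret" in the second row is dead: any file containing "Secret" is already encrypted and moved by the first row, so the delete action only ever fires for files that contain "Sensitive" alone. Reversing the two rows makes the encrypt-and-move row entirely unreachable instead, which is exactly the kind of silent change the lint is meant to catch.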


Re-encryption

Description

Re-encryption within a locker allows the Smartcrypt Locker service to change the encryption key protecting an archive file that was already encrypted before it entered the locker. The identity running the Smartcrypt Locker Service needs access to both the existing key and the new key for re-encryption to work.

  • Report Successful Re-Encryptions: When re-encryption is enabled, reports a Data Security Intelligence event each time a re-encryption occurs, for example when a file encrypted with KEY A before entering the Locker folder is re-encrypted with KEY B by the Locker service.
  • Report Re-Encryption Failures: When re-encryption is enabled, reports a Data Security Intelligence event each time a re-encryption fails, for example when a file encrypted with a passphrase before entering the Locker folder is supposed to be re-encrypted with KEY B by the Locker service but cannot be, because the service has no passphrase to decrypt it.

Use Cases

Example Use Case

Setup - The Smartcrypt Locker Service is running as an Active Directory service account, "PKWARE". The PKWARE identity has access to Community Key A and Community Key B. The Locker is set up with re-encryption enabled and protects data with Community Key B.

  • A file encrypted with Key A is added to the locker: the Locker re-encrypts the file to Key B, because the identity has access to both Key A and Key B.
  • A file encrypted with Key C is added to the locker: the Locker does not re-encrypt the file to Key B, because the identity does not have access to Key C.
  • A file encrypted with a passphrase is added to the locker: the Locker does not re-encrypt the file to Key B, because a passphrase is required to decrypt it and the service has none.
  • A file encrypted with a PGP key or X.509 certificate is added to the locker: the Locker does not re-encrypt the file to Key B, because the corresponding PGP key or certificate is required to decrypt it.

Files the service cannot re-encrypt remain in the locker under their original protection rather than under Key B; enable Report Re-Encryption Failures to see them.

Applying Multiple Keys to Lockers with Subfolders

Smartcrypt allows subfolders in a locker to be controlled by different encryption keys. The Smartcrypt Administrator creates one Locker entry per folder on the device, each with its own path and Smartkey.

Example Use Case

Setup - There is a file server with files in the root directory (P:\Shares) and subfolders that need to be controlled by different keys:

  • P:\Shares: Key A
  • P:\Shares\Engineering: Key B
  • P:\Shares\HR: Key C

To accomplish this, add three lockers with separate paths and Smartkeys:

  1. Click Add Locker.
  2. Identify the server and owner of that locker.
  3. Click Add Locker.
  4. Set the Path as P:\Shares.
  5. Set Smartkey to Key A.
  6. Set other parameters as required.
  7. Click Save.
  8. Repeat Steps 3-7 with the appropriate Paths for Key B and Key C.
  9. Click Done.

Now a file named test.txt is placed in each of the following locations:

  • P:\Shares\test.txt: encrypted with Key A. The file is in the root of the "Shares" locker, so the Locker Service encrypts it with Key A.
  • P:\Shares\Engineering\test.txt: encrypted with Key B. The file is in the root of the "Engineering" locker, which takes precedence over the enclosing "Shares" locker.
  • P:\Shares\Engineering\Releases\test.txt: encrypted with Key B. The file is in a subfolder of the "Engineering" locker.
  • P:\Shares\Accounting\test.txt: encrypted with Key A. The file is in a subfolder of the "Shares" locker that is not itself a locker and is not under "Engineering" or "HR", so the enclosing "Shares" locker applies.
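To make the precedence in that list checkable, here is an added example (not PKWARE code; the page does not describe how the agent resolves overlapping lockers) that assumes the deepest locker path containing a file wins, and that Windows paths compare case-insensitively with trailing separators and forward slashes normalised away. LOCKERS holds the three lockers from the setup above; the extra test paths are constructed.

```python
"""Which locker, and so which Smartkey, governs a file in nested lockers
(added illustration). ASSUMED rule: deepest containing locker path wins."""
from pathlib import PureWindowsPath

# The three lockers from the setup above.
LOCKERS = {
    r"P:\Shares": "Key A",
    r"P:\Shares\Engineering": "Key B",
    r"P:\Shares\HR": "Key C",
}


def _components(path):
    """Drive and folder components, lower-cased because Windows paths are
    case-insensitive. PureWindowsPath drops trailing separators and accepts
    forward slashes, so P:\\Shares\\ and p:/shares compare equal."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def governing_locker(file_path, lockers=LOCKERS):
    """Return (locker_path, smartkey) for the deepest locker whose path is a
    component-wise prefix of file_path, or None if no locker contains it.
    Comparing components rather than strings keeps P:\\SharesOld out of
    P:\\Shares."""
    fp = _components(file_path)
    best, best_depth = None, -1
    for locker_path, key in lockers.items():
        lp = _components(locker_path)
        inside = len(lp) < len(fp) and fp[:len(lp)] == lp
        if inside and len(lp) > best_depth:
            best, best_depth = (locker_path, key), len(lp)
    return best


def key_for(file_path, lockers=LOCKERS):
    """Smartkey that would encrypt a file at file_path, or None if the file
    is outside every locker (and would therefore stay in plaintext)."""
    hit = governing_locker(file_path, lockers)
    return hit[1] if hit else None


if __name__ == "__main__":
    for p in (r"P:\Shares\test.txt", r"P:\Shares\Engineering\test.txt",
              r"P:\Shares\Engineering\Releases\test.txt",
              r"P:\Shares\Accounting\test.txt"):
        print(p, "->", key_for(p))
```

The function reproduces the four outcomes listed above and also makes two edge cases explicit: a sibling folder with a longer name (P:\SharesOld) is not inside P:\Shares, and a file that no locker contains gets no key at all.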