Policies

Option is end user configurable and its default state is on

Option is end user configurable and its default state is off

Option is not end user configurable and has been locked on

Option is not end user configurable and has been locked off

The name of the policy (such as "Legal Group" or "Accounting"). If you don't name the policy, SEM will describe the Policy with a date and timestamp. Note: You cannot edit the name of Site-wide Default policy.

How often an agent re-authenticates with the Smartcrypt Manager (in minutes). Default: 15 minutes. Edit the field to change this interval.

Smartcrypt agents cache encryption keys they have access to on the systems they run on. If an agent loses connection with the manager (For example, the user's AD account has been disabled and the agent can no longer log in) this is the maximum time (in hours) the agent will keep the keys before it automatically purges them from that device. Default: 24 hours. Edit the field to change this interval. Note: Keys will be re-synced if / when the device is successfully re-authenticated.

Use the fastest version of the Advanced Encryption Standard (AES) available on the system. This is the default.

Use only FIPS-validated algorithms to encrypt or decrypt files, email messages, and email attachments.

Always choose FIPS-validated algorithms for encryption and decryption, but allow unzipping files encrypted with the AE-2 algorithm used by some compression applications.

Choose FIPS-validated algorithms over others, but does not require them.

List of Active Directory users and groups for which this policy should apply. Note: If a user is defined in more than one policy, the first one in the policy list will be applied.

List of Active Directory users and groups that are allowed to control and modify this policy. Note: If a user is defined that is not currently a Sys Admin, the user will be added to the SEM Admins list configured as a Security Admin.

Users can create and define recipients of Smartkeys.

Users can delete Smartkeys they have created.

Data can be encrypted with a private Smartkey issued with an account. Note: Files encrypted with private Smartkeys are not decryptable by contingency keys or contingency group members.

Data can be encrypted with a Smartkey owned by another user. Note: "Another User" may be a Smartcrypt user outside of your organization.

Users can encrypt with X.509 personal certificates

Users can encrypt with OpenPGP keys

Strict checking identifies certificates that are valid and designated for encryption. See next section for Strict Checking Options.

If you wish to only see certificates created by a specific certificate authority, type the complete issuer's name in this box. You'll find this information in the Details tab of Certificate Properties.  Look for the Issued by section in the Details tab, and type everything after CN=.

For example, if all your company's certificates are issued by COMODO, type (no quotes) "COMODO Client Authentication and Secure Email CA" in this box.

If you wish to only see certificates issued to someone in a specific organization, type the complete Organizational Unit (OU) name in this box.  You'll find this information in the Details tab of Certificate Properties.  Look for the Issued to section in the Details tab, and type everything after OU=.

For example, if all your company's certificates have an OU of Corporate Secure Email, type (no quotes) "Corporate Secure Email" in this box

This option causes Smartcrypt to warn you if a selected certificate to add a signature appears on an accessible list of certificates that have been revoked. If strict checking is also turned on, Smartcrypt does not use a revoked certificate.

You must first download a list of revoked certificates from a certificate authority to use this option.

Check the purpose for which the certificate is designated (encryption or signing).

Check whether the current date is within the valid range of dates for the certificate

Check whether the period of validity of the certificate does not extend past the dates when the issuer certificate is valid. For example, if the issuer certificate is valid from February 1, 2015, to January 31, 2018, the date range during which the selected certificate is supposed to be valid does not begin before February 1, 2015, or end after January 31, 2018.

The signature algorithm creates a hash value for the file to be signed.

The hash value uniquely represents the file: any change to the file gives it a different hash value. Comparing the hash value of the file when it was signed with the file's current hash value reveals whether the file has been changed.

Smartcrypt uses the SHA2 hash algorithm at 256-bit strength by default. Stronger versions (384- and 512-bit) of SHA2 are also available. Click the button to approve the use of either of these algorithms.

Note: You may allow the use of the MD5 or SHA1 algorithms by clicking in a blank space on this line. These algorithms are deprecated for signing keys, and not recommended.

Strict checking identifies certificates that are valid and designated for encryption. See Strict Checking Options.

If you wish to only see certificates created by a specific certificate authority, type the complete issuer's name in this box. You'll find this information in the Details tab of Certificate Properties.  Look for the Issued by section in the Details tab, and type everything after CN=.

For example, if all your company's certificates are issued by COMODO, type (no quotes) "COMODO Client Authentication and Secure Email CA" in this box.

If you wish to only see certificates issued to someone in a specific organization, type the complete Organizational Unit (OU) name in this box.  You'll find this information in the Details tab of Certificate Properties.  Look for the Issued to section in the Details tab, and type everything after OU=.

For example, if all your company's certificates have an OU of Corporate Secure Email, type (no quotes) "Corporate Secure Email" in this box

This option causes Smartcrypt to warn you if a selected certificate to add a signature appears on an accessible list of certificates that have been revoked. If strict checking is also turned on, Smartcrypt does not use a revoked certificate.

You must first download a list of revoked certificates from a certificate authority to use this option.

Check whether an X.509 certificate has been revoked that has been used to sign or encrypt any file in the archive or the archive itself

ASCII armor (also known as Radix-64) is a character format that creates an ASCII character stream that could be used in transferring OpenPGP files through transport mechanisms that can only handle character data (for example, email body text).

Smartcrypt offers the choice of the algorithms shown below. Different key lengths are supported for the Advanced Encryption Standard (AES) algorithm. In general, the longer the key, the stronger the encryption. Encryption also takes slightly longer in proportion to the length of the key.

Smartcrypt uses the SHA2 hash algorithm at 256-bit strength by default. Stronger versions (384- and 512-bit) of SHA2 are also available. Click the button to approve the use of either of these algorithms.

Note: You may allow the use of the MD5 or SHA1 algorithms by clicking in a blank space on this line. These algorithms are deprecated for signing keys, and not recommended.

The minimum number of characters that a passphrase must contain. Passphrases shorter than this are rejected.

Longer passphrases are harder to guess. You can require a minimum length as great as 260 characters. Default is 8 characters.

The maximum number of characters that a passphrase can contain. Passphrases longer than this are rejected. Default is 250 characters. You can assign a maximum length as great as 260 characters.

Sets the maximum number of adjacent, case-sensitive occurrences of the same character. A setting of 1 allows no repetitions. A setting of 2 allows two adjacent occurrences, and so on. A setting of 0 (the default) turns the option off and allows all repetitions.

For example, a setting of 2 disallows a passphrase that contains aaa but allows aAa or a1a2a.

Minimum number of lower case alphabetical characters a passphrase requires. Default is 0.

Minimum number of special characters a passphrase requires.  By default a special character is defined as any non-alphanumeric character. Examples include

@#$%''*()_-+={}&&:;<>,.?/\`~!"* ^[]

Default is 0.

These rules restricts certain character types from being used as the FIRST character or LAST character of a passphrase. Use the drop-down menu next to the relevant character type (Lowercase, Uppercase, Digits, or Symbols).Choices include:

By default, Smartcrypt does not check for placement.

This allows for control on the default and available actions from the Smartcrypt Outlook Plugin. The default option displays in bright blue. Other allowed actions are displayed in a grayer blue. Admins can delete actions to prevent there use.

Defining extensions in the extensions to include creates a small subset of extensions that will be considered by the Smartcrypt Plugin when performing Compress attachments only and Encrypt Attachments only actions.

Example

Setup - The policy is set to include extensions ".pdf"

User Action - The user sends an email with a .PDF and attached the the email

User Action - The user sends an email with a .PNG and attached the the email

Defining extensions in the extensions to exclude creates a small subset of extensions that will be ignored by the Smartcrypt Plugin when performing "Compress attachments only" and "Encrypt Attachments only" actions.

Example

Setup - The policy is set to exclude extensions ".pdf"

User Action - The user sends an email with a .PDF and attached the the email

User Action - The user sends an email with a .PNG and attached the the email

There is another dialog that the Plugin can open to select user controlled options for Smartcrypt. This is useful when sending email outside of outlook (from a "send an email option" in other applications).

Auto-Search Recipients will look at the users existing Smartkeys are try to pick a Smartkey that all recipients have access to. If a Smartkey is not found, a new only can be created with all recipients included on the email message.

Smartcrypt can include a plain text (non encrypted) document with instructions on how to decrypt the attachment.

The zip archive produced by Smartcrypt can be automatically signed with a digital certificate (when present).

Users can change the encryption on existing ZIP archives attached to an email message. This option must be set if you want Smartcrypt to encrypt existing archives.

Smartcrypt gives the same, generic name to all ZIP file attachments that contain multiple files. In this field, specify the generic name to use.

When you zip a single attached file, ordinarily the ZIP file is named after the attached file itself. For example, if the attached file is my_file.docx, Smartcrypt names the ZIP file my_file.zip. (Exception: If the Security option to Encrypt file names is set, the generic name is always used.)

Following the Default ZIP Name, you can also define an alternate three-character extension for ZIP archives. Some networks have security settings that prevent file attachments with the ZIP extension from being sent or received. Use this feature if this is an issue for you or your recipient

By default, Smartcrypt extracts compressed files in the same directory as the original archive. If another file with the same name is located in that same directory in Finder, the newly-extracted file is added as a copy of the original file.

This setting allows you to select a new default folder, or be prompted for a destination folder each time you open an archive. Choose from these options:

• Original archive folder (default)
• Your Desktop
• Other folder. This option opens a Finder box. Choose any folder for all extracted files to be extracted to.
• Prompt for folder. When you select this option, you will be asked where to put the extracted files each time you extract an archive with Smartcrypt.

By default, Smartcrypt extracts compressed files in the same directory as the original archive. If another file with the same name is located in that same directory in Finder, the newly-extracted file is added as a copy of the original file.

This setting allows you to select a new default folder, or be prompted for a destination folder each time you open an archive. Choose from these options:

• Original archive folder (default)
• Your Desktop
• Other folder. This option opens a Finder box. Choose any folder for all extracted files to be extracted to.
• Prompt for folder. When you select this option, you will be asked where to put the extracted files each time you extract an archive with Smartcrypt.

Define what happens when a user selects an archive.

Extract Archive: Unzip the files in the archive in Finder.

View Archive: Display the files in a Smartcrypt window.