Policies

Option is end-user configurable, and its default state is on.

The name of the policy (typically referring to the users or groups it will be assigned to). If you don't name the policy, PEM will describe the Policy with a date and timestamp. 

 *Note: You cannot edit the name of Site-wide Default policy.

PEM Agents cache encryption keys they have access to, for the system on which they run. If agent loses connection with PEM Administrator (or instance user’s AD account has been disabled and agent can no longer log in), the number in this field specifies the maximum time (in hours) the agent will keep keys before it automatically purges them from the device. By default, the value is set to 24 hours.

*Note: Keys will be re-synched when device is successfully re-authenticated.

This option enables or disables the ability to use PK Protect for iOS or Android platforms for specific set of users defined in policy. By default, this option is enabled.

Enabling this option will reset settings in existing policy on any PK Protect client device before applying this new policy. It can be used in combination with mobile file format to set the client device to default settings to use the zipx file format instead of zip.

FIPS is an abbreviation for Federal Information Processing Standards, a set of standards for information processing in federal agencies in the United States. In FIPS 140 mode, encryption and decryption are done using only encryption and hashing algorithms that have been validated for compliance with FIPS 140-2 security requirements for cryptographic modules by NIST (National Institute of Standards and Technology), a branch of the US government.

Click your preferred FIPS compliance options. Your selection will turn a bright blue; this is the default for clients that this policy applies to. The site-wide policy by default displays all the options, allowing clients to change from the default. To enforce just one selection (such as Use FIPS 140 Mode), delete the remaining options.

*Note: FIPS mode is not supported for MacOS X platform.

The following FIPS settings are available:

• Prefer fastest available algorithm – This option uses the fastest version of Advanced Encryption Standard (AES) available on the system. By default, this option is selected.
• Prefer FIPS-validated algorithm - Choose FIPS-validated algorithms over others if available but does not require FIPS algorithms to be used.
• Use FIPS 140 mode – This option will only use FIPS validated algorithms to encrypt or decrypt files, email messages and email attachments.
• Use FIPS- validated algorithm; allow AE extraction – This option will always choose FIPS validated algorithms to encrypt and decrypt data, but allows unzipping files encrypted with the AE-2 algorithm used by some compression applications.

This field contains the list of Active Directory (AD) users and groups to which this policy should apply.

*Note: If a user is defined in more than one policy, the first one in the policy list will be applied.

This field contains the list of Active Directory (AD) users and groups that are allowed to control and modify this policy. 

*Note: If a user is defined who is not Sys Admin, then this user will be added to the PEM Admins list and configured as Sys Admin.

This will preserve the alternate data stream of a file during compression. By default, Allowed (default off) is selected.

This field display the list of algorithms that can be used for encryption zip archive. PK Protect supports AES in several key lengths as well as AE2 (256-bit) and 3DES (168-bit).

By default, PK Protect uses the strongest available algorithm and key length (AES-256).

Allow OpenPGP Keys

Strict checking identifies certificates that are valid and designated for encryption. Following options are enabled when you select this option:

• Check Key Usage - Check the purpose for which the certificate is designated (encryption or signing).
• Check time validity - Check whether the current date is within the valid range of dates for the certificate.
• Check time nesting - Check whether the period of validity of the certificates does not extend past the dates when issuer certificate is valid. 

 For example, if the issuer certificate is valid from February 1, 2015, to January 31, 2018, the date range during which the selected certificate is supposed to be valid does not begin before February 1, 2015, or end after January 31, 2018.

If you wish to see only those certificates which are created by a specific certificate authority, type the issuer's name in this field. This information can be found in the Details tab of Certificate Properties.  Look for the Issued by section in the Details tab, and type everything after CN=in the field

For example, if all your company's certificates are issued by COMODO, type (no quotes) "COMODO Client Authentication and Secure Email CA" in the field.

If you wish to see only those certificates which are issued to someone in a specific organization, type the complete Organizational Unit (OU) name in this field.  This information can be found in the Details tab of Certificate Properties.  Look for the Issued to section in the Details tab, and type everything after OU= in the field.

For example, if all your company's certificates have an OU of Corporate Secure Email, type (no quotes) "Corporate Secure Email" in the field.

This option causes PK Protect to warn if a selected certificate’s signature appears on an accessible list of certificates that have been revoked. When Strict Checking option is turned on, PK Protect does not use a revoked certificate.

To use this option, you must download a list of revoked certificates from a certificate authority.

The signature algorithm creates a hash value for the file to be signed. The hash value uniquely represents the file: any change to the file gives it a different hash value. Comparing the hash value of the file when it was signed with the file's current hash value reveals whether the file has been changed. PK Protect uses the SHA2 hash algorithm at 256-bit strength by default. Stronger versions (384- and 512-bit) of SHA2 are also available. Click the button to approve the use of either of these algorithms.

Note: You may allow the use of the MD5 or SHA1 algorithms by clicking in a blank space on this line. These algorithms are deprecated for signing keys, and not recommended.

If you wish to see only those certificates which are created by a specific certificate authority, type the complete issuer's name in this field. This information can be found in the Details tab of Certificate Properties.  Look for the Issued by section in the Details tab, and type everything after CN= in the field.

For example, if all your company's certificates are issued by COMODO, type (no quotes) "COMODO Client Authentication and Secure Email CA" in the field. 

If you wish to see only those certificates which are issued to someone in a specific organization, type the complete Organizational Unit (OU) name in this field.  This information can be found in the Details tab of Certificate Properties.  Look for the Issued to section in the Details tab, and type everything after  OU= in the field.

For example, if all your company's certificates have an OU of Corporate Secure Email, type (no quotes) "Corporate Secure Email" in the field.

This option causes PK Protect to warn if a selected certificate’s signature appears on an accessible list of certificates that have been revoked. When Strict Checking option is turned on, PK Protect does not use a revoked certificate.

To use this option, you must download a list of revoked certificates from a certificate authority.

Check certificates revocation when verifying

This option allows you to check whether an X.509 certificate has been revoked that has been used to sign or encrypt any file in the archive or the archive itself. 

Enabling this option gives users the ability to take a zip file and spilt it into many zip files which together make the original zip file.

ASCII Armor (also known as Radix-64) is a character format that creates an ASCII character stream that could be used in transferring OpenPGP files through transport mechanisms that can only handle character data (for example, email body text).

By Default, Allowed (default on) option is selected.

This option allows users to create OpenPGP files and disable encryption. By default, Allowed (default on) option is selected.

PK Protect offers the choice of the algorithms shown below. Different key lengths are supported for the Advanced Encryption Standard (AES) algorithm. In general, the longer the key, the stronger the encryption. Encryption also takes slightly longer in proportion to the length of the key.

• AES – This is standard algorithm adopted by US federal government and in widespread used in banking and credit card operations.
• CAST5 – This algorithm is the default algorithm for OpenPGP clients.
• IDEA – This is an optional algorithm in the OpenPGP standard, used in many OpenPGP clients.

By default, Pk Protect uses SHA2 Hash algorithms at 256-bit strength. Stronger versions, SHA2 (384-bit) and SHA2 (512-bit) are also available to be used for encryption.

*Note: You can allow the use of MD5 or SHA1 algorithms by clicking in a blank space on this line. However, these algorithms are deprecated for signing keys and are not recommended.

The minimum number of characters that a passphrase must contain. Passphrases shorter than this are rejected. You can require a minimum length as large as 260 characters. By default, the length of passphrase is 8 characters.

The maximum number of characters that a passphrase can contain. Passphrases longer than this are rejected. By default, the maximum length of passphrase is 250 characters. You can assign 260 characters as a maximum length.

Sets the maximum number of adjacent, case-sensitive occurrences of the same character. A setting of 1 allows no repetitions. A setting of 2 allows two adjacent occurrences, and so on. A setting of 0 (the default) turns the option off and allows all repetitions.

For example, a setting of 2 disallows a passphrase that contains aaa but allows aAa or a1a2a.

The minimum number of lower-case alphabetical characters a passphrase requires. The default value is set to 0 (zero).

The minimum number of upper-case alphabetical characters a passphrase requires. The default value is set to 0 (zero).

The minimum number of digits i.e., 0-9, a passphrase requires. By default, the value is set to 0 (zero).

The minimum number of special characters a passphrase requires. By default, a special character is defined as a non-alphanumeric character. The default value is set to 0 (zero).

E.g., @, #, $, %,',’, *, (,), ,_,-,+,=,{,},&,&,:, ;,<,>,/,\,`,~,!,",*,^,[,]. 

This field allows you to specify the contingency keys that can be used for the decryption of files.

Enabling this option allows you to specify the contingency users.

This field allows specific individuals to be defined, who will be able to decrypt information encrypted by the users in this policy.

To enable this feature, select the Enable Contingency Users checkbox.

• If enabled, then this feature will allow selected users to decrypt any files encrypted with any key.
• If disabled, this feature will disable the contingency public key but will not delete it. After disabling, the members of the policy will not be able to decrypt previously encrypted file, nor they will be able to decrypt newly encrypted file.

This allows control on the default and available actions from the PK Protect Outlook Plugin. The default option displays in bright blue, Other allowed actions are displayed in a grayer blue; and admins can prevent certain functionality by not including them in the field. Following actions are taken on emails:

• Encrypt message body and attachment – Select this option to allow users to send an email i.e., an encrypted email body. The subject line does not get encrypted into the .zip archive. The recipient can use email mime (.eml) viewer to read the original message. This is the most secure option, but also the most obtrusive to normal email workflow.
• Encrypts attachment only - Include this option to allows users to send an email and ignore the body of the email message, and it only encrypt the attachments to the email. The attachments will be gathered and included in single zip archive and then gets encrypted.
• Compress attachment only - Include this option to allows users to send an email and ignore the body of the email message, and it only compress the attachments to the email. The attachments will be gathered and included in single zip archive and then compress, but not encrypted.
• Skip actions - Include this option to allows users to send an email that bypasses the PK Protect Outlook Plugin. Do not select this option if desired bypass is not required.

This field displays the list of file extensions that will be considered by PK Protect Plugin when performing ‘Compress Attachments Only’ and ‘Encrypt Attachments only’. E.g., If the policy is set to exclude ‘.pdf’ extensions and user performs an action by sending an email with PDF attachment. Following action is taken:

If user sends a ‘.png’ attachment instead of ‘.pdf’ then in that case following actions are taken:

This field displays the list of file extensions that will be ignored by PK Protect Plugin when performing ‘Compress Attachments Only’ and ‘Encrypt Attachments only’.

E.g., If the policy is set to exclude ‘.pdf’ extensions and user performs an action by sending an email with PDF attachment.

If user sends a ‘.png’ attachment instead of ‘.pdf’ then in that case following actions are taken:

If the option is enabled, text and picture signature element in the email body will not be included in the archive. It will be included in the plain text email. By default, Allowed (default on) option is selected in the drop-down.

This option is visible when Smartkey is selected in Email Encryption Options.

This option is visible when PKWARE Identity is selected in Email Encryption Options.

This option is visible when PKWARE Identity is selected in Email Encryption Options.

Check this checkbox to define one or more Community Keys to use if the initial search for recipients does not find a Smartkey.

The Outlook plugin will select the first available Community Key.

This option is visible when Smartkey is selected in Email Encryption Options.

Check this checkbox to define one or more Community Keys to use if the initial search for recipients does not find a Smartkey.

The Outlook plugin will select the first available Community Key.

Hide Smartkey selections when prompting for passphrase entry

This option is visible when Smartkey and Passphrase is selected in Email Encryption Options.

Use pre-selected Smartkeys when auto-search for recipients fails to find a Smartkey

The email body is encrypted for the list of recipients specified in this field.

The attachments get encrypted for the list of recipients specified in this field. 

The attachments are compressed for the list of recipients specified in this field.

No action is performed on the emails for the list recipient(s) specified in this field.

Display Recipient Expand Limit

If a user mails the content to a list of external recipients subjected to the policy, PK Protect will display the list all email addresses, using which user can deselect individual recipients from processing.

The admin can define a top limit of how many individual emails to display. With this setting, you can limit the number of list recipients to display.

External Email Recipient Prompt Instructions

Enter the message you want to display when prompting the user. The prompts specify what a user can do next.

You can use HTML tags for highlighting the message in the prompt such as bold, underlined and italic, line breaks, etc.  

Distribution Exemptions

If you’ve a large distribution list, such as an "All Employees" list, type the list address (such as AllEmployees@MyCompany.com) here to prevent PK Protect from displaying every name in the list.

The name defined here will be shown to end users as a gateway option of where to send emails. As an example, we'll define the name as "Send from SecurityMail" The overall context provided to the end user will be shown as,

 ""

Would you like to protect your message?

Sensitive information detected in the following file(s):

<Examplefile.docx>

Button: Encrypt Attachments

Button: Send from SecurityMail

""

Concatenation of email subject before the user's defined email subject. Example: If a user has a subject in their email as "ProjectXYZ" and a Subject Prefix is defined as "GATEWAY" the final string will be "GATEWAY ProjectXYZ 

Concatenation of email subject after the user's defined email subject.

Define the x-header tag name for the .msg file.

Define the x-header tag value for the .msg file.

Decrypt Attachments

If this option is checked, it prompts user to decrypt the attachment before it is sent. 

Send Mail via Gateway

If this option is checked, the rules above are applicable for sending emails.

If this option is checked, the rules above are applicable for sending meeting requests. 

There is another dialog that the Plugin can open to select user-controlled options for PK Protect. This is useful when sending email outside of outlook (from a "send an email option" in other applications). By default, the Allowed (default on) option is selected.

Check this box to display a message when the policy forces encryption of a message. By default, this option is enabled. 

Add PKWARE header tag to email

Check this box to add an x-header tag to each email processed by the Outlook plugin. This is required when you want to differentiate PK Protect-processed mail from the rest of your email traffic.

Allow conversion of Rich Text Format (RTF) messages to HTML

Check this checkbox to convert the message format from Rich Text Format (RTF) to HTML format.

Auto-Search Recipients

Auto-Search Recipients will look at the Smartkeys that all recipients have access. If a Smartkey is not found, a new key can be created with all recipients included on the email message. By default, the Allowed (default on) option is selected.

Include Unzip Instructions

PK Protect can include a plain text (non-encrypted) document with instructions on how to decrypt the attachment. Default: Allowed (default on).

Instructions

Text added here will be provided in a text file that is sent out automatically when a user sends an encrypted attachment. This text can be plaintext or HTML formatted. 

*Note: This is not used when email body encryption is activated or when discovery filter override recipient filtering is not checked.

Sign Attachments

The zip archive produced by PK Protect can be automatically signed with a digital certificate if present. By default, Allowed (default off) option is selected.

Re-Encrypt Attachments

Default Zip Name

Using this option, you can give same generic name to all ZIP file attachments that contain multiple files. You can also define alternate three-character extension of the zip archives. Some networks have security settings that prevent file attachments with the zip extension from being sent or received. Use this feature if this is an issue for you and your recipients.

When you zip a single attached file, ordinarily the ZIP file is named after the attached file itself. If the security option to encrypt file names is set, the generic name is always used.

For example, if the attached file is employee_data.docx, PK Protect names the zip file employee_data.zip.

*Note: This field accommodates for a .zipx entry, as an alternative to zip.

Enable Recent Mode

If this option is checked, users can select ‘Recents’ from PKWARE tray icon in the Windows operating system. It displays the list of all messages that have been recently sent.

Enable Sending Passphrase to Recipients

This checkbox is enabled when Enable Recent Mode is selected. If this option is checked, users can select a ‘Mail’ icon in ‘Recents’ dialog to prompt a new email with pre-selected recipients in the Bcc field and the passphrase is included in the body of the email.

By default, PK Protect extracts compressed files in the same directory as the original archive. If another file with the same name is kept in the same directory in Finder, the newly extracted file is added as a copy of the original file.

This setting allows you to select a new default folder or be prompted for a destination folder each time you open an archive. Choose from these options:

• Original Archive – This extracts the file in the same location where original archive is kept.
• Desktop – This option allows you to extract the file at Desktop location.
• Prompt for Folder - When you select this option, you will be asked where to put the extracted files each time you extract an archive with PK Protect.
• Other – This option opens a Finder box. Choose any folder for all extracted files to be extracted to.

By default, PK Protect extracts compressed files in the same directory as the original archive. If another file with the same name is in that same directory in Finder, the newly extracted file is added as a copy of the original file.

This setting allows you to select a new default folder or be prompted for a destination folder each time you open an archive. Choose from these options:

• Original Archive – This extracts the file in the same location where original archive is kept.
• Desktop – This option allows you to extract the file at Desktop location.
• Prompt for Folder - When you select this option, you will be asked where to put the extracted files each time you extract an archive with PK Protect.
• Other – This option opens a Finder box. Choose any folder for all extracted files to be extracted to.

This option defines what happens when user selects an archive. There are two options available:

• Extract Archive – This option unzips the files in the archive in Finder.
• View Archive – This option displays the files in PK Protect Window. 

When the user extracts file(s) from an archive, it gets open in the associated application. By default, Allowed (default on) option is selected.  

When a file is encrypted, the unencrypted version of this file is removed from the system. By default, Allowed (default on) option is selected.

Delete archive on decryption

When files are decrypted (encryption is removed), the encrypted archive is deleted. By default, Allowed (default off) option is selected.