Windows: Encrypt with Lockers

Smartcrypt Lockers run as a Windows Service. This provides an unattended automatic startup and protection after the application is installed and configured. If the file system can be mounted by a client that can run Smartcrypt, a locker can be used to automatically protect the data on the volume. Lockers can be run by admin and non-admin users.

Locker Service Configuration On Windows Device Joined to the Domain

  1. After installing the Smartcrypt client onto the system, open Smartcrypt Options and click the Lockers tab.
     

  2. Click Configure Service. A dialog will open that requires the current logged-in user to enter their password. After supplying the password, click OK.
     
  3. Creating a Windows Service requires Administrator Privileges. Click Yes on this screen.
  4. In Smartcrypt Options, you will see the Smartcrypt Service was created and shows the current status:

        

Locker Service Configuration On Windows Device Not Joined to the Domain

A Windows device not joined to the domain can still be used with Smartcrypt Lockers. This configuration has some additional setup constraints, so it is important to follow these instructions when using Lockers on a machine that is not joined to the domain.

  1. Find the Smartcrypt Agent icon in the task tray, and select Login:

    Since this machine is not using Active Directory credentials to log in with Windows, Smartcrypt needs a user to manually log in to store the Smartcrypt credentials on the machine in the secured Credential Manager.
  2. At the login prompt, enter your email address or, if no email exists in your lab, enter the User Principal Name (UPN). A familiar Windows authentication window will open to have you authenticate with your Active Directory credentials again.
  3. (Optional) After successfully logging in, you can verify that the Smartcrypt Credentials used to access Smartcrypt have been successfully stored to your local system account in Credential Manager. Open the Control Panel, then open Credential Manager to confirm that the Smartcrypt Credentials exist.

    Now that the local system account has credentials, manually copy the Smartcrypt metadata folder into the Smartcrypt Service directory. This will enable the Smartcrypt Service to log in. To log in, the service needs both the metadata and the stored credentials. Open the %localappdata%\PKWARE folder.
  4. Make a new folder called SmartcryptService. Then copy the .meta folder into the SmartcryptService folder.
  5. Open the Task Manager on the machine and load the Services tab. Confirm that you see an entry called SmartcryptService. After finding it in the list of services, right-click it and select Open Services.
  6. In the Windows Services snap-in that opens, find SmartcryptService, right-click the service and select Properties.
  7. In the SmartcryptService properties, set up the login credentials for authentication with Smartcrypt. There are also different startup options for Windows Services. In the General tab, define the Startup type value. Selecting Automatic will start the service automatically when the machine is powered on. Manual will require the user to start and stop the service manually, so it is recommended to select Automatic.

Next we need to make sure that the Windows Service authenticates with Smartcrypt as the appropriate local user. In the Log On tab, enter the credential used to log in with Windows on the device. Since you have stored the Smartcrypt Credentials for this local system user account, and moved the metadata into the correct directory, the Smartcrypt Service will be able to authenticate the local account with a Smartcrypt Account. If you haven't set up the Locker in Smartcrypt Enterprise Manager yet, you might want to check out Creating a Smartcrypt Locker, as a Locker needs to be defined in the Manager before it works on the client.

Adding a Locker Service on Windows

If more than one Smartcrypt user needs a protected folder on a device, each user needs a separate Locker Service running on that device. To manually create the Windows Service:

In an elevated Command Prompt (cmd), run the following command to create a new Windows Service called "Locker Service For User A":

sc create "Locker Service For User A" binpath= "C:\Program Files (x86)\PKWARE\Smartcrypt\SmartcryptService.exe """Locker Service For User A""""

If you see this error, the Command Prompt is not running elevated as Administrator.

[SC] OpenSCManager FAILED 5:

Access is denied.

After creating a new service, you will need to configure it in the Windows Services Manager, just like in the example at the top of this page.
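
Once the new service has been configured, its settings can be checked from PowerShell. The script below is an added example, not PKWARE's own tooling; it assumes the service name used in the sc create command above and reads the standard Win32_Service properties to confirm the startup type, the Log On account, and that an executable path containing spaces is stored quoted.

```powershell
# Added example: audit a Locker service after it has been configured.
# Assumption: the service name is the one used in the sc create command above.
$ServiceName = 'Locker Service For User A'

function Test-LockerService {
    param([Parameter(Mandatory)][string]$Name)

    # Win32_Service exposes the same values shown in the Services snap-in.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $Name }
    if (-not $svc) { throw "Service '$Name' not found." }

    $findings = @()

    # General tab: the page recommends Startup type = Automatic.
    if ($svc.StartMode -ne 'Auto') {
        $findings += "Startup type is '$($svc.StartMode)'; Automatic is recommended."
    }

    # Log On tab: the service should run as the Windows user whose Smartcrypt
    # credentials were stored, not as a built-in service account.
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
        $findings += "Log On account is '$($svc.StartName)'; set it to the Locker user's Windows account."
    }

    # Image path: when the executable path contains spaces it should be stored
    # in quotes, otherwise Windows has to guess where the path ends.
    $path = $svc.PathName
    if ($path -notmatch '^\s*"') {
        $end = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exe = if ($end -ge 0) { $path.Substring(0, $end + 4) } else { $path }
        if ($exe -match '\s') {
            $findings += "Executable path contains spaces but is not quoted: $path"
        }
    }

    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        LogOnAs   = $svc.StartName
        ImagePath = $svc.PathName
        Findings  = $findings
    }
}

Test-LockerService -Name $ServiceName | Format-List
```

An empty Findings list means the service matches the settings described on this page; the script only reads the configuration and changes nothing.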

Deleting a Locker Service On Windows

In an elevated Command Prompt (cmd), run the following command to delete the existing Windows Service called "Locker Service For User A".

sc delete "Locker Service For User A"

If you see this error, the Command Prompt is not running elevated as Administrator.

[SC] OpenSCManager FAILED 5:

Access is denied.

More information on Windows Services can be found here: https://technet.microsoft.com/en-us/library/cc755249(v=ws.11).aspx

More information on creating a Smartcrypt Locker in the Smartcrypt Manager can be found here: Creating a Smartcrypt Locker