Symantec File Share Encryption

To start using Symantec File Share Encryption, you will need to set up an encrypted folder.  To do this, follow these steps or contact the ICT Service Desk for more assistance. 

1. Right-click the folder you want to encrypt and choose from the context menu Symantec Encryption Desktop > Encrypt “<folder name here>” with Symantec File Share…Advanced
2. In the new dialogue box (Add Users) that appears, click the ‘Add’ button
3. In the new dialogue box (User Selection) that appears, click ‘icsecsem.cc.ic.ac.uk’ and then search for your encryption group by typing the first few characters of the group's name in the search box and pressing the search icon (magnifying glass)
4. Highlight your group on the left-hand side column and click ‘Add’ (bottom left corner) to move your group into the right-hand side column and click ‘OK’
5. In the previous dialogue box (from 2. earlier), right-click your group name and make your group one of the following roles and then click ‘Next’: 

• Admin (has full control over encryption groups)
• Group Admin (has limited control over encryption groups)
• User (has no control over encryption groups)

Deciding on one of the three choices above.  In general, if you alone want to maintain control from the encryption management side of things, choose the ‘User’ role for the group.  However, if you want the group to have full encryption management responsibilities, chose the ‘Admin’ role instead. (these can always be changed at any time if you decide to change your mind)

6. Choose a signer from the drop-down list (it will most likely be your name) and click ‘Next’
7. This is the last dialogue box.  Depending on the size of your folder and/or how many files/sub-folders you have, this might take some time.  When it has been completed, click the ‘Finish’ button to close the dialogue box. 

This all depends on when the person was added to the group.  Group membership usually takes about an hour to synchronise over to the Symantec Encryption Server.  However, on some occasions, this can take up to 6 hours.  Unfortunately, this sync time constraint is beyond ICT’s control. 

These system files will only be visible by users with access to the files and folders, but do not have the Symantec Encryption Desktop client installed. 

If you have the Symantec Encryption Desktop client installed, encrypted files and folders will have a blue padlock icon displayed in the bottom left-hand corner of the icon.  

Note: Unfortunately, sometimes, this blue padlock icon does not always get displayed and this can usually be fixed by refreshing your Windows Explorer window by pressing the ‘refresh’ icon or pressing F5

If you do not have the Symantec Encryption Desktop client installed, encrypted folders will be identifiable as folders with PGPFS.INI file within it.

If you have SED installed, and you move (or copy) an unencrypted file or folder to an encrypted folder, that file or folder (and its contents) will automatically become encrypted to the same settings/groups as its parent folder. 

If you have SED installed, and you move (or copy) an encrypted file or folder out of an encrypted folder, that file or folder (and its contents) will remain in its encrypted state. 

Firstly, using Microsoft Outlook, if you attach an encrypted file/document(s) to an email, that file/document(s) will be automatically decrypted ‘on the fly’, so there is nothing extra the user must do in this respect. 

If you want to share a document with a user who is not part of the encryption group, yet you have a common file share/folder that you both use outside of the encrypted folder system, then simply copy (or move) the file/folder to the shared area and decrypt it.  To decrypt the file/folder, right-click and from the context menu choose:

• Symantec Encryption Desktop>
  • Decrypt “<insert file/folder name here>” with Symantec File Share 

There may be occasions where you cannot access encrypted files or folders, despite being in all the right groups and having Symantec Encryption Desktop installed. This is often because the file or folder has had the parent folder’s group key removed and has been encrypted with either a single users key or another group’s key. (see illustration below)

If this happens, you will need to contact the ICT Service Desk who will then determine rightful ownership of the data, and if applicable, use the Additional Decryption Key (ADK) to realign the encryption settings and make the file/folder accessible again within the parent group/folder structure. 

The Symantec Encryption Desktop client works by synchronising your private keys (which are secured on the Symantec Encryption Management Server) to your local PC/laptop.  Sometimes, these keys can either get corrupt or get out of sync.  If this error occurs or something is not working how you expect it to, the most common solution is to update the Symantec Encryption Desktop client policy. 

To do this, right-click the Symantec Encryption Desktop system tray icon and choose ‘Update Policy’.

In rare cases, the Symantec Encryption Desktop client installation itself can become corrupt and you can get all manner of errors ranging from ‘Contact your Administrator’ or ‘This file is corrupt’.  When this happens, it is possible to reset your SED client completely and start afresh. To do this, either contact the ICT Service Desk for assistance or if you feel comfortable enough, you can reset the client yourself by performing the following:

1. Close the SED client completely by right-clicking the system tray icon and choosing ‘Exit PGP Services’
2. Click ‘OK’ to the warning message
3. Press the Windows key (on your keyboard) together with the letter ‘R’ and in the dialogue box that pops up enter ‘%appdata%’ (without quotes) and press ‘OK’
4. In the new explorer window that pops up, navigate into the ‘PGP Corporation’ folder
5. Copy (or move) the ‘PGP’ folder to a safe location (this is just a precaution in case there are keys in there that do not exist on the server, but this is extremely rare)
6. Now delete the ‘PGP’ folder completely and close this window
7. From your Windows Start menu, find and start Symantec Encryption Desktop
8. You will now be required to enrol and trust the Symantec Encryption Management server certificate and enter your college username and password again
9. Symantec Encryption Desktop should now be performing as expected

If your documents look like this (see illustration below), you are most likely using a PC or laptop that does not have Symantec Encryption Desktop installed.  This can arise if you have had to switch from your regular PC or laptop to a temporary one. 

In this scenario, contact the ICT Service Desk to have Symantec Desktop Encryption installed on your temporary device. 

Right-click the file or folder in question and choose the Symantec File Share tab

For more advanced usage, Symantec provides a command-line tool (pgpnetshare.exe) bundled with the Symantec Encryption Desktop client.  With some Windows command line or PowerShell scripting, it is possible to report on multiple folders across your network shares or file system, as well as other encryption/decryption tasks.

For more information on what this command-line tool can offer and how to use it, please refer to the documentation/user guide at the bottom of this page or contact the ICT Service Desk. 

Symantec Encryption Desktop User Guide

Symantec Encryption Desktop Command Line User Guide (pgpnetshare.exe)