How do you encrypt removable media?

Section 1 of 3: General Functionality of SEE RME:

Section 1 Question 1: Can we use RME to prevent access to USB drives on systems?
Answer: Yes, RME can be used to block access to files when USB drives are plugged in. Many policies exist to cover just about any scenario needed.


Section 1 Question 2: We want to block all USB devices but allow specific devices. Does RME have the capability to allow this?
Answer: Yes, RME can block all devices but allow, or “exclude”, specific devices if the security policy permits it, and this can be done at a granular level.

Section 1 Question 3: How are files encrypted to USB devices or other removable devices?
Answer: RME can encrypt files with a regular password or with X.509 certificates. When using a password, there are several password types to choose from, such as a session password that applies to a particular Windows login session, a “Default” password, or a combination of these options. Password policies can also be applied to these scenarios.

Section 1 Question 4: Can I copy data from one encrypted RME drive to another USB drive?
Answer: This is not allowed.


Section 1 Question 5: Can RME be used to enforce encryption of data copied to removable devices?
Answer: Yes. The built-in policies allow flexibility, from letting users decide whether data gets encrypted all the way to the most secure setting, where data must be encrypted when it is copied to devices. DLP integration can help with this enforcement. Refer to the Online Help for more information on this topic.


Section 1 Question 7: I want to encrypt some files with a password and allow someone else to decrypt them with that password without installing any software. Is this possible?
Answer: Yes, RME can encrypt individual files to a password. This feature is the “Self-Decrypting Archive” component of SEE RME.

Section 1 Question 8: Can I copy/paste files from SEE RME, and do they decrypt when I do so?
Answer: You can copy and paste files from SEE RME; the result is that the files remain encrypted.
SEE RME does not use the Windows Clipboard, in order to provide the most secure method of copying files. Because of this, special steps must be taken.
See the following article for information on how these copy/paste methods work:

222692 - How can I Recover Files Encrypted with Symantec Removable Media Encryption (RME)?

See the following table for copy/paste functionality:

Options                           Removable Media Encryption   Other Drives
Copy encrypted files              Yes                          No
Paste encrypted files             No                           Yes
Attach encrypted files to email   Yes                          No

ISFR-1600/EPG-22844

Section 1 Question 9: I want a group of users to be able to share items through Removable Media Encryption without having to exchange passwords.
Answer: The RME Workgroup Key is part of the policy (not the SEE RME installer). When a machine belongs to a particular policy group on the SEE Management Server, all data can be encrypted to this Workgroup Key, and anyone who holds this key is automatically authenticated and can read the data.

For more information on this topic, see the following online help file:

Configuring the Removable Media Encryption - Workgroup Key policy options

Section 2 of 3: Recovery Options of SEE RME:

Section 2 Question 1: Can "shared" access be configured for SEE RME so that everything encrypted is usable by other users without having to share a "password"?
Answer: Yes! SEE RME supports a collaborative feature called "Workgroup Keys". Machines that belong to a group policy can access all data written to removable devices from any other machine in that group policy. For more information on this topic, see the following article:

252268 - Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption

Section 3 of 3: Recovery Options of SEE RME:

Section 2 Question 1: If files are encrypted, can my organization recover them if the user forgets the password to open the files?
Answer: RME can use a recovery certificate that is defined in the policy. If the recovery certificate is in use, it can be used to decrypt the files.

Refer to the Online Help for more information on this topic.


Section 2 Question 2: What sort of certificate do I need to create for recovery?
Answer: Use the PKCS#7 (P7B) format when you generate your certificate.

For more information on this topic, refer to the following KB article or the Online Help:

171224 - Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption

Section 2 Question 3: What are the best practices for RME when it comes to recovery?
Answer: When you generate your recovery certificate, make sure it won’t expire too quickly. For example, if you generate a certificate that expires in 1 year, after that time users will not be able to encrypt to this certificate unless you allow encryption to expired certificates in policy, which is not generally recommended. Creating a certificate that lasts as long as you expect to use this version is recommended; starting with 5 years may be good. If you obtain a new recovery certificate, you can embed it into the client when you generate a new SEE RME Client package, so keep track of when the certificate will expire.
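The two answers above (package the recovery certificate as PKCS#7/P7B, and do not let it expire unnoticed) can be exercised with the OpenSSL command line. The script below is an added example and is not Symantec's code or part of the SEE RME product: it generates a self-signed certificate as a stand-in for a recovery certificate (the subject name, file names and the 1826-day validity are assumptions, the validity following the FAQ's 5-year suggestion), wraps the certificate alone in a P7B container, and reports how long it has left so the expiry can be recorded. It assumes the `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example, not Symantec's code. Builds a stand-in recovery
# certificate, packages it as PKCS#7 (P7B) and checks remaining validity.
# Assumes: openssl on PATH; subject, file names and validity are placeholders.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/rme-recovery.key"     # private key: never goes into the P7B
CERT="$WORKDIR/rme-recovery.pem"    # certificate in PEM form
P7B="$WORKDIR/rme-recovery.p7b"     # certificate-only PKCS#7 container
VALID_DAYS=1826                      # about 5 years (assumption from the FAQ)

# Generate a self-signed certificate to act as the recovery certificate.
make_recovery_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CERT" -days "$VALID_DAYS" \
        -subj "/CN=RME Recovery Certificate (example)" >/dev/null 2>&1
}

# Wrap the certificate (no CRL, no private key) into a DER-encoded P7B.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$CERT" -outform DER -out "$P7B"
}

# Count the certificates inside the P7B to confirm the package is sound.
count_p7b_certs() {
    openssl pkcs7 -in "$P7B" -inform DER -print_certs -noout | grep -c '^subject='
}

# Exit 0 if the certificate stays valid for at least $1 more days, else 1.
cert_valid_for_days() {
    days="$1"
    openssl x509 -in "$CERT" -noout -checkend $((days * 86400)) >/dev/null
}

# Print the notAfter date so it can be written into the expiry tracking record.
cert_expiry() {
    openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2
}

main() {
    make_recovery_cert
    make_p7b
    echo "P7B contains $(count_p7b_certs) certificate(s)"
    echo "Recovery certificate expires: $(cert_expiry)"
    # Warn a year ahead: once expired, clients cannot encrypt to it unless the
    # (not recommended) policy option for expired certificates is enabled.
    if cert_valid_for_days 365; then
        echo "OK: more than one year of validity remains"
    else
        echo "WARNING: renew the recovery certificate and embed it in a new client package"
    fi
}

main
```

The P7B holds only the public certificate, which is what clients need in order to encrypt to the recovery identity; the private key stays with the Encryption Administrator and is what actually decrypts files during recovery, so it must be protected and backed up separately. Running the expiry check on a schedule turns "keep track of when the certificate will expire" into an alert rather than a memory exercise.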


Section 2 Question 4: If I need to use a recovery certificate, how can I do this?
Answer: The Encryption Administrator has access to the recovery certificate. If any files need to be decrypted, the recovery certificate can be used as long as the password for the certificate is known.

For more information on the actual recovery process, see the following article:

Section 2 Question 5: If I forgot my password, how can my administrator help me recover my files?
Answer: To recover files, see the following article:

222692 - How can I Recover Files Encrypted with Symantec Removable Media Encryption (RME)?

Section 2 Question 6: How are certificates used for encryption with RME?
Answer: See the following article for more information on this topic:

203389 - How certificates are used for file encryption by Endpoint Encryption Removable Media Encryption

Section 2 Question 7: Can a user reset their password if they forget it for SEE RME?
Answer: This is not currently possible. The Recovery Certificate discussed in Question 1 above can be used instead, but Symantec Enterprise Division is currently looking to include this functionality.
If you would like this functionality, log a support case and provide the following IDs, and Symantec Enterprise Support can assist with this.

ISFR-1600/EPG-22844

What can you use to encrypt removable drives?

BitLocker to Go is a feature of Windows 10 (Pro and Enterprise) that allows you to easily encrypt your personal devices and prevent unauthorized access. Without the encryption key, the device is inaccessible. When you connect your BitLocker-encrypted USB device to a Windows PC, you will be prompted for your password.

Does removable media support data encryption?

Most removable-media encryption products can be configured to restrict access to devices on an authorized list, using the proper encryption software and the correct key. To any other computer the device appears to be unformatted, and its data is inaccessible.

What does it mean to encrypt a USB drive?

USB control and encryption help protect your valuable data by encrypting it (or the portable device it is stored on) before it leaves the corporate network. This is done by enforcing AES-256 encryption on authorized flash drives while disallowing the use of unauthorized portable devices on protected endpoints.