McAfee Endpoint Encryption for Files and Folders Self Extractor White Paper
About Endpoint Encryption for Files and Folders Self-Extractors

Introduction

Endpoint Encryption for Files and Folders is a solution for transparent, policy-controlled file and folder encryption, i.e. protecting sensitive information from unauthorized access. To read files encrypted with Endpoint Encryption for Files and Folders, the user must have the product installed and must also have access to the encryption key used to encrypt the file(s). Access to encryption keys is granted through the Endpoint Encryption Manager, where the keys are also created. For a further description of the competitive advantages of Endpoint Encryption for Files and Folders, please contact a McAfee representative.

Along with the need to encrypt files and folders on local disks, network shares, removable devices etc., there is a growing need to share encrypted data with users who do not have Endpoint Encryption for Files and Folders installed, e.g. when submitting a confidential document to your organization's law firm. The Self-Extractor functionality in Endpoint Encryption for Files and Folders was created for this purpose.

Purpose

The purpose of the Self-Extractor function is to share encrypted data with users who do not have Endpoint Encryption for Files and Folders installed on their computers. For example, you want to hand the input material for your financial statements to your accounting firm on a USB flash memory stick, but you obviously want the data to be protected while it is on the stick. You cannot force the accountants to install the full Endpoint Encryption for Files and Folders client, nor can you have them come to your office to work on your guest laptops. In situations like this, the Self-Extractor functionality of Endpoint Encryption for Files and Folders is ideal.

How it works

Creating the Self-Extractor

The way the Self-Extractor functionality of Endpoint Encryption for Files and Folders works is very straightforward.
The user with the Endpoint Encryption for Files and Folders client installed simply right-clicks the file or folder to be transformed into a Self-Extractor. From the Endpoint Encryption for Files and Folders context menu entry, the user opens the sub-menu, which contains two entries that pertain to Self-Extractors:

- Create Self-Extractor (*.exe)
- Attach as Self-Extractor to E-mail

If the user selects Create Self-Extractor (*.exe), the Self-Extractor is saved to whatever location the user selects, e.g. a USB flash memory drive. The user is prompted to choose the password that will protect the Self-Extractor. Following the PKCS#5 standard (http://www.rsa.com/rsalabs/node.asp?id=2127), an encryption key is derived from that password, and that key is then used to encrypt the Self-Extractor. Because the key is derived from the password alone, the strength of the password is what protects the content; for that reason the password for the Self-Extractor must conform to the user's standard Endpoint Encryption password rules. For example, if the user's Endpoint Encryption password must be at least 6 characters long and contain at least one number, then the Self-Extractor password must also be at least 6 characters long and contain at least one number.

Self-Extractors can be created from both entire folders and individual files. The Self-Extractor is in essence a password-encrypted copy of the source folder or file, not the source itself; the source folder or file remains unaffected when the Self-Extractor is created. The Self-Extractor file is an executable (*.exe).

If the user selects Attach as Self-Extractor to E-mail, the Self-Extractor executable is automatically packaged into a compressed file (*.cab). The Endpoint Encryption for Files and Folders client then calls the default e-mail application to create a new e-mail, to which the Self-Extractor cab file is automatically attached. Before the attachment is made, the Self-Extractor file itself is created by prompting the user for a password, i.e. the same procedure as for Create Self-Extractor described above.

Reading the Self-Extractor

On the reading side, opening a Self-Extractor is even easier than creating one. The recipient simply double-clicks the Self-Extractor file, and a dialog appears.
In this dialog, the recipient must enter the very same password that was used when the Self-Extractor was created, so the creator must communicate that password to the recipient in an appropriate manner. Sending the password in the same e-mail as the Self-Extractor attachment is not a proper way; preferably an SMS message or a telephone call should be used to convey Self-Extractor passwords. Without the correct password, a Self-Extractor cannot be opened; there is no super-password. This cuts both ways: an attacker who obtains the file has no shortcut, but a forgotten password also means the content cannot be recovered from the Self-Extractor, which is why the unaffected source file should be kept.
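The creation and reading steps above, as an added example that is not McAfee's code and does not reproduce the product's file format: it checks a password policy of the kind the paper cites (at least 6 characters, at least one digit), derives the key with PKCS#5 v2 (PBKDF2-HMAC-SHA256), encrypts a copy of the input into a self-contained container, and refuses to unpack it under a wrong password. The container layout, the PBKDF2 iteration count, the HMAC-based stream cipher (a stand-in for a real AEAD such as AES-GCM, chosen so the block runs with the Python standard library alone) and the sample file content are assumptions of this example.

```python
"""Toy model of a password-protected self-extracting container.

Added example, not McAfee code. Mirrors the steps the white paper
describes: password policy check, PKCS#5 key derivation, encryption of a
COPY of the source data, decryption with the same password. Container
layout, KDF parameters and the stand-in cipher are assumptions here.
"""
import hashlib
import hmac
import os
import re
import struct

MAGIC = b"SFXDEMO1"          # assumed container marker, not the product's
KDF_ITERATIONS = 600_000     # assumed PBKDF2 work factor
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def check_password_policy(password, min_length=6, require_digit=True):
    """Enforce the rule the paper gives as its example: at least
    `min_length` characters and at least one digit."""
    if len(password) < min_length:
        return False
    if require_digit and not re.search(r"\d", password):
        return False
    return True


def derive_keys(password, salt):
    """PKCS#5 v2 (PBKDF2-HMAC-SHA256); the 64-byte output is split into
    an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks
    XORed over the data. Encrypt and decrypt are the same operation.
    Use AES-GCM (e.g. from the `cryptography` package) in real code."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">Q", offset // 32)
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def create_self_extractor(password, plaintext):
    """Build the container: MAGIC || salt || nonce || ciphertext || tag.
    The caller's plaintext is untouched; only a protected copy is made."""
    if not check_password_policy(password):
        raise ValueError("password does not meet the policy")
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_self_extractor(password, container):
    """Recover the content. A wrong password yields a different MAC key,
    so the tag check fails before any plaintext is produced; nothing in
    the container lets anyone skip the KDF (no super-password)."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(container) < hdr_len + TAG_LEN or not container.startswith(MAGIC):
        raise ValueError("not a self-extractor container")
    salt = container[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = container[len(MAGIC) + SALT_LEN:hdr_len]
    body, tag = container[hdr_len:-TAG_LEN], container[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, container[:hdr_len] + body,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted container")
    return _keystream_xor(enc_key, nonce, body)


if __name__ == "__main__":
    # Constructed sample input standing in for a source file.
    sample = b"Q3 ledger: account 4711 balance 1,234.56\n"
    sfx = create_self_extractor("ledger2024", sample)
    assert open_self_extractor("ledger2024", sfx) == sample
    try:
        open_self_extractor("ledger2025", sfx)
    except ValueError as exc:
        print("rejected:", exc)
```

The salt is stored in the clear in the container, as is normal for PBKDF2: it prevents precomputed dictionaries, not guessing, which is why the policy check and a high iteration count matter. Verifying the tag before decrypting is what turns "wrong password" into a clean error instead of garbage output.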
By default, once the correct password is given, the content of the Self-Extractor opens automatically in the associated application. While that application is open, the unpacked content exists on the recipient's disk; when the recipient closes the application, the unpacked content is wiped from disk. The Self-Extractor itself remains intact, so it may be opened again with the correct password. If the recipient wants to permanently save the unpacked content to disk, the recipient must select that option in the dialog where the Self-Extractor password is entered, and may then browse to the location where the unpacked content is to be saved; a copy saved this way is no longer protected by the Self-Extractor password.

It is important to note that the reader of a Self-Extractor does not need local Administrator rights on the PC where the Self-Extractor is read. Any regular user can open a Self-Extractor, provided the password is known.

If the recipient received the Self-Extractor as an e-mail attachment, the procedure is the same as when opening the Self-Extractor directly. As the *.cab format is recognized as a standard format, any Windows PC automatically starts its default decompression utility to unpack the content of the *.cab file, and the user may then double-click the Self-Extractor file once the unpacked content is presented.

Automatically created Self-Extractors on Removable Media

Other than the two ways outlined above to create Self-Extractors, the Administrator may decide that any file users place on removable media, e.g. a USB memory stick, via Windows drag-and-drop operations is converted into a Self-Extractor. The purpose of this feature is to secure the removable media so that the files are protected should the user lose the USB memory stick, while at the same time allowing the user to open and read the protected files on the removable media on any Windows computer without first installing Endpoint Encryption for Files and Folders.
This auto-conversion may be fully automated, without user intervention, or an intermediate question may be presented to the user, asking whether the file(s) shall be converted into a Self-Extractor when dragged and dropped. If this question is enabled and the user answers No, the file won't be put on the removable media; the drag-drop operation fails.

This feature only supports file transfers to removable media initiated from Windows Explorer, i.e.:

- Drag-and-drop operations
- Copy-Paste
- Cut-Paste

It is not supported when files are created directly on the removable media, nor for the Command Prompt file transfer commands (move and copy). Such transfers are not intercepted, so this feature gives them no protection; an Administrator who relies on auto-conversion to secure removable media should keep this gap in mind.

Limitation

It is important to remember that the Self-Extractor does not contain functionality for the recipient to edit the content of the Self-Extractor and send the altered content back to the originator, unless of course the recipient also has Endpoint Encryption for Files and Folders installed with the Self-Extractor option enabled.

Further information

For further information about Endpoint Encryption for Files and Folders, or any of the other award-winning Endpoint Encryption products, please contact your McAfee representative or visit www.mcafee.com.